c664712f1f4ba717816eed9c15d4d05f48a91bc5280d8ed1080f083c52a01a90

Analysis

max time kernel
140s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acad2392f55ee3b75ee914661f7f1613.exe
Size

263KB
MD5

acad2392f55ee3b75ee914661f7f1613
SHA1

aabc5065a60f23dda114fbe4240f1e4b8b533842
SHA256

c664712f1f4ba717816eed9c15d4d05f48a91bc5280d8ed1080f083c52a01a90
SHA512

1407546cc77c508a1b15c622306b69c44828f02b4bf25615751328df0c3badb3a09dae9aa69453673f3e44ceb74a8ae9e4ca3408884b6973ab116802a532e909
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuh:ZY7xh6SZI4z7FSVpuh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2412	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2564	wgjbtn.exe
2424	wdafnj.exe
1020	wafev.exe
1948	wima.exe
1860	wxph.exe
2140	wga.exe
1332	wjwot.exe
2172	wgd.exe
2240	wxuthelra.exe
3016	wtcctir.exe
1204	wkjpotue.exe
556	wnclagv.exe
1936	wwavfigoe.exe
1088	wblymsc.exe
2764	wadovo.exe
708	wgt.exe
1996	walspg.exe
2996	wuopslf.exe
2240	wcahwq.exe
2700	wcjibkb.exe
324	wummc.exe
1820	wxcxc.exe
1936	wxemc.exe
2100	wvvcma.exe
436	wnvltn.exe
1656	whf.exe
2548	wlu.exe
1224	wpepmp.exe
1804	wytxftt.exe
2508	wdrktfaly.exe
1104	wlhsli.exe
1792	wuwoli.exe
2044	wxnalve.exe
1436	whehebfkv.exe
1800	wddoeg.exe
2528	wllhp.exe
2816	whaein.exe
1080	wiex.exe
1204	wtflhcl.exe
1040	wdcvndwnx.exe
768	wowirceb.exe
2936	wxlqjg.exe
2716	wwvdgerfk.exe
1332	wodpbq.exe
2652	wfspcf.exe
2976	wvekqti.exe
572	wucng.exe
2444	wds.exe
1956	whb.exe
2784	wgs.exe
828	wcsb.exe
2904	wbtbmgyr.exe
948	wjyxxk.exe
300	wocufx.exe
2176	wqa.exe
1128	wubovamw.exe
2020	whirrxjxp.exe
812	wkydsk.exe
1016	wgyk.exe
1936	wntaex.exe
2100	wkshddg.exe
640	woqtqnnb.exe
536	wrhfrakhq.exe
856	wnfaxdktd.exe

Loads dropped DLL 64 IoCs

pid	Process
3012	acad2392f55ee3b75ee914661f7f1613.exe
3012	acad2392f55ee3b75ee914661f7f1613.exe
3012	acad2392f55ee3b75ee914661f7f1613.exe
3012	acad2392f55ee3b75ee914661f7f1613.exe
2564	wgjbtn.exe
2564	wgjbtn.exe
2564	wgjbtn.exe
2564	wgjbtn.exe
2424	wdafnj.exe
2424	wdafnj.exe
2424	wdafnj.exe
2424	wdafnj.exe
1020	wafev.exe
1020	wafev.exe
1020	wafev.exe
1020	wafev.exe
1948	wima.exe
1948	wima.exe
1948	wima.exe
1948	wima.exe
1860	wxph.exe
1860	wxph.exe
1860	wxph.exe
1860	wxph.exe
2140	wga.exe
2140	wga.exe
2140	wga.exe
2140	wga.exe
1332	wjwot.exe
1332	wjwot.exe
1332	wjwot.exe
1332	wjwot.exe
2172	wgd.exe
2172	wgd.exe
2172	wgd.exe
2172	wgd.exe
2240	wxuthelra.exe
2240	wxuthelra.exe
2240	wxuthelra.exe
2240	wxuthelra.exe
3016	wtcctir.exe
3016	wtcctir.exe
3016	wtcctir.exe
3016	wtcctir.exe
1204	wkjpotue.exe
1204	wkjpotue.exe
1204	wkjpotue.exe
1204	wkjpotue.exe
556	wnclagv.exe
556	wnclagv.exe
556	wnclagv.exe
556	wnclagv.exe
1936	wwavfigoe.exe
1936	wwavfigoe.exe
1936	wwavfigoe.exe
1936	wwavfigoe.exe
1088	wblymsc.exe
1088	wblymsc.exe
1088	wblymsc.exe
1088	wblymsc.exe
2764	wadovo.exe
2764	wadovo.exe
2764	wadovo.exe
2764	wadovo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wnclagv.exe	wkjpotue.exe
File opened for modification	C:\Windows\SysWOW64\walspg.exe	wgt.exe
File opened for modification	C:\Windows\SysWOW64\wurqur.exe	wogoni.exe
File created	C:\Windows\SysWOW64\wxph.exe	wima.exe
File created	C:\Windows\SysWOW64\wnclagv.exe	wkjpotue.exe
File opened for modification	C:\Windows\SysWOW64\wxuthelra.exe	wgd.exe
File opened for modification	C:\Windows\SysWOW64\wubovamw.exe	wqa.exe
File opened for modification	C:\Windows\SysWOW64\wpffpw.exe	witatu.exe
File created	C:\Windows\SysWOW64\wqrchp.exe	wvsvi.exe
File opened for modification	C:\Windows\SysWOW64\wqrchp.exe	wvsvi.exe
File created	C:\Windows\SysWOW64\wficyqmx.exe	waoweji.exe
File opened for modification	C:\Windows\SysWOW64\wiex.exe	whaein.exe
File opened for modification	C:\Windows\SysWOW64\wgyk.exe	wkydsk.exe
File created	C:\Windows\SysWOW64\wummc.exe	wcjibkb.exe
File created	C:\Windows\SysWOW64\wdcvndwnx.exe	wtflhcl.exe
File opened for modification	C:\Windows\SysWOW64\wima.exe	wafev.exe
File opened for modification	C:\Windows\SysWOW64\wblymsc.exe	wwavfigoe.exe
File created	C:\Windows\SysWOW64\wbtbmgyr.exe	wcsb.exe
File opened for modification	C:\Windows\SysWOW64\winkecke.exe	wlrlaao.exe
File opened for modification	C:\Windows\SysWOW64\wiiayo.exe	wvruotg.exe
File created	C:\Windows\SysWOW64\wgd.exe	wjwot.exe
File created	C:\Windows\SysWOW64\wvvcma.exe	wxemc.exe
File created	C:\Windows\SysWOW64\winkecke.exe	wlrlaao.exe
File created	C:\Windows\SysWOW64\wecafyw.exe	wfdy.exe
File opened for modification	C:\Windows\SysWOW64\wwvdgerfk.exe	wxlqjg.exe
File opened for modification	C:\Windows\SysWOW64\wbtbmgyr.exe	wcsb.exe
File opened for modification	C:\Windows\SysWOW64\wuhamrhbb.exe	wpcxt.exe
File opened for modification	C:\Windows\SysWOW64\wxcxc.exe	wummc.exe
File opened for modification	C:\Windows\SysWOW64\wtflhcl.exe	wiex.exe
File opened for modification	C:\Windows\SysWOW64\wgs.exe	whb.exe
File created	C:\Windows\SysWOW64\wxyry.exe	wpxayno.exe
File created	C:\Windows\SysWOW64\wcijwekt.exe	wqhuhittt.exe
File created	C:\Windows\SysWOW64\wob.exe	wkdxhmy.exe
File created	C:\Windows\SysWOW64\wuhamrhbb.exe	wpcxt.exe
File created	C:\Windows\SysWOW64\wdafnj.exe	wgjbtn.exe
File opened for modification	C:\Windows\SysWOW64\wdafnj.exe	wgjbtn.exe
File opened for modification	C:\Windows\SysWOW64\wqa.exe	wocufx.exe
File opened for modification	C:\Windows\SysWOW64\wpxayno.exe	wpywjpmw.exe
File opened for modification	C:\Windows\SysWOW64\wpcxt.exe	wuerubvg.exe
File created	C:\Windows\SysWOW64\wxuthelra.exe	wgd.exe
File created	C:\Windows\SysWOW64\wvekqti.exe	wfspcf.exe
File created	C:\Windows\SysWOW64\whdvbps.exe	wvwfwut.exe
File created	C:\Windows\SysWOW64\wohnesf.exe	wbbwyyh.exe
File created	C:\Windows\SysWOW64\wuwoli.exe	wlhsli.exe
File created	C:\Windows\SysWOW64\wqhuhittt.exe	wuamvf.exe
File opened for modification	C:\Windows\SysWOW64\wlhsli.exe	wdrktfaly.exe
File opened for modification	C:\Windows\SysWOW64\wucng.exe	wvekqti.exe
File opened for modification	C:\Windows\SysWOW64\whirrxjxp.exe	wubovamw.exe
File created	C:\Windows\SysWOW64\woqtqnnb.exe	wkshddg.exe
File opened for modification	C:\Windows\SysWOW64\wfomxje.exe	wjjfm.exe
File created	C:\Windows\SysWOW64\wovinvmq.exe	wtlshpe.exe
File opened for modification	C:\Windows\SysWOW64\wlu.exe	whf.exe
File created	C:\Windows\SysWOW64\wytxftt.exe	wpepmp.exe
File created	C:\Windows\SysWOW64\wdluakqd.exe	wlsmfvfy.exe
File opened for modification	C:\Windows\SysWOW64\wkguupx.exe	wxyry.exe
File created	C:\Windows\SysWOW64\wkdxhmy.exe	whmlgb.exe
File opened for modification	C:\Windows\SysWOW64\wceyvm.exe	whwqlhvf.exe
File created	C:\Windows\SysWOW64\wasoqo.exe	wrchyih.exe
File created	C:\Windows\SysWOW64\wjwot.exe	wga.exe
File created	C:\Windows\SysWOW64\wxemc.exe	wxcxc.exe
File created	C:\Windows\SysWOW64\wurqur.exe	wogoni.exe
File created	C:\Windows\SysWOW64\wvruotg.exe	wasoqo.exe
File opened for modification	C:\Windows\SysWOW64\wecafyw.exe	wfdy.exe
File opened for modification	C:\Windows\SysWOW64\wdluakqd.exe	wlsmfvfy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	2700	WerFault.exe	89

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2564	3012	acad2392f55ee3b75ee914661f7f1613.exe	28
PID 3012 wrote to memory of 2564	3012	acad2392f55ee3b75ee914661f7f1613.exe	28
PID 3012 wrote to memory of 2564	3012	acad2392f55ee3b75ee914661f7f1613.exe	28
PID 3012 wrote to memory of 2564	3012	acad2392f55ee3b75ee914661f7f1613.exe	28
PID 3012 wrote to memory of 2412	3012	acad2392f55ee3b75ee914661f7f1613.exe	29
PID 3012 wrote to memory of 2412	3012	acad2392f55ee3b75ee914661f7f1613.exe	29
PID 3012 wrote to memory of 2412	3012	acad2392f55ee3b75ee914661f7f1613.exe	29
PID 3012 wrote to memory of 2412	3012	acad2392f55ee3b75ee914661f7f1613.exe	29
PID 2564 wrote to memory of 2424	2564	wgjbtn.exe	31
PID 2564 wrote to memory of 2424	2564	wgjbtn.exe	31
PID 2564 wrote to memory of 2424	2564	wgjbtn.exe	31
PID 2564 wrote to memory of 2424	2564	wgjbtn.exe	31
PID 2564 wrote to memory of 2108	2564	wgjbtn.exe	32
PID 2564 wrote to memory of 2108	2564	wgjbtn.exe	32
PID 2564 wrote to memory of 2108	2564	wgjbtn.exe	32
PID 2564 wrote to memory of 2108	2564	wgjbtn.exe	32
PID 2424 wrote to memory of 1020	2424	wdafnj.exe	34
PID 2424 wrote to memory of 1020	2424	wdafnj.exe	34
PID 2424 wrote to memory of 1020	2424	wdafnj.exe	34
PID 2424 wrote to memory of 1020	2424	wdafnj.exe	34
PID 2424 wrote to memory of 2864	2424	wdafnj.exe	36
PID 2424 wrote to memory of 2864	2424	wdafnj.exe	36
PID 2424 wrote to memory of 2864	2424	wdafnj.exe	36
PID 2424 wrote to memory of 2864	2424	wdafnj.exe	36
PID 1020 wrote to memory of 1948	1020	wafev.exe	37
PID 1020 wrote to memory of 1948	1020	wafev.exe	37
PID 1020 wrote to memory of 1948	1020	wafev.exe	37
PID 1020 wrote to memory of 1948	1020	wafev.exe	37
PID 1020 wrote to memory of 1832	1020	wafev.exe	38
PID 1020 wrote to memory of 1832	1020	wafev.exe	38
PID 1020 wrote to memory of 1832	1020	wafev.exe	38
PID 1020 wrote to memory of 1832	1020	wafev.exe	38
PID 1948 wrote to memory of 1860	1948	wima.exe	40
PID 1948 wrote to memory of 1860	1948	wima.exe	40
PID 1948 wrote to memory of 1860	1948	wima.exe	40
PID 1948 wrote to memory of 1860	1948	wima.exe	40
PID 1948 wrote to memory of 768	1948	wima.exe	41
PID 1948 wrote to memory of 768	1948	wima.exe	41
PID 1948 wrote to memory of 768	1948	wima.exe	41
PID 1948 wrote to memory of 768	1948	wima.exe	41
PID 1860 wrote to memory of 2140	1860	wxph.exe	43
PID 1860 wrote to memory of 2140	1860	wxph.exe	43
PID 1860 wrote to memory of 2140	1860	wxph.exe	43
PID 1860 wrote to memory of 2140	1860	wxph.exe	43
PID 1860 wrote to memory of 1812	1860	wxph.exe	45
PID 1860 wrote to memory of 1812	1860	wxph.exe	45
PID 1860 wrote to memory of 1812	1860	wxph.exe	45
PID 1860 wrote to memory of 1812	1860	wxph.exe	45
PID 2140 wrote to memory of 1332	2140	wga.exe	46
PID 2140 wrote to memory of 1332	2140	wga.exe	46
PID 2140 wrote to memory of 1332	2140	wga.exe	46
PID 2140 wrote to memory of 1332	2140	wga.exe	46
PID 2140 wrote to memory of 1184	2140	wga.exe	47
PID 2140 wrote to memory of 1184	2140	wga.exe	47
PID 2140 wrote to memory of 1184	2140	wga.exe	47
PID 2140 wrote to memory of 1184	2140	wga.exe	47
PID 1332 wrote to memory of 2172	1332	wjwot.exe	49
PID 1332 wrote to memory of 2172	1332	wjwot.exe	49
PID 1332 wrote to memory of 2172	1332	wjwot.exe	49
PID 1332 wrote to memory of 2172	1332	wjwot.exe	49
PID 1332 wrote to memory of 2800	1332	wjwot.exe	50
PID 1332 wrote to memory of 2800	1332	wjwot.exe	50
PID 1332 wrote to memory of 2800	1332	wjwot.exe	50
PID 1332 wrote to memory of 2800	1332	wjwot.exe	50

C:\Users\Admin\AppData\Local\Temp\acad2392f55ee3b75ee914661f7f1613.exe
"C:\Users\Admin\AppData\Local\Temp\acad2392f55ee3b75ee914661f7f1613.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\wgjbtn.exe
  "C:\Windows\system32\wgjbtn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\wdafnj.exe
    "C:\Windows\system32\wdafnj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\wafev.exe
      "C:\Windows\system32\wafev.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\wima.exe
        
        "C:\Windows\system32\wima.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\wxph.exe
        
        "C:\Windows\system32\wxph.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\wga.exe
        
        "C:\Windows\system32\wga.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\wjwot.exe
        
        "C:\Windows\system32\wjwot.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\wgd.exe
        
        "C:\Windows\system32\wgd.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\wxuthelra.exe
        
        "C:\Windows\system32\wxuthelra.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\SysWOW64\wtcctir.exe
        
        "C:\Windows\system32\wtcctir.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3016
        
        C:\Windows\SysWOW64\wkjpotue.exe
        
        "C:\Windows\system32\wkjpotue.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\wnclagv.exe
        
        "C:\Windows\system32\wnclagv.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:556
        
        C:\Windows\SysWOW64\wwavfigoe.exe
        
        "C:\Windows\system32\wwavfigoe.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wblymsc.exe
        
        "C:\Windows\system32\wblymsc.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1088
        
        C:\Windows\SysWOW64\wadovo.exe
        
        "C:\Windows\system32\wadovo.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2764
        
        C:\Windows\SysWOW64\wgt.exe
        
        "C:\Windows\system32\wgt.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:708
        
        C:\Windows\SysWOW64\walspg.exe
        
        "C:\Windows\system32\walspg.exe"
        18⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\wuopslf.exe
        
        "C:\Windows\system32\wuopslf.exe"
        19⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\wcahwq.exe
        
        "C:\Windows\system32\wcahwq.exe"
        20⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\wcjibkb.exe
        
        "C:\Windows\system32\wcjibkb.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\wummc.exe
        
        "C:\Windows\system32\wummc.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\wxcxc.exe
        
        "C:\Windows\system32\wxcxc.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wxemc.exe
        
        "C:\Windows\system32\wxemc.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wvvcma.exe
        
        "C:\Windows\system32\wvvcma.exe"
        25⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\wnvltn.exe
        
        "C:\Windows\system32\wnvltn.exe"
        26⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\whf.exe
        
        "C:\Windows\system32\whf.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\wlu.exe
        
        "C:\Windows\system32\wlu.exe"
        28⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\wpepmp.exe
        
        "C:\Windows\system32\wpepmp.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\wytxftt.exe
        
        "C:\Windows\system32\wytxftt.exe"
        30⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\wdrktfaly.exe
        
        "C:\Windows\system32\wdrktfaly.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\wlhsli.exe
        
        "C:\Windows\system32\wlhsli.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\wuwoli.exe
        
        "C:\Windows\system32\wuwoli.exe"
        33⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\wxnalve.exe
        
        "C:\Windows\system32\wxnalve.exe"
        34⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\whehebfkv.exe
        
        "C:\Windows\system32\whehebfkv.exe"
        35⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\wddoeg.exe
        
        "C:\Windows\system32\wddoeg.exe"
        36⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\wllhp.exe
        
        "C:\Windows\system32\wllhp.exe"
        37⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\whaein.exe
        
        "C:\Windows\system32\whaein.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wiex.exe
        
        "C:\Windows\system32\wiex.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\wtflhcl.exe
        
        "C:\Windows\system32\wtflhcl.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\wdcvndwnx.exe
        
        "C:\Windows\system32\wdcvndwnx.exe"
        41⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\wowirceb.exe
        
        "C:\Windows\system32\wowirceb.exe"
        42⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\wxlqjg.exe
        
        "C:\Windows\system32\wxlqjg.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wwvdgerfk.exe
        
        "C:\Windows\system32\wwvdgerfk.exe"
        44⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\wodpbq.exe
        
        "C:\Windows\system32\wodpbq.exe"
        45⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\wfspcf.exe
        
        "C:\Windows\system32\wfspcf.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\wvekqti.exe
        
        "C:\Windows\system32\wvekqti.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\wucng.exe
        
        "C:\Windows\system32\wucng.exe"
        48⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\wds.exe
        
        "C:\Windows\system32\wds.exe"
        49⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\whb.exe
        
        "C:\Windows\system32\whb.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\wgs.exe
        
        "C:\Windows\system32\wgs.exe"
        51⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\wcsb.exe
        
        "C:\Windows\system32\wcsb.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\wbtbmgyr.exe
        
        "C:\Windows\system32\wbtbmgyr.exe"
        53⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\wjyxxk.exe
        
        "C:\Windows\system32\wjyxxk.exe"
        54⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\wocufx.exe
        
        "C:\Windows\system32\wocufx.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:300
        
        C:\Windows\SysWOW64\wqa.exe
        
        "C:\Windows\system32\wqa.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\wubovamw.exe
        
        "C:\Windows\system32\wubovamw.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\whirrxjxp.exe
        
        "C:\Windows\system32\whirrxjxp.exe"
        58⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\wkydsk.exe
        
        "C:\Windows\system32\wkydsk.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\wgyk.exe
        
        "C:\Windows\system32\wgyk.exe"
        60⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\wntaex.exe
        
        "C:\Windows\system32\wntaex.exe"
        61⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\wkshddg.exe
        
        "C:\Windows\system32\wkshddg.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\woqtqnnb.exe
        
        "C:\Windows\system32\woqtqnnb.exe"
        63⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\wrhfrakhq.exe
        
        "C:\Windows\system32\wrhfrakhq.exe"
        64⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\wnfaxdktd.exe
        
        "C:\Windows\system32\wnfaxdktd.exe"
        65⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\wkfhwhi.exe
        
        "C:\Windows\system32\wkfhwhi.exe"
        66⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\wpywjpmw.exe
        
        "C:\Windows\system32\wpywjpmw.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\wpxayno.exe
        
        "C:\Windows\system32\wpxayno.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\wxyry.exe
        
        "C:\Windows\system32\wxyry.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wkguupx.exe
        
        "C:\Windows\system32\wkguupx.exe"
        70⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\wjxkel.exe
        
        "C:\Windows\system32\wjxkel.exe"
        71⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\wvsvi.exe
        
        "C:\Windows\system32\wvsvi.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\wqrchp.exe
        
        "C:\Windows\system32\wqrchp.exe"
        73⤵
        
        PID:900
        
        C:\Windows\SysWOW64\wuamvf.exe
        
        "C:\Windows\system32\wuamvf.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\wqhuhittt.exe
        
        "C:\Windows\system32\wqhuhittt.exe"
        75⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wcijwekt.exe
        
        "C:\Windows\system32\wcijwekt.exe"
        76⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\wcoobyt.exe
        
        "C:\Windows\system32\wcoobyt.exe"
        77⤵
        
        PID:380
        
        C:\Windows\SysWOW64\wjjfm.exe
        
        "C:\Windows\system32\wjjfm.exe"
        78⤵
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\wfomxje.exe
        
        "C:\Windows\system32\wfomxje.exe"
        79⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\wrfqhgjuv.exe
        
        "C:\Windows\system32\wrfqhgjuv.exe"
        80⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\waejhkv.exe
        
        "C:\Windows\system32\waejhkv.exe"
        81⤵
        
        PID:940
        
        C:\Windows\SysWOW64\waoweji.exe
        
        "C:\Windows\system32\waoweji.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wficyqmx.exe
        
        "C:\Windows\system32\wficyqmx.exe"
        83⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\waiixu.exe
        
        "C:\Windows\system32\waiixu.exe"
        84⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\warvutvjm.exe
        
        "C:\Windows\system32\warvutvjm.exe"
        85⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\whmlgb.exe
        
        "C:\Windows\system32\whmlgb.exe"
        86⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\wkdxhmy.exe
        
        "C:\Windows\system32\wkdxhmy.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\wob.exe
        
        "C:\Windows\system32\wob.exe"
        88⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\wvcnnhoiy.exe
        
        "C:\Windows\system32\wvcnnhoiy.exe"
        89⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\wqcunm.exe
        
        "C:\Windows\system32\wqcunm.exe"
        90⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\wuerubvg.exe
        
        "C:\Windows\system32\wuerubvg.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\wpcxt.exe
        
        "C:\Windows\system32\wpcxt.exe"
        92⤵
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\wuhamrhbb.exe
        
        "C:\Windows\system32\wuhamrhbb.exe"
        93⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\wltucg.exe
        
        "C:\Windows\system32\wltucg.exe"
        94⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\wlrlaao.exe
        
        "C:\Windows\system32\wlrlaao.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\winkecke.exe
        
        "C:\Windows\system32\winkecke.exe"
        96⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\whpjv.exe
        
        "C:\Windows\system32\whpjv.exe"
        97⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\wcnque.exe
        
        "C:\Windows\system32\wcnque.exe"
        98⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\wtlshpe.exe
        
        "C:\Windows\system32\wtlshpe.exe"
        99⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\wovinvmq.exe
        
        "C:\Windows\system32\wovinvmq.exe"
        100⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\wslvo.exe
        
        "C:\Windows\system32\wslvo.exe"
        101⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\wolbnoi.exe
        
        "C:\Windows\system32\wolbnoi.exe"
        102⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\wfdy.exe
        
        "C:\Windows\system32\wfdy.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\wecafyw.exe
        
        "C:\Windows\system32\wecafyw.exe"
        104⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\webevt.exe
        
        "C:\Windows\system32\webevt.exe"
        105⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\wguxql.exe
        
        "C:\Windows\system32\wguxql.exe"
        106⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\wlsmfvfy.exe
        
        "C:\Windows\system32\wlsmfvfy.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\wdluakqd.exe
        
        "C:\Windows\system32\wdluakqd.exe"
        108⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\whwqlhvf.exe
        
        "C:\Windows\system32\whwqlhvf.exe"
        109⤵
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\wceyvm.exe
        
        "C:\Windows\system32\wceyvm.exe"
        110⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\wogoni.exe
        
        "C:\Windows\system32\wogoni.exe"
        111⤵
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\wurqur.exe
        
        "C:\Windows\system32\wurqur.exe"
        112⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\wbbwyyh.exe
        
        "C:\Windows\system32\wbbwyyh.exe"
        113⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wohnesf.exe
        
        "C:\Windows\system32\wohnesf.exe"
        114⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\wrchyih.exe
        
        "C:\Windows\system32\wrchyih.exe"
        115⤵
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\wasoqo.exe
        
        "C:\Windows\system32\wasoqo.exe"
        116⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\wvruotg.exe
        
        "C:\Windows\system32\wvruotg.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\wiiayo.exe
        
        "C:\Windows\system32\wiiayo.exe"
        118⤵
        
        PID:392
        
        C:\Windows\SysWOW64\wnwyh.exe
        
        "C:\Windows\system32\wnwyh.exe"
        119⤵
        
        PID:768
        
        C:\Windows\SysWOW64\wyxo.exe
        
        "C:\Windows\system32\wyxo.exe"
        120⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\wpyxf.exe
        
        "C:\Windows\system32\wpyxf.exe"
        121⤵
        
        PID:400
        
        C:\Windows\SysWOW64\witatu.exe
        
        "C:\Windows\system32\witatu.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wpffpw.exe
        
        "C:\Windows\system32\wpffpw.exe"
        123⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\wdinanh.exe
        
        "C:\Windows\system32\wdinanh.exe"
        124⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\wmqhlq.exe
        
        "C:\Windows\system32\wmqhlq.exe"
        125⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\wvwfwut.exe
        
        "C:\Windows\system32\wvwfwut.exe"
        126⤵
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\whdvbps.exe
        
        "C:\Windows\system32\whdvbps.exe"
        127⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\wirs.exe
        
        "C:\Windows\system32\wirs.exe"
        128⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\wqlye.exe
        
        "C:\Windows\system32\wqlye.exe"
        129⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdvbps.exe"
        128⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwfwut.exe"
        127⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqhlq.exe"
        126⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdinanh.exe"
        125⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpffpw.exe"
        124⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\witatu.exe"
        123⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyxf.exe"
        122⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxo.exe"
        121⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwyh.exe"
        120⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiayo.exe"
        119⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvruotg.exe"
        118⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasoqo.exe"
        117⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrchyih.exe"
        116⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohnesf.exe"
        115⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbwyyh.exe"
        114⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurqur.exe"
        113⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wogoni.exe"
        112⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wceyvm.exe"
        111⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwqlhvf.exe"
        110⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdluakqd.exe"
        109⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsmfvfy.exe"
        108⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguxql.exe"
        107⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webevt.exe"
        106⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecafyw.exe"
        105⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdy.exe"
        104⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolbnoi.exe"
        103⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslvo.exe"
        102⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovinvmq.exe"
        101⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlshpe.exe"
        100⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcnque.exe"
        99⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpjv.exe"
        98⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winkecke.exe"
        97⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrlaao.exe"
        96⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltucg.exe"
        95⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhamrhbb.exe"
        94⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcxt.exe"
        93⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuerubvg.exe"
        92⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcunm.exe"
        91⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcnnhoiy.exe"
        90⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wob.exe"
        89⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkdxhmy.exe"
        88⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmlgb.exe"
        87⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warvutvjm.exe"
        86⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waiixu.exe"
        85⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wficyqmx.exe"
        84⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waoweji.exe"
        83⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waejhkv.exe"
        82⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfqhgjuv.exe"
        81⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfomxje.exe"
        80⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjfm.exe"
        79⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoobyt.exe"
        78⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcijwekt.exe"
        77⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhuhittt.exe"
        76⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuamvf.exe"
        75⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrchp.exe"
        74⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvsvi.exe"
        73⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxkel.exe"
        72⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkguupx.exe"
        71⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyry.exe"
        70⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxayno.exe"
        69⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpywjpmw.exe"
        68⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfhwhi.exe"
        67⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfaxdktd.exe"
        66⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhfrakhq.exe"
        65⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqtqnnb.exe"
        64⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkshddg.exe"
        63⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntaex.exe"
        62⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyk.exe"
        61⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkydsk.exe"
        60⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirrxjxp.exe"
        59⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubovamw.exe"
        58⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqa.exe"
        57⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocufx.exe"
        56⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjyxxk.exe"
        55⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtbmgyr.exe"
        54⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsb.exe"
        53⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgs.exe"
        52⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whb.exe"
        51⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wds.exe"
        50⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucng.exe"
        49⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvekqti.exe"
        48⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfspcf.exe"
        47⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodpbq.exe"
        46⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvdgerfk.exe"
        45⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlqjg.exe"
        44⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowirceb.exe"
        43⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcvndwnx.exe"
        42⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtflhcl.exe"
        41⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiex.exe"
        40⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whaein.exe"
        39⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllhp.exe"
        38⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddoeg.exe"
        37⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whehebfkv.exe"
        36⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnalve.exe"
        35⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwoli.exe"
        34⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhsli.exe"
        33⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrktfaly.exe"
        32⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wytxftt.exe"
        31⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpepmp.exe"
        30⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlu.exe"
        29⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whf.exe"
        28⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnvltn.exe"
        27⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvcma.exe"
        26⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxemc.exe"
        25⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcxc.exe"
        24⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wummc.exe"
        23⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjibkb.exe"
        22⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 808
        22⤵
        Program crash
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcahwq.exe"
        21⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuopslf.exe"
        20⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\walspg.exe"
        19⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgt.exe"
        18⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadovo.exe"
        17⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblymsc.exe"
        16⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwavfigoe.exe"
        15⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnclagv.exe"
        14⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjpotue.exe"
        13⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcctir.exe"
        12⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuthelra.exe"
        11⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgd.exe"
        10⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwot.exe"
        9⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wga.exe"
        8⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxph.exe"
        7⤵
        
        PID:1812
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wima.exe"
        6⤵
        
        PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafev.exe"
        5⤵
        
        PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdafnj.exe"
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjbtn.exe"
    3⤵
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\acad2392f55ee3b75ee914661f7f1613.exe"
  2⤵
  - Deletes itself
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0ZOCJJHF.txt

Filesize
97B

MD5
af0568e790a336f65c63237aca0b4a14

SHA1
34b83fb79f888408122f78c344f3b7b659b96046

SHA256
cff4154a47d006eadb297fce820b1228281b699339fe2e7e44bf04d985a05066

SHA512
12444edf5384d1335059b2558ee92ca453ca05a5998e2eed26d362f932456f41a80e27900b7e1377d66be1269dcb081bfcd11a9742515db02e802f53de3a823e

Download Submit
C:\Windows\SysWOW64\wga.exe

Filesize
130KB

MD5
6252715f0e0939dfc09fc7b25fcd2008

SHA1
71a9b54d20d26634343acdbdf68f4539f7afcec0

SHA256
5c08bfab0c3006f8bbffe28739d0e86765c77d9191ff237837af64135025088d

SHA512
869ebfad07ad3992a8cb476f0a023e75e532d0e4375ac7c328b549b0fd762e1e43ea005d1e2e676ec3766492df139741a3577fb68b1d5d954fd19d80d1e228f8

Download Submit
C:\Windows\SysWOW64\wtcctir.exe

Filesize
264KB

MD5
7d122435dfbe7a64f9ab5b23b5fba3f8

SHA1
43f336945ff30248abc711ecc4a06d00929f29b3

SHA256
6fa0680b98bbdd044cbf325e1c5253ab8905a8746f2a9bc623632f0296fcaf27

SHA512
34e6bc4320804e18b247ff2aebaca1648cbe7242ced197531aa78ecbc41024885052feeaf207422132c49a4fed2a4c6be6254babfe4e0274b33106f5255a958f

Download Submit
\Windows\SysWOW64\wafev.exe

Filesize
263KB

MD5
2b9afcab4bd3cb3db46c369ea66abce6

SHA1
b9fabf76aca88578df14dda2d13d2b7b6ffd8942

SHA256
55b80a838cb00706efa32d2468e23fa356bb4fb22a6171dbb4da924815158aa6

SHA512
c2bb6aa402c4f7de635ff0d84ba83ca1e327bc213708e07468bee123c7c135704aaee1507d98d218e8df572ddb1661fe6ff0429593aed84e9f9058fdf2393a5e

Download Submit
\Windows\SysWOW64\wdafnj.exe

Filesize
263KB

MD5
11da3da6935a54a64cea2a9d47915b09

SHA1
ec7d482d6163a22f489d64b6ddcc748a39bbf482

SHA256
50092c172799ff8019d5961b686155a11d9308bff3800ed1cf171599bac57710

SHA512
fdef522e449bebd1b500a5d783dee3c958a33dab6a8025285c58d99e2db9405ddc881e2f714d32ae220388d9bbc70aa652f6a5b62cc79f6f83d7812ff6129b79

Download Submit
\Windows\SysWOW64\wga.exe

Filesize
263KB

MD5
1132c7ca5d425f1010d30c81517f2b8b

SHA1
98f78163bb561b1d6799ca39d08b75d12de95775

SHA256
eea2e4984a6b923ad0236725125ec45da783ce77868f6e82f3146b3b15badeae

SHA512
2869b7bb734ffe28feba4e7cd63a56c251b198d968e96ca9f4fcf5bbd9afe518b90c2ae7f75956b3e02758b42f91280c393a4c60a89db277cd9c196e5237793b

Download Submit
\Windows\SysWOW64\wgd.exe

Filesize
263KB

MD5
644579fc0c160f166acebde4cc914581

SHA1
3b3536e0cc4accf78c64e724fca83a22ef29f004

SHA256
2403d8361e393d18125d8547836bbde0f45137ab6dc52e564b98680f142d364b

SHA512
3b1740c9917ee5d5536477f5483de3c09b524f8f40f277f44405622bfd4161a25cc7177a22e804fd058a9d1e22634b0711c258e7d028f2a19a0adac673d46c9e

Download Submit
\Windows\SysWOW64\wgjbtn.exe

Filesize
263KB

MD5
0aa0fa0ea55af51c7c048a7cf5b338d8

SHA1
b1a21f42131e0fff961343a657588ba550fc216b

SHA256
4fea9fa87f881029d32ebf6f0cedc6514280aaa7a36bbb0f2ceeed6671992196

SHA512
ddf903708abd44edf7b38e857dbd014b20e9de1f3b91b709c3ffac68cb42e3381ca3d628b2f7c8538caf17c95e51066d2a0c349c4e066d8a72eddb05a298e046

Download Submit
\Windows\SysWOW64\wima.exe

Filesize
263KB

MD5
c11478c5b30c0ec282b61d6c29eb4889

SHA1
17b3033fa2c806e8d064a5d763914b3508c115ae

SHA256
9dcccd03486e4a2bb0b74dfce54121eb43e3c5d6cdb15c537a2f7a71ed329e6a

SHA512
c7cddce1e811e06b00435667734ecd832036ab03705bba85df938191e9e61063dabeb299b9324c2fc9ba57b5c0175bc6074054225b8da3fa2104b8058baf0bb0

Download Submit
\Windows\SysWOW64\wjwot.exe

Filesize
263KB

MD5
570eb6506980a49d7a552b1ef49c92d1

SHA1
3200d7dc0f2937369851b5984692ac9bf9b194c4

SHA256
fbd712e06a25aaf5b75456d44f653a7e1d3c3b507bc86586b22ddd696f4ccf6f

SHA512
f2b55f7aaa01d1ecb49464838514ec08cfd6268d6dfb2b868623ee26a761dfcd71a8a16ff8faf4efee01f1a14d973b4a2aace122e0283ceaae6782a9e3e7d1cb

Download Submit
\Windows\SysWOW64\wkjpotue.exe

Filesize
264KB

MD5
dbde9050b8022ba9199f9c2a148be0fb

SHA1
a8901d41c0d9d4415f8829aba439e5820f07c57a

SHA256
92108942c92219292687bc0c85821757e2ab472eed634dda7d050d673247c652

SHA512
90548e3bf659fd22477f2d248b0d38cbc48b84c7cbf085fe29aab712d2c82e3a7dd06c66e7d1522588bcfa76aec045a9759add4ddc020ef838dfb1c6ac924394

Download Submit
\Windows\SysWOW64\wxph.exe

Filesize
263KB

MD5
7d1909a2cb716492690df4022b8c2002

SHA1
28e3d7dd087dede359cd9a31d758aa6abc462eb3

SHA256
1524b8ad723cb828c6676f6e0fe91325fa394453c52496cae696d03f21cc2432

SHA512
d2ac57c9ad6f90aea7f563eee332a2bc0d2d53d19b52877a9d39e85902239071c483fff9a48cfc70c801361235e5ae2828dde87a4ba4a26a491447aee0b6f88e

Download Submit
\Windows\SysWOW64\wxuthelra.exe

Filesize
264KB

MD5
b5d6669f8535f29492d996eb5c264ff8

SHA1
f94112d318c782b7b5091518273846306a36ed90

SHA256
48f9a8e011e0f86413254214ce4596af57d03a0f8778e5b7ebf2c466778ae503

SHA512
f98fcc242690f75cffabe00fc2d4b2a3c36d592e1011526077dd68a4ee4a1614f6176f0d74d0522ef2631b2d020c9c23f5d8becd15e53f7e9425d79433d374b3

Download Submit
memory/556-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-258-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/556-249-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1020-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1020-76-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/1020-85-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1020-84-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/1088-292-0x00000000037A0000-0x00000000037B7000-memory.dmp

Filesize
92KB

Download
memory/1088-294-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/1088-280-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1088-293-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/1204-248-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-247-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/1204-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-241-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/1204-246-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/1204-245-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/1332-170-0x0000000003D80000-0x0000000003D97000-memory.dmp

Filesize
92KB

Download
memory/1332-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1332-169-0x0000000003D80000-0x0000000003D97000-memory.dmp

Filesize
92KB

Download
memory/1332-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-125-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/1860-128-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-106-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-119-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/1936-278-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-276-0x0000000003910000-0x0000000003927000-memory.dmp

Filesize
92KB

Download
memory/1936-279-0x0000000003920000-0x0000000003937000-memory.dmp

Filesize
92KB

Download
memory/1936-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-277-0x0000000003920000-0x0000000003937000-memory.dmp

Filesize
92KB

Download
memory/1948-103-0x0000000003270000-0x0000000003287000-memory.dmp

Filesize
92KB

Download
memory/1948-105-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/1948-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1948-102-0x0000000003270000-0x0000000003287000-memory.dmp

Filesize
92KB

Download
memory/1948-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-147-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2140-146-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2140-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-149-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2172-191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-183-0x0000000003A80000-0x0000000003A97000-memory.dmp

Filesize
92KB

Download
memory/2172-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-192-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-211-0x0000000003380000-0x0000000003397000-memory.dmp

Filesize
92KB

Download
memory/2240-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-212-0x0000000003380000-0x0000000003397000-memory.dmp

Filesize
92KB

Download
memory/2240-269-0x0000000003380000-0x0000000003397000-memory.dmp

Filesize
92KB

Download
memory/2424-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2424-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2424-127-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2424-60-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2424-61-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2564-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-41-0x0000000003DB0000-0x0000000003DC7000-memory.dmp

Filesize
92KB

Download
memory/2564-40-0x0000000003DA0000-0x0000000003DB7000-memory.dmp

Filesize
92KB

Download
memory/3012-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-19-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/3012-12-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/3012-6-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/3016-232-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3016-230-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/3016-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download