72216569506577835b62dccb15612f790480a1240cb792030a547b0661177a63

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
Size

259KB
MD5

acc8a201f1ef7b2dbef0a5d37c2df7a1
SHA1

28c6e2be97eec741c5cbd2bd4429afe083696dd0
SHA256

72216569506577835b62dccb15612f790480a1240cb792030a547b0661177a63
SHA512

b395628d17af41efa8119daab6c8d8cd87a441e163a3a6528395b4f25b8144054905e0066342a2c44a00494bdb5a58b2a2dee6fb698e3a9045389637b6819872
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuK:ZY7xh6SZI4z7FSVpuK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2612	wshar.exe
2424	wgwsjn.exe
1380	wxu.exe
1572	wybyqo.exe
2000	waw.exe
2052	whgv.exe
1552	wwirsuq.exe
896	wlx.exe
2436	wdw.exe
2824	wniohwm.exe
300	wdsjvlrx.exe
1192	wixlr.exe
2272	whj.exe
2304	wtwtuky.exe
1328	wgowuc.exe
2952	wgkqi.exe
2740	wkrrtbgoy.exe
2596	wsj.exe
2276	wya.exe
2584	wahxre.exe
1656	wxdvud.exe
2388	wxbx.exe
2720	wkdmbvl.exe
1052	woio.exe
1932	wnjomffr.exe
3056	wax.exe
2384	wipa.exe
2224	weaqtk.exe
2588	wpotc.exe
2536	wlm.exe
2172	whxjfmiwf.exe
1056	wtywuiaxt.exe
704	woltm.exe
748	wfcimscy.exe
296	wjmqyirw.exe
2380	wiqat.exe
2108	wiyenrra.exe
2544	whjrkodg.exe
2608	wcjyjtbll.exe
2960	wsijqivas.exe
2536	wxmkkt.exe
472	wnygyi.exe
1580	wsqqavl.exe
2452	wipbije.exe
488	weniip.exe
2936	wqqwwlsr.exe
2012	wtyglbin.exe
2524	wpltaa.exe
2576	wgvnone.exe
1920	wlb.exe
860	wwdeyx.exe
1556	wstwsbwax.exe
324	wsekpyjgq.exe
1548	wieuwnevy.exe
3064	wyjjivim.exe
580	wla.exe
2220	wkjcnp.exe
2572	wbvwde.exe
2688	wkleuifeu.exe
2432	wacemrtk.exe
2864	wrisxbwb.exe
2712	wywbof.exe
2732	wdh.exe
1004	whploch.exe

Loads dropped DLL 64 IoCs

pid	Process
2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
2612	wshar.exe
2612	wshar.exe
2612	wshar.exe
2612	wshar.exe
2424	wgwsjn.exe
2424	wgwsjn.exe
2424	wgwsjn.exe
2424	wgwsjn.exe
1380	wxu.exe
1380	wxu.exe
1380	wxu.exe
1380	wxu.exe
1572	wybyqo.exe
1572	wybyqo.exe
1572	wybyqo.exe
1572	wybyqo.exe
2000	waw.exe
2000	waw.exe
2000	waw.exe
2000	waw.exe
2052	whgv.exe
2052	whgv.exe
2052	whgv.exe
2052	whgv.exe
1552	wwirsuq.exe
1552	wwirsuq.exe
1552	wwirsuq.exe
1552	wwirsuq.exe
896	wlx.exe
896	wlx.exe
896	wlx.exe
896	wlx.exe
2436	wdw.exe
2436	wdw.exe
2436	wdw.exe
2436	wdw.exe
2824	wniohwm.exe
2824	wniohwm.exe
2824	wniohwm.exe
2824	wniohwm.exe
300	wdsjvlrx.exe
300	wdsjvlrx.exe
300	wdsjvlrx.exe
300	wdsjvlrx.exe
1192	wixlr.exe
1192	wixlr.exe
1192	wixlr.exe
1192	wixlr.exe
2272	whj.exe
2272	whj.exe
2272	whj.exe
2272	whj.exe
2304	wtwtuky.exe
2304	wtwtuky.exe
2304	wtwtuky.exe
2304	wtwtuky.exe
1328	wgowuc.exe
1328	wgowuc.exe
1328	wgowuc.exe
1328	wgowuc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wlm.exe	wpotc.exe
File opened for modification	C:\Windows\SysWOW64\wiyenrra.exe	wiqat.exe
File created	C:\Windows\SysWOW64\whploch.exe	wdh.exe
File opened for modification	C:\Windows\SysWOW64\wvuh.exe	wwvdgerfk.exe
File opened for modification	C:\Windows\SysWOW64\wdnrvycr.exe	wyvguld.exe
File created	C:\Windows\SysWOW64\wdsjvlrx.exe	wniohwm.exe
File opened for modification	C:\Windows\SysWOW64\wipa.exe	wax.exe
File created	C:\Windows\SysWOW64\wvuh.exe	wwvdgerfk.exe
File created	C:\Windows\SysWOW64\wxdvud.exe	wahxre.exe
File opened for modification	C:\Windows\SysWOW64\wstwsbwax.exe	wwdeyx.exe
File created	C:\Windows\SysWOW64\wvyndqi.exe	wtpeobr.exe
File opened for modification	C:\Windows\SysWOW64\wrisxbwb.exe	wacemrtk.exe
File created	C:\Windows\SysWOW64\wipxjdg.exe	wgvxbawl.exe
File created	C:\Windows\SysWOW64\wfertc.exe	wsonjfi.exe
File created	C:\Windows\SysWOW64\wla.exe	wyjjivim.exe
File created	C:\Windows\SysWOW64\wgvxbawl.exe	wsheki.exe
File opened for modification	C:\Windows\SysWOW64\wdsjvlrx.exe	wniohwm.exe
File created	C:\Windows\SysWOW64\wnygyi.exe	wxmkkt.exe
File opened for modification	C:\Windows\SysWOW64\wpltaa.exe	wtyglbin.exe
File created	C:\Windows\SysWOW64\wshar.exe	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
File opened for modification	C:\Windows\SysWOW64\wsqqavl.exe	wnygyi.exe
File created	C:\Windows\SysWOW64\wgvnone.exe	wpltaa.exe
File created	C:\Windows\SysWOW64\wgkqi.exe	wgowuc.exe
File created	C:\Windows\SysWOW64\wywbof.exe	wrisxbwb.exe
File opened for modification	C:\Windows\SysWOW64\wpleoihn.exe	wdfkur.exe
File created	C:\Windows\SysWOW64\wxbx.exe	wxdvud.exe
File opened for modification	C:\Windows\SysWOW64\wiuavaeh.exe	wmwcbc.exe
File created	C:\Windows\SysWOW64\wsonjfi.exe	wseamjvj.exe
File opened for modification	C:\Windows\SysWOW64\wcjyjtbll.exe	whjrkodg.exe
File created	C:\Windows\SysWOW64\wyvguld.exe	wbms.exe
File created	C:\Windows\SysWOW64\wxl.exe	wepn.exe
File opened for modification	C:\Windows\SysWOW64\wtmcwro.exe	wiuavaeh.exe
File created	C:\Windows\SysWOW64\wfrwhmr.exe	wormyw.exe
File created	C:\Windows\SysWOW64\wcbpo.exe	wipxjdg.exe
File opened for modification	C:\Windows\SysWOW64\wuibant.exe	wvyndqi.exe
File created	C:\Windows\SysWOW64\wisqiekf.exe	wmhad.exe
File created	C:\Windows\SysWOW64\wrwothbl.exe	wisqiekf.exe
File created	C:\Windows\SysWOW64\wgwsjn.exe	wshar.exe
File created	C:\Windows\SysWOW64\wlx.exe	wwirsuq.exe
File opened for modification	C:\Windows\SysWOW64\wwdeyx.exe	wlb.exe
File created	C:\Windows\SysWOW64\wniohwm.exe	wdw.exe
File opened for modification	C:\Windows\SysWOW64\wwvdgerfk.exe	wwgovjxox.exe
File created	C:\Windows\SysWOW64\wpleoihn.exe	wdfkur.exe
File opened for modification	C:\Windows\SysWOW64\wixlr.exe	wdsjvlrx.exe
File opened for modification	C:\Windows\SysWOW64\wyjjivim.exe	wieuwnevy.exe
File opened for modification	C:\Windows\SysWOW64\wpsnysve.exe	wgmqopf.exe
File created	C:\Windows\SysWOW64\wbrwtcv.exe	wjcju.exe
File opened for modification	C:\Windows\SysWOW64\wuerubvg.exe	wfrwhmr.exe
File opened for modification	C:\Windows\SysWOW64\wvdbbp.exe	wfertc.exe
File opened for modification	C:\Windows\SysWOW64\whgv.exe	waw.exe
File created	C:\Windows\SysWOW64\wiqat.exe	wjmqyirw.exe
File created	C:\Windows\SysWOW64\wacemrtk.exe	wkleuifeu.exe
File created	C:\Windows\SysWOW64\wkdmbvl.exe	wxbx.exe
File opened for modification	C:\Windows\SysWOW64\wbvwde.exe	wkjcnp.exe
File created	C:\Windows\SysWOW64\woltm.exe	wtywuiaxt.exe
File opened for modification	C:\Windows\SysWOW64\wedkbvon.exe	wxl.exe
File created	C:\Windows\SysWOW64\wwgovjxox.exe	wvajso.exe
File created	C:\Windows\SysWOW64\wiuavaeh.exe	wmwcbc.exe
File created	C:\Windows\SysWOW64\wpsnysve.exe	wgmqopf.exe
File opened for modification	C:\Windows\SysWOW64\wymbiplc.exe	wuerubvg.exe
File opened for modification	C:\Windows\SysWOW64\whjrkodg.exe	wiyenrra.exe
File opened for modification	C:\Windows\SysWOW64\wywbof.exe	wrisxbwb.exe
File opened for modification	C:\Windows\SysWOW64\whploch.exe	wdh.exe
File created	C:\Windows\SysWOW64\wikncbie.exe	wucxygj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	1892	WerFault.exe	260

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2612	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	28
PID 2204 wrote to memory of 2612	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	28
PID 2204 wrote to memory of 2612	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	28
PID 2204 wrote to memory of 2612	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	28
PID 2204 wrote to memory of 2636	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	29
PID 2204 wrote to memory of 2636	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	29
PID 2204 wrote to memory of 2636	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	29
PID 2204 wrote to memory of 2636	2204	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	29
PID 2612 wrote to memory of 2424	2612	wshar.exe	31
PID 2612 wrote to memory of 2424	2612	wshar.exe	31
PID 2612 wrote to memory of 2424	2612	wshar.exe	31
PID 2612 wrote to memory of 2424	2612	wshar.exe	31
PID 2612 wrote to memory of 2124	2612	wshar.exe	33
PID 2612 wrote to memory of 2124	2612	wshar.exe	33
PID 2612 wrote to memory of 2124	2612	wshar.exe	33
PID 2612 wrote to memory of 2124	2612	wshar.exe	33
PID 2424 wrote to memory of 1380	2424	wgwsjn.exe	34
PID 2424 wrote to memory of 1380	2424	wgwsjn.exe	34
PID 2424 wrote to memory of 1380	2424	wgwsjn.exe	34
PID 2424 wrote to memory of 1380	2424	wgwsjn.exe	34
PID 2424 wrote to memory of 1776	2424	wgwsjn.exe	35
PID 2424 wrote to memory of 1776	2424	wgwsjn.exe	35
PID 2424 wrote to memory of 1776	2424	wgwsjn.exe	35
PID 2424 wrote to memory of 1776	2424	wgwsjn.exe	35
PID 1380 wrote to memory of 1572	1380	wxu.exe	37
PID 1380 wrote to memory of 1572	1380	wxu.exe	37
PID 1380 wrote to memory of 1572	1380	wxu.exe	37
PID 1380 wrote to memory of 1572	1380	wxu.exe	37
PID 1380 wrote to memory of 2484	1380	wxu.exe	38
PID 1380 wrote to memory of 2484	1380	wxu.exe	38
PID 1380 wrote to memory of 2484	1380	wxu.exe	38
PID 1380 wrote to memory of 2484	1380	wxu.exe	38
PID 1572 wrote to memory of 2000	1572	wybyqo.exe	41
PID 1572 wrote to memory of 2000	1572	wybyqo.exe	41
PID 1572 wrote to memory of 2000	1572	wybyqo.exe	41
PID 1572 wrote to memory of 2000	1572	wybyqo.exe	41
PID 1572 wrote to memory of 692	1572	wybyqo.exe	42
PID 1572 wrote to memory of 692	1572	wybyqo.exe	42
PID 1572 wrote to memory of 692	1572	wybyqo.exe	42
PID 1572 wrote to memory of 692	1572	wybyqo.exe	42
PID 2000 wrote to memory of 2052	2000	waw.exe	44
PID 2000 wrote to memory of 2052	2000	waw.exe	44
PID 2000 wrote to memory of 2052	2000	waw.exe	44
PID 2000 wrote to memory of 2052	2000	waw.exe	44
PID 2000 wrote to memory of 852	2000	waw.exe	45
PID 2000 wrote to memory of 852	2000	waw.exe	45
PID 2000 wrote to memory of 852	2000	waw.exe	45
PID 2000 wrote to memory of 852	2000	waw.exe	45
PID 2052 wrote to memory of 1552	2052	whgv.exe	47
PID 2052 wrote to memory of 1552	2052	whgv.exe	47
PID 2052 wrote to memory of 1552	2052	whgv.exe	47
PID 2052 wrote to memory of 1552	2052	whgv.exe	47
PID 2052 wrote to memory of 2908	2052	whgv.exe	48
PID 2052 wrote to memory of 2908	2052	whgv.exe	48
PID 2052 wrote to memory of 2908	2052	whgv.exe	48
PID 2052 wrote to memory of 2908	2052	whgv.exe	48
PID 1552 wrote to memory of 896	1552	wwirsuq.exe	51
PID 1552 wrote to memory of 896	1552	wwirsuq.exe	51
PID 1552 wrote to memory of 896	1552	wwirsuq.exe	51
PID 1552 wrote to memory of 896	1552	wwirsuq.exe	51
PID 1552 wrote to memory of 1540	1552	wwirsuq.exe	52
PID 1552 wrote to memory of 1540	1552	wwirsuq.exe	52
PID 1552 wrote to memory of 1540	1552	wwirsuq.exe	52
PID 1552 wrote to memory of 1540	1552	wwirsuq.exe	52

C:\Users\Admin\AppData\Local\Temp\acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
"C:\Users\Admin\AppData\Local\Temp\acc8a201f1ef7b2dbef0a5d37c2df7a1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\wshar.exe
  "C:\Windows\system32\wshar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\wgwsjn.exe
    "C:\Windows\system32\wgwsjn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\wxu.exe
      "C:\Windows\system32\wxu.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\SysWOW64\wybyqo.exe
        
        "C:\Windows\system32\wybyqo.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\SysWOW64\waw.exe
        
        "C:\Windows\system32\waw.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\whgv.exe
        
        "C:\Windows\system32\whgv.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\wwirsuq.exe
        
        "C:\Windows\system32\wwirsuq.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\wlx.exe
        
        "C:\Windows\system32\wlx.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:896
        
        C:\Windows\SysWOW64\wdw.exe
        
        "C:\Windows\system32\wdw.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\wniohwm.exe
        
        "C:\Windows\system32\wniohwm.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\wdsjvlrx.exe
        
        "C:\Windows\system32\wdsjvlrx.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:300
        
        C:\Windows\SysWOW64\wixlr.exe
        
        "C:\Windows\system32\wixlr.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1192
        
        C:\Windows\SysWOW64\whj.exe
        
        "C:\Windows\system32\whj.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2272
        
        C:\Windows\SysWOW64\wtwtuky.exe
        
        "C:\Windows\system32\wtwtuky.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2304
        
        C:\Windows\SysWOW64\wgowuc.exe
        
        "C:\Windows\system32\wgowuc.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\wgkqi.exe
        
        "C:\Windows\system32\wgkqi.exe"
        17⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\wkrrtbgoy.exe
        
        "C:\Windows\system32\wkrrtbgoy.exe"
        18⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\wsj.exe
        
        "C:\Windows\system32\wsj.exe"
        19⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\wya.exe
        
        "C:\Windows\system32\wya.exe"
        20⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\wahxre.exe
        
        "C:\Windows\system32\wahxre.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\wxdvud.exe
        
        "C:\Windows\system32\wxdvud.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\wxbx.exe
        
        "C:\Windows\system32\wxbx.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\wkdmbvl.exe
        
        "C:\Windows\system32\wkdmbvl.exe"
        24⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\woio.exe
        
        "C:\Windows\system32\woio.exe"
        25⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\wnjomffr.exe
        
        "C:\Windows\system32\wnjomffr.exe"
        26⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\wax.exe
        
        "C:\Windows\system32\wax.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\wipa.exe
        
        "C:\Windows\system32\wipa.exe"
        28⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\weaqtk.exe
        
        "C:\Windows\system32\weaqtk.exe"
        29⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\wpotc.exe
        
        "C:\Windows\system32\wpotc.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\wlm.exe
        
        "C:\Windows\system32\wlm.exe"
        31⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\whxjfmiwf.exe
        
        "C:\Windows\system32\whxjfmiwf.exe"
        32⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\wtywuiaxt.exe
        
        "C:\Windows\system32\wtywuiaxt.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\woltm.exe
        
        "C:\Windows\system32\woltm.exe"
        34⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\SysWOW64\wfcimscy.exe
        
        "C:\Windows\system32\wfcimscy.exe"
        35⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\wjmqyirw.exe
        
        "C:\Windows\system32\wjmqyirw.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:296
        
        C:\Windows\SysWOW64\wiqat.exe
        
        "C:\Windows\system32\wiqat.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\wiyenrra.exe
        
        "C:\Windows\system32\wiyenrra.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\whjrkodg.exe
        
        "C:\Windows\system32\whjrkodg.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wcjyjtbll.exe
        
        "C:\Windows\system32\wcjyjtbll.exe"
        40⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\wsijqivas.exe
        
        "C:\Windows\system32\wsijqivas.exe"
        41⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\wxmkkt.exe
        
        "C:\Windows\system32\wxmkkt.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\wnygyi.exe
        
        "C:\Windows\system32\wnygyi.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:472
        
        C:\Windows\SysWOW64\wsqqavl.exe
        
        "C:\Windows\system32\wsqqavl.exe"
        44⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\wipbije.exe
        
        "C:\Windows\system32\wipbije.exe"
        45⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\weniip.exe
        
        "C:\Windows\system32\weniip.exe"
        46⤵
        Executes dropped EXE
        
        PID:488
        
        C:\Windows\SysWOW64\wqqwwlsr.exe
        
        "C:\Windows\system32\wqqwwlsr.exe"
        47⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\wtyglbin.exe
        
        "C:\Windows\system32\wtyglbin.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\wpltaa.exe
        
        "C:\Windows\system32\wpltaa.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\wgvnone.exe
        
        "C:\Windows\system32\wgvnone.exe"
        50⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\wlb.exe
        
        "C:\Windows\system32\wlb.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\wwdeyx.exe
        
        "C:\Windows\system32\wwdeyx.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\wstwsbwax.exe
        
        "C:\Windows\system32\wstwsbwax.exe"
        53⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\wsekpyjgq.exe
        
        "C:\Windows\system32\wsekpyjgq.exe"
        54⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\wieuwnevy.exe
        
        "C:\Windows\system32\wieuwnevy.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wyjjivim.exe
        
        "C:\Windows\system32\wyjjivim.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wla.exe
        
        "C:\Windows\system32\wla.exe"
        57⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wla.exe"
        58⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\wkjcnp.exe
        
        "C:\Windows\system32\wkjcnp.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\wbvwde.exe
        
        "C:\Windows\system32\wbvwde.exe"
        59⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\wkleuifeu.exe
        
        "C:\Windows\system32\wkleuifeu.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\wacemrtk.exe
        
        "C:\Windows\system32\wacemrtk.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\wrisxbwb.exe
        
        "C:\Windows\system32\wrisxbwb.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\wywbof.exe
        
        "C:\Windows\system32\wywbof.exe"
        63⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\wdh.exe
        
        "C:\Windows\system32\wdh.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\whploch.exe
        
        "C:\Windows\system32\whploch.exe"
        65⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\wfyyla.exe
        
        "C:\Windows\system32\wfyyla.exe"
        66⤵
        
        PID:892
        
        C:\Windows\SysWOW64\wvajso.exe
        
        "C:\Windows\system32\wvajso.exe"
        67⤵
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\wwgovjxox.exe
        
        "C:\Windows\system32\wwgovjxox.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wwvdgerfk.exe
        
        "C:\Windows\system32\wwvdgerfk.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wvuh.exe
        
        "C:\Windows\system32\wvuh.exe"
        70⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\wbms.exe
        
        "C:\Windows\system32\wbms.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\wyvguld.exe
        
        "C:\Windows\system32\wyvguld.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\wdnrvycr.exe
        
        "C:\Windows\system32\wdnrvycr.exe"
        73⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\wepn.exe
        
        "C:\Windows\system32\wepn.exe"
        74⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\wxl.exe
        
        "C:\Windows\system32\wxl.exe"
        75⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\wedkbvon.exe
        
        "C:\Windows\system32\wedkbvon.exe"
        76⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\wuevh.exe
        
        "C:\Windows\system32\wuevh.exe"
        77⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\wucxygj.exe
        
        "C:\Windows\system32\wucxygj.exe"
        78⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\wikncbie.exe
        
        "C:\Windows\system32\wikncbie.exe"
        79⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\whirrxjxp.exe
        
        "C:\Windows\system32\whirrxjxp.exe"
        80⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\wtkfhuywe.exe
        
        "C:\Windows\system32\wtkfhuywe.exe"
        81⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\wiedchqrk.exe
        
        "C:\Windows\system32\wiedchqrk.exe"
        82⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\wde.exe
        
        "C:\Windows\system32\wde.exe"
        83⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\wtpeobr.exe
        
        "C:\Windows\system32\wtpeobr.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\wvyndqi.exe
        
        "C:\Windows\system32\wvyndqi.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\wuibant.exe
        
        "C:\Windows\system32\wuibant.exe"
        86⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\wmwcbc.exe
        
        "C:\Windows\system32\wmwcbc.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\wiuavaeh.exe
        
        "C:\Windows\system32\wiuavaeh.exe"
        88⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\wtmcwro.exe
        
        "C:\Windows\system32\wtmcwro.exe"
        89⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\wgmqopf.exe
        
        "C:\Windows\system32\wgmqopf.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\wpsnysve.exe
        
        "C:\Windows\system32\wpsnysve.exe"
        91⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\woccvqi.exe
        
        "C:\Windows\system32\woccvqi.exe"
        92⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\wjcju.exe
        
        "C:\Windows\system32\wjcju.exe"
        93⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\wbrwtcv.exe
        
        "C:\Windows\system32\wbrwtcv.exe"
        94⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\wmhad.exe
        
        "C:\Windows\system32\wmhad.exe"
        95⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhad.exe"
        96⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\wisqiekf.exe
        
        "C:\Windows\system32\wisqiekf.exe"
        96⤵
        Drops file in System32 directory
        
        PID:276
        
        C:\Windows\SysWOW64\wrwothbl.exe
        
        "C:\Windows\system32\wrwothbl.exe"
        97⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\wiwacvubl.exe
        
        "C:\Windows\system32\wiwacvubl.exe"
        98⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\whfevmjj.exe
        
        "C:\Windows\system32\whfevmjj.exe"
        99⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\wdfkur.exe
        
        "C:\Windows\system32\wdfkur.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\wpleoihn.exe
        
        "C:\Windows\system32\wpleoihn.exe"
        101⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\wptiiavv.exe
        
        "C:\Windows\system32\wptiiavv.exe"
        102⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\wormyw.exe
        
        "C:\Windows\system32\wormyw.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\wfrwhmr.exe
        
        "C:\Windows\system32\wfrwhmr.exe"
        104⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\wuerubvg.exe
        
        "C:\Windows\system32\wuerubvg.exe"
        105⤵
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\wymbiplc.exe
        
        "C:\Windows\system32\wymbiplc.exe"
        106⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\wdvjweca.exe
        
        "C:\Windows\system32\wdvjweca.exe"
        107⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\wplogah.exe
        
        "C:\Windows\system32\wplogah.exe"
        108⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\wsheki.exe
        
        "C:\Windows\system32\wsheki.exe"
        109⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\wgvxbawl.exe
        
        "C:\Windows\system32\wgvxbawl.exe"
        110⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\wipxjdg.exe
        
        "C:\Windows\system32\wipxjdg.exe"
        111⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\wcbpo.exe
        
        "C:\Windows\system32\wcbpo.exe"
        112⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\wxbxnpm.exe
        
        "C:\Windows\system32\wxbxnpm.exe"
        113⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbxnpm.exe"
        114⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\wkbldlc.exe
        
        "C:\Windows\system32\wkbldlc.exe"
        114⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\wseamjvj.exe
        
        "C:\Windows\system32\wseamjvj.exe"
        115⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\wsonjfi.exe
        
        "C:\Windows\system32\wsonjfi.exe"
        116⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wfertc.exe
        
        "C:\Windows\system32\wfertc.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\wvdbbp.exe
        
        "C:\Windows\system32\wvdbbp.exe"
        118⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\wbtbja.exe
        
        "C:\Windows\system32\wbtbja.exe"
        119⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\wjppey.exe
        
        "C:\Windows\system32\wjppey.exe"
        120⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtbja.exe"
        120⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdbbp.exe"
        119⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfertc.exe"
        118⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsonjfi.exe"
        117⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wseamjvj.exe"
        116⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbldlc.exe"
        115⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbpo.exe"
        113⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipxjdg.exe"
        112⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvxbawl.exe"
        111⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsheki.exe"
        110⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplogah.exe"
        109⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvjweca.exe"
        108⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymbiplc.exe"
        107⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuerubvg.exe"
        106⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrwhmr.exe"
        105⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wormyw.exe"
        104⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptiiavv.exe"
        103⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpleoihn.exe"
        102⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfkur.exe"
        101⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfevmjj.exe"
        100⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwacvubl.exe"
        99⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwothbl.exe"
        98⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisqiekf.exe"
        97⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrwtcv.exe"
        95⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcju.exe"
        94⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woccvqi.exe"
        93⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpsnysve.exe"
        92⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmqopf.exe"
        91⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmcwro.exe"
        90⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuavaeh.exe"
        89⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwcbc.exe"
        88⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuibant.exe"
        87⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyndqi.exe"
        86⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpeobr.exe"
        85⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wde.exe"
        84⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiedchqrk.exe"
        83⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkfhuywe.exe"
        82⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirrxjxp.exe"
        81⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikncbie.exe"
        80⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucxygj.exe"
        79⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 808
        79⤵
        Program crash
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuevh.exe"
        78⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedkbvon.exe"
        77⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxl.exe"
        76⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepn.exe"
        75⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnrvycr.exe"
        74⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvguld.exe"
        73⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbms.exe"
        72⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuh.exe"
        71⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvdgerfk.exe"
        70⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgovjxox.exe"
        69⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvajso.exe"
        68⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyyla.exe"
        67⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whploch.exe"
        66⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdh.exe"
        65⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywbof.exe"
        64⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrisxbwb.exe"
        63⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacemrtk.exe"
        62⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkleuifeu.exe"
        61⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvwde.exe"
        60⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjcnp.exe"
        59⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjjivim.exe"
        57⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wieuwnevy.exe"
        56⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsekpyjgq.exe"
        55⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstwsbwax.exe"
        54⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdeyx.exe"
        53⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlb.exe"
        52⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvnone.exe"
        51⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpltaa.exe"
        50⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyglbin.exe"
        49⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqwwlsr.exe"
        48⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weniip.exe"
        47⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipbije.exe"
        46⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqqavl.exe"
        45⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnygyi.exe"
        44⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmkkt.exe"
        43⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsijqivas.exe"
        42⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjyjtbll.exe"
        41⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjrkodg.exe"
        40⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyenrra.exe"
        39⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqat.exe"
        38⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmqyirw.exe"
        37⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfcimscy.exe"
        36⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woltm.exe"
        35⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtywuiaxt.exe"
        34⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxjfmiwf.exe"
        33⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlm.exe"
        32⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpotc.exe"
        31⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weaqtk.exe"
        30⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipa.exe"
        29⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wax.exe"
        28⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjomffr.exe"
        27⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woio.exe"
        26⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkdmbvl.exe"
        25⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbx.exe"
        24⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdvud.exe"
        23⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahxre.exe"
        22⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wya.exe"
        21⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsj.exe"
        20⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrrtbgoy.exe"
        19⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkqi.exe"
        18⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgowuc.exe"
        17⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwtuky.exe"
        16⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whj.exe"
        15⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixlr.exe"
        14⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsjvlrx.exe"
        13⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wniohwm.exe"
        12⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdw.exe"
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlx.exe"
        10⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwirsuq.exe"
        9⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgv.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waw.exe"
        7⤵
        
        PID:852
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybyqo.exe"
        6⤵
        
        PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxu.exe"
        5⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwsjn.exe"
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshar.exe"
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\acc8a201f1ef7b2dbef0a5d37c2df7a1.exe"
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ANNIL7AO.txt

Filesize
97B

MD5
28c7645b05676023d33ed22388ebf768

SHA1
722d9b55dbd558dcd1c0e1f13ad0fda3371f877a

SHA256
0e2916e7d61e1b62284c4f6faaa1b0d9d9d7d2ee6a53c8ebcb00ed2702cf0079

SHA512
76709875fb51913be7f2cc0b3e05e37185db2b7c334829938a6633bdb9a86cb83e3d336f502f1c68df93bf74b230e5ac40b0d284d4f1562e9afd2d6d18143531

Download Submit
\Windows\SysWOW64\waw.exe

Filesize
259KB

MD5
60394ea3c4742aa059fa55591800bb41

SHA1
a60f714c1df4184d92e9ee696ba7107f8fab2418

SHA256
68d7a2b414ccfccf898e96a073ba39c0adc042fa59fcbf8c4f4dde170e8b8c5b

SHA512
32d68070c66b86b7ec23f50f970f95d0c1bc8e80b83fd093a340c10fe9a0d994e3e6dab3519d72dca683344c93d52fa4c468d04ff6cd55ca8a9f7b6509f2c36b

Download Submit
\Windows\SysWOW64\wdsjvlrx.exe

Filesize
260KB

MD5
c8cfe1e431b173a0e18637361d4a2f5b

SHA1
c19f9300bd30dde3d7c8d39a77026d80edcd76b3

SHA256
9797e83105a1e7223e89d0d436767eaf38a1510305d77a731a86b4283921a2a5

SHA512
62d6e90cc4515685160d249a438d85c768fa40a47284c4f890e9a1809584738033ec26bb0037c04722c3952ee9397046fa6c664f6e884a1d4892d7ade61d074c

Download Submit
\Windows\SysWOW64\wdw.exe

Filesize
260KB

MD5
919d297e51d7c368c5d53ffc4396a4f2

SHA1
6d8bf0e75a442d9ab254a918bd2ba1751ce9f9e0

SHA256
c3c3f8d1f4fd977aa462adeb22ac4b8b9f3e40b18100a082259a1ca4d771fddb

SHA512
2fb4b5ef0b5020190ade9624fb26784987e71c705dc372317dd5bf61dd61aff9466950509a7ffe3541c2fe8b3d19bad75d5fdc8316ef7afe47c67151ed7b3a07

Download Submit
\Windows\SysWOW64\wgwsjn.exe

Filesize
259KB

MD5
528484a12496151ad34fe88bba9e7c22

SHA1
3ccc2873ca23580c8ebb8ea6ca4ab7538d256a59

SHA256
3ba62678758955b6170b346851cc4fe1bec4ea0a5b2f51f238e37dc94fdbd4ec

SHA512
59141f47eeff5a29743b398d49c5437b4e128b14669f141a8422530e724ac7e95de906566af582f421b9c39a1c08037a50beed77f564962e39d5910a4cd5e7c2

Download Submit
\Windows\SysWOW64\whgv.exe

Filesize
260KB

MD5
d83270b92e06d0f3bda9993b1727767f

SHA1
b247c43d59e3c08612634c19333a9629d5261fac

SHA256
d0413c2928d3951786f72aac41b40d7de25a6743c46841ebec6ad3d884268e0a

SHA512
fc2b33289b823291d9103114150fd44be72afb0d9630881bece7d910ea6227d848baec538a0deaf3b8225355dd49a867254dd3146f043437f570fa21eefa1379

Download Submit
\Windows\SysWOW64\wlx.exe

Filesize
260KB

MD5
5e3e37811b02f6265345ac87081fb43f

SHA1
b373dfef4d183fb5926e2806d9f398bd0e2bc22f

SHA256
57145e088171eddf47dfd963033444f9626540a41456ac8587c8285321697a33

SHA512
117e4193582cde817bc09108481d79962c7fdd9590637d9d1dce96d1cad8e35c0118b74d28e5951745d038aa5d1d8940807c0f81bc2356efdf0a80a87cae05a3

Download Submit
\Windows\SysWOW64\wniohwm.exe

Filesize
260KB

MD5
ec282be25c0c6918639009d5314677d9

SHA1
3e83107b883b000c0ac813ca4fdd34ea02668775

SHA256
652d93e96c866a85d05ccfe2e2f28fd0d502fb2f9f0f6ffc8c0bec7d5efaaadf

SHA512
a02d4abc963bf9cac0488c665a54356d460d41ad9f70d3b28621e15bb544ce150a682c2c818643e1ecfa8e0d4f60cb6a8b1ca8b9e083c015960009ccc2ba8446

Download Submit
\Windows\SysWOW64\wshar.exe

Filesize
259KB

MD5
9907c5f89cbe90788918c05e87d86fd6

SHA1
1c70c5342e0dfe75b75c407179133146a280f935

SHA256
1091a9ce051e5e765dfab2b87c8b78c658aada046de987bf44f579e61d3e6141

SHA512
c441b4e93b235714b427930d0aa5ae3e3142287dad5267ae5974e4d56f2f0cd7e66dc915527c212b1acefb3ee4f235843edf124a0d0b287fec84a84f85fad7a4

Download Submit
\Windows\SysWOW64\wwirsuq.exe

Filesize
260KB

MD5
50b617f0f7a85cb337d2760395b45b73

SHA1
b73769681b1983efb43a5e45a27c1ed746bac481

SHA256
5a9f9bd53df91b150862e120dc610ecab01694331f8b762b8ef69a05ae778a8d

SHA512
1b36b0bf2dfad71117fa8c9ea012fb69723e1a20d17c39c601421aae1fef4b39f53c03b6abfd0acc26b39cb527c1f766df8e6c494fe8184f32793af2cfda07cf

Download Submit
\Windows\SysWOW64\wxu.exe

Filesize
259KB

MD5
47d66903bff2f965366e946bd6b60b7e

SHA1
22cc6835baa4ee8b7b82dce227d0374739b9c207

SHA256
20ac18b6e669767564b2d2893e8f2a276a8cfd1f0e56b23e906445f65333da0e

SHA512
74fba96248e727fcc7852ce3d4fead18a2d4967c01ab4971eb9133fba2966766d72ef0a1d5bfc01012d902faacd627c55cae5a81e94fcbc73fda0765f24bca0a

Download Submit
\Windows\SysWOW64\wybyqo.exe

Filesize
259KB

MD5
584f7f0b4b0693e2b3ed18d7f4807313

SHA1
7b5a1e7edf68028fa74c67e7e4f78ab0b6bc56ed

SHA256
6ca115b0cbf4b7dd27ed7fcc50c4b11b48630bcd5c0e0be9faafd795854e6abf

SHA512
b78860b310d735ba313129381e510fbf7e76b4ac32c3553f2de7aa1ddd9bf6f892848dd8f5d5b0e337feef7f31dd26aebdfc9507f9c03851220cbb9977799f9b

Download Submit
memory/300-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/300-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/300-248-0x0000000003480000-0x0000000003497000-memory.dmp

Filesize
92KB

Download
memory/300-246-0x0000000000B80000-0x0000000000B97000-memory.dmp

Filesize
92KB

Download
memory/300-247-0x0000000000B80000-0x0000000000B97000-memory.dmp

Filesize
92KB

Download
memory/896-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/896-191-0x00000000037B0000-0x00000000037C7000-memory.dmp

Filesize
92KB

Download
memory/896-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-260-0x0000000003520000-0x0000000003537000-memory.dmp

Filesize
92KB

Download
memory/1192-258-0x0000000003520000-0x0000000003537000-memory.dmp

Filesize
92KB

Download
memory/1192-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-249-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-264-0x00000000036B0000-0x00000000036C7000-memory.dmp

Filesize
92KB

Download
memory/1380-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1380-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1380-85-0x0000000003B00000-0x0000000003B17000-memory.dmp

Filesize
92KB

Download
memory/1380-84-0x0000000003B00000-0x0000000003B17000-memory.dmp

Filesize
92KB

Download
memory/1552-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1552-169-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/1552-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1552-231-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/1552-171-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/1572-109-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1572-105-0x0000000002310000-0x0000000002327000-memory.dmp

Filesize
92KB

Download
memory/1572-106-0x0000000003D70000-0x0000000003D87000-memory.dmp

Filesize
92KB

Download
memory/1572-87-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-127-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2000-126-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2000-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-149-0x0000000003390000-0x00000000033A7000-memory.dmp

Filesize
92KB

Download
memory/2052-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-148-0x00000000033A0000-0x00000000033B7000-memory.dmp

Filesize
92KB

Download
memory/2052-147-0x00000000033A0000-0x00000000033B7000-memory.dmp

Filesize
92KB

Download
memory/2052-136-0x0000000003390000-0x00000000033A7000-memory.dmp

Filesize
92KB

Download
memory/2204-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-11-0x00000000021A0000-0x00000000021B7000-memory.dmp

Filesize
92KB

Download
memory/2204-19-0x0000000003F10000-0x0000000003F27000-memory.dmp

Filesize
92KB

Download
memory/2204-18-0x0000000003F10000-0x0000000003F27000-memory.dmp

Filesize
92KB

Download
memory/2204-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2272-279-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2272-277-0x0000000004170000-0x0000000004187000-memory.dmp

Filesize
92KB

Download
memory/2272-278-0x0000000004170000-0x0000000004187000-memory.dmp

Filesize
92KB

Download
memory/2304-292-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2304-280-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2304-294-0x0000000003D30000-0x0000000003D47000-memory.dmp

Filesize
92KB

Download
memory/2304-293-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2424-63-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2424-52-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2424-64-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2424-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2424-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-211-0x00000000023A0000-0x00000000023B7000-memory.dmp

Filesize
92KB

Download
memory/2436-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-212-0x00000000023B0000-0x00000000023C7000-memory.dmp

Filesize
92KB

Download
memory/2436-194-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-43-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2612-41-0x0000000002320000-0x0000000002337000-memory.dmp

Filesize
92KB

Download
memory/2612-40-0x0000000002320000-0x0000000002337000-memory.dmp

Filesize
92KB

Download
memory/2612-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-232-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-233-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/2824-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download