91a63b622904cbe324975ceae8ddfd1c0c22c549b728d5cde1f6ce24f8c78eaa

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
Size

40KB
MD5

00b28c98a10ec90e91f8dfae7d40d550
SHA1

69648c5c98f98a9b7af26840cae8349b90fb524c
SHA256

91a63b622904cbe324975ceae8ddfd1c0c22c549b728d5cde1f6ce24f8c78eaa
SHA512

12e15fc77c4847501a9a3fa1d461199ac853250848e9247e107e5a2d49ad22df6ccac227edc2f54cda81f7ef60acf8d6169173d919cc0622914a4aadfd6e8625
SSDEEP

768:yiYoIfHbL8KatMHv+7dwwaleRp2OuyamBlabCY787fsBI21FX:XbyYt7LagG3N13oDWh1N

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2136	wgwsjn.exe
2208	wnqpr.exe
2972	wbm.exe
1608	winpdg.exe
2900	wrjnqf.exe
788	wgtwoua.exe
2928	wjgsl.exe
1492	wsdpxh.exe
1228	wrtuqe.exe
2960	wwqvml.exe
2460	wqheo.exe
1192	wyt.exe
1392	wchnyv.exe
912	wctvpo.exe
1632	wifnd.exe
568	wrbkrs.exe
664	wydr.exe
2132	wspuo.exe
2168	wdcht.exe
1952	wnlu.exe
1500	wsoeoa.exe
2508	wylgkg.exe
776	wrdol.exe
1968	wlxe.exe
768	wrjuwag.exe
2408	wecwgtqw.exe
2536	wbelgrun.exe
2696	wdqfeho.exe
2572	wncsjf.exe
1844	wlx.exe
1780	wdabkbuny.exe
2096	wjb.exe
1736	wxwbww.exe
912	wmsvbol.exe
2868	wxmkkt.exe
844	wao.exe
2880	wbbkd.exe
2560	wadlkebo.exe
2524	wxeajagf.exe
2112	wfehrg.exe
2968	wcpjob.exe
908	wllhbxv.exe
1084	wukrhb.exe
1752	womip.exe
996	wlnxo.exe
2684	wakr.exe
288	wkgpgsmx.exe
1672	wlsjdh.exe
2228	wssrkmsm.exe
2844	wlyqmuvr.exe
2516	wnbcdj.exe
1860	wxlqjg.exe
2184	whiyp.exe
768	wivumx.exe
2676	wwroqnyye.exe
2536	wdcgguvi.exe
1588	woptmsxh.exe
1424	wpqed.exe
988	wymcpf.exe
2572	woiwtvgd.exe
2352	wcepwl.exe
1484	wkewfriy.exe
1716	wocxbxqw.exe
1544	wymmgwrwt.exe

Loads dropped DLL 64 IoCs

pid	Process
2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
2136	wgwsjn.exe
2136	wgwsjn.exe
2136	wgwsjn.exe
2136	wgwsjn.exe
2136	wgwsjn.exe
2208	wnqpr.exe
2208	wnqpr.exe
2208	wnqpr.exe
2208	wnqpr.exe
2208	wnqpr.exe
2972	wbm.exe
2972	wbm.exe
2972	wbm.exe
2972	wbm.exe
2972	wbm.exe
1608	winpdg.exe
1608	winpdg.exe
1608	winpdg.exe
1608	winpdg.exe
1608	winpdg.exe
2900	wrjnqf.exe
2900	wrjnqf.exe
2900	wrjnqf.exe
2900	wrjnqf.exe
2900	wrjnqf.exe
788	wgtwoua.exe
788	wgtwoua.exe
788	wgtwoua.exe
788	wgtwoua.exe
788	wgtwoua.exe
2928	wjgsl.exe
2928	wjgsl.exe
2928	wjgsl.exe
2928	wjgsl.exe
2928	wjgsl.exe
1492	wsdpxh.exe
1492	wsdpxh.exe
1492	wsdpxh.exe
1492	wsdpxh.exe
1492	wsdpxh.exe
1228	wrtuqe.exe
1228	wrtuqe.exe
1228	wrtuqe.exe
1228	wrtuqe.exe
1228	wrtuqe.exe
2960	wwqvml.exe
2960	wwqvml.exe
2960	wwqvml.exe
2960	wwqvml.exe
2960	wwqvml.exe
2460	wqheo.exe
2460	wqheo.exe
2460	wqheo.exe
2460	wqheo.exe
2460	wqheo.exe
1192	wyt.exe
1192	wyt.exe
1192	wyt.exe
1192	wyt.exe
1192	wyt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000d00000001227f-5.dat	upx
behavioral1/memory/2028-21-0x0000000003730000-0x000000000373B000-memory.dmp	upx
behavioral1/memory/2136-20-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2028-23-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x003900000001340e-29.dat	upx
behavioral1/memory/2208-47-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2136-50-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000c00000001344f-64.dat	upx
behavioral1/memory/2208-73-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2972-74-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000e00000001227f-81.dat	upx
behavioral1/memory/2972-97-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1608-95-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x003a00000001340e-102.dat	upx
behavioral1/memory/1608-116-0x0000000003AB0000-0x0000000003ACA000-memory.dmp	upx
behavioral1/memory/1608-123-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1608-120-0x0000000003AB0000-0x0000000003ABB000-memory.dmp	upx
behavioral1/memory/2900-119-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000d00000001344f-127.dat	upx
behavioral1/memory/2900-144-0x0000000003330000-0x000000000333B000-memory.dmp	upx
behavioral1/memory/788-143-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2900-147-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000f00000001227f-153.dat	upx
behavioral1/memory/788-169-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2928-167-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x003b00000001340e-174.dat	upx
behavioral1/memory/1492-191-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2928-190-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000e00000001344f-198.dat	upx
behavioral1/memory/1492-208-0x0000000003BC0000-0x0000000003BDA000-memory.dmp	upx
behavioral1/memory/1492-216-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x001000000001227f-221.dat	upx
behavioral1/memory/1228-230-0x00000000033F0000-0x000000000340A000-memory.dmp	upx
behavioral1/memory/1228-234-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2460-248-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2960-250-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2460-264-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1192-282-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1392-296-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/912-310-0x0000000003E50000-0x0000000003E6A000-memory.dmp	upx
behavioral1/memory/1632-311-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/912-314-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/568-328-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1632-329-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/664-343-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/568-345-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/664-357-0x00000000038E0000-0x00000000038FA000-memory.dmp	upx
behavioral1/memory/2132-361-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/664-360-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2132-371-0x0000000002370000-0x000000000238A000-memory.dmp	upx
behavioral1/memory/2168-377-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2132-379-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2132-378-0x0000000002380000-0x000000000238B000-memory.dmp	upx
behavioral1/memory/2168-391-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1952-392-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1952-406-0x0000000003070000-0x000000000307B000-memory.dmp	upx
behavioral1/memory/1952-408-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1500-423-0x0000000002380000-0x000000000239A000-memory.dmp	upx
behavioral1/memory/2508-424-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1500-425-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2508-442-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2696-537-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1736-612-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wnqpr.exe	wgwsjn.exe
File created	C:\Windows\SysWOW64\wgkhn.exe	wovtgmm.exe
File created	C:\Windows\SysWOW64\wao.exe	wxmkkt.exe
File opened for modification	C:\Windows\SysWOW64\wakr.exe	wlnxo.exe
File opened for modification	C:\Windows\SysWOW64\wahcc.exe	whmlgb.exe
File opened for modification	C:\Windows\SysWOW64\wovinvmq.exe	wbkaqgib.exe
File created	C:\Windows\SysWOW64\wmvyddtc.exe	wgkhn.exe
File created	C:\Windows\SysWOW64\wnqpr.exe	wgwsjn.exe
File created	C:\Windows\SysWOW64\winpdg.exe	wbm.exe
File created	C:\Windows\SysWOW64\wnlu.exe	wdcht.exe
File created	C:\Windows\SysWOW64\waqgbt.exe	wovinvmq.exe
File opened for modification	C:\Windows\SysWOW64\wgwsjn.exe	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wncsjf.exe	wdqfeho.exe
File opened for modification	C:\Windows\SysWOW64\wardpses.exe	wmadgwu.exe
File created	C:\Windows\SysWOW64\wbbkd.exe	wao.exe
File opened for modification	C:\Windows\SysWOW64\wkewfriy.exe	wcepwl.exe
File opened for modification	C:\Windows\SysWOW64\wkepwqfr.exe	wardpses.exe
File opened for modification	C:\Windows\SysWOW64\wbtwawmu.exe	wahcc.exe
File opened for modification	C:\Windows\SysWOW64\wjgsl.exe	wgtwoua.exe
File created	C:\Windows\SysWOW64\wctvpo.exe	wchnyv.exe
File created	C:\Windows\SysWOW64\wsoeoa.exe	wnlu.exe
File created	C:\Windows\SysWOW64\whiyp.exe	wxlqjg.exe
File created	C:\Windows\SysWOW64\wbkaqgib.exe	wlpemq.exe
File opened for modification	C:\Windows\SysWOW64\wbkaqgib.exe	wlpemq.exe
File opened for modification	C:\Windows\SysWOW64\wchnyv.exe	wyt.exe
File created	C:\Windows\SysWOW64\wmsvbol.exe	wxwbww.exe
File opened for modification	C:\Windows\SysWOW64\wlnxo.exe	womip.exe
File created	C:\Windows\SysWOW64\wgtwoua.exe	wrjnqf.exe
File opened for modification	C:\Windows\SysWOW64\wymmgwrwt.exe	wocxbxqw.exe
File created	C:\Windows\SysWOW64\wbayc.exe	wumimp.exe
File created	C:\Windows\SysWOW64\wtpeobr.exe	wymmgwrwt.exe
File created	C:\Windows\SysWOW64\wkepwqfr.exe	wardpses.exe
File opened for modification	C:\Windows\SysWOW64\waqgbt.exe	wovinvmq.exe
File created	C:\Windows\SysWOW64\wovtgmm.exe	wbayc.exe
File created	C:\Windows\SysWOW64\wbgiys.exe	wmvyddtc.exe
File created	C:\Windows\SysWOW64\wlnxo.exe	womip.exe
File opened for modification	C:\Windows\SysWOW64\wlsjdh.exe	wkgpgsmx.exe
File opened for modification	C:\Windows\SysWOW64\wymcpf.exe	wpqed.exe
File opened for modification	C:\Windows\SysWOW64\wgtwoua.exe	wrjnqf.exe
File opened for modification	C:\Windows\SysWOW64\womip.exe	wukrhb.exe
File created	C:\Windows\SysWOW64\wnbcdj.exe	wlyqmuvr.exe
File created	C:\Windows\SysWOW64\wdcgguvi.exe	wwroqnyye.exe
File created	C:\Windows\SysWOW64\woptmsxh.exe	wdcgguvi.exe
File opened for modification	C:\Windows\SysWOW64\wbm.exe	wnqpr.exe
File created	C:\Windows\SysWOW64\wdcht.exe	wspuo.exe
File created	C:\Windows\SysWOW64\wcpjob.exe	wfehrg.exe
File opened for modification	C:\Windows\SysWOW64\wcpjob.exe	wfehrg.exe
File created	C:\Windows\SysWOW64\wpqed.exe	woptmsxh.exe
File opened for modification	C:\Windows\SysWOW64\wbergs.exe	whbaymq.exe
File opened for modification	C:\Windows\SysWOW64\winpdg.exe	wbm.exe
File created	C:\Windows\SysWOW64\wbelgrun.exe	wecwgtqw.exe
File created	C:\Windows\SysWOW64\wfehrg.exe	wxeajagf.exe
File opened for modification	C:\Windows\SysWOW64\wlyqmuvr.exe	wssrkmsm.exe
File created	C:\Windows\SysWOW64\wqkijj.exe	wbtwawmu.exe
File created	C:\Windows\SysWOW64\wrjnqf.exe	winpdg.exe
File created	C:\Windows\SysWOW64\wrjuwag.exe	wlxe.exe
File created	C:\Windows\SysWOW64\wdqfeho.exe	wbelgrun.exe
File opened for modification	C:\Windows\SysWOW64\wwroqnyye.exe	wivumx.exe
File created	C:\Windows\SysWOW64\wymmgwrwt.exe	wocxbxqw.exe
File opened for modification	C:\Windows\SysWOW64\wmadgwu.exe	wsitfsdi.exe
File created	C:\Windows\SysWOW64\wkrkaqoly.exe	waqgbt.exe
File opened for modification	C:\Windows\SysWOW64\wkrkaqoly.exe	waqgbt.exe
File opened for modification	C:\Windows\SysWOW64\wsdpxh.exe	wjgsl.exe
File opened for modification	C:\Windows\SysWOW64\wrjuwag.exe	wlxe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	2516	WerFault.exe	185

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2136	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	29
PID 2028 wrote to memory of 2136	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	29
PID 2028 wrote to memory of 2136	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	29
PID 2028 wrote to memory of 2136	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	29
PID 2028 wrote to memory of 2632	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	30
PID 2028 wrote to memory of 2632	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	30
PID 2028 wrote to memory of 2632	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	30
PID 2028 wrote to memory of 2632	2028	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	30
PID 2136 wrote to memory of 2208	2136	wgwsjn.exe	32
PID 2136 wrote to memory of 2208	2136	wgwsjn.exe	32
PID 2136 wrote to memory of 2208	2136	wgwsjn.exe	32
PID 2136 wrote to memory of 2208	2136	wgwsjn.exe	32
PID 2136 wrote to memory of 2580	2136	wgwsjn.exe	33
PID 2136 wrote to memory of 2580	2136	wgwsjn.exe	33
PID 2136 wrote to memory of 2580	2136	wgwsjn.exe	33
PID 2136 wrote to memory of 2580	2136	wgwsjn.exe	33
PID 2208 wrote to memory of 2972	2208	wnqpr.exe	35
PID 2208 wrote to memory of 2972	2208	wnqpr.exe	35
PID 2208 wrote to memory of 2972	2208	wnqpr.exe	35
PID 2208 wrote to memory of 2972	2208	wnqpr.exe	35
PID 2208 wrote to memory of 1624	2208	wnqpr.exe	36
PID 2208 wrote to memory of 1624	2208	wnqpr.exe	36
PID 2208 wrote to memory of 1624	2208	wnqpr.exe	36
PID 2208 wrote to memory of 1624	2208	wnqpr.exe	36
PID 2972 wrote to memory of 1608	2972	wbm.exe	38
PID 2972 wrote to memory of 1608	2972	wbm.exe	38
PID 2972 wrote to memory of 1608	2972	wbm.exe	38
PID 2972 wrote to memory of 1608	2972	wbm.exe	38
PID 2972 wrote to memory of 848	2972	wbm.exe	39
PID 2972 wrote to memory of 848	2972	wbm.exe	39
PID 2972 wrote to memory of 848	2972	wbm.exe	39
PID 2972 wrote to memory of 848	2972	wbm.exe	39
PID 1608 wrote to memory of 2900	1608	winpdg.exe	41
PID 1608 wrote to memory of 2900	1608	winpdg.exe	41
PID 1608 wrote to memory of 2900	1608	winpdg.exe	41
PID 1608 wrote to memory of 2900	1608	winpdg.exe	41
PID 1608 wrote to memory of 776	1608	winpdg.exe	42
PID 1608 wrote to memory of 776	1608	winpdg.exe	42
PID 1608 wrote to memory of 776	1608	winpdg.exe	42
PID 1608 wrote to memory of 776	1608	winpdg.exe	42
PID 2900 wrote to memory of 788	2900	wrjnqf.exe	44
PID 2900 wrote to memory of 788	2900	wrjnqf.exe	44
PID 2900 wrote to memory of 788	2900	wrjnqf.exe	44
PID 2900 wrote to memory of 788	2900	wrjnqf.exe	44
PID 2900 wrote to memory of 2384	2900	wrjnqf.exe	45
PID 2900 wrote to memory of 2384	2900	wrjnqf.exe	45
PID 2900 wrote to memory of 2384	2900	wrjnqf.exe	45
PID 2900 wrote to memory of 2384	2900	wrjnqf.exe	45
PID 788 wrote to memory of 2928	788	wgtwoua.exe	47
PID 788 wrote to memory of 2928	788	wgtwoua.exe	47
PID 788 wrote to memory of 2928	788	wgtwoua.exe	47
PID 788 wrote to memory of 2928	788	wgtwoua.exe	47
PID 788 wrote to memory of 2920	788	wgtwoua.exe	48
PID 788 wrote to memory of 2920	788	wgtwoua.exe	48
PID 788 wrote to memory of 2920	788	wgtwoua.exe	48
PID 788 wrote to memory of 2920	788	wgtwoua.exe	48
PID 2928 wrote to memory of 1492	2928	wjgsl.exe	50
PID 2928 wrote to memory of 1492	2928	wjgsl.exe	50
PID 2928 wrote to memory of 1492	2928	wjgsl.exe	50
PID 2928 wrote to memory of 1492	2928	wjgsl.exe	50
PID 2928 wrote to memory of 2068	2928	wjgsl.exe	51
PID 2928 wrote to memory of 2068	2928	wjgsl.exe	51
PID 2928 wrote to memory of 2068	2928	wjgsl.exe	51
PID 2928 wrote to memory of 2068	2928	wjgsl.exe	51

C:\Users\Admin\AppData\Local\Temp\00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\wgwsjn.exe
  "C:\Windows\system32\wgwsjn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\wnqpr.exe
    "C:\Windows\system32\wnqpr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\wbm.exe
      "C:\Windows\system32\wbm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\winpdg.exe
        
        "C:\Windows\system32\winpdg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\wrjnqf.exe
        
        "C:\Windows\system32\wrjnqf.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\wgtwoua.exe
        
        "C:\Windows\system32\wgtwoua.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\wjgsl.exe
        
        "C:\Windows\system32\wjgsl.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\wsdpxh.exe
        
        "C:\Windows\system32\wsdpxh.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Windows\SysWOW64\wrtuqe.exe
        
        "C:\Windows\system32\wrtuqe.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1228
        
        C:\Windows\SysWOW64\wwqvml.exe
        
        "C:\Windows\system32\wwqvml.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2960
        
        C:\Windows\SysWOW64\wqheo.exe
        
        "C:\Windows\system32\wqheo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2460
        
        C:\Windows\SysWOW64\wyt.exe
        
        "C:\Windows\system32\wyt.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\wchnyv.exe
        
        "C:\Windows\system32\wchnyv.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\wctvpo.exe
        
        "C:\Windows\system32\wctvpo.exe"
        15⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\wifnd.exe
        
        "C:\Windows\system32\wifnd.exe"
        16⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\wrbkrs.exe
        
        "C:\Windows\system32\wrbkrs.exe"
        17⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\wydr.exe
        
        "C:\Windows\system32\wydr.exe"
        18⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\wspuo.exe
        
        "C:\Windows\system32\wspuo.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\wdcht.exe
        
        "C:\Windows\system32\wdcht.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\wnlu.exe
        
        "C:\Windows\system32\wnlu.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\wsoeoa.exe
        
        "C:\Windows\system32\wsoeoa.exe"
        22⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\wylgkg.exe
        
        "C:\Windows\system32\wylgkg.exe"
        23⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\wrdol.exe
        
        "C:\Windows\system32\wrdol.exe"
        24⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\wlxe.exe
        
        "C:\Windows\system32\wlxe.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\wrjuwag.exe
        
        "C:\Windows\system32\wrjuwag.exe"
        26⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\wecwgtqw.exe
        
        "C:\Windows\system32\wecwgtqw.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\wbelgrun.exe
        
        "C:\Windows\system32\wbelgrun.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\wdqfeho.exe
        
        "C:\Windows\system32\wdqfeho.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\wncsjf.exe
        
        "C:\Windows\system32\wncsjf.exe"
        30⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\wlx.exe
        
        "C:\Windows\system32\wlx.exe"
        31⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\wdabkbuny.exe
        
        "C:\Windows\system32\wdabkbuny.exe"
        32⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\wjb.exe
        
        "C:\Windows\system32\wjb.exe"
        33⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\wxwbww.exe
        
        "C:\Windows\system32\wxwbww.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wmsvbol.exe
        
        "C:\Windows\system32\wmsvbol.exe"
        35⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\wxmkkt.exe
        
        "C:\Windows\system32\wxmkkt.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\wao.exe
        
        "C:\Windows\system32\wao.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\wbbkd.exe
        
        "C:\Windows\system32\wbbkd.exe"
        38⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\wadlkebo.exe
        
        "C:\Windows\system32\wadlkebo.exe"
        39⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\wxeajagf.exe
        
        "C:\Windows\system32\wxeajagf.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\wfehrg.exe
        
        "C:\Windows\system32\wfehrg.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\wcpjob.exe
        
        "C:\Windows\system32\wcpjob.exe"
        42⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\wllhbxv.exe
        
        "C:\Windows\system32\wllhbxv.exe"
        43⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\wukrhb.exe
        
        "C:\Windows\system32\wukrhb.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\womip.exe
        
        "C:\Windows\system32\womip.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\wlnxo.exe
        
        "C:\Windows\system32\wlnxo.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\wakr.exe
        
        "C:\Windows\system32\wakr.exe"
        47⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\wkgpgsmx.exe
        
        "C:\Windows\system32\wkgpgsmx.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:288
        
        C:\Windows\SysWOW64\wlsjdh.exe
        
        "C:\Windows\system32\wlsjdh.exe"
        49⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\wssrkmsm.exe
        
        "C:\Windows\system32\wssrkmsm.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\wlyqmuvr.exe
        
        "C:\Windows\system32\wlyqmuvr.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\wnbcdj.exe
        
        "C:\Windows\system32\wnbcdj.exe"
        52⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\wxlqjg.exe
        
        "C:\Windows\system32\wxlqjg.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\whiyp.exe
        
        "C:\Windows\system32\whiyp.exe"
        54⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\wivumx.exe
        
        "C:\Windows\system32\wivumx.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\wwroqnyye.exe
        
        "C:\Windows\system32\wwroqnyye.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\wdcgguvi.exe
        
        "C:\Windows\system32\wdcgguvi.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\woptmsxh.exe
        
        "C:\Windows\system32\woptmsxh.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\wpqed.exe
        
        "C:\Windows\system32\wpqed.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\wymcpf.exe
        
        "C:\Windows\system32\wymcpf.exe"
        60⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\woiwtvgd.exe
        
        "C:\Windows\system32\woiwtvgd.exe"
        61⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\wcepwl.exe
        
        "C:\Windows\system32\wcepwl.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\wkewfriy.exe
        
        "C:\Windows\system32\wkewfriy.exe"
        63⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\wocxbxqw.exe
        
        "C:\Windows\system32\wocxbxqw.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\wymmgwrwt.exe
        
        "C:\Windows\system32\wymmgwrwt.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\wtpeobr.exe
        
        "C:\Windows\system32\wtpeobr.exe"
        66⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\wabveip.exe
        
        "C:\Windows\system32\wabveip.exe"
        67⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\wsitfsdi.exe
        
        "C:\Windows\system32\wsitfsdi.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\wmadgwu.exe
        
        "C:\Windows\system32\wmadgwu.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wardpses.exe
        
        "C:\Windows\system32\wardpses.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\wkepwqfr.exe
        
        "C:\Windows\system32\wkepwqfr.exe"
        71⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\witt.exe
        
        "C:\Windows\system32\witt.exe"
        72⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\wvqosd.exe
        
        "C:\Windows\system32\wvqosd.exe"
        73⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\whmlgb.exe
        
        "C:\Windows\system32\whmlgb.exe"
        74⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\wahcc.exe
        
        "C:\Windows\system32\wahcc.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\wbtwawmu.exe
        
        "C:\Windows\system32\wbtwawmu.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\wqkijj.exe
        
        "C:\Windows\system32\wqkijj.exe"
        77⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\wbphkit.exe
        
        "C:\Windows\system32\wbphkit.exe"
        78⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\whbaymq.exe
        
        "C:\Windows\system32\whbaymq.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\wbergs.exe
        
        "C:\Windows\system32\wbergs.exe"
        80⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\wlpemq.exe
        
        "C:\Windows\system32\wlpemq.exe"
        81⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wbkaqgib.exe
        
        "C:\Windows\system32\wbkaqgib.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\wovinvmq.exe
        
        "C:\Windows\system32\wovinvmq.exe"
        83⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\waqgbt.exe
        
        "C:\Windows\system32\waqgbt.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\wkrkaqoly.exe
        
        "C:\Windows\system32\wkrkaqoly.exe"
        85⤵
        
        PID:608
        
        C:\Windows\SysWOW64\wumimp.exe
        
        "C:\Windows\system32\wumimp.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\wbayc.exe
        
        "C:\Windows\system32\wbayc.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\wovtgmm.exe
        
        "C:\Windows\system32\wovtgmm.exe"
        88⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\wgkhn.exe
        
        "C:\Windows\system32\wgkhn.exe"
        89⤵
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\wmvyddtc.exe
        
        "C:\Windows\system32\wmvyddtc.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\wbgiys.exe
        
        "C:\Windows\system32\wbgiys.exe"
        91⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\wtbyuys.exe
        
        "C:\Windows\system32\wtbyuys.exe"
        92⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgiys.exe"
        92⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvyddtc.exe"
        91⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkhn.exe"
        90⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovtgmm.exe"
        89⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbayc.exe"
        88⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumimp.exe"
        87⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrkaqoly.exe"
        86⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqgbt.exe"
        85⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovinvmq.exe"
        84⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkaqgib.exe"
        83⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpemq.exe"
        82⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbergs.exe"
        81⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbaymq.exe"
        80⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbphkit.exe"
        79⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkijj.exe"
        78⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtwawmu.exe"
        77⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahcc.exe"
        76⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmlgb.exe"
        75⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqosd.exe"
        74⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\witt.exe"
        73⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkepwqfr.exe"
        72⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wardpses.exe"
        71⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmadgwu.exe"
        70⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsitfsdi.exe"
        69⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabveip.exe"
        68⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpeobr.exe"
        67⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymmgwrwt.exe"
        66⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocxbxqw.exe"
        65⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkewfriy.exe"
        64⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcepwl.exe"
        63⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woiwtvgd.exe"
        62⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymcpf.exe"
        61⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqed.exe"
        60⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woptmsxh.exe"
        59⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcgguvi.exe"
        58⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwroqnyye.exe"
        57⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivumx.exe"
        56⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whiyp.exe"
        55⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlqjg.exe"
        54⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbcdj.exe"
        53⤵
        
        PID:340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 792
        53⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyqmuvr.exe"
        52⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssrkmsm.exe"
        51⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsjdh.exe"
        50⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgpgsmx.exe"
        49⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakr.exe"
        48⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnxo.exe"
        47⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womip.exe"
        46⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukrhb.exe"
        45⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllhbxv.exe"
        44⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpjob.exe"
        43⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfehrg.exe"
        42⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeajagf.exe"
        41⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadlkebo.exe"
        40⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbkd.exe"
        39⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wao.exe"
        38⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmkkt.exe"
        37⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsvbol.exe"
        36⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwbww.exe"
        35⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjb.exe"
        34⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdabkbuny.exe"
        33⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlx.exe"
        32⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncsjf.exe"
        31⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqfeho.exe"
        30⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbelgrun.exe"
        29⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecwgtqw.exe"
        28⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjuwag.exe"
        27⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxe.exe"
        26⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdol.exe"
        25⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylgkg.exe"
        24⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsoeoa.exe"
        23⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlu.exe"
        22⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcht.exe"
        21⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspuo.exe"
        20⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydr.exe"
        19⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbkrs.exe"
        18⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifnd.exe"
        17⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctvpo.exe"
        16⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchnyv.exe"
        15⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyt.exe"
        14⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqheo.exe"
        13⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqvml.exe"
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtuqe.exe"
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdpxh.exe"
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgsl.exe"
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtwoua.exe"
        8⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjnqf.exe"
        7⤵
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winpdg.exe"
        6⤵
        
        PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbm.exe"
        5⤵
        
        PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqpr.exe"
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwsjn.exe"
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L726UGXE.txt

Filesize
98B

MD5
225e5128b65e6f081e8270fc9af34add

SHA1
a866f77f35b8ef0339875140146130e73f698e9f

SHA256
316b0f1f59f1cd36572cd19a18ac6c1506e24889b1735cf8724902ec5ed1423e

SHA512
b200a3ed10daee6b753e229caf8a7f2a8fdfaed06b071b34b6ada494863699127726e5d02b7fdea7f23a17c01bf3eef041098f737d799f091ea717fcecd6001c

Download Submit
\Windows\SysWOW64\wbm.exe

Filesize
40KB

MD5
2792a658e1d8898f6b34f99b447bbe0d

SHA1
037e16ee9e57be34ef62e8cad52cfa84ceaa56e4

SHA256
aec70fbfa5dfc3bcd1d9f6f41adbb7484055b37b3dff940a32d6dd1be0989fea

SHA512
f1fd5ad437c1a268fac3e35767d574ee93895a941fc14ae67999ad5d57fd3f285796c771b72a9a9b784e00164120b2ada13c2eaf07b98f6e60e26b4f8a9a6f36

Download Submit
\Windows\SysWOW64\wgtwoua.exe

Filesize
40KB

MD5
8b34d907d8326718f714afc476571fa3

SHA1
ccc57eb8cdb747b4a080cba5b2a119d70cc1edbb

SHA256
9fe53560261194759964b3bf51f25a974a5a127a2a36b117c9af421f59bf7cd4

SHA512
2c36308f87970df080dc7faee9003b6a13145d3fd929e89cf173f6760af750c5a5138d69329b61a013be22bd38b63de48b7b6b08c1bd60d563195b030a58b16e

Download Submit
\Windows\SysWOW64\wgwsjn.exe

Filesize
40KB

MD5
090c7983a84f3797eb0d2e690ad4ef81

SHA1
f6b8d9a47af1caa53382b72cd169f06f640ff379

SHA256
88950f954e322c1260f4300d03e6ddcb1ab1f3da0d4f3994fd4c4bcb801cc64f

SHA512
688e53a86d6e0bf1ce1780fa7a1efac71c4f4e7db68582f1378cfbe2786add766db2b4f11443066a28bfcf4ba2e011c4e2c18a9075361d0ab7aa87968c6815b0

Download Submit
\Windows\SysWOW64\winpdg.exe

Filesize
40KB

MD5
81a6295ecfb264f20c4998067cfe7071

SHA1
e12ff1c682aa0b3f1451304d69f17907c0af47af

SHA256
b3aa0c26e4ee8e97565cc07007c11316ee8e13ead7c6e546842757b4e864935b

SHA512
04fda26b314e85530af754e6a5a1ca274c0e3842b52a90094d9a22c9fe3b2bbb3068cd443b5a5cd37cdfce206bea61a5dbc4d2d3d2c0db901346572463ec6612

Download Submit
\Windows\SysWOW64\wjgsl.exe

Filesize
40KB

MD5
9a0833d5397f85b6b9437f426abdc72e

SHA1
df594d59909e4bf893a803c49ccebec37e8d3a19

SHA256
28d97fd1e2b3e488a00d4752f54592364ea65c0636f213aad3132494d3beb71f

SHA512
838c798bf776200b2a7300f125fd2034a82fe31e3117254da1e17b546758f27d65c3699050a1a2ce7656aa3428cdb7e1b6f1312553dca7f020870b2a6a49faa1

Download Submit
\Windows\SysWOW64\wnqpr.exe

Filesize
40KB

MD5
150c87be3589a8c2df6a20525fa239d4

SHA1
f078eff2136d0c89b7902290d0f9b71b797b5aea

SHA256
18f3e72f5183c4c7d87f5b45f66749126788ca0eee71a9520685fd00a8044f02

SHA512
7db2175d4ea41a3bc3f3fd3fdf88ae31b9e105cfe35a1fa5a5265c6c794675664e86642195be36d48643df8aa2f6ba320afcd8e3fe94952d1cfb9ab521f345eb

Download Submit
\Windows\SysWOW64\wrjnqf.exe

Filesize
40KB

MD5
fdf24ca6dfc3a6c931a71958c00e9d62

SHA1
b13a57a91c8d8264035c92eaee038610ae330bd0

SHA256
a2d77f7b7d5332d2fdf1f329de9f6eb5b6b58e9496b050158d23b238a9785e22

SHA512
a4eb5af0fe5560efcdcdb8562fab93d2b0c0280dc2b8407da938a82e03b55c087dab5977c9c33e13e8fab6394540696cf7a8a0239e6aa86b8251c6f0a7eb408c

Download Submit
\Windows\SysWOW64\wrtuqe.exe

Filesize
40KB

MD5
021ad9e5996bbc1c546a34a3b03f56f9

SHA1
103ed5ce4eeef7c2a9776861fa071ec727eb6afd

SHA256
d5d0510093506525978aa1a2784ea0bfe7e2e93b23b59bb900722b2ad6278225

SHA512
419766c366883fb5438586f5fe15fed75f9165416a5c949881cc4573587e40fbe32a14fdcbe92f9bc5d37960bbfbc60f2ef8aa8c9f6cb301c84161bf573d7a3d

Download Submit
\Windows\SysWOW64\wsdpxh.exe

Filesize
40KB

MD5
7a98712d442a1dbb4030216a74e40192

SHA1
5c13d0bca80ca2d92125df1c1a117e70b356550c

SHA256
354478b87dde3251a39a5d13bf809125b174c7359591e8d93e1a3f5523accd24

SHA512
62b416038bfd67f0e312355e4fe847131aa29a2195a062f636854d665ca1276dfef06e91c2b671a9735969b8d84c4a9d76b24ef0d8026bd1a52e5bca7fe1ebb5

Download Submit
\Windows\SysWOW64\wwqvml.exe

Filesize
40KB

MD5
43d07b817b3fb2856ed7183df86e5e19

SHA1
d224bdb68aab7c9c4999c1126307ad509cf2a287

SHA256
fb8cfad87fd44390f4c2c4819d5f97407f640733e372041681fc3a930333c8fb

SHA512
67eb99435ccf897c70826c7eb9c311b2e96a5b8ebbafde69d5a9af37d734b285cc4039576c537be9e8630300ea54a7222ac130779740b493251c4405035d6385

Download Submit
memory/568-345-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/568-342-0x00000000031A0000-0x00000000031BA000-memory.dmp

Filesize
104KB

Download
memory/568-328-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/568-341-0x00000000031A0000-0x00000000031BA000-memory.dmp

Filesize
104KB

Download
memory/568-344-0x00000000031B0000-0x00000000031BB000-memory.dmp

Filesize
44KB

Download
memory/664-357-0x00000000038E0000-0x00000000038FA000-memory.dmp

Filesize
104KB

Download
memory/664-360-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/664-358-0x00000000038E0000-0x00000000038FA000-memory.dmp

Filesize
104KB

Download
memory/664-343-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/788-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/788-164-0x0000000003F70000-0x0000000003F8A000-memory.dmp

Filesize
104KB

Download
memory/788-163-0x0000000003F70000-0x0000000003F8A000-memory.dmp

Filesize
104KB

Download
memory/788-168-0x0000000003F70000-0x0000000003F7B000-memory.dmp

Filesize
44KB

Download
memory/788-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/844-659-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/912-314-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/912-310-0x0000000003E50000-0x0000000003E6A000-memory.dmp

Filesize
104KB

Download
memory/912-312-0x0000000001E60000-0x0000000001E6B000-memory.dmp

Filesize
44KB

Download
memory/912-309-0x0000000003E50000-0x0000000003E6A000-memory.dmp

Filesize
104KB

Download
memory/1192-278-0x0000000001FA0000-0x0000000001FBA000-memory.dmp

Filesize
104KB

Download
memory/1192-279-0x0000000001FA0000-0x0000000001FBA000-memory.dmp

Filesize
104KB

Download
memory/1192-282-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1192-281-0x0000000001FA0000-0x0000000001FAB000-memory.dmp

Filesize
44KB

Download
memory/1192-280-0x0000000001FA0000-0x0000000001FBA000-memory.dmp

Filesize
104KB

Download
memory/1228-232-0x0000000003160000-0x000000000316B000-memory.dmp

Filesize
44KB

Download
memory/1228-234-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1228-231-0x00000000033F0000-0x000000000340A000-memory.dmp

Filesize
104KB

Download
memory/1228-230-0x00000000033F0000-0x000000000340A000-memory.dmp

Filesize
104KB

Download
memory/1392-294-0x0000000002440000-0x000000000245A000-memory.dmp

Filesize
104KB

Download
memory/1392-295-0x0000000003380000-0x000000000339A000-memory.dmp

Filesize
104KB

Download
memory/1392-296-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1392-297-0x0000000002450000-0x000000000245B000-memory.dmp

Filesize
44KB

Download
memory/1424-1019-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1492-211-0x0000000003BC0000-0x0000000003BDA000-memory.dmp

Filesize
104KB

Download
memory/1492-191-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1492-208-0x0000000003BC0000-0x0000000003BDA000-memory.dmp

Filesize
104KB

Download
memory/1492-216-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1492-210-0x0000000003BC0000-0x0000000003BDA000-memory.dmp

Filesize
104KB

Download
memory/1492-209-0x0000000003BC0000-0x0000000003BDA000-memory.dmp

Filesize
104KB

Download
memory/1492-214-0x00000000034E0000-0x00000000034EB000-memory.dmp

Filesize
44KB

Download
memory/1500-420-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/1500-421-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/1500-422-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/1500-423-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/1500-425-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1608-116-0x0000000003AB0000-0x0000000003ACA000-memory.dmp

Filesize
104KB

Download
memory/1608-115-0x0000000003AB0000-0x0000000003ACA000-memory.dmp

Filesize
104KB

Download
memory/1608-114-0x0000000003AB0000-0x0000000003ACA000-memory.dmp

Filesize
104KB

Download
memory/1608-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1608-120-0x0000000003AB0000-0x0000000003ABB000-memory.dmp

Filesize
44KB

Download
memory/1608-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1632-329-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1632-311-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1632-327-0x00000000022F0000-0x000000000230A000-memory.dmp

Filesize
104KB

Download
memory/1672-860-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1736-612-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1752-794-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1860-921-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1952-406-0x0000000003070000-0x000000000307B000-memory.dmp

Filesize
44KB

Download
memory/1952-392-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1952-405-0x0000000003070000-0x000000000308A000-memory.dmp

Filesize
104KB

Download
memory/1952-404-0x0000000003070000-0x000000000308A000-memory.dmp

Filesize
104KB

Download
memory/1952-408-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2028-21-0x0000000003730000-0x000000000373B000-memory.dmp

Filesize
44KB

Download
memory/2028-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2028-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2028-18-0x0000000003FF0000-0x000000000400A000-memory.dmp

Filesize
104KB

Download
memory/2028-11-0x0000000003FF0000-0x000000000400A000-memory.dmp

Filesize
104KB

Download
memory/2132-378-0x0000000002380000-0x000000000238B000-memory.dmp

Filesize
44KB

Download
memory/2132-361-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2132-379-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2132-375-0x0000000003AF0000-0x0000000003B0A000-memory.dmp

Filesize
104KB

Download
memory/2132-370-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/2132-371-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/2136-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2136-50-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2136-41-0x0000000001DD0000-0x0000000001DEA000-memory.dmp

Filesize
104KB

Download
memory/2136-44-0x0000000003550000-0x000000000356A000-memory.dmp

Filesize
104KB

Download
memory/2136-43-0x0000000003550000-0x000000000356A000-memory.dmp

Filesize
104KB

Download
memory/2136-48-0x0000000001DE0000-0x0000000001DEB000-memory.dmp

Filesize
44KB

Download
memory/2136-42-0x0000000001DD0000-0x0000000001DEA000-memory.dmp

Filesize
104KB

Download
memory/2168-391-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2168-377-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2184-938-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2208-67-0x0000000003620000-0x000000000363A000-memory.dmp

Filesize
104KB

Download
memory/2208-66-0x0000000003620000-0x000000000363A000-memory.dmp

Filesize
104KB

Download
memory/2208-69-0x0000000003620000-0x000000000363A000-memory.dmp

Filesize
104KB

Download
memory/2208-47-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2208-68-0x0000000003620000-0x000000000363A000-memory.dmp

Filesize
104KB

Download
memory/2208-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2228-877-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2460-319-0x00000000030F0000-0x00000000030FB000-memory.dmp

Filesize
44KB

Download
memory/2460-262-0x0000000003E50000-0x0000000003E6A000-memory.dmp

Filesize
104KB

Download
memory/2460-248-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2460-263-0x0000000003E50000-0x0000000003E6A000-memory.dmp

Filesize
104KB

Download
memory/2460-265-0x00000000030F0000-0x00000000030FB000-memory.dmp

Filesize
44KB

Download
memory/2460-264-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2508-424-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2508-442-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2696-537-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2900-144-0x0000000003330000-0x000000000333B000-memory.dmp

Filesize
44KB

Download
memory/2900-140-0x0000000003320000-0x000000000333A000-memory.dmp

Filesize
104KB

Download
memory/2900-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2900-139-0x0000000003320000-0x000000000333A000-memory.dmp

Filesize
104KB

Download
memory/2900-119-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2928-190-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2928-186-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/2928-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2960-250-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2960-247-0x0000000004020000-0x000000000403A000-memory.dmp

Filesize
104KB

Download
memory/2960-246-0x0000000004020000-0x000000000403A000-memory.dmp

Filesize
104KB

Download
memory/2972-97-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2972-92-0x0000000003520000-0x000000000353A000-memory.dmp

Filesize
104KB

Download
memory/2972-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2972-91-0x0000000003520000-0x000000000353A000-memory.dmp

Filesize
104KB

Download