91a63b622904cbe324975ceae8ddfd1c0c22c549b728d5cde1f6ce24f8c78eaa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
Size

40KB
MD5

00b28c98a10ec90e91f8dfae7d40d550
SHA1

69648c5c98f98a9b7af26840cae8349b90fb524c
SHA256

91a63b622904cbe324975ceae8ddfd1c0c22c549b728d5cde1f6ce24f8c78eaa
SHA512

12e15fc77c4847501a9a3fa1d461199ac853250848e9247e107e5a2d49ad22df6ccac227edc2f54cda81f7ef60acf8d6169173d919cc0622914a4aadfd6e8625
SSDEEP

768:yiYoIfHbL8KatMHv+7dwwaleRp2OuyamBlabCY787fsBI21FX:XbyYt7LagG3N13oDWh1N

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	weodpb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wsusg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wmij.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wnndqsh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wrllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wnbvjife.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wbnsunx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wkvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wffrr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wxocwtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wrokoeo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	whirfaqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wvjey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	waysdis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdqdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wwjyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	whqjl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wmgimeymj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wfnec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wckf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wqrjcrck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdfbdp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wqcwxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wtltsahs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wrpgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wnuy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wnoqac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wwfdi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wynq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	woeifcw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wtxuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wujrcuc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdsarmbhw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wtaynv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wgeijk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	woixr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wjcqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wnldd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wucjvjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wfgvct.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wapsq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wjupwsby.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wqenrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wlhpn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wxoqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wsstxfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wtjfv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	weycnre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdnxslv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	waoykoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wmec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wiuxqxr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wvabvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wkhdae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	weqps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wphum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wqpeivw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wofmjmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdvurrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdrbga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wtfdvvm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wdtntr.exe

Executes dropped EXE 64 IoCs

pid	Process
960	wfhxfo.exe
4784	wbnsunx.exe
3252	wtfdvvm.exe
1004	wkvl.exe
2352	wprlp.exe
4836	weodpb.exe
4008	wapsq.exe
620	wffrr.exe
2456	wjupwsby.exe
1636	wmgimeymj.exe
3372	wkw.exe
4476	wfnec.exe
1696	wdsarmbhw.exe
3032	wtaynv.exe
3144	wqpeivw.exe
1400	wdtntr.exe
1816	whqmkxapl.exe
364	wpx.exe
4480	wneolufd.exe
3640	waoykoh.exe
5052	wee.exe
3200	wmec.exe
4440	wxocwtx.exe
2460	wwfdi.exe
4548	wgeijk.exe
1220	wofmjmx.exe
4592	wew.exe
632	wqenrt.exe
3368	wrpgl.exe
3684	wlhpn.exe
4060	wxoqs.exe
2960	wiuxqxr.exe
4100	wvabvn.exe
1164	wkhdae.exe
1248	wrokoeo.exe
2604	wckf.exe
2472	wqrjcrck.exe
1636	whirfaqa.exe
2392	wynq.exe
2036	wsuqxqyd.exe
4476	wsstxfd.exe
2476	woixr.exe
4472	wbpb.exe
3676	wyibkp.exe
4540	wtjfv.exe
376	wdfbdp.exe
1636	wumbyx.exe
3064	wvjey.exe
2960	wjcqj.exe
4420	wwwj.exe
4652	woeifcw.exe
4856	wdvurrh.exe
3580	wqcwxi.exe
2084	waysdis.exe
4464	weycnre.exe
844	wnuy.exe
2036	weqps.exe
4644	wsusg.exe
940	wtltsahs.exe
2160	wdrbga.exe
4596	wdqdf.exe
4612	wnldd.exe
4380	wsrdrkr.exe
5016	wwn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0006000000023288-6.dat	upx
behavioral2/memory/4048-11-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0007000000023420-19.dat	upx
behavioral2/memory/4784-21-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/960-22-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000800000002341d-30.dat	upx
behavioral2/memory/4784-33-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0008000000023422-41.dat	upx
behavioral2/memory/3252-44-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0008000000023420-52.dat	upx
behavioral2/memory/1004-55-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0007000000023423-63.dat	upx
behavioral2/memory/4836-65-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2352-66-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4836-77-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0007000000023424-75.dat	upx
behavioral2/files/0x0009000000023420-85.dat	upx
behavioral2/memory/4008-88-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0008000000023423-97.dat	upx
behavioral2/memory/2456-98-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/620-99-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000700000002342b-108.dat	upx
behavioral2/memory/1636-109-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2456-111-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0014000000023420-119.dat	upx
behavioral2/memory/1636-121-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0009000000023423-129.dat	upx
behavioral2/memory/3372-131-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000800000002342b-139.dat	upx
behavioral2/memory/4476-143-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1696-141-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0015000000023420-151.dat	upx
behavioral2/memory/3032-153-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1696-155-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000a000000023423-164.dat	upx
behavioral2/memory/3144-166-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3032-167-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000700000002342c-175.dat	upx
behavioral2/memory/3144-177-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0016000000023420-185.dat	upx
behavioral2/memory/1400-188-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000b000000023423-196.dat	upx
behavioral2/memory/364-198-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1816-200-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000500000002295f-209.dat	upx
behavioral2/memory/364-210-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4480-211-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4480-221-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000e00000002336e-220.dat	upx
behavioral2/memory/3640-233-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5052-231-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0008000000023391-230.dat	upx
behavioral2/memory/5052-244-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3200-243-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000700000002295f-242.dat	upx
behavioral2/memory/3200-255-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4440-254-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000f00000002336e-253.dat	upx
behavioral2/memory/4440-266-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2460-267-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d00000002338c-264.dat	upx
behavioral2/memory/2460-277-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000800000002295f-276.dat	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wfhxfo.exe	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wckf.exe	wrokoeo.exe
File opened for modification	C:\Windows\SysWOW64\wqcwxi.exe	wdvurrh.exe
File opened for modification	C:\Windows\SysWOW64\wew.exe	wofmjmx.exe
File opened for modification	C:\Windows\SysWOW64\wmij.exe	wucjvjo.exe
File created	C:\Windows\SysWOW64\wrllf.exe	wthuapi.exe
File opened for modification	C:\Windows\SysWOW64\wwjyx.exe	wnndqsh.exe
File opened for modification	C:\Windows\SysWOW64\wmcyulwe.exe	whqjl.exe
File opened for modification	C:\Windows\SysWOW64\wckf.exe	wrokoeo.exe
File created	C:\Windows\SysWOW64\woixr.exe	wsstxfd.exe
File opened for modification	C:\Windows\SysWOW64\wvjey.exe	wumbyx.exe
File created	C:\Windows\SysWOW64\wlpcegsl.exe	wwjyx.exe
File opened for modification	C:\Windows\SysWOW64\wtxuj.exe	wgqrfi.exe
File created	C:\Windows\SysWOW64\wwidxh.exe	wnbvjife.exe
File opened for modification	C:\Windows\SysWOW64\wvabvn.exe	wiuxqxr.exe
File created	C:\Windows\SysWOW64\wphum.exe	wwn.exe
File created	C:\Windows\SysWOW64\wnoqac.exe	wujrcuc.exe
File opened for modification	C:\Windows\SysWOW64\wsuqxqyd.exe	wynq.exe
File created	C:\Windows\SysWOW64\wyibkp.exe	wbpb.exe
File opened for modification	C:\Windows\SysWOW64\woeifcw.exe	wwwj.exe
File created	C:\Windows\SysWOW64\wqcwxi.exe	wdvurrh.exe
File created	C:\Windows\SysWOW64\wnldd.exe	wdqdf.exe
File created	C:\Windows\SysWOW64\wmij.exe	wucjvjo.exe
File created	C:\Windows\SysWOW64\weqps.exe	wnuy.exe
File opened for modification	C:\Windows\SysWOW64\whqjl.exe	wwidxh.exe
File created	C:\Windows\SysWOW64\wmcyulwe.exe	whqjl.exe
File created	C:\Windows\SysWOW64\wujrcuc.exe	wiuybf.exe
File opened for modification	C:\Windows\SysWOW64\wjgw.exe	wnoqac.exe
File created	C:\Windows\SysWOW64\wapsq.exe	weodpb.exe
File created	C:\Windows\SysWOW64\wdsarmbhw.exe	wfnec.exe
File created	C:\Windows\SysWOW64\wmec.exe	wee.exe
File created	C:\Windows\SysWOW64\wsuqxqyd.exe	wynq.exe
File created	C:\Windows\SysWOW64\wdfbdp.exe	wtjfv.exe
File opened for modification	C:\Windows\SysWOW64\wlpcegsl.exe	wwjyx.exe
File opened for modification	C:\Windows\SysWOW64\wdsarmbhw.exe	wfnec.exe
File opened for modification	C:\Windows\SysWOW64\wdtntr.exe	wqpeivw.exe
File opened for modification	C:\Windows\SysWOW64\wwn.exe	wsrdrkr.exe
File opened for modification	C:\Windows\SysWOW64\wmdsg.exe	wtxuj.exe
File created	C:\Windows\SysWOW64\wtaynv.exe	wdsarmbhw.exe
File created	C:\Windows\SysWOW64\wqpeivw.exe	wtaynv.exe
File opened for modification	C:\Windows\SysWOW64\whqmkxapl.exe	wdtntr.exe
File opened for modification	C:\Windows\SysWOW64\wdqdf.exe	wdrbga.exe
File opened for modification	C:\Windows\SysWOW64\wgsolvtd.exe	wrllf.exe
File opened for modification	C:\Windows\SysWOW64\wgqrfi.exe	wlpcegsl.exe
File created	C:\Windows\SysWOW64\wkw.exe	wmgimeymj.exe
File opened for modification	C:\Windows\SysWOW64\wpx.exe	whqmkxapl.exe
File opened for modification	C:\Windows\SysWOW64\wtltsahs.exe	wsusg.exe
File opened for modification	C:\Windows\SysWOW64\wnndqsh.exe	wfgvct.exe
File opened for modification	C:\Windows\SysWOW64\wumbyx.exe	wdfbdp.exe
File opened for modification	C:\Windows\SysWOW64\wnuy.exe	weycnre.exe
File created	C:\Windows\SysWOW64\wdqdf.exe	wdrbga.exe
File created	C:\Windows\SysWOW64\wthuapi.exe	wfar.exe
File opened for modification	C:\Windows\SysWOW64\wnoqac.exe	wujrcuc.exe
File created	C:\Windows\SysWOW64\wjupwsby.exe	wffrr.exe
File opened for modification	C:\Windows\SysWOW64\wxocwtx.exe	wmec.exe
File created	C:\Windows\SysWOW64\wiuxqxr.exe	wxoqs.exe
File created	C:\Windows\SysWOW64\wtltsahs.exe	wsusg.exe
File created	C:\Windows\SysWOW64\wsrdrkr.exe	wnldd.exe
File created	C:\Windows\SysWOW64\wwn.exe	wsrdrkr.exe
File created	C:\Windows\SysWOW64\wxoqs.exe	wlhpn.exe
File created	C:\Windows\SysWOW64\wtjfv.exe	wyibkp.exe
File opened for modification	C:\Windows\SysWOW64\wtjfv.exe	wyibkp.exe
File created	C:\Windows\SysWOW64\weycnre.exe	waysdis.exe
File created	C:\Windows\SysWOW64\wjgw.exe	wnoqac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3100	4548	WerFault.exe	169
4480	2036	WerFault.exe	218
2456	4476	WerFault.exe	221
4072	4476	WerFault.exe	221
4580	1636	WerFault.exe	245
4608	3580	WerFault.exe	266
4140	4596	WerFault.exe	298
4900	2216	WerFault.exe	339
3692	4068	WerFault.exe	367
4368	4068	WerFault.exe	367

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 960	4048	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	86
PID 4048 wrote to memory of 960	4048	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	86
PID 4048 wrote to memory of 960	4048	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	86
PID 4048 wrote to memory of 4360	4048	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	88
PID 4048 wrote to memory of 4360	4048	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	88
PID 4048 wrote to memory of 4360	4048	00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe	88
PID 960 wrote to memory of 4784	960	wfhxfo.exe	92
PID 960 wrote to memory of 4784	960	wfhxfo.exe	92
PID 960 wrote to memory of 4784	960	wfhxfo.exe	92
PID 960 wrote to memory of 4668	960	wfhxfo.exe	93
PID 960 wrote to memory of 4668	960	wfhxfo.exe	93
PID 960 wrote to memory of 4668	960	wfhxfo.exe	93
PID 4784 wrote to memory of 3252	4784	wbnsunx.exe	97
PID 4784 wrote to memory of 3252	4784	wbnsunx.exe	97
PID 4784 wrote to memory of 3252	4784	wbnsunx.exe	97
PID 4784 wrote to memory of 4612	4784	wbnsunx.exe	98
PID 4784 wrote to memory of 4612	4784	wbnsunx.exe	98
PID 4784 wrote to memory of 4612	4784	wbnsunx.exe	98
PID 3252 wrote to memory of 1004	3252	wtfdvvm.exe	100
PID 3252 wrote to memory of 1004	3252	wtfdvvm.exe	100
PID 3252 wrote to memory of 1004	3252	wtfdvvm.exe	100
PID 3252 wrote to memory of 3096	3252	wtfdvvm.exe	101
PID 3252 wrote to memory of 3096	3252	wtfdvvm.exe	101
PID 3252 wrote to memory of 3096	3252	wtfdvvm.exe	101
PID 1004 wrote to memory of 2352	1004	wkvl.exe	104
PID 1004 wrote to memory of 2352	1004	wkvl.exe	104
PID 1004 wrote to memory of 2352	1004	wkvl.exe	104
PID 1004 wrote to memory of 2200	1004	wkvl.exe	105
PID 1004 wrote to memory of 2200	1004	wkvl.exe	105
PID 1004 wrote to memory of 2200	1004	wkvl.exe	105
PID 2352 wrote to memory of 4836	2352	wprlp.exe	108
PID 2352 wrote to memory of 4836	2352	wprlp.exe	108
PID 2352 wrote to memory of 4836	2352	wprlp.exe	108
PID 2352 wrote to memory of 4492	2352	wprlp.exe	109
PID 2352 wrote to memory of 4492	2352	wprlp.exe	109
PID 2352 wrote to memory of 4492	2352	wprlp.exe	109
PID 4836 wrote to memory of 4008	4836	weodpb.exe	111
PID 4836 wrote to memory of 4008	4836	weodpb.exe	111
PID 4836 wrote to memory of 4008	4836	weodpb.exe	111
PID 4836 wrote to memory of 4776	4836	weodpb.exe	112
PID 4836 wrote to memory of 4776	4836	weodpb.exe	112
PID 4836 wrote to memory of 4776	4836	weodpb.exe	112
PID 4008 wrote to memory of 620	4008	wapsq.exe	114
PID 4008 wrote to memory of 620	4008	wapsq.exe	114
PID 4008 wrote to memory of 620	4008	wapsq.exe	114
PID 4008 wrote to memory of 1672	4008	wapsq.exe	115
PID 4008 wrote to memory of 1672	4008	wapsq.exe	115
PID 4008 wrote to memory of 1672	4008	wapsq.exe	115
PID 620 wrote to memory of 2456	620	wffrr.exe	118
PID 620 wrote to memory of 2456	620	wffrr.exe	118
PID 620 wrote to memory of 2456	620	wffrr.exe	118
PID 620 wrote to memory of 4004	620	wffrr.exe	119
PID 620 wrote to memory of 4004	620	wffrr.exe	119
PID 620 wrote to memory of 4004	620	wffrr.exe	119
PID 2456 wrote to memory of 1636	2456	wjupwsby.exe	121
PID 2456 wrote to memory of 1636	2456	wjupwsby.exe	121
PID 2456 wrote to memory of 1636	2456	wjupwsby.exe	121
PID 2456 wrote to memory of 3280	2456	wjupwsby.exe	122
PID 2456 wrote to memory of 3280	2456	wjupwsby.exe	122
PID 2456 wrote to memory of 3280	2456	wjupwsby.exe	122
PID 1636 wrote to memory of 3372	1636	wmgimeymj.exe	124
PID 1636 wrote to memory of 3372	1636	wmgimeymj.exe	124
PID 1636 wrote to memory of 3372	1636	wmgimeymj.exe	124
PID 1636 wrote to memory of 4916	1636	wmgimeymj.exe	125

C:\Users\Admin\AppData\Local\Temp\00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\wfhxfo.exe
  "C:\Windows\system32\wfhxfo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\wbnsunx.exe
    "C:\Windows\system32\wbnsunx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\wtfdvvm.exe
      "C:\Windows\system32\wtfdvvm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\wkvl.exe
        
        "C:\Windows\system32\wkvl.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Windows\SysWOW64\wprlp.exe
        
        "C:\Windows\system32\wprlp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\weodpb.exe
        
        "C:\Windows\system32\weodpb.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\wapsq.exe
        
        "C:\Windows\system32\wapsq.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\wffrr.exe
        
        "C:\Windows\system32\wffrr.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\wjupwsby.exe
        
        "C:\Windows\system32\wjupwsby.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\wmgimeymj.exe
        
        "C:\Windows\system32\wmgimeymj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\wkw.exe
        
        "C:\Windows\system32\wkw.exe"
        12⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\wfnec.exe
        
        "C:\Windows\system32\wfnec.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\wdsarmbhw.exe
        
        "C:\Windows\system32\wdsarmbhw.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\wtaynv.exe
        
        "C:\Windows\system32\wtaynv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\wqpeivw.exe
        
        "C:\Windows\system32\wqpeivw.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\wdtntr.exe
        
        "C:\Windows\system32\wdtntr.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\whqmkxapl.exe
        
        "C:\Windows\system32\whqmkxapl.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\wpx.exe
        
        "C:\Windows\system32\wpx.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\wneolufd.exe
        
        "C:\Windows\system32\wneolufd.exe"
        20⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\waoykoh.exe
        
        "C:\Windows\system32\waoykoh.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\wee.exe
        
        "C:\Windows\system32\wee.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\wmec.exe
        
        "C:\Windows\system32\wmec.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\wxocwtx.exe
        
        "C:\Windows\system32\wxocwtx.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\wwfdi.exe
        
        "C:\Windows\system32\wwfdi.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\wgeijk.exe
        
        "C:\Windows\system32\wgeijk.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\wofmjmx.exe
        
        "C:\Windows\system32\wofmjmx.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\wew.exe
        
        "C:\Windows\system32\wew.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\wqenrt.exe
        
        "C:\Windows\system32\wqenrt.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\wrpgl.exe
        
        "C:\Windows\system32\wrpgl.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\wlhpn.exe
        
        "C:\Windows\system32\wlhpn.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\wxoqs.exe
        
        "C:\Windows\system32\wxoqs.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\wiuxqxr.exe
        
        "C:\Windows\system32\wiuxqxr.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wvabvn.exe
        
        "C:\Windows\system32\wvabvn.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\wkhdae.exe
        
        "C:\Windows\system32\wkhdae.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\wrokoeo.exe
        
        "C:\Windows\system32\wrokoeo.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\wckf.exe
        
        "C:\Windows\system32\wckf.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\wqrjcrck.exe
        
        "C:\Windows\system32\wqrjcrck.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\whirfaqa.exe
        
        "C:\Windows\system32\whirfaqa.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\wynq.exe
        
        "C:\Windows\system32\wynq.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\wsuqxqyd.exe
        
        "C:\Windows\system32\wsuqxqyd.exe"
        41⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\wsstxfd.exe
        
        "C:\Windows\system32\wsstxfd.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\woixr.exe
        
        "C:\Windows\system32\woixr.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\wbpb.exe
        
        "C:\Windows\system32\wbpb.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\wyibkp.exe
        
        "C:\Windows\system32\wyibkp.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\wtjfv.exe
        
        "C:\Windows\system32\wtjfv.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\wdfbdp.exe
        
        "C:\Windows\system32\wdfbdp.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\wumbyx.exe
        
        "C:\Windows\system32\wumbyx.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\wvjey.exe
        
        "C:\Windows\system32\wvjey.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\wjcqj.exe
        
        "C:\Windows\system32\wjcqj.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\wwwj.exe
        
        "C:\Windows\system32\wwwj.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\woeifcw.exe
        
        "C:\Windows\system32\woeifcw.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\wdvurrh.exe
        
        "C:\Windows\system32\wdvurrh.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\wqcwxi.exe
        
        "C:\Windows\system32\wqcwxi.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\waysdis.exe
        
        "C:\Windows\system32\waysdis.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\weycnre.exe
        
        "C:\Windows\system32\weycnre.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\wnuy.exe
        
        "C:\Windows\system32\wnuy.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\weqps.exe
        
        "C:\Windows\system32\weqps.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\wsusg.exe
        
        "C:\Windows\system32\wsusg.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\wtltsahs.exe
        
        "C:\Windows\system32\wtltsahs.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\wdrbga.exe
        
        "C:\Windows\system32\wdrbga.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\wdqdf.exe
        
        "C:\Windows\system32\wdqdf.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\wnldd.exe
        
        "C:\Windows\system32\wnldd.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\wsrdrkr.exe
        
        "C:\Windows\system32\wsrdrkr.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\wwn.exe
        
        "C:\Windows\system32\wwn.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\wphum.exe
        
        "C:\Windows\system32\wphum.exe"
        66⤵
        Checks computer location settings
        
        PID:4480
        
        C:\Windows\SysWOW64\wdnxslv.exe
        
        "C:\Windows\system32\wdnxslv.exe"
        67⤵
        Checks computer location settings
        
        PID:2560
        
        C:\Windows\SysWOW64\wmueh.exe
        
        "C:\Windows\system32\wmueh.exe"
        68⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\wucjvjo.exe
        
        "C:\Windows\system32\wucjvjo.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\wmij.exe
        
        "C:\Windows\system32\wmij.exe"
        70⤵
        Checks computer location settings
        
        PID:2724
        
        C:\Windows\SysWOW64\wfar.exe
        
        "C:\Windows\system32\wfar.exe"
        71⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\wthuapi.exe
        
        "C:\Windows\system32\wthuapi.exe"
        72⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\wrllf.exe
        
        "C:\Windows\system32\wrllf.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\wgsolvtd.exe
        
        "C:\Windows\system32\wgsolvtd.exe"
        74⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\wfgvct.exe
        
        "C:\Windows\system32\wfgvct.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\wnndqsh.exe
        
        "C:\Windows\system32\wnndqsh.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\wwjyx.exe
        
        "C:\Windows\system32\wwjyx.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\wlpcegsl.exe
        
        "C:\Windows\system32\wlpcegsl.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wgqrfi.exe
        
        "C:\Windows\system32\wgqrfi.exe"
        79⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\wtxuj.exe
        
        "C:\Windows\system32\wtxuj.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\wmdsg.exe
        
        "C:\Windows\system32\wmdsg.exe"
        81⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\wiuybf.exe
        
        "C:\Windows\system32\wiuybf.exe"
        82⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wujrcuc.exe
        
        "C:\Windows\system32\wujrcuc.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\wnoqac.exe
        
        "C:\Windows\system32\wnoqac.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\wjgw.exe
        
        "C:\Windows\system32\wjgw.exe"
        85⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\wnbvjife.exe
        
        "C:\Windows\system32\wnbvjife.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wwidxh.exe
        
        "C:\Windows\system32\wwidxh.exe"
        87⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\whqjl.exe
        
        "C:\Windows\system32\whqjl.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\wmcyulwe.exe
        
        "C:\Windows\system32\wmcyulwe.exe"
        89⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqjl.exe"
        89⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwidxh.exe"
        88⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbvjife.exe"
        87⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgw.exe"
        86⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoqac.exe"
        85⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujrcuc.exe"
        84⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1416
        84⤵
        Program crash
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1460
        84⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuybf.exe"
        83⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdsg.exe"
        82⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxuj.exe"
        81⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqrfi.exe"
        80⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpcegsl.exe"
        79⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjyx.exe"
        78⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnndqsh.exe"
        77⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgvct.exe"
        76⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1096
        76⤵
        Program crash
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsolvtd.exe"
        75⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrllf.exe"
        74⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wthuapi.exe"
        73⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfar.exe"
        72⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmij.exe"
        71⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucjvjo.exe"
        70⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmueh.exe"
        69⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnxslv.exe"
        68⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphum.exe"
        67⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwn.exe"
        66⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrdrkr.exe"
        65⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnldd.exe"
        64⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqdf.exe"
        63⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1468
        63⤵
        Program crash
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrbga.exe"
        62⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtltsahs.exe"
        61⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsusg.exe"
        60⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqps.exe"
        59⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuy.exe"
        58⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weycnre.exe"
        57⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waysdis.exe"
        56⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcwxi.exe"
        55⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1680
        55⤵
        Program crash
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvurrh.exe"
        54⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woeifcw.exe"
        53⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwj.exe"
        52⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcqj.exe"
        51⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjey.exe"
        50⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumbyx.exe"
        49⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1536
        49⤵
        Program crash
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfbdp.exe"
        48⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjfv.exe"
        47⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyibkp.exe"
        46⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpb.exe"
        45⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woixr.exe"
        44⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsstxfd.exe"
        43⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 116
        43⤵
        Program crash
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1536
        43⤵
        Program crash
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuqxqyd.exe"
        42⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 8
        42⤵
        Program crash
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynq.exe"
        41⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirfaqa.exe"
        40⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrjcrck.exe"
        39⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckf.exe"
        38⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrokoeo.exe"
        37⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhdae.exe"
        36⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvabvn.exe"
        35⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuxqxr.exe"
        34⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxoqs.exe"
        33⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhpn.exe"
        32⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpgl.exe"
        31⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqenrt.exe"
        30⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wew.exe"
        29⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofmjmx.exe"
        28⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeijk.exe"
        27⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1620
        27⤵
        Program crash
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfdi.exe"
        26⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxocwtx.exe"
        25⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmec.exe"
        24⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wee.exe"
        23⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waoykoh.exe"
        22⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wneolufd.exe"
        21⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpx.exe"
        20⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqmkxapl.exe"
        19⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtntr.exe"
        18⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpeivw.exe"
        17⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaynv.exe"
        16⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsarmbhw.exe"
        15⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnec.exe"
        14⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkw.exe"
        13⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgimeymj.exe"
        12⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjupwsby.exe"
        11⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffrr.exe"
        10⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapsq.exe"
        9⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weodpb.exe"
        8⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprlp.exe"
        7⤵
        
        PID:4492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvl.exe"
        6⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfdvvm.exe"
        5⤵
        
        PID:3096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnsunx.exe"
      4⤵
      PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhxfo.exe"
    3⤵
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\00b28c98a10ec90e91f8dfae7d40d550_NeikiAnalytics.exe"
  2⤵
  PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2036 -ip 2036
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4476 -ip 4476
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4476 -ip 4476
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1636 -ip 1636
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1636 -ip 1636
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3580 -ip 3580
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4596 -ip 4596
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2216 -ip 2216
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4068 -ip 4068
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4068 -ip 4068
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\waoykoh.exe

Filesize
41KB

MD5
c08ccf4c836ad9dfe4114d980bb900d7

SHA1
e4657d031e9eee36627e63207f5c404e89f87ba7

SHA256
102a7fb889fba90130676ba979980df598e7f97cde5f104674a9ad00f5b593e3

SHA512
799dfa2c31b515811ae09df11a9055d05e2b84c785afef0e50a669035fbbd701d353939484139e63e4f2e9defdd331884ee5f33859903769258bd48b85819db7

Download Submit
C:\Windows\SysWOW64\wapsq.exe

Filesize
40KB

MD5
1c3d8b1cd9ed1d3dd7d32a1d55602edc

SHA1
597ff600cd7884b4eb75a701e2e9069b7ea85b52

SHA256
289256808d21df58d61daf28d776c03d7d986d4d9b3165aec56da3ef1d3b0a86

SHA512
246f9013ff80e9c033a8d39cbba6890f6c13ea721d8560ab11f48b334c0e4275331098bef2b8872d1d237c66d783b33e4c393e69594f4b0d577d9604003a571e

Download Submit
C:\Windows\SysWOW64\wbnsunx.exe

Filesize
40KB

MD5
646eeab73936ccd7c0cd2d531468820d

SHA1
776862c9b963123e040db7c41c6eda0c4f873596

SHA256
f921c97942e68b5ee8f8541489667363f9751186fc746be7276bf4b51059d9d7

SHA512
b2b33822321a765435fc7dc763fb76b654d287bd1807baeafc26bc49af6b0c6a279df342142ee10c9e9ad72adf03a4a3a9b28914fad350b55999135626bd7303

Download Submit
C:\Windows\SysWOW64\wdsarmbhw.exe

Filesize
41KB

MD5
80f0f90ef817729ec1b2fc742e6c59fe

SHA1
43911b228059d20dd4bc1a7fe225b149ab98d85d

SHA256
ef64ce15734c158e2569ebba4b7283f1c77cd3a59095486abe7370cd9e1d3ed2

SHA512
aa7d0b2d346c7a05ad21ffcf4b45651affcd0a26f49dea6142fc2eeebbd7058e709675b61d8edabd7c5512e8a4eac9e5436eccddef1ba0fba51218c09c1253a8

Download Submit
C:\Windows\SysWOW64\wdtntr.exe

Filesize
41KB

MD5
bcfada414b3446d255d87f0fb0c6c04f

SHA1
1920514509d74a2c32a97356ff9654762c53aa75

SHA256
39c569944046be8172c206ed7da16280c39fe26e79884dcacd2310e2a0b47e58

SHA512
89fc49b918b2a378086c30e9ae6120d19bad50afd26ce50f15f4b74e09fe79dcdc994ba32ac0f9c7a6ab89c602835c58b94b0f7b963de0ddaf4f6e7d0cab196a

Download Submit
C:\Windows\SysWOW64\wee.exe

Filesize
41KB

MD5
ea5ef99879340b9315e42abcb2c7c4fd

SHA1
3f2dbdadeaeeded91dcddba143d79523e1ef357e

SHA256
3e02e7b7f66460ebc04d1d20903bb26bb55119d711ab33167fb4899f695aca86

SHA512
c19375bfff1cdd715683f0a9e9091202a59720cbc00bf2f10b9c59246b0f21eef8dfc14e92029d53f07c71162800adca3b060626f56be8ddf3b6b12ad3e1ac8e

Download Submit
C:\Windows\SysWOW64\weodpb.exe

Filesize
40KB

MD5
5dd53b0aa1062c6d830bada25a7cac4b

SHA1
d4c1aaee3b3e2a2b45c5f7f4b0d54ecf082f2371

SHA256
c94a7edcbc724c8a3ec9ccb55525660f7cfef8368331f56d3a1c5711fe6e0177

SHA512
a4878ec8c0ad85e0ab7a901f468119d4fac42a7075d4b1a45ac5589549a7be3cd86832ae78f82e13efcec2e4bdd118312e6e7efa17a88824e143a1e932e345ef

Download Submit
C:\Windows\SysWOW64\wew.exe

Filesize
41KB

MD5
6b9fb17f4972607829d1ff7d5ebf207d

SHA1
6c8192513aee226634e80a5bf16b32678b7f953d

SHA256
ba60c7401c3ef763a8f686c0ff0ef4e32a7e4e72a76c962ec4d1e5b25c5587ff

SHA512
a51066fec77a68b4081e63b6b4e59476c8065cc9b18e938c28c62cf5c9bfb81aa09436689f01976b25bb8eba83388e0d53e5805bfc4ba01d912a018cee950550

Download Submit
C:\Windows\SysWOW64\wffrr.exe

Filesize
40KB

MD5
071f16dabf4ba59a46372648034aa789

SHA1
c3693ccefa657a91cb84a77b467a4efbb6550eaa

SHA256
d263f4b97250d8ed55196dc026d7659a581860f1dbbfd0d631c532a25ad903b5

SHA512
def76a2d42a8704a11a5161aca82fd4d85e426702c89e51f287b5496784863ff42a39391c4ad52b8a85b96c8ab33b2f300a167ec452940268c14cd7b77cdec22

Download Submit
C:\Windows\SysWOW64\wfhxfo.exe

Filesize
40KB

MD5
2d57dd6f007ed6af0a2cbcf24be19221

SHA1
91ef5230d99b02903cff810e9d452d91f62d59f2

SHA256
e30fabc617c4b1e3bc33c6988d183343d6f84419ce63397761e6e2e3125d32f2

SHA512
a67788e5bd7d1eb5b139432acadc30930088a99f7661c679a5a8d221e785cd47863d3b8e3f91a220731b7590a1278f34c370191a54fd5c129958db9b4f55fa65

Download Submit
C:\Windows\SysWOW64\wfnec.exe

Filesize
41KB

MD5
cad4247d91378e283cc8335071786787

SHA1
5e95f5868490b5c26aff4b41ee22a3df67517951

SHA256
0bf08bad4b68091b978ebd75a2d02a2bebac8da4419982627223814959dc100f

SHA512
647465c51872e410ee2612ee18e2bd1c3e0c844912bc8869060fb7260ec1d5040ed4d8453d92b3c94327f7ecb1ca9a3b2a0274572108cc1612af2ab5ba176fdb

Download Submit
C:\Windows\SysWOW64\wgeijk.exe

Filesize
41KB

MD5
15c31667439c058c6b7b47484deeb362

SHA1
25b5656133d17a1ddb9f3e2d5725808890829c03

SHA256
f38b0d33a0e819d3b18428c377967b83f761abd3f7531e962019ef42b06ac402

SHA512
d061f5797c4349f313376b292d3016a6f62b5b66c76594dcd50f569282ab4f5870a21aebbd464317472cab7a500c8f4d480f462d18217cc1aec3f31c6fbef992

Download Submit
C:\Windows\SysWOW64\whqmkxapl.exe

Filesize
41KB

MD5
ecdf35f5bb9a4c3ecaa7db944617a113

SHA1
ed89fef8569f31deda819654b35ef2c147d5de08

SHA256
52a51917c23eff88323ab75a5f2239281ccc5ccc206257853e45df14a8069ea2

SHA512
47ed5e84d235419d5e253092a11176f5b19c7dcd2b689a8ed50e7e448e60f9589686524f0bb4ac847e1b2b5b1797729e238f2daab313579050393e8f2cdb32b1

Download Submit
C:\Windows\SysWOW64\wiuxqxr.exe

Filesize
41KB

MD5
5a417b1562edf7691135ddfec7c483a6

SHA1
e87d37395df91a41eed3d1b32438e1eb844ed11c

SHA256
b330bb27020b23436c6bd1f9949f1fc3a80ed757100511d4bf8950f343d21156

SHA512
4b6ffbfb23cdc109a2e741e58ccf7340c93bdad5c6d83d19809f48ccd9b09f06d3df047898e33224ba46039bebb56c4ec8752bc36e01a0b720ee6a4210c4ad8d

Download Submit
C:\Windows\SysWOW64\wjupwsby.exe

Filesize
40KB

MD5
5d588ecbf98c3250c06863e78649f587

SHA1
5f7194c09a6e522c501aa61f1ea88df55983110e

SHA256
d29236152aaf7f0dc9fd35960a947bda21d58c30e66e99a461b95995c36e829b

SHA512
41c7e58477b553557456d95f48523c8d7b1413215bc47caca7a7c4be33bdf6987a3c0355d48f630880a58b7330653cd5c568f4facc579e2f3edb15275cb8aec1

Download Submit
C:\Windows\SysWOW64\wkvl.exe

Filesize
40KB

MD5
dbc67005ea0d1cb8e4187a4a461aa072

SHA1
55300e88a847d2f6f6d990f91c0fb37ba7838078

SHA256
e69e95de4104c49c413cd95bf45f347e2a8c30a629177753d333e047ffbb67c7

SHA512
b45ce4159afd1d7498b5bb05532e8ce8cf5ff37174720f3731cb45f8971969c38686649acd1f54bd67e1bec762771d0f30dc66da22eee2fecfa876942457cfa0

Download Submit
C:\Windows\SysWOW64\wkw.exe

Filesize
41KB

MD5
6f967e3ef5e8c95e804caf5218784145

SHA1
fd3c3404b7db02fdad8a9c66f2a4ef3737836daf

SHA256
14b4f370f8242bebd41e2b5154d70cf4454575b4f69b2b2885b85e521ab5b5c6

SHA512
4efe3ccb04576f3905174fb89c69f12c3a0c5d3d64277ebbe147759f4726933f0f6d94b9d676df7507f39d43ad6b9e57cf62e2dcafce49bd7195159773cc12ce

Download Submit
C:\Windows\SysWOW64\wlhpn.exe

Filesize
41KB

MD5
edae5d51672b5432b1b5bc7a3df9ee1f

SHA1
05e25cb690bb8b0ca7e2e21de3dfe4069be7c62c

SHA256
cee22387e895a59c4d943d5ee858fef7c411f7e515d74694a422271f34f69cdc

SHA512
8814eb6658cedbdde7025919e2a660658c985acb09dfe020c0e400b1637cdbabec3863bfa7ff3183e8e53149b3474a21b44189a29ea3f1a8b0eb8754acc8e4b7

Download Submit
C:\Windows\SysWOW64\wmec.exe

Filesize
41KB

MD5
b68deca109488983d6c4946dd872ea81

SHA1
6abaa82cd537863cad28ce50dd066380b5aaf152

SHA256
f661fbd58947bfa784bd30eedf690a97b9df92f9149e358294ac865405a1f0b4

SHA512
d117bb092d61e4251a44a5cd587a2ce0cc5654e23cacf7ff14dd10611f0bb2e1b5fe74aea0a175bbe42b8d85e22fecdf91b09b261e893a8e8d0a4bb6c8db5fb5

Download Submit
C:\Windows\SysWOW64\wmgimeymj.exe

Filesize
40KB

MD5
6b315019fa9001c18936aa4f4e44f93f

SHA1
85467f106692d3873dbe35a9affdc127aacb83af

SHA256
d9838ddcca5b52bd7baad56faec3ec8d226d6e095377023ebe11a41c72999da2

SHA512
8fd5e45f7a4692ca28d91ccc3e9f6754ad04f0b250f1f4332a50c47d6b34702bf4250143587733c9ef677c16657a7231f58570db87eda457751d366606c51d7c

Download Submit
C:\Windows\SysWOW64\wneolufd.exe

Filesize
41KB

MD5
50d0b6119543e5924f67e0aca5ccfc15

SHA1
102c5c594433281efa9868e2711c952f6f41f852

SHA256
b090a85f62e75371b036ea39e53a290b972cc496d0dbeba12c265c4840406634

SHA512
5f67ab6c7776982589f6fb48859acfb9532fd8e25b226ad40a852874609e0d2414a3abbb9c3d98f5f5134c986d9ac267cbd854ccd9b509ac656ad75d86b97eab

Download Submit
C:\Windows\SysWOW64\wofmjmx.exe

Filesize
41KB

MD5
7739a3b2c52f7434589191c13a2a8ade

SHA1
a975fcd34ce4024382b59c2ae663ec2e8757e2f6

SHA256
8bc751f825da3e0c255e6b089af1322d2fda7bff8985f0831355fef2d70e1c6a

SHA512
02fa258d523cf26661868e8e80f86efc84fca56771d10a22c130a71cbfaf69841a951b8d8b3968b97d93bc16e9e1100c8676f8f92ae32ba6e889cf824859886e

Download Submit
C:\Windows\SysWOW64\wprlp.exe

Filesize
40KB

MD5
18e8793ededa5811937ab4f98d5f685e

SHA1
55d0cd09118db801c8783cb85deba58f860e62a5

SHA256
958ec62803aeb75765182f293ba763457dbd55049055ce0df1616ace9517d56c

SHA512
49cbe8fec008ed833687b9504963244de8241b7fc2d2f71575dd515e90e833f0ffc517982bf9a05d5d38c3650aae674400187152811ca97ae0a0101fdcd5da2e

Download Submit
C:\Windows\SysWOW64\wpx.exe

Filesize
41KB

MD5
94ce96a78530f74ade07b0b3088fbbfe

SHA1
40cd78665ae7063fd0532113dcb86502dfd24ded

SHA256
a469ed7f72ba3657a4df024969dcf6f98079403c77a609d8238c4ebfd0c8579e

SHA512
eda55c76faa737cd26603280285d655b3c2ad00fc4adf68e9dfab68a12b25e7cf1f2c38d7ef2b382c1af27ba1dd7d870563d281570f0e129e6495c169cf5ba8e

Download Submit
C:\Windows\SysWOW64\wqenrt.exe

Filesize
41KB

MD5
2b842c943361a8d42fa77f18d83682ca

SHA1
4752bc81bd2a3032efa5c20063ad6b2c205eeca7

SHA256
07d08c009622b06254a19ef1148d0ccb3d9d4d22723c80b67306dba5e3a3a167

SHA512
3e92e6f62745e1015f8e80581a731ac9ae64cdd93ce5f468c1857d0a6e9637af8e7b15cebdae9412b8ceebc1be75cc63fb896b3a7a914ece700ddf5952929da2

Download Submit
C:\Windows\SysWOW64\wqpeivw.exe

Filesize
41KB

MD5
468c69cf9ba39e0a12e01a659ae12492

SHA1
b18291787eb65774cb2f8b136dcffec0b64f1dc1

SHA256
ca40bdd36a2cc7b8288c11ddea6b21cc62cc0d73bb8ebd8be8a56c947ccfd846

SHA512
b2b84f0fdc1b113e97872ca2e66782a0d949a341639d1ba6ddb3240ab1044ab8b72be7816b3fed9c2253fc039e8b48b254c021f2e13b577819ab67fe452ae0fd

Download Submit
C:\Windows\SysWOW64\wrpgl.exe

Filesize
41KB

MD5
2392d2d562cfaf7f744c580e6ec1d26a

SHA1
78fceaf1743773e20461ca56d361c680c1047a8a

SHA256
e39031c7890cf12d8aea733d2b9c6e3e78a53bb2da7f1854a43f65fbe9dcc1b6

SHA512
4214e894d29f7dc68a85e2a0eb02fa1dbd717104f573e10b9dc9b4312d88f19a61fe0551e8e328aaf7daf7c5c60857bb56b292828c49fc928e32d4641de79d88

Download Submit
C:\Windows\SysWOW64\wtaynv.exe

Filesize
41KB

MD5
5a6f394bba1e42faba7042b00e154d46

SHA1
9a3e9e197e8f120c3248050f8998d83e010485d0

SHA256
67c4b48c50cdb3b64d45fdaa5e9feaa91ee2a6453def3d40c371cf027250cb7e

SHA512
c6b9428d50d34a849dc684b5ef73eebd10001f25d1a5003ed1ad8593dc56c2e00f5cd0563fef5ff4dc4df300cf28af5d013f6876c2f946a8e8f0292ef63d0994

Download Submit
C:\Windows\SysWOW64\wtfdvvm.exe

Filesize
40KB

MD5
66b8bd80bde2c207f2315de29ed17a4d

SHA1
990f0024879861bae246b9b74f86de57de8d95ae

SHA256
634ca193f02ff7b5bcc6f3fd4a291ddcfc2ad6689503edac8685950ffd92b369

SHA512
60b01deec6fc52de8279c493c6ccf020296e8adb7428de36530c4be9e2c27991e774a8f2da2ee04f57ca92a3280f7061b9347a86bff1e621760189b9d7e30de7

Download Submit
C:\Windows\SysWOW64\wwfdi.exe

Filesize
41KB

MD5
e39b15efc2a0ece12811a39e24bb4daa

SHA1
4be66899a43bdf3c4333ca9f0370d4c912140c13

SHA256
4e9bc201fb9865ab592c6700c24309ebf7ca3c247022a547655482bf4f61e50f

SHA512
ed74c71496366dc98c2cd392d7addc018076e9698073f51b15fda3789df8951f0498b15082eb76f29340214d0ec2f85b5d27e93803298e4fe61146d008e41dfe

Download Submit
C:\Windows\SysWOW64\wxocwtx.exe

Filesize
41KB

MD5
c24110673e3f807057a0acd93b5eb9a4

SHA1
8cbc487d6de2156dc14b29285a2235a05c4952c3

SHA256
23cbdbce39db95da587f5ee15ac4107dc8a7cf5eaab5dbee5cc8b7ae72cdf93e

SHA512
e5d43571bba53f001af087dca252042c71a8ea5370730d8d1a23fe72d7ed35dd7b8c7105f3f5cf06ef64575e0b8cb414ecb56d165c7f8eaa6174ecd5304c8c72

Download Submit
C:\Windows\SysWOW64\wxoqs.exe

Filesize
41KB

MD5
8de2a3289931d9b228902fd6bf30f301

SHA1
fe579fe499857394dd4ba429f6f9ee2f534a77b1

SHA256
15d78e341ad95b5d3ebdcfa7fcae2db1396a4edfd607fdf3b9c75d1a54e1c636

SHA512
43c49a0861175ecd21bd7be1525e9a0e8bf39a1a6b19799173235bca2ad5dcc4f6ab7983329934d9c7ad932e1ab41cb70062e3f71cf9a8839fba2cdde1e9bb1c

Download Submit
memory/364-210-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/364-198-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/376-498-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/376-486-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/620-99-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/632-322-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/844-590-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/940-619-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/940-607-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/972-739-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1004-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1164-767-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1164-385-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1164-376-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1220-301-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1220-288-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1248-386-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1248-395-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1400-188-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1636-424-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1636-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1636-496-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1636-121-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1636-507-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1696-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1696-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1816-200-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-441-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-599-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2084-561-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2084-570-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2160-617-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2160-628-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2216-758-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2216-747-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2352-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2392-422-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2392-433-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2456-111-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2456-98-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2460-267-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2460-277-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2472-403-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2472-414-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2476-459-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2560-683-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2604-795-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2604-405-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2724-700-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2724-711-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2832-786-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2832-775-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2948-702-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2960-367-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2960-356-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2960-525-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3032-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3032-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3064-516-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3144-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3144-166-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3200-243-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3200-255-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3252-44-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3340-681-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3340-692-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3368-334-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3372-131-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3580-581-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3640-233-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3676-478-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3676-467-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3684-346-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3684-332-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3824-749-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3996-804-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4008-88-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4048-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4048-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4060-344-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4060-358-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4100-375-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4380-654-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4380-646-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-534-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4440-266-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4440-254-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4464-580-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4472-457-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4472-469-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4476-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4476-449-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-662-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-211-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-221-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-673-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4512-729-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4540-488-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4548-289-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4592-299-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4592-311-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4596-627-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4596-636-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-645-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4644-609-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4648-777-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4652-544-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4756-720-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4784-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4784-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4836-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4836-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4856-543-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4856-553-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5016-664-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5052-244-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5052-231-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download