7d48185f0dbfea4fcf54b6f7038826fcc8b09cb40e8ffa26762415ca0f32f42c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe
Size

103KB
MD5

3a02499a3d82ac43d223b08cade8d000
SHA1

3a4090f5c79ff21e719a4e91c4698d091c0f95e7
SHA256

7d48185f0dbfea4fcf54b6f7038826fcc8b09cb40e8ffa26762415ca0f32f42c
SHA512

707a691aa5dd77443409b344d3d39079f4e7ddee56a28b876285d0bd82b416002fd502b451f6de3ee06663274818380860af34f7cac5bb498a101d4b87c59c34
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA15:yfjxrhzk2nfsWhP7dvavi6vWEbh8XX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wovwjqpg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvtsodeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wypefllp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wncqqldk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnavpu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqjtqsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkhkxipl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wiptx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wplksyfm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmisqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkkhu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkuinyl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wpwvetg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	weibpaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wloqon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whlai.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbbep.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	woeqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whowku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnbnhtp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wejltyirb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wswefhcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wacxoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wiiujf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wigovcof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wiiuclc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwbrcjd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wetau.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqiwfbfmh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvdvhhvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkgdallxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqbtxsxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wyjsywfh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whdubcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wllir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqpake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcbpnm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wckqbay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whxjpfp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wrcvhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbqvdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvtcmwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wofiqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwkncmq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wywlf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvmdddy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcsstfq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtekp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wadwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	worfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkbwntj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wdhkhpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjdwy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsbkrnk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlurtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbxoek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wdrijy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtcyavnj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	woenvkap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wpkgpil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgsvtgt.exe

Executes dropped EXE 64 IoCs

pid	Process
4244	wllmluy.exe
3036	wrcvhe.exe
1496	wre.exe
2920	wiiuclc.exe
440	wflhnpe.exe
4868	wwowh.exe
2628	wgsvtgt.exe
3236	wydnkj.exe
5040	wwbrcjd.exe
232	wahsvwp.exe
3756	wcpel.exe
2668	wdyoah.exe
3152	wqaak.exe
3036	wkhkxipl.exe
4316	wovwjqpg.exe
4948	wcbpnm.exe
1348	wquwtxb.exe
2536	wpwvetg.exe
2384	whdubcj.exe
4528	wpaoahsj.exe
4140	wetau.exe
5104	wywlf.exe
1812	whcjrjv.exe
1504	wvtsodeh.exe
4676	wbo.exe
4440	weibpaj.exe
3784	wpdoudq.exe
3540	wulvc.exe
2404	wmec.exe
4004	wajvru.exe
4852	womp.exe
1276	wbfap.exe
3668	wjrkhosbc.exe
4784	wnfyicmu.exe
4340	wvdvhhvs.exe
4524	wjoeqexr.exe
4984	wjdwy.exe
4392	wjf.exe
4464	wirxl.exe
4848	wng.exe
3292	wqenrt.exe
2544	wnuow.exe
1512	wbaiaru.exe
4600	wixe.exe
2920	wwfen.exe
1680	wjogjo.exe
2516	wbqvdb.exe
1640	wrnklpn.exe
2628	wpgmps.exe
4064	woeqf.exe
4960	whfw.exe
4568	wkgdallxu.exe
4828	wxdvpixj.exe
3532	wccuwxe.exe
2076	wtekp.exe
5044	wcuekk.exe
628	wloqon.exe
1696	wdrijy.exe
3308	wgewknec.exe
1736	wdsuc.exe
552	weudfm.exe
208	wexmhi.exe
5020	whlai.exe
3812	wqiwfbfmh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wflhnpe.exe	wiiuclc.exe
File created	C:\Windows\SysWOW64\wkhkxipl.exe	wqaak.exe
File created	C:\Windows\SysWOW64\wng.exe	wirxl.exe
File opened for modification	C:\Windows\SysWOW64\wng.exe	wirxl.exe
File opened for modification	C:\Windows\SysWOW64\wjogjo.exe	wwfen.exe
File opened for modification	C:\Windows\SysWOW64\woeqf.exe	wpgmps.exe
File created	C:\Windows\SysWOW64\wdsuc.exe	wgewknec.exe
File opened for modification	C:\Windows\SysWOW64\wgjheoa.exe	wwfkrlilf.exe
File created	C:\Windows\SysWOW64\wpaoahsj.exe	whdubcj.exe
File created	C:\Windows\SysWOW64\wjoeqexr.exe	wvdvhhvs.exe
File created	C:\Windows\SysWOW64\wpgmps.exe	wrnklpn.exe
File opened for modification	C:\Windows\SysWOW64\wnavpu.exe	wwqx.exe
File created	C:\Windows\SysWOW64\wsvbuqru.exe	wbxoek.exe
File created	C:\Windows\SysWOW64\wrnklpn.exe	wbqvdb.exe
File opened for modification	C:\Windows\SysWOW64\whowku.exe	wpkgpil.exe
File opened for modification	C:\Windows\SysWOW64\wypefllp.exe	wyblvo.exe
File created	C:\Windows\SysWOW64\wkkhu.exe	wcxvd.exe
File created	C:\Windows\SysWOW64\wpkgpil.exe	wgmkqcd.exe
File opened for modification	C:\Windows\SysWOW64\wqjtqsv.exe	wdqjvx.exe
File created	C:\Windows\SysWOW64\wmdhn.exe	wxthy.exe
File opened for modification	C:\Windows\SysWOW64\wbugbo.exe	wrbswmjmh.exe
File opened for modification	C:\Windows\SysWOW64\wsvbuqru.exe	wbxoek.exe
File opened for modification	C:\Windows\SysWOW64\wbfap.exe	womp.exe
File created	C:\Windows\SysWOW64\wpwvetg.exe	wquwtxb.exe
File opened for modification	C:\Windows\SysWOW64\whlai.exe	wexmhi.exe
File opened for modification	C:\Windows\SysWOW64\wqbtxsxm.exe	wacxoh.exe
File created	C:\Windows\SysWOW64\wbugbo.exe	wrbswmjmh.exe
File created	C:\Windows\SysWOW64\wgsvtgt.exe	wwowh.exe
File created	C:\Windows\SysWOW64\wcbpnm.exe	wovwjqpg.exe
File opened for modification	C:\Windows\SysWOW64\wetau.exe	wpaoahsj.exe
File opened for modification	C:\Windows\SysWOW64\wrnklpn.exe	wbqvdb.exe
File opened for modification	C:\Windows\SysWOW64\wfni.exe	wtcyavnj.exe
File opened for modification	C:\Windows\SysWOW64\wyjsywfh.exe	wvvexjlnn.exe
File created	C:\Windows\SysWOW64\wvmdddy.exe	wvakth.exe
File opened for modification	C:\Windows\SysWOW64\wvmdddy.exe	wvakth.exe
File opened for modification	C:\Windows\SysWOW64\wofiqo.exe	wvmdddy.exe
File opened for modification	C:\Windows\SysWOW64\woenvkap.exe	wjcibx.exe
File created	C:\Windows\SysWOW64\wjrkhosbc.exe	wbfap.exe
File created	C:\Windows\SysWOW64\wirxl.exe	wjf.exe
File created	C:\Windows\SysWOW64\whlai.exe	wexmhi.exe
File opened for modification	C:\Windows\SysWOW64\wsohpa.exe	wncqqldk.exe
File opened for modification	C:\Windows\SysWOW64\wjcibx.exe	wnavpu.exe
File opened for modification	C:\Windows\SysWOW64\wgmkqcd.exe	wkuinyl.exe
File created	C:\Windows\SysWOW64\wdhkhpha.exe	wqjtqsv.exe
File opened for modification	C:\Windows\SysWOW64\wdhkhpha.exe	wqjtqsv.exe
File created	C:\Windows\SysWOW64\wpdoudq.exe	weibpaj.exe
File created	C:\Windows\SysWOW64\wdrijy.exe	wloqon.exe
File opened for modification	C:\Windows\SysWOW64\wiptx.exe	wqbtxsxm.exe
File created	C:\Windows\SysWOW64\wgwmfbrfr.exe	whxjpfp.exe
File opened for modification	C:\Windows\SysWOW64\wqpake.exe	wgwmfbrfr.exe
File opened for modification	C:\Windows\SysWOW64\wvakth.exe	whwoitk.exe
File opened for modification	C:\Windows\SysWOW64\wjqdgs.exe	wmdhn.exe
File opened for modification	C:\Windows\SysWOW64\wgwmfbrfr.exe	whxjpfp.exe
File opened for modification	C:\Windows\SysWOW64\wpxm.exe	wic.exe
File opened for modification	C:\Windows\SysWOW64\wpwvetg.exe	wquwtxb.exe
File created	C:\Windows\SysWOW64\wbo.exe	wvtsodeh.exe
File opened for modification	C:\Windows\SysWOW64\wxdvpixj.exe	wkgdallxu.exe
File created	C:\Windows\SysWOW64\wyqdyh.exe	wpshbc.exe
File opened for modification	C:\Windows\SysWOW64\wcxvd.exe	wosbyke.exe
File opened for modification	C:\Windows\SysWOW64\wjlt.exe	wgxdm.exe
File opened for modification	C:\Windows\SysWOW64\wrcvhe.exe	wllmluy.exe
File created	C:\Windows\SysWOW64\wovwjqpg.exe	wkhkxipl.exe
File opened for modification	C:\Windows\SysWOW64\wywlf.exe	wetau.exe
File opened for modification	C:\Windows\SysWOW64\wwfen.exe	wixe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
3280	4316	WerFault.exe	129
3476	2384	WerFault.exe	144
4528	4004	WerFault.exe	181
2348	4852	WerFault.exe	184
5032	2516	WerFault.exe	237
1192	4828	WerFault.exe	257
1316	4828	WerFault.exe	257
2928	3532	WerFault.exe	260
1428	4828	WerFault.exe	257
3064	4828	WerFault.exe	257
3592	3308	WerFault.exe	285
2464	552	WerFault.exe	293
2196	3812	WerFault.exe	304
428	1252	WerFault.exe	399
4232	1252	WerFault.exe	399
1588	4140	WerFault.exe	402
4544	1252	WerFault.exe	399
1364	3564	WerFault.exe	431
5016	428	WerFault.exe	445
2776	3720	WerFault.exe	483
4020	2764	WerFault.exe	521
1140	3064	WerFault.exe	574
3236	1792	WerFault.exe	621
4392	1792	WerFault.exe	621
1228	4524	WerFault.exe	634

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4244	3008	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe	84
PID 3008 wrote to memory of 4244	3008	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe	84
PID 3008 wrote to memory of 4244	3008	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe	84
PID 3008 wrote to memory of 2764	3008	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe	86
PID 3008 wrote to memory of 2764	3008	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe	86
PID 3008 wrote to memory of 2764	3008	3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe	86
PID 4244 wrote to memory of 3036	4244	wllmluy.exe	89
PID 4244 wrote to memory of 3036	4244	wllmluy.exe	89
PID 4244 wrote to memory of 3036	4244	wllmluy.exe	89
PID 4244 wrote to memory of 4812	4244	wllmluy.exe	90
PID 4244 wrote to memory of 4812	4244	wllmluy.exe	90
PID 4244 wrote to memory of 4812	4244	wllmluy.exe	90
PID 3036 wrote to memory of 1496	3036	wrcvhe.exe	93
PID 3036 wrote to memory of 1496	3036	wrcvhe.exe	93
PID 3036 wrote to memory of 1496	3036	wrcvhe.exe	93
PID 3036 wrote to memory of 4516	3036	wrcvhe.exe	94
PID 3036 wrote to memory of 4516	3036	wrcvhe.exe	94
PID 3036 wrote to memory of 4516	3036	wrcvhe.exe	94
PID 1496 wrote to memory of 2920	1496	wre.exe	96
PID 1496 wrote to memory of 2920	1496	wre.exe	96
PID 1496 wrote to memory of 2920	1496	wre.exe	96
PID 1496 wrote to memory of 1052	1496	wre.exe	97
PID 1496 wrote to memory of 1052	1496	wre.exe	97
PID 1496 wrote to memory of 1052	1496	wre.exe	97
PID 2920 wrote to memory of 440	2920	wiiuclc.exe	99
PID 2920 wrote to memory of 440	2920	wiiuclc.exe	99
PID 2920 wrote to memory of 440	2920	wiiuclc.exe	99
PID 2920 wrote to memory of 1888	2920	wiiuclc.exe	100
PID 2920 wrote to memory of 1888	2920	wiiuclc.exe	100
PID 2920 wrote to memory of 1888	2920	wiiuclc.exe	100
PID 440 wrote to memory of 4868	440	wflhnpe.exe	102
PID 440 wrote to memory of 4868	440	wflhnpe.exe	102
PID 440 wrote to memory of 4868	440	wflhnpe.exe	102
PID 440 wrote to memory of 2240	440	wflhnpe.exe	103
PID 440 wrote to memory of 2240	440	wflhnpe.exe	103
PID 440 wrote to memory of 2240	440	wflhnpe.exe	103
PID 4868 wrote to memory of 2628	4868	wwowh.exe	105
PID 4868 wrote to memory of 2628	4868	wwowh.exe	105
PID 4868 wrote to memory of 2628	4868	wwowh.exe	105
PID 4868 wrote to memory of 468	4868	wwowh.exe	106
PID 4868 wrote to memory of 468	4868	wwowh.exe	106
PID 4868 wrote to memory of 468	4868	wwowh.exe	106
PID 2628 wrote to memory of 3236	2628	wgsvtgt.exe	108
PID 2628 wrote to memory of 3236	2628	wgsvtgt.exe	108
PID 2628 wrote to memory of 3236	2628	wgsvtgt.exe	108
PID 2628 wrote to memory of 2128	2628	wgsvtgt.exe	109
PID 2628 wrote to memory of 2128	2628	wgsvtgt.exe	109
PID 2628 wrote to memory of 2128	2628	wgsvtgt.exe	109
PID 3236 wrote to memory of 5040	3236	wydnkj.exe	111
PID 3236 wrote to memory of 5040	3236	wydnkj.exe	111
PID 3236 wrote to memory of 5040	3236	wydnkj.exe	111
PID 3236 wrote to memory of 4348	3236	wydnkj.exe	112
PID 3236 wrote to memory of 4348	3236	wydnkj.exe	112
PID 3236 wrote to memory of 4348	3236	wydnkj.exe	112
PID 5040 wrote to memory of 232	5040	wwbrcjd.exe	114
PID 5040 wrote to memory of 232	5040	wwbrcjd.exe	114
PID 5040 wrote to memory of 232	5040	wwbrcjd.exe	114
PID 5040 wrote to memory of 2300	5040	wwbrcjd.exe	115
PID 5040 wrote to memory of 2300	5040	wwbrcjd.exe	115
PID 5040 wrote to memory of 2300	5040	wwbrcjd.exe	115
PID 232 wrote to memory of 3756	232	wahsvwp.exe	117
PID 232 wrote to memory of 3756	232	wahsvwp.exe	117
PID 232 wrote to memory of 3756	232	wahsvwp.exe	117
PID 232 wrote to memory of 4960	232	wahsvwp.exe	118

C:\Users\Admin\AppData\Local\Temp\3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\wllmluy.exe
  "C:\Windows\system32\wllmluy.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\wrcvhe.exe
    "C:\Windows\system32\wrcvhe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\wre.exe
      "C:\Windows\system32\wre.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\SysWOW64\wiiuclc.exe
        
        "C:\Windows\system32\wiiuclc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\wflhnpe.exe
        
        "C:\Windows\system32\wflhnpe.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\wwowh.exe
        
        "C:\Windows\system32\wwowh.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\wgsvtgt.exe
        
        "C:\Windows\system32\wgsvtgt.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\wydnkj.exe
        
        "C:\Windows\system32\wydnkj.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\wwbrcjd.exe
        
        "C:\Windows\system32\wwbrcjd.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\wahsvwp.exe
        
        "C:\Windows\system32\wahsvwp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\wcpel.exe
        
        "C:\Windows\system32\wcpel.exe"
        12⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\wdyoah.exe
        
        "C:\Windows\system32\wdyoah.exe"
        13⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\wqaak.exe
        
        "C:\Windows\system32\wqaak.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\wkhkxipl.exe
        
        "C:\Windows\system32\wkhkxipl.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\wovwjqpg.exe
        
        "C:\Windows\system32\wovwjqpg.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\wcbpnm.exe
        
        "C:\Windows\system32\wcbpnm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\wquwtxb.exe
        
        "C:\Windows\system32\wquwtxb.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\wpwvetg.exe
        
        "C:\Windows\system32\wpwvetg.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\whdubcj.exe
        
        "C:\Windows\system32\whdubcj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\wpaoahsj.exe
        
        "C:\Windows\system32\wpaoahsj.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wetau.exe
        
        "C:\Windows\system32\wetau.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\wywlf.exe
        
        "C:\Windows\system32\wywlf.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\whcjrjv.exe
        
        "C:\Windows\system32\whcjrjv.exe"
        24⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\wvtsodeh.exe
        
        "C:\Windows\system32\wvtsodeh.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\wbo.exe
        
        "C:\Windows\system32\wbo.exe"
        26⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\weibpaj.exe
        
        "C:\Windows\system32\weibpaj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\wpdoudq.exe
        
        "C:\Windows\system32\wpdoudq.exe"
        28⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\wulvc.exe
        
        "C:\Windows\system32\wulvc.exe"
        29⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\wmec.exe
        
        "C:\Windows\system32\wmec.exe"
        30⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\wajvru.exe
        
        "C:\Windows\system32\wajvru.exe"
        31⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\womp.exe
        
        "C:\Windows\system32\womp.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\wbfap.exe
        
        "C:\Windows\system32\wbfap.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\wjrkhosbc.exe
        
        "C:\Windows\system32\wjrkhosbc.exe"
        34⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\wnfyicmu.exe
        
        "C:\Windows\system32\wnfyicmu.exe"
        35⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\wvdvhhvs.exe
        
        "C:\Windows\system32\wvdvhhvs.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\wjoeqexr.exe
        
        "C:\Windows\system32\wjoeqexr.exe"
        37⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\wjdwy.exe
        
        "C:\Windows\system32\wjdwy.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\wjf.exe
        
        "C:\Windows\system32\wjf.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\wirxl.exe
        
        "C:\Windows\system32\wirxl.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\wng.exe
        
        "C:\Windows\system32\wng.exe"
        41⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\wqenrt.exe
        
        "C:\Windows\system32\wqenrt.exe"
        42⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\wnuow.exe
        
        "C:\Windows\system32\wnuow.exe"
        43⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\wbaiaru.exe
        
        "C:\Windows\system32\wbaiaru.exe"
        44⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\wixe.exe
        
        "C:\Windows\system32\wixe.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\wwfen.exe
        
        "C:\Windows\system32\wwfen.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wjogjo.exe
        
        "C:\Windows\system32\wjogjo.exe"
        47⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\wbqvdb.exe
        
        "C:\Windows\system32\wbqvdb.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wrnklpn.exe
        
        "C:\Windows\system32\wrnklpn.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\wpgmps.exe
        
        "C:\Windows\system32\wpgmps.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\woeqf.exe
        
        "C:\Windows\system32\woeqf.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\whfw.exe
        
        "C:\Windows\system32\whfw.exe"
        52⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\wkgdallxu.exe
        
        "C:\Windows\system32\wkgdallxu.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\wxdvpixj.exe
        
        "C:\Windows\system32\wxdvpixj.exe"
        54⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\wccuwxe.exe
        
        "C:\Windows\system32\wccuwxe.exe"
        55⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\wtekp.exe
        
        "C:\Windows\system32\wtekp.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\wcuekk.exe
        
        "C:\Windows\system32\wcuekk.exe"
        57⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\wloqon.exe
        
        "C:\Windows\system32\wloqon.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\wdrijy.exe
        
        "C:\Windows\system32\wdrijy.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\wgewknec.exe
        
        "C:\Windows\system32\wgewknec.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\wdsuc.exe
        
        "C:\Windows\system32\wdsuc.exe"
        61⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\weudfm.exe
        
        "C:\Windows\system32\weudfm.exe"
        62⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\wexmhi.exe
        
        "C:\Windows\system32\wexmhi.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\whlai.exe
        
        "C:\Windows\system32\whlai.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\wqiwfbfmh.exe
        
        "C:\Windows\system32\wqiwfbfmh.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\wllir.exe
        
        "C:\Windows\system32\wllir.exe"
        66⤵
        Checks computer location settings
        
        PID:2212
        
        C:\Windows\SysWOW64\wxiahd.exe
        
        "C:\Windows\system32\wxiahd.exe"
        67⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\wqbgu.exe
        
        "C:\Windows\system32\wqbgu.exe"
        68⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\wlpdl.exe
        
        "C:\Windows\system32\wlpdl.exe"
        69⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\wyblvo.exe
        
        "C:\Windows\system32\wyblvo.exe"
        70⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\wypefllp.exe
        
        "C:\Windows\system32\wypefllp.exe"
        71⤵
        Checks computer location settings
        
        PID:3476
        
        C:\Windows\SysWOW64\wacxoh.exe
        
        "C:\Windows\system32\wacxoh.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\wqbtxsxm.exe
        
        "C:\Windows\system32\wqbtxsxm.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\wiptx.exe
        
        "C:\Windows\system32\wiptx.exe"
        74⤵
        Checks computer location settings
        
        PID:4904
        
        C:\Windows\SysWOW64\wyibkp.exe
        
        "C:\Windows\system32\wyibkp.exe"
        75⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\wummwu.exe
        
        "C:\Windows\system32\wummwu.exe"
        76⤵
        
        PID:400
        
        C:\Windows\SysWOW64\wpshbc.exe
        
        "C:\Windows\system32\wpshbc.exe"
        77⤵
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\wyqdyh.exe
        
        "C:\Windows\system32\wyqdyh.exe"
        78⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\wquutt.exe
        
        "C:\Windows\system32\wquutt.exe"
        79⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\wadwr.exe
        
        "C:\Windows\system32\wadwr.exe"
        80⤵
        Checks computer location settings
        
        PID:3500
        
        C:\Windows\SysWOW64\wnbnhtp.exe
        
        "C:\Windows\system32\wnbnhtp.exe"
        81⤵
        Checks computer location settings
        
        PID:3192
        
        C:\Windows\SysWOW64\wvtcmwu.exe
        
        "C:\Windows\system32\wvtcmwu.exe"
        82⤵
        Checks computer location settings
        
        PID:4744
        
        C:\Windows\SysWOW64\wvvk.exe
        
        "C:\Windows\system32\wvvk.exe"
        83⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\wbjaqe.exe
        
        "C:\Windows\system32\wbjaqe.exe"
        84⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\wig.exe
        
        "C:\Windows\system32\wig.exe"
        85⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\wsbkrnk.exe
        
        "C:\Windows\system32\wsbkrnk.exe"
        86⤵
        Checks computer location settings
        
        PID:1752
        
        C:\Windows\SysWOW64\wno.exe
        
        "C:\Windows\system32\wno.exe"
        87⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\wsqke.exe
        
        "C:\Windows\system32\wsqke.exe"
        88⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\wplksyfm.exe
        
        "C:\Windows\system32\wplksyfm.exe"
        89⤵
        Checks computer location settings
        
        PID:452
        
        C:\Windows\SysWOW64\wqfeos.exe
        
        "C:\Windows\system32\wqfeos.exe"
        90⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\wiiujf.exe
        
        "C:\Windows\system32\wiiujf.exe"
        91⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Windows\SysWOW64\wwrtxa.exe
        
        "C:\Windows\system32\wwrtxa.exe"
        92⤵
        
        PID:212
        
        C:\Windows\SysWOW64\wnfuan.exe
        
        "C:\Windows\system32\wnfuan.exe"
        93⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\wejltyirb.exe
        
        "C:\Windows\system32\wejltyirb.exe"
        94⤵
        Checks computer location settings
        
        PID:4848
        
        C:\Windows\SysWOW64\wwbqglw.exe
        
        "C:\Windows\system32\wwbqglw.exe"
        95⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\wgvelnch.exe
        
        "C:\Windows\system32\wgvelnch.exe"
        96⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\wtaxni.exe
        
        "C:\Windows\system32\wtaxni.exe"
        97⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\wdljf.exe
        
        "C:\Windows\system32\wdljf.exe"
        98⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\wkyv.exe
        
        "C:\Windows\system32\wkyv.exe"
        99⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\wyreumc.exe
        
        "C:\Windows\system32\wyreumc.exe"
        100⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\wugclq.exe
        
        "C:\Windows\system32\wugclq.exe"
        101⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\wmxhy.exe
        
        "C:\Windows\system32\wmxhy.exe"
        102⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\wvvexjlnn.exe
        
        "C:\Windows\system32\wvvexjlnn.exe"
        103⤵
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\wyjsywfh.exe
        
        "C:\Windows\system32\wyjsywfh.exe"
        104⤵
        Checks computer location settings
        
        PID:3564
        
        C:\Windows\SysWOW64\wigovcof.exe
        
        "C:\Windows\system32\wigovcof.exe"
        105⤵
        Checks computer location settings
        
        PID:2308
        
        C:\Windows\SysWOW64\wmisqo.exe
        
        "C:\Windows\system32\wmisqo.exe"
        106⤵
        Checks computer location settings
        
        PID:2628
        
        C:\Windows\SysWOW64\whwoitk.exe
        
        "C:\Windows\system32\whwoitk.exe"
        107⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\wvakth.exe
        
        "C:\Windows\system32\wvakth.exe"
        108⤵
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\wvmdddy.exe
        
        "C:\Windows\system32\wvmdddy.exe"
        109⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\wofiqo.exe
        
        "C:\Windows\system32\wofiqo.exe"
        110⤵
        Checks computer location settings
        
        PID:2264
        
        C:\Windows\SysWOW64\wosbyke.exe
        
        "C:\Windows\system32\wosbyke.exe"
        111⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\wcxvd.exe
        
        "C:\Windows\system32\wcxvd.exe"
        112⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wkkhu.exe
        
        "C:\Windows\system32\wkkhu.exe"
        113⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Windows\SysWOW64\wgxdm.exe
        
        "C:\Windows\system32\wgxdm.exe"
        114⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\wjlt.exe
        
        "C:\Windows\system32\wjlt.exe"
        115⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\wswefhcj.exe
        
        "C:\Windows\system32\wswefhcj.exe"
        116⤵
        Checks computer location settings
        
        PID:432
        
        C:\Windows\SysWOW64\wncqqldk.exe
        
        "C:\Windows\system32\wncqqldk.exe"
        117⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\wsohpa.exe
        
        "C:\Windows\system32\wsohpa.exe"
        118⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\wtcyavnj.exe
        
        "C:\Windows\system32\wtcyavnj.exe"
        119⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\wfni.exe
        
        "C:\Windows\system32\wfni.exe"
        120⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\wwqx.exe
        
        "C:\Windows\system32\wwqx.exe"
        121⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\wnavpu.exe
        
        "C:\Windows\system32\wnavpu.exe"
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\wjcibx.exe
        
        "C:\Windows\system32\wjcibx.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\woenvkap.exe
        
        "C:\Windows\system32\woenvkap.exe"
        124⤵
        Checks computer location settings
        
        PID:3280
        
        C:\Windows\SysWOW64\worfe.exe
        
        "C:\Windows\system32\worfe.exe"
        125⤵
        Checks computer location settings
        
        PID:3252
        
        C:\Windows\SysWOW64\wckqbay.exe
        
        "C:\Windows\system32\wckqbay.exe"
        126⤵
        Checks computer location settings
        
        PID:4776
        
        C:\Windows\SysWOW64\wotsx.exe
        
        "C:\Windows\system32\wotsx.exe"
        127⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\wkkub.exe
        
        "C:\Windows\system32\wkkub.exe"
        128⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\wgyqsgbe.exe
        
        "C:\Windows\system32\wgyqsgbe.exe"
        129⤵
        
        PID:740
        
        C:\Windows\SysWOW64\wkbwntj.exe
        
        "C:\Windows\system32\wkbwntj.exe"
        130⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\SysWOW64\wbiub.exe
        
        "C:\Windows\system32\wbiub.exe"
        131⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\wsca.exe
        
        "C:\Windows\system32\wsca.exe"
        132⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\wxayuje.exe
        
        "C:\Windows\system32\wxayuje.exe"
        133⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\wbbep.exe
        
        "C:\Windows\system32\wbbep.exe"
        134⤵
        Checks computer location settings
        
        PID:428
        
        C:\Windows\SysWOW64\wlurtx.exe
        
        "C:\Windows\system32\wlurtx.exe"
        135⤵
        Checks computer location settings
        
        PID:4584
        
        C:\Windows\SysWOW64\wtsnre.exe
        
        "C:\Windows\system32\wtsnre.exe"
        136⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\wcpjqj.exe
        
        "C:\Windows\system32\wcpjqj.exe"
        137⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\wcsstfq.exe
        
        "C:\Windows\system32\wcsstfq.exe"
        138⤵
        Checks computer location settings
        
        PID:1260
        
        C:\Windows\SysWOW64\wnpl.exe
        
        "C:\Windows\system32\wnpl.exe"
        139⤵
        Checks computer location settings
        
        PID:2520
        
        C:\Windows\SysWOW64\wktwtgfb.exe
        
        "C:\Windows\system32\wktwtgfb.exe"
        140⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\wkgpdb.exe
        
        "C:\Windows\system32\wkgpdb.exe"
        141⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\wkuinyl.exe
        
        "C:\Windows\system32\wkuinyl.exe"
        142⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\wgmkqcd.exe
        
        "C:\Windows\system32\wgmkqcd.exe"
        143⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\wpkgpil.exe
        
        "C:\Windows\system32\wpkgpil.exe"
        144⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\whowku.exe
        
        "C:\Windows\system32\whowku.exe"
        145⤵
        Checks computer location settings
        
        PID:4048
        
        C:\Windows\SysWOW64\wdqjvx.exe
        
        "C:\Windows\system32\wdqjvx.exe"
        146⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\wqjtqsv.exe
        
        "C:\Windows\system32\wqjtqsv.exe"
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wdhkhpha.exe
        
        "C:\Windows\system32\wdhkhpha.exe"
        148⤵
        Checks computer location settings
        
        PID:1956
        
        C:\Windows\SysWOW64\wxthy.exe
        
        "C:\Windows\system32\wxthy.exe"
        149⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wmdhn.exe
        
        "C:\Windows\system32\wmdhn.exe"
        150⤵
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\wjqdgs.exe
        
        "C:\Windows\system32\wjqdgs.exe"
        151⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\wwkncmq.exe
        
        "C:\Windows\system32\wwkncmq.exe"
        152⤵
        Checks computer location settings
        
        PID:1712
        
        C:\Windows\SysWOW64\wjdww.exe
        
        "C:\Windows\system32\wjdww.exe"
        153⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\wrbswmjmh.exe
        
        "C:\Windows\system32\wrbswmjmh.exe"
        154⤵
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\wbugbo.exe
        
        "C:\Windows\system32\wbugbo.exe"
        155⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\wbxoek.exe
        
        "C:\Windows\system32\wbxoek.exe"
        156⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\wsvbuqru.exe
        
        "C:\Windows\system32\wsvbuqru.exe"
        157⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\wxevjc.exe
        
        "C:\Windows\system32\wxevjc.exe"
        158⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\whxjpfp.exe
        
        "C:\Windows\system32\whxjpfp.exe"
        159⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\wgwmfbrfr.exe
        
        "C:\Windows\system32\wgwmfbrfr.exe"
        160⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\wqpake.exe
        
        "C:\Windows\system32\wqpake.exe"
        161⤵
        Checks computer location settings
        
        PID:5080
        
        C:\Windows\SysWOW64\wic.exe
        
        "C:\Windows\system32\wic.exe"
        162⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\wpxm.exe
        
        "C:\Windows\system32\wpxm.exe"
        163⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\wmcyulwe.exe
        
        "C:\Windows\system32\wmcyulwe.exe"
        164⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\wmrdw.exe
        
        "C:\Windows\system32\wmrdw.exe"
        165⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\wsjuse.exe
        
        "C:\Windows\system32\wsjuse.exe"
        166⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\wwfkrlilf.exe
        
        "C:\Windows\system32\wwfkrlilf.exe"
        167⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\wgjheoa.exe
        
        "C:\Windows\system32\wgjheoa.exe"
        168⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfkrlilf.exe"
        168⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1412
        168⤵
        Program crash
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjuse.exe"
        167⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrdw.exe"
        166⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmcyulwe.exe"
        165⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 116
        165⤵
        Program crash
        
        PID:3236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1536
        165⤵
        Program crash
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxm.exe"
        164⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wic.exe"
        163⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpake.exe"
        162⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwmfbrfr.exe"
        161⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxjpfp.exe"
        160⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxevjc.exe"
        159⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvbuqru.exe"
        158⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbxoek.exe"
        157⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbugbo.exe"
        156⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbswmjmh.exe"
        155⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdww.exe"
        154⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkncmq.exe"
        153⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqdgs.exe"
        152⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdhn.exe"
        151⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxthy.exe"
        150⤵
        
        PID:320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1072
        150⤵
        Program crash
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdhkhpha.exe"
        149⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjtqsv.exe"
        148⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqjvx.exe"
        147⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whowku.exe"
        146⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkgpil.exe"
        145⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmkqcd.exe"
        144⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuinyl.exe"
        143⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgpdb.exe"
        142⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktwtgfb.exe"
        141⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpl.exe"
        140⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsstfq.exe"
        139⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpjqj.exe"
        138⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsnre.exe"
        137⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlurtx.exe"
        136⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbep.exe"
        135⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxayuje.exe"
        134⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsca.exe"
        133⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1340
        133⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbiub.exe"
        132⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbwntj.exe"
        131⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyqsgbe.exe"
        130⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkub.exe"
        129⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotsx.exe"
        128⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckqbay.exe"
        127⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worfe.exe"
        126⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woenvkap.exe"
        125⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcibx.exe"
        124⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnavpu.exe"
        123⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqx.exe"
        122⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfni.exe"
        121⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1220
        121⤵
        Program crash
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcyavnj.exe"
        120⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsohpa.exe"
        119⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncqqldk.exe"
        118⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswefhcj.exe"
        117⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlt.exe"
        116⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxdm.exe"
        115⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkhu.exe"
        114⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxvd.exe"
        113⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosbyke.exe"
        112⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofiqo.exe"
        111⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmdddy.exe"
        110⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvakth.exe"
        109⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1436
        109⤵
        Program crash
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwoitk.exe"
        108⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmisqo.exe"
        107⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigovcof.exe"
        106⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjsywfh.exe"
        105⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1412
        105⤵
        Program crash
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvexjlnn.exe"
        104⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxhy.exe"
        103⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugclq.exe"
        102⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyreumc.exe"
        101⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyv.exe"
        100⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdljf.exe"
        99⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaxni.exe"
        98⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1444
        98⤵
        Program crash
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvelnch.exe"
        97⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1404
        97⤵
        Program crash
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1444
        97⤵
        Program crash
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 748
        97⤵
        Program crash
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbqglw.exe"
        96⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejltyirb.exe"
        95⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfuan.exe"
        94⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrtxa.exe"
        93⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiujf.exe"
        92⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfeos.exe"
        91⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplksyfm.exe"
        90⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqke.exe"
        89⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wno.exe"
        88⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbkrnk.exe"
        87⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wig.exe"
        86⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjaqe.exe"
        85⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvk.exe"
        84⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtcmwu.exe"
        83⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbnhtp.exe"
        82⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadwr.exe"
        81⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquutt.exe"
        80⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqdyh.exe"
        79⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpshbc.exe"
        78⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wummwu.exe"
        77⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyibkp.exe"
        76⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiptx.exe"
        75⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbtxsxm.exe"
        74⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacxoh.exe"
        73⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypefllp.exe"
        72⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyblvo.exe"
        71⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpdl.exe"
        70⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbgu.exe"
        69⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiahd.exe"
        68⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllir.exe"
        67⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqiwfbfmh.exe"
        66⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1432
        66⤵
        Program crash
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlai.exe"
        65⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexmhi.exe"
        64⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weudfm.exe"
        63⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1384
        63⤵
        Program crash
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsuc.exe"
        62⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgewknec.exe"
        61⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1556
        61⤵
        Program crash
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrijy.exe"
        60⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloqon.exe"
        59⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcuekk.exe"
        58⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtekp.exe"
        57⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccuwxe.exe"
        56⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1668
        56⤵
        Program crash
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdvpixj.exe"
        55⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 768
        55⤵
        Program crash
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 116
        55⤵
        Program crash
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 660
        55⤵
        Program crash
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1680
        55⤵
        Program crash
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgdallxu.exe"
        54⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfw.exe"
        53⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woeqf.exe"
        52⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgmps.exe"
        51⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrnklpn.exe"
        50⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqvdb.exe"
        49⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1656
        49⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjogjo.exe"
        48⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfen.exe"
        47⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixe.exe"
        46⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbaiaru.exe"
        45⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuow.exe"
        44⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqenrt.exe"
        43⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wng.exe"
        42⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirxl.exe"
        41⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjf.exe"
        40⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdwy.exe"
        39⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoeqexr.exe"
        38⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdvhhvs.exe"
        37⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfyicmu.exe"
        36⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrkhosbc.exe"
        35⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfap.exe"
        34⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womp.exe"
        33⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1680
        33⤵
        Program crash
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajvru.exe"
        32⤵
        
        PID:612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1668
        32⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmec.exe"
        31⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulvc.exe"
        30⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdoudq.exe"
        29⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weibpaj.exe"
        28⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbo.exe"
        27⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtsodeh.exe"
        26⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcjrjv.exe"
        25⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywlf.exe"
        24⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetau.exe"
        23⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpaoahsj.exe"
        22⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdubcj.exe"
        21⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1452
        21⤵
        Program crash
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwvetg.exe"
        20⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquwtxb.exe"
        19⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbpnm.exe"
        18⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovwjqpg.exe"
        17⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1536
        17⤵
        Program crash
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhkxipl.exe"
        16⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqaak.exe"
        15⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyoah.exe"
        14⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpel.exe"
        13⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahsvwp.exe"
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbrcjd.exe"
        11⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydnkj.exe"
        10⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsvtgt.exe"
        9⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwowh.exe"
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflhnpe.exe"
        7⤵
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiuclc.exe"
        6⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wre.exe"
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcvhe.exe"
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllmluy.exe"
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\3a02499a3d82ac43d223b08cade8d000_NeikiAnalytics.exe"
  2⤵
  PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4316 -ip 4316
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2384 -ip 2384
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4004 -ip 4004
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4852 -ip 4852
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2516 -ip 2516
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4828 -ip 4828
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4828 -ip 4828
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3532 -ip 3532
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4828 -ip 4828
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4828 -ip 4828
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3308 -ip 3308
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 552 -ip 552
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3812 -ip 3812
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1252 -ip 1252
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1252 -ip 1252
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1252 -ip 1252
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3564 -ip 3564
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 428 -ip 428
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3720 -ip 3720
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2764 -ip 2764
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3064 -ip 3064
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1792 -ip 1792
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1792 -ip 1792
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4524 -ip 4524
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wahsvwp.exe

Filesize
104KB

MD5
c59e701a3c046a00d58264ed65b4c46f

SHA1
14adce290622fc95d847006560b1d6fbed956cc0

SHA256
d45927e77c440de3beefb971431e6f723971bca69a479914c8cac6f9877b9e9a

SHA512
6449f0880c2efae296e51dc22a5706a99430b2a92c8c149d30ccb01b3022c3c0b0e6939f5482bd8dd556a9bbae453545be5b50faa0be270bb72c55277d9f950f

Download Submit
C:\Windows\SysWOW64\wajvru.exe

Filesize
104KB

MD5
f47b8e485981d67f3802c9c19dea5ce2

SHA1
fee6cfb1210b06f9eb0532e664456f51a36ca4a7

SHA256
4bfa963afe033aa87c408cad8ff6172d5bc775c3cd07c12b5f8244d186c8a752

SHA512
298f76c4db6a1f74febb544e712658b511ba5fb14b7141c8ef955d7fb625e25c421023c1951d82e87ed02015b16bfad14032cd960f0cd7e617cc90fdbb7dcc94

Download Submit
C:\Windows\SysWOW64\wbfap.exe

Filesize
104KB

MD5
58bf0a6216c547305af9cb2bf7d6cebe

SHA1
99e57f77fcada5c38a6f657bbfd961c208d05327

SHA256
1bde0442a122ed4ef051a539be53c7e175b2e00c82dad513dc493c618bb7bb17

SHA512
c9d9a704309e7f167b3d3ebdff499998de575c7235795c33243afc29a062c35426c8bfe40cb2c27d9eac7d618d0cfe3d99d1099fe11d823d08db22c51539c713

Download Submit
C:\Windows\SysWOW64\wbo.exe

Filesize
104KB

MD5
ff85cfa19cdfe5aa8d4747e79bd9849a

SHA1
82abf542e9b0414e59d9afa9dafa8aab73d33639

SHA256
7ed8ad64be67c0845843be9fe4d420ae991045d67f72adc070841fdd40fc2cbd

SHA512
b058fdf243dd501a99e94b9a01448699c7a76c9957fc84c9eebbd92881badc1b6a8e6b965e67dfe2dca5ae55d4dd06f6579d2ac0acacae3c6887e90f122537ad

Download Submit
C:\Windows\SysWOW64\wcbpnm.exe

Filesize
104KB

MD5
0a383087d462ea1b460f94607d672797

SHA1
a8d68368e9afbdcdf110d78cfc2b4161ee0f86ca

SHA256
cd4f89990ba8ab28f23eb40b6cd5c4154dffba8f65510f3cb7c024eec1b004e8

SHA512
9f7f59d554e07eaee2197873ec592b30756eff74e8661efef3d599a396fba42baa0c8bba0db93f546a65aae1fe3aa51de7200c20261d013d707e6432e0d9bfbe

Download Submit
C:\Windows\SysWOW64\wcpel.exe

Filesize
104KB

MD5
8b1e468382ab72e6be0a2950487aa0ab

SHA1
f1da4ed866caa4b389d9d58167a21bc00b22938b

SHA256
bfba29801fc15bfc5a126e20dfc9c6830fc174c23965ede1e2b081b92a0e8dab

SHA512
bb2c97d5476fd4203be2733512d0be03119fc5534327c82f9d580b6f21634292761e47b710df2dca1faa55c26d8abb8183af16f0f86b87ac4757dfb4b83baade

Download Submit
C:\Windows\SysWOW64\wdyoah.exe

Filesize
104KB

MD5
137be597584da7473eb405bd20e6199d

SHA1
56414fd646455b5547f1be37e85bf6ba70f2e2c2

SHA256
54519ae9753cb6434681c63ec4b0a13f6da36795664a5cab44d66edf674fea12

SHA512
3caf896c592fda4533064d4352c5cf30d01e1a2c8e2f90458358f8431dc416578a6425bb4595d532f5937cb83261786f81742a0d701e2c82b53ea8d6b4af0501

Download Submit
C:\Windows\SysWOW64\weibpaj.exe

Filesize
104KB

MD5
bdbb503df26094e989bca1626da978e1

SHA1
5d6af851c9a10778dbc0b78a7d1884613dfbcb63

SHA256
97cf718bebb83e218046dbf0697d4484dbca2044f87aa4c4189feb61191a8678

SHA512
f49df98ceaf3845e2fb73670961abe07e117487f075ba6a3fd469c9a69a51768841782d5ba47b2c9b93e834d09da43b093584f275224893dd5a26af4215c398d

Download Submit
C:\Windows\SysWOW64\wetau.exe

Filesize
104KB

MD5
62ee0d6ea331a5371ee1e73b5fe9addd

SHA1
0a0fe4f9f6d5f0ed7553ba77377860921d05b09d

SHA256
c2ea8cbfdcff3ffe4148a08ab9ec1a580d2c4437949f40dd9855b4774f921c72

SHA512
373a105c0ba7c0607f8756891d3e7648431725901159100ffadca559b282c25fdf0c1ad558ba820c69b4fe4203f3f714f19d528afac80a158b74a372b2367e02

Download Submit
C:\Windows\SysWOW64\wflhnpe.exe

Filesize
104KB

MD5
3465f8c718cb745e65d02292d7347765

SHA1
24103252383d583dbf9cdfadbc7084607d0c8b4f

SHA256
12fc7e4df5197a456a6d5f0e0ddcc30f29f98001fb15ddde45ef9d9d50502a97

SHA512
8c7e2e0c420b883e8142c2e6a52f23e7bfca56221235bc4806b4ae09d76f406d2a47574deac9c9ddc057ae6b6942e9fb84dcc5e27ad266a12c58483b1c485365

Download Submit
C:\Windows\SysWOW64\wgsvtgt.exe

Filesize
104KB

MD5
fc87d9bcdd2517311bfca9fb48bee8aa

SHA1
a1c90570a54939281517fcc2828c05e9889fb7f4

SHA256
a5e0d431665f0a86fce32c20895a36bea65b2e1c7df472277c9fe3510832d05e

SHA512
f729206dcf42b51d563093ecba564c8446b26fd7df69538bc7bd47f9a02757c0fabeac7a51906a48d4aa17a6809285ef9dcd59a2d7324f406228dffdad5c2796

Download Submit
C:\Windows\SysWOW64\whcjrjv.exe

Filesize
104KB

MD5
89d6cfc2b163189e68d724e93ad99fce

SHA1
2c9990861d9b824a434e278d668376716eca77ed

SHA256
3be604811a3bd071f747bac321fd10166220420c76d5a7060fd2d5bfe0e729b9

SHA512
bf2eceb0f5959c05b03a7319d96c91b406a7333b49de97c6d961e30017c0f7717b862c19c731635d80fea4fdd6b55e121ab29ed2821f140541fd758629bfddb4

Download Submit
C:\Windows\SysWOW64\whdubcj.exe

Filesize
104KB

MD5
6f66b8bbc57add637a67630cb744f3ac

SHA1
3bfe5e5caca0af59d512fa32fccf060aa82d11df

SHA256
e4612e0f663bc18d27f0761da5222938f987047891b18fb17cfc5977dd7a8425

SHA512
f336007f4ad3a7b821bacf267b21ed887ce130584bde5acae1a49960647f853b3b813fda7150b3a147e9eb1836c195387adec3657c4d4fcd89fb10f695c09144

Download Submit
C:\Windows\SysWOW64\wiiuclc.exe

Filesize
104KB

MD5
a6cba8ef7bb8bae65b29c94e75cd9a4d

SHA1
625ff7b5f04875d22e5e084928c84c68b280ceb0

SHA256
76a78f8fd83ec2df199fc8e3f6c1d64d7f79e5f737f33c876ca767eaad07dc98

SHA512
e720152775b2b1ced62f8bc5f992787a5cb93577bfa2c7548ddd082e0688108a9cc549ecacc2baafda3bdd221b7be14776924aba93dd0ad0561758601e290c07

Download Submit
C:\Windows\SysWOW64\wkhkxipl.exe

Filesize
104KB

MD5
653ad7c4d796e235ca8ed814069c575b

SHA1
e55af748ab395c5feeb3c10a9ce34722d5bec37c

SHA256
94a369044a06d68d9e9230cfd2bd592a8308acd0dab5ed82ae39c18004bdb9ab

SHA512
e4c0cd2c924baeca271bfadc1ee45a4ba37791c1c2928ea8fb2ff0ada061a2de1158c07a27153942a0311477614cb3b0727c53574e00d9c15088258e964e9207

Download Submit
C:\Windows\SysWOW64\wllmluy.exe

Filesize
103KB

MD5
8c49872a96829fe3b1236629ecb30228

SHA1
bfb5f395e307e19453494739f11b1d5b7db17c4d

SHA256
1d4d0003241069cc0cf84bace2681bdeac420662d963dd02d0cd75208d9fd06c

SHA512
ea2584a71a28de3cf0650edfcd24dfd8a42c0b896a943735fe9931dd5be6656b50afb0428db472d8e1d33ce416050fab1c36130801529bae15208619409b36b6

Download Submit
C:\Windows\SysWOW64\wmec.exe

Filesize
104KB

MD5
8de6e90ef547ec3e21a71ebe4dfbcb4e

SHA1
217d7c5f95f656dcfbba5551931de2edba2edd45

SHA256
9ef128897068343c32dfdbeaafebd8afcc5d1bda8a01e03c08ad75ee6014888c

SHA512
2d1643f21b4f746f71fee4db0881bffab40147b2e3cc617318a3dbe5b3ad8abc2466b7595ddcd8de6c8321cd838c0affdce17f8d838bc65fa4eb5cc5d310bcf3

Download Submit
C:\Windows\SysWOW64\womp.exe

Filesize
104KB

MD5
dcc94fb618bbd373b61642f52aa99524

SHA1
c862e9dd8e39c760dd58da7b3a22ef68974ce159

SHA256
8d94ef96a042385c06c66c2929092a988aa0565a9e4a861b5a2ef48b9e8f0669

SHA512
c2594eeb20713b867fef89d5e9cf3cfe9e2a0ecb16e288c30335553135791361ff0c85ccfca0126a2774dd5fe771f2078100b789d7bd91d5fdbf6bfe00d0faac

Download Submit
C:\Windows\SysWOW64\wovwjqpg.exe

Filesize
104KB

MD5
7b2e490f694096c91ec1d7a791bad06e

SHA1
d45e59fc5cb0b787db30840de198839cecf85ece

SHA256
bd540d0537c19b7ada7cfc161f8856080d1cabc63795d36648ca5ac33a2f2c96

SHA512
53195befe641f466f248ac710f4728dd30b1961999c756ecf469ade03569c73d1f5885d9ee93d1b6b17ec198e5dd9ca00d933f4067dff83e96d61775f8322f7e

Download Submit
C:\Windows\SysWOW64\wpaoahsj.exe

Filesize
104KB

MD5
818aedb63a6dded99f6155e32f1e73ec

SHA1
5fa5fb8f3649b4ef353a990d157d020e7fd902d0

SHA256
0f545d80a7d8c11695a093a27c2569d300c83458985ca645d50c727ae9fde059

SHA512
af83285ca3d65ca7dd8fe127ea35079c035f7bc3f7d2c687ac32dfe4be3b9213f5b63b84602b38374b775e263416fb9b916f80c83017aa91330580ef56c817e4

Download Submit
C:\Windows\SysWOW64\wpdoudq.exe

Filesize
104KB

MD5
c74459e593eca9a17a60e2b0b0b4a0df

SHA1
5571ddd39f44d8f64b321e03c7335849029b3eed

SHA256
4def9815b3bfca15686e7787883f95ec038015e89394d14c8f8059428fcc0971

SHA512
cf67edafcb7ef603c094f9bee06bfe292e2171fda2d8f3c9a121e489f7f0d703991b80903ae71ccfe79a109c0de37e1a89ae9165324d8b1f4d9734302c537d9b

Download Submit
C:\Windows\SysWOW64\wpwvetg.exe

Filesize
104KB

MD5
4d77876e6ff984a14bafd959020501e2

SHA1
09d16baa01dfa66d71a43aa0660fd384988e15a5

SHA256
392ddb4169945e9038f69a0cdaad705e9ec4018481e1486cef4ef9160d85fd49

SHA512
aa57fd5bfed139dddba806baa4a6353a60af8595cc6d71a6aafb718c89fbb84d25681d6760e70cdb01f3392d7165ba143d1e98c9f46ae33e5e046136d15cb085

Download Submit
C:\Windows\SysWOW64\wqaak.exe

Filesize
104KB

MD5
115caed0029785a69ae709f46fafe59c

SHA1
252d9bebaf70ab420e3aeba737155182902aa7f6

SHA256
f7c309516c0885806235f71c1454396a70e4e5516868524f4065f234b3f87831

SHA512
c32ca6ffb573a1e47539bf1d08e92b5fe0b563d643c22af52982078d8b95a545e818d5695439ab05c3d534bea19a40bc74cb7e27417b8a80b8a43af49a1beeec

Download Submit
C:\Windows\SysWOW64\wquwtxb.exe

Filesize
104KB

MD5
2466d5bc6dec3cf7aa87db317fd53955

SHA1
8f535de99a7cbc0d9be137584ecbf2a9650f912c

SHA256
bc8a4d35c97509645514e7c434d33dac29148fa92cc8c7e48c0be118266927cc

SHA512
60c4a31d4b2c10c0b99fcc4ee20b4bd18ce3a129fff90679fe146cb856f1a19aa001ed5f275a7f6e14311e893085701f0798845b27e799153d288465e368c22e

Download Submit
C:\Windows\SysWOW64\wrcvhe.exe

Filesize
103KB

MD5
f7289ab48252e677af0f25628f5e7ba2

SHA1
e701100463db0be0906063a959f30aee22e632fb

SHA256
5dbf047115c529261bac2d4d384ac32b4bcfb569db83ef5a150f70c503ca21d3

SHA512
a3a53e7f05350717933a46d73a57c6d56e15c716404e4e40aec817dabef22794070ecc6c6020474ca9e65830f3af1b2cca13c309dbf93d7aeea8a75fbbea6766

Download Submit
C:\Windows\SysWOW64\wre.exe

Filesize
103KB

MD5
ace1c5fd40320af78ae4af9fa34efb3f

SHA1
2bcfa32ea03056f32e4612914e9c1509441d560a

SHA256
6d6acd19bb0cb7273f3cfd03608323398c6839fbd0ab6cb9f929433d9f0174f6

SHA512
244845f1e5343c69df6fd6972f9ec47c5c134d7147d029513e3900c56cfd7ac5e526bfde1264ca99899283abae32f3b5884ce2e353c3c28d7becb5da3846bd6d

Download Submit
C:\Windows\SysWOW64\wulvc.exe

Filesize
104KB

MD5
de3147072a6ac9445906915619bf5a56

SHA1
5bdefd4fecd80abd5fe718f557a68b98c2063fce

SHA256
87dcd2b081f744a5aa09c10a5d53c6dbe4269b800d92733fb7b332ef3cbb2e1e

SHA512
238463165bd430e34ddd092fcba857697b0dbf1ea3e1571098938f77f2d20d84d608dc3428ec9190c3cfd6faa0de39452bf6754b240f1270bcc0e4cb30b78276

Download Submit
C:\Windows\SysWOW64\wvtsodeh.exe

Filesize
104KB

MD5
737fbbfecbaf8f11bd7ca482d83d0b41

SHA1
72d886fbcd9ee64807e1951ea1bd660388c6f2ba

SHA256
b2de37889a608f66382e4699c816064710d9f3f7cda947a82edf634f383aa6b3

SHA512
5cfe41972abcb022ee989dfa4f11a08530e48be8b3bb6b9a14aaa8988e50e08eb41a44e707043b4ecf2c1bec9c8d332fcf5e08e8834315e7fcf999377be16113

Download Submit
C:\Windows\SysWOW64\wwbrcjd.exe

Filesize
104KB

MD5
cf8079c2bff1f0f450cea0b6269a87a5

SHA1
81ae89cebaafe1166744e39e7b088e8be33a8b76

SHA256
09d7a27f06f45050ae5d2f453bfdbd8f8f1332c774533cce32a1ffe8efb90ad6

SHA512
7f183732d0a9892d5e51a4771fa4c76d8f0affd3364afb01077245d5f1c31959f99f281cc4b18840fcbfef965dfd84bd0c0b38745951cfc61bebe6f72f8974f6

Download Submit
C:\Windows\SysWOW64\wwowh.exe

Filesize
104KB

MD5
38538eeeb2f7a275fe271f28d236f9ff

SHA1
c452ee3da9be43efaebcb12f9261bf265ab945c0

SHA256
c1441aef66df9d30fe5924f3120c1c7c71f5fe351cbd9aedd390a32eabf7edc1

SHA512
c78bc9dbf4288d42194714d556776b5c7e580f368462ecfc9b39fdaa63a1bd2caa6416ec2b20c5b76e02bd00862873502308711671f6a6d550a506a1f8264b8c

Download Submit
C:\Windows\SysWOW64\wydnkj.exe

Filesize
104KB

MD5
86f47156d208b5431b5e976a96685cd6

SHA1
aae7c91831b780b1e8a172f6641c8fb3c2747260

SHA256
789b7cd2e2045351f1aed95b2214fa4381d0d267b19a173a4cd66ed167d27552

SHA512
44fcdd814ebce7a4e6a4983b4735e607bfdc1c70e02ebadcd73772721566a9a5d0aa63b8bd116001198db98e840b31ee8895ba41f3f99f971b785c89c3f3fa4c

Download Submit
C:\Windows\SysWOW64\wywlf.exe

Filesize
104KB

MD5
9336ae062c2d5e9de6736237f4ff1c05

SHA1
0d3a6acd92710a5b9a27b8efab855b18aaa66a56

SHA256
b112f7d0c430257ae96f7a71b2d0e2a6a552ee4b4f3c3789d9e5669ef2b18696

SHA512
2c0d98fad52ec5eb4d7113d69ad27f351c93fc3146e457b01876cba4e364effe8b7d6b55b749a8be1d9b022cb95daf8dd4172e503c104692b87623ac7b90418d

Download Submit
memory/208-597-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/232-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/440-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/552-588-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/552-579-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/628-543-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/628-553-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1276-342-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1348-189-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1504-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-433-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1640-474-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1640-465-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1680-457-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1696-562-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1696-552-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1736-570-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1736-580-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-252-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2076-524-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2076-534-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-614-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2516-475-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2536-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2536-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2544-424-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-473-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-483-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2668-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2920-449-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2920-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2920-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3008-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3008-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3152-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3152-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3292-416-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3308-571-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3308-561-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3532-525-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3540-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3668-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3756-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3784-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3812-615-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3812-605-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4064-491-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4140-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4244-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4316-178-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4340-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4392-392-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4440-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4440-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-400-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4524-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4568-499-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4568-509-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4600-441-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4600-432-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4676-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4676-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4784-359-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4784-350-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-535-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-508-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4848-408-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-334-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4868-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4948-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4948-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4960-500-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4984-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5020-606-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5020-596-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5040-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5040-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5044-544-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5044-533-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5104-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5104-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download