615336c214d0a92d455d9aeb62f813cbc036e8a9771c43c141dccbc7830729e2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
Size

447KB
MD5

ecb9b33a23f053225b6447f148d44870
SHA1

c52164612b896fe8906d6224833574b77328fc2e
SHA256

615336c214d0a92d455d9aeb62f813cbc036e8a9771c43c141dccbc7830729e2
SHA512

64bf569fe20376ae83e36c2a58b75010c6eded79a2b5e8a2d367b8a8b175e6a0e1013a30bec2760bc7af25ea5ff65f3948f41af4eea4500f373ee62d4672cdf7
SSDEEP

12288:QT6SZhP46SCTbSwgS1IaPRJbDh4i0vm4OsKN5sTuGZb:QThhP46SCTbSwgS1IaPRJbDh4i0vm4Om

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00090000000235f1-5.dat	family_berbew
behavioral2/files/0x00080000000235f5-19.dat	family_berbew
behavioral2/files/0x00080000000235f8-29.dat	family_berbew
behavioral2/files/0x0009000000023607-41.dat	family_berbew
behavioral2/files/0x000f0000000235fb-51.dat	family_berbew
behavioral2/files/0x0008000000023313-61.dat	family_berbew
behavioral2/files/0x000800000002296f-72.dat	family_berbew
behavioral2/files/0x0005000000022975-82.dat	family_berbew
behavioral2/files/0x000a0000000232fe-92.dat	family_berbew
behavioral2/files/0x000c000000023313-103.dat	family_berbew
behavioral2/files/0x0006000000022975-113.dat	family_berbew
behavioral2/files/0x000b0000000232fe-123.dat	family_berbew
behavioral2/files/0x000e000000023317-134.dat	family_berbew
behavioral2/files/0x0009000000022975-144.dat	family_berbew
behavioral2/files/0x000e000000023319-155.dat	family_berbew
behavioral2/files/0x000c000000023320-166.dat	family_berbew
behavioral2/files/0x000b0000000235f8-177.dat	family_berbew
behavioral2/files/0x000f000000023319-187.dat	family_berbew
behavioral2/files/0x0017000000023320-197.dat	family_berbew
behavioral2/files/0x000c0000000235f8-207.dat	family_berbew
behavioral2/files/0x0010000000023319-218.dat	family_berbew
behavioral2/files/0x0018000000023320-229.dat	family_berbew
behavioral2/files/0x000d0000000235f8-240.dat	family_berbew
behavioral2/files/0x0011000000023319-251.dat	family_berbew
behavioral2/files/0x0019000000023320-261.dat	family_berbew
behavioral2/files/0x000e0000000235f8-271.dat	family_berbew
behavioral2/files/0x0012000000023319-281.dat	family_berbew
behavioral2/files/0x001a000000023320-291.dat	family_berbew
behavioral2/files/0x000f0000000235f8-301.dat	family_berbew
behavioral2/files/0x0013000000023319-311.dat	family_berbew
behavioral2/files/0x000d000000023601-321.dat	family_berbew
behavioral2/files/0x000c000000023603-331.dat	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wbwqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wxfsb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	whitq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	waxrynfp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wppii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wymyogcr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wlikctkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wbmpti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wiidtka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpnfflpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wylmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	weirkxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	whc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wclplj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wmbw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	waipifoy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvkirk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wdooa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wheldcxv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpbsdneuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wjafirm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wdljf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wruwmxe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvtywlmjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wxpojxc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	woiko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wajnri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgrjpyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wqclda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvhnj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wnsun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wybiij.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	weqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvrhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wtcxjki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wmbkcxdi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wrpxwn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwsoogh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwquef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wovdpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wfuu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wcco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgprjyqb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvlhhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	woivjngj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wmg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wuim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wfmdjmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wjl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wasttk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wdrcueyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wiusij.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	woas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wfern.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgxof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wlft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wxvakmo.exe

Executes dropped EXE 64 IoCs

pid	Process
4856	wpbsdneuw.exe
3144	wbmpti.exe
4992	wmbw.exe
1264	wyf.exe
5112	wbdr.exe
1248	wbslr.exe
4472	wasttk.exe
2340	wrxkn.exe
5068	wpiym.exe
4352	wpctj.exe
1780	wykw.exe
1140	wieklxov.exe
3792	wjafirm.exe
2092	woiko.exe
3628	whhsp.exe
1796	wmbkcxdi.exe
4216	wbwqi.exe
2764	wlft.exe
3096	wdonnuwn.exe
2224	wrpxwn.exe
3628	wcjlcq.exe
3744	wpnfflpt.exe
4556	whc.exe
2580	wthwc.exe
964	wgdeam.exe
4876	wmg.exe
624	wrbwrd.exe
3760	wvuofo.exe
1860	wwsoogh.exe
3608	wtpnsjbc.exe
4608	wiwmicbul.exe
228	wylmj.exe
2464	wajnri.exe
1200	waipifoy.exe
3684	wwld.exe
3924	wnejgt.exe
1124	wbhdjpxs.exe
436	wgrjpyp.exe
4780	wxvakmo.exe
2096	whhlcrmdu.exe
1112	wkglj.exe
4004	wgwnn.exe
4776	wdljf.exe
5008	wpq.exe
3376	wexd.exe
3928	wymyogcr.exe
2964	wiku.exe
4848	wwquef.exe
2608	waqul.exe
2068	wjcg.exe
3272	wdrcueyp.exe
2380	wqclda.exe
1244	wqqenw.exe
1420	wiusij.exe
4252	wjxcjeu.exe
4848	wfy.exe
4884	wvhnj.exe
516	wrkytb.exe
1220	weirkxl.exe
4856	wvaxw.exe
3480	wvo.exe
3760	wemmfmyv.exe
5060	wwdqr.exe
2276	wvgbtt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wpbsdneuw.exe	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\wbdr.exe	wyf.exe
File created	C:\Windows\SysWOW64\whhlcrmdu.exe	wxvakmo.exe
File opened for modification	C:\Windows\SysWOW64\waqul.exe	wwquef.exe
File created	C:\Windows\SysWOW64\wrkytb.exe	wvhnj.exe
File created	C:\Windows\SysWOW64\wbgal.exe	wriel.exe
File created	C:\Windows\SysWOW64\wuim.exe	wbgal.exe
File opened for modification	C:\Windows\SysWOW64\wsef.exe	wipwwdtat.exe
File opened for modification	C:\Windows\SysWOW64\wrpxwn.exe	wdonnuwn.exe
File opened for modification	C:\Windows\SysWOW64\wjxcjeu.exe	wiusij.exe
File created	C:\Windows\SysWOW64\wvaxw.exe	weirkxl.exe
File created	C:\Windows\SysWOW64\wwyss.exe	wwwkpesr.exe
File opened for modification	C:\Windows\SysWOW64\wnftpakd.exe	wryy.exe
File created	C:\Windows\SysWOW64\wlikcpvh.exe	wyoahuk.exe
File created	C:\Windows\SysWOW64\wjl.exe	wrhfx.exe
File created	C:\Windows\SysWOW64\wdcgucun.exe	wijyh.exe
File created	C:\Windows\SysWOW64\wyxdds.exe	whc.exe
File created	C:\Windows\SysWOW64\waxrynfp.exe	wwyss.exe
File created	C:\Windows\SysWOW64\wbppury.exe	wfmdjmv.exe
File created	C:\Windows\SysWOW64\wjri.exe	wfesxjjfu.exe
File created	C:\Windows\SysWOW64\wvves.exe	wtiyiuv.exe
File opened for modification	C:\Windows\SysWOW64\wuim.exe	wbgal.exe
File opened for modification	C:\Windows\SysWOW64\wwwkpesr.exe	wjasahh.exe
File created	C:\Windows\SysWOW64\woeuoy.exe	wfhaptgpk.exe
File created	C:\Windows\SysWOW64\womlolw.exe	woxsg.exe
File opened for modification	C:\Windows\SysWOW64\wmbkcxdi.exe	whhsp.exe
File opened for modification	C:\Windows\SysWOW64\wiwmicbul.exe	wtpnsjbc.exe
File opened for modification	C:\Windows\SysWOW64\wqfvfmqg.exe	wnhv.exe
File opened for modification	C:\Windows\SysWOW64\wxfsb.exe	wlikctkh.exe
File created	C:\Windows\SysWOW64\wybiij.exe	wlikcpvh.exe
File opened for modification	C:\Windows\SysWOW64\wclplj.exe	woivjngj.exe
File created	C:\Windows\SysWOW64\wmdgpa.exe	wdjtk.exe
File created	C:\Windows\SysWOW64\wcjlcq.exe	wrpxwn.exe
File opened for modification	C:\Windows\SysWOW64\wajnri.exe	wylmj.exe
File created	C:\Windows\SysWOW64\wjxcjeu.exe	wiusij.exe
File created	C:\Windows\SysWOW64\wvgbtt.exe	wwdqr.exe
File created	C:\Windows\SysWOW64\wjgmakbm.exe	wftwav.exe
File opened for modification	C:\Windows\SysWOW64\wkglj.exe	whhlcrmdu.exe
File created	C:\Windows\SysWOW64\wvlhhy.exe	wryrhmr.exe
File opened for modification	C:\Windows\SysWOW64\wvkirk.exe	wvhbpoqhn.exe
File opened for modification	C:\Windows\SysWOW64\wlkksja.exe	wtft.exe
File created	C:\Windows\SysWOW64\wbwwo.exe	wwj.exe
File created	C:\Windows\SysWOW64\wgjndqfpe.exe	wiqpov.exe
File opened for modification	C:\Windows\SysWOW64\wwdqr.exe	wemmfmyv.exe
File created	C:\Windows\SysWOW64\woacyoe.exe	wsv.exe
File created	C:\Windows\SysWOW64\wfuu.exe	wjri.exe
File created	C:\Windows\SysWOW64\wgxof.exe	wjgmakbm.exe
File created	C:\Windows\SysWOW64\wdjtk.exe	wlgdokg.exe
File created	C:\Windows\SysWOW64\wymyogcr.exe	wexd.exe
File opened for modification	C:\Windows\SysWOW64\wadkef.exe	waaccikfv.exe
File created	C:\Windows\SysWOW64\wdrcueyp.exe	wjcg.exe
File opened for modification	C:\Windows\SysWOW64\wnwjxcg.exe	wruwmxe.exe
File created	C:\Windows\SysWOW64\woas.exe	wnwjxcg.exe
File created	C:\Windows\SysWOW64\wvnokt.exe	wvlhhy.exe
File created	C:\Windows\SysWOW64\wqfvfmqg.exe	wnhv.exe
File created	C:\Windows\SysWOW64\wdbtqxi.exe	wueyrra.exe
File opened for modification	C:\Windows\SysWOW64\wgprjyqb.exe	weqs.exe
File created	C:\Windows\SysWOW64\wlurtx.exe	wiidtka.exe
File opened for modification	C:\Windows\SysWOW64\wrkytb.exe	wvhnj.exe
File created	C:\Windows\SysWOW64\wjgfld.exe	wuim.exe
File opened for modification	C:\Windows\SysWOW64\wdcgucun.exe	wijyh.exe
File created	C:\Windows\SysWOW64\wmnsfyo.exe	wpl.exe
File created	C:\Windows\SysWOW64\wejl.exe	wbwwo.exe
File opened for modification	C:\Windows\SysWOW64\wjafirm.exe	wieklxov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
2464	4856	WerFault.exe	95
3492	4856	WerFault.exe	95
4648	4472	WerFault.exe	127
4216	1140	WerFault.exe	146
4968	4608	WerFault.exe	207
212	1112	WerFault.exe	240
4092	4848	WerFault.exe	263
1188	4252	WerFault.exe	286
224	4396	WerFault.exe	349
632	1188	WerFault.exe	375
3480	4648	WerFault.exe	404
1988	4356	WerFault.exe	418
3816	2524	WerFault.exe	489
4776	3056	WerFault.exe	493
1952	2300	WerFault.exe	601
3288	4428	WerFault.exe	656

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4856	2416	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	95
PID 2416 wrote to memory of 4856	2416	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	95
PID 2416 wrote to memory of 4856	2416	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	95
PID 2416 wrote to memory of 376	2416	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	97
PID 2416 wrote to memory of 376	2416	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	97
PID 2416 wrote to memory of 376	2416	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	97
PID 4856 wrote to memory of 3144	4856	wpbsdneuw.exe	99
PID 4856 wrote to memory of 3144	4856	wpbsdneuw.exe	99
PID 4856 wrote to memory of 3144	4856	wpbsdneuw.exe	99
PID 4856 wrote to memory of 2000	4856	wpbsdneuw.exe	100
PID 4856 wrote to memory of 2000	4856	wpbsdneuw.exe	100
PID 4856 wrote to memory of 2000	4856	wpbsdneuw.exe	100
PID 3144 wrote to memory of 4992	3144	wbmpti.exe	107
PID 3144 wrote to memory of 4992	3144	wbmpti.exe	107
PID 3144 wrote to memory of 4992	3144	wbmpti.exe	107
PID 3144 wrote to memory of 1220	3144	wbmpti.exe	108
PID 3144 wrote to memory of 1220	3144	wbmpti.exe	108
PID 3144 wrote to memory of 1220	3144	wbmpti.exe	108
PID 4992 wrote to memory of 1264	4992	wmbw.exe	112
PID 4992 wrote to memory of 1264	4992	wmbw.exe	112
PID 4992 wrote to memory of 1264	4992	wmbw.exe	112
PID 4992 wrote to memory of 2868	4992	wmbw.exe	113
PID 4992 wrote to memory of 2868	4992	wmbw.exe	113
PID 4992 wrote to memory of 2868	4992	wmbw.exe	113
PID 1264 wrote to memory of 5112	1264	wyf.exe	120
PID 1264 wrote to memory of 5112	1264	wyf.exe	120
PID 1264 wrote to memory of 5112	1264	wyf.exe	120
PID 1264 wrote to memory of 1692	1264	wyf.exe	121
PID 1264 wrote to memory of 1692	1264	wyf.exe	121
PID 1264 wrote to memory of 1692	1264	wyf.exe	121
PID 5112 wrote to memory of 1248	5112	wbdr.exe	124
PID 5112 wrote to memory of 1248	5112	wbdr.exe	124
PID 5112 wrote to memory of 1248	5112	wbdr.exe	124
PID 5112 wrote to memory of 5000	5112	wbdr.exe	125
PID 5112 wrote to memory of 5000	5112	wbdr.exe	125
PID 5112 wrote to memory of 5000	5112	wbdr.exe	125
PID 1248 wrote to memory of 4472	1248	wbslr.exe	127
PID 1248 wrote to memory of 4472	1248	wbslr.exe	127
PID 1248 wrote to memory of 4472	1248	wbslr.exe	127
PID 1248 wrote to memory of 5004	1248	wbslr.exe	128
PID 1248 wrote to memory of 5004	1248	wbslr.exe	128
PID 1248 wrote to memory of 5004	1248	wbslr.exe	128
PID 4472 wrote to memory of 2340	4472	wasttk.exe	130
PID 4472 wrote to memory of 2340	4472	wasttk.exe	130
PID 4472 wrote to memory of 2340	4472	wasttk.exe	130
PID 4472 wrote to memory of 1884	4472	wasttk.exe	131
PID 4472 wrote to memory of 1884	4472	wasttk.exe	131
PID 4472 wrote to memory of 1884	4472	wasttk.exe	131
PID 2340 wrote to memory of 5068	2340	wrxkn.exe	136
PID 2340 wrote to memory of 5068	2340	wrxkn.exe	136
PID 2340 wrote to memory of 5068	2340	wrxkn.exe	136
PID 2340 wrote to memory of 1676	2340	wrxkn.exe	137
PID 2340 wrote to memory of 1676	2340	wrxkn.exe	137
PID 2340 wrote to memory of 1676	2340	wrxkn.exe	137
PID 5068 wrote to memory of 4352	5068	wpiym.exe	139
PID 5068 wrote to memory of 4352	5068	wpiym.exe	139
PID 5068 wrote to memory of 4352	5068	wpiym.exe	139
PID 5068 wrote to memory of 3044	5068	wpiym.exe	140
PID 5068 wrote to memory of 3044	5068	wpiym.exe	140
PID 5068 wrote to memory of 3044	5068	wpiym.exe	140
PID 4352 wrote to memory of 1780	4352	wpctj.exe	142
PID 4352 wrote to memory of 1780	4352	wpctj.exe	142
PID 4352 wrote to memory of 1780	4352	wpctj.exe	142
PID 4352 wrote to memory of 1424	4352	wpctj.exe	143

C:\Users\Admin\AppData\Local\Temp\ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\wpbsdneuw.exe
  "C:\Windows\system32\wpbsdneuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\wbmpti.exe
    "C:\Windows\system32\wbmpti.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\wmbw.exe
      "C:\Windows\system32\wmbw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\wyf.exe
        
        "C:\Windows\system32\wyf.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\SysWOW64\wbdr.exe
        
        "C:\Windows\system32\wbdr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\wbslr.exe
        
        "C:\Windows\system32\wbslr.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\wasttk.exe
        
        "C:\Windows\system32\wasttk.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\wrxkn.exe
        
        "C:\Windows\system32\wrxkn.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\wpiym.exe
        
        "C:\Windows\system32\wpiym.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\wpctj.exe
        
        "C:\Windows\system32\wpctj.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\wykw.exe
        
        "C:\Windows\system32\wykw.exe"
        12⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\wieklxov.exe
        
        "C:\Windows\system32\wieklxov.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\wjafirm.exe
        
        "C:\Windows\system32\wjafirm.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\woiko.exe
        
        "C:\Windows\system32\woiko.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\whhsp.exe
        
        "C:\Windows\system32\whhsp.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\wmbkcxdi.exe
        
        "C:\Windows\system32\wmbkcxdi.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\wbwqi.exe
        
        "C:\Windows\system32\wbwqi.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\wlft.exe
        
        "C:\Windows\system32\wlft.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\wdonnuwn.exe
        
        "C:\Windows\system32\wdonnuwn.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\wrpxwn.exe
        
        "C:\Windows\system32\wrpxwn.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\wcjlcq.exe
        
        "C:\Windows\system32\wcjlcq.exe"
        22⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\wpnfflpt.exe
        
        "C:\Windows\system32\wpnfflpt.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\whc.exe
        
        "C:\Windows\system32\whc.exe"
        24⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\wthwc.exe
        
        "C:\Windows\system32\wthwc.exe"
        25⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\wgdeam.exe
        
        "C:\Windows\system32\wgdeam.exe"
        26⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\wmg.exe
        
        "C:\Windows\system32\wmg.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\wrbwrd.exe
        
        "C:\Windows\system32\wrbwrd.exe"
        28⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\wvuofo.exe
        
        "C:\Windows\system32\wvuofo.exe"
        29⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\wwsoogh.exe
        
        "C:\Windows\system32\wwsoogh.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\wtpnsjbc.exe
        
        "C:\Windows\system32\wtpnsjbc.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\wiwmicbul.exe
        
        "C:\Windows\system32\wiwmicbul.exe"
        32⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\wylmj.exe
        
        "C:\Windows\system32\wylmj.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\wajnri.exe
        
        "C:\Windows\system32\wajnri.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\waipifoy.exe
        
        "C:\Windows\system32\waipifoy.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\wwld.exe
        
        "C:\Windows\system32\wwld.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\wnejgt.exe
        
        "C:\Windows\system32\wnejgt.exe"
        37⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\wbhdjpxs.exe
        
        "C:\Windows\system32\wbhdjpxs.exe"
        38⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\wgrjpyp.exe
        
        "C:\Windows\system32\wgrjpyp.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\wxvakmo.exe
        
        "C:\Windows\system32\wxvakmo.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\whhlcrmdu.exe
        
        "C:\Windows\system32\whhlcrmdu.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\wkglj.exe
        
        "C:\Windows\system32\wkglj.exe"
        42⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\wgwnn.exe
        
        "C:\Windows\system32\wgwnn.exe"
        43⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\wdljf.exe
        
        "C:\Windows\system32\wdljf.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\wpq.exe
        
        "C:\Windows\system32\wpq.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\wexd.exe
        
        "C:\Windows\system32\wexd.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\wymyogcr.exe
        
        "C:\Windows\system32\wymyogcr.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\wiku.exe
        
        "C:\Windows\system32\wiku.exe"
        48⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\wwquef.exe
        
        "C:\Windows\system32\wwquef.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\waqul.exe
        
        "C:\Windows\system32\waqul.exe"
        50⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\wjcg.exe
        
        "C:\Windows\system32\wjcg.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\wdrcueyp.exe
        
        "C:\Windows\system32\wdrcueyp.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\wqclda.exe
        
        "C:\Windows\system32\wqclda.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\wqqenw.exe
        
        "C:\Windows\system32\wqqenw.exe"
        54⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\wiusij.exe
        
        "C:\Windows\system32\wiusij.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wjxcjeu.exe
        
        "C:\Windows\system32\wjxcjeu.exe"
        56⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\wfy.exe
        
        "C:\Windows\system32\wfy.exe"
        57⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\wvhnj.exe
        
        "C:\Windows\system32\wvhnj.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\wrkytb.exe
        
        "C:\Windows\system32\wrkytb.exe"
        59⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\weirkxl.exe
        
        "C:\Windows\system32\weirkxl.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\wvaxw.exe
        
        "C:\Windows\system32\wvaxw.exe"
        61⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\wvo.exe
        
        "C:\Windows\system32\wvo.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\wemmfmyv.exe
        
        "C:\Windows\system32\wemmfmyv.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\wwdqr.exe
        
        "C:\Windows\system32\wwdqr.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\wvgbtt.exe
        
        "C:\Windows\system32\wvgbtt.exe"
        65⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\wruwmxe.exe
        
        "C:\Windows\system32\wruwmxe.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\wnwjxcg.exe
        
        "C:\Windows\system32\wnwjxcg.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\woas.exe
        
        "C:\Windows\system32\woas.exe"
        68⤵
        Checks computer location settings
        
        PID:116
        
        C:\Windows\SysWOW64\wryrhmr.exe
        
        "C:\Windows\system32\wryrhmr.exe"
        69⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\wvlhhy.exe
        
        "C:\Windows\system32\wvlhhy.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\wvnokt.exe
        
        "C:\Windows\system32\wvnokt.exe"
        71⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\wnje.exe
        
        "C:\Windows\system32\wnje.exe"
        72⤵
        
        PID:624
        
        C:\Windows\SysWOW64\wvhbpoqhn.exe
        
        "C:\Windows\system32\wvhbpoqhn.exe"
        73⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\wvkirk.exe
        
        "C:\Windows\system32\wvkirk.exe"
        74⤵
        Checks computer location settings
        
        PID:672
        
        C:\Windows\SysWOW64\wnhv.exe
        
        "C:\Windows\system32\wnhv.exe"
        75⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\wqfvfmqg.exe
        
        "C:\Windows\system32\wqfvfmqg.exe"
        76⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\whckm.exe
        
        "C:\Windows\system32\whckm.exe"
        77⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\wdxvlhaal.exe
        
        "C:\Windows\system32\wdxvlhaal.exe"
        78⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\wtft.exe
        
        "C:\Windows\system32\wtft.exe"
        79⤵
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\wlkksja.exe
        
        "C:\Windows\system32\wlkksja.exe"
        80⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\wtvuko.exe
        
        "C:\Windows\system32\wtvuko.exe"
        81⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\wiidtka.exe
        
        "C:\Windows\system32\wiidtka.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wlurtx.exe
        
        "C:\Windows\system32\wlurtx.exe"
        83⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\wlikctkh.exe
        
        "C:\Windows\system32\wlikctkh.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\wxfsb.exe
        
        "C:\Windows\system32\wxfsb.exe"
        85⤵
        Checks computer location settings
        
        PID:4248
        
        C:\Windows\SysWOW64\wriel.exe
        
        "C:\Windows\system32\wriel.exe"
        86⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\wbgal.exe
        
        "C:\Windows\system32\wbgal.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\wuim.exe
        
        "C:\Windows\system32\wuim.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\wjgfld.exe
        
        "C:\Windows\system32\wjgfld.exe"
        89⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\wnsun.exe
        
        "C:\Windows\system32\wnsun.exe"
        90⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\SysWOW64\wovdpl.exe
        
        "C:\Windows\system32\wovdpl.exe"
        91⤵
        Checks computer location settings
        
        PID:2352
        
        C:\Windows\SysWOW64\wijyh.exe
        
        "C:\Windows\system32\wijyh.exe"
        92⤵
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\wdcgucun.exe
        
        "C:\Windows\system32\wdcgucun.exe"
        93⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\wcf.exe
        
        "C:\Windows\system32\wcf.exe"
        94⤵
        Checks computer location settings
        
        PID:3012
        
        C:\Windows\SysWOW64\wxiopxel.exe
        
        "C:\Windows\system32\wxiopxel.exe"
        95⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\wxthy.exe
        
        "C:\Windows\system32\wxthy.exe"
        96⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\whitq.exe
        
        "C:\Windows\system32\whitq.exe"
        97⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Windows\SysWOW64\wmthqlm.exe
        
        "C:\Windows\system32\wmthqlm.exe"
        98⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\wxgqyjoq.exe
        
        "C:\Windows\system32\wxgqyjoq.exe"
        99⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\wpl.exe
        
        "C:\Windows\system32\wpl.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\wmnsfyo.exe
        
        "C:\Windows\system32\wmnsfyo.exe"
        101⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\whc.exe
        
        "C:\Windows\system32\whc.exe"
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wyxdds.exe
        
        "C:\Windows\system32\wyxdds.exe"
        103⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\wtbqov.exe
        
        "C:\Windows\system32\wtbqov.exe"
        104⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\wueyrra.exe
        
        "C:\Windows\system32\wueyrra.exe"
        105⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\wdbtqxi.exe
        
        "C:\Windows\system32\wdbtqxi.exe"
        106⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\wdooa.exe
        
        "C:\Windows\system32\wdooa.exe"
        107⤵
        Checks computer location settings
        
        PID:2092
        
        C:\Windows\SysWOW64\wpmfop.exe
        
        "C:\Windows\system32\wpmfop.exe"
        108⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\wheldcxv.exe
        
        "C:\Windows\system32\wheldcxv.exe"
        109⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\SysWOW64\wpch.exe
        
        "C:\Windows\system32\wpch.exe"
        110⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\wvtywlmjg.exe
        
        "C:\Windows\system32\wvtywlmjg.exe"
        111⤵
        Checks computer location settings
        
        PID:4264
        
        C:\Windows\SysWOW64\wjasahh.exe
        
        "C:\Windows\system32\wjasahh.exe"
        112⤵
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\wwwkpesr.exe
        
        "C:\Windows\system32\wwwkpesr.exe"
        113⤵
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\wwyss.exe
        
        "C:\Windows\system32\wwyss.exe"
        114⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\waxrynfp.exe
        
        "C:\Windows\system32\waxrynfp.exe"
        115⤵
        Checks computer location settings
        
        PID:1096
        
        C:\Windows\SysWOW64\waaccikfv.exe
        
        "C:\Windows\system32\waaccikfv.exe"
        116⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\wadkef.exe
        
        "C:\Windows\system32\wadkef.exe"
        117⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\wryy.exe
        
        "C:\Windows\system32\wryy.exe"
        118⤵
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\wnftpakd.exe
        
        "C:\Windows\system32\wnftpakd.exe"
        119⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\wyckf.exe
        
        "C:\Windows\system32\wyckf.exe"
        120⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\wipwwdtat.exe
        
        "C:\Windows\system32\wipwwdtat.exe"
        121⤵
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\wsef.exe
        
        "C:\Windows\system32\wsef.exe"
        122⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\wfvousjnk.exe
        
        "C:\Windows\system32\wfvousjnk.exe"
        123⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\wvfn.exe
        
        "C:\Windows\system32\wvfn.exe"
        124⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\wsv.exe
        
        "C:\Windows\system32\wsv.exe"
        125⤵
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\woacyoe.exe
        
        "C:\Windows\system32\woacyoe.exe"
        126⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\wsxbee.exe
        
        "C:\Windows\system32\wsxbee.exe"
        127⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\wwyg.exe
        
        "C:\Windows\system32\wwyg.exe"
        128⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\wsocr.exe
        
        "C:\Windows\system32\wsocr.exe"
        129⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\wwb.exe
        
        "C:\Windows\system32\wwb.exe"
        130⤵
        Checks computer location settings
        
        PID:4252
        
        C:\Windows\SysWOW64\wfmdjmv.exe
        
        "C:\Windows\system32\wfmdjmv.exe"
        131⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wbppury.exe
        
        "C:\Windows\system32\wbppury.exe"
        132⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\wjnltwh.exe
        
        "C:\Windows\system32\wjnltwh.exe"
        133⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\wfrxfbh.exe
        
        "C:\Windows\system32\wfrxfbh.exe"
        134⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\wfern.exe
        
        "C:\Windows\system32\wfern.exe"
        135⤵
        Checks computer location settings
        
        PID:1636
        
        C:\Windows\SysWOW64\wfhaptgpk.exe
        
        "C:\Windows\system32\wfhaptgpk.exe"
        136⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\woeuoy.exe
        
        "C:\Windows\system32\woeuoy.exe"
        137⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\wvrhgd.exe
        
        "C:\Windows\system32\wvrhgd.exe"
        138⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Windows\SysWOW64\wfesxjjfu.exe
        
        "C:\Windows\system32\wfesxjjfu.exe"
        139⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\wjri.exe
        
        "C:\Windows\system32\wjri.exe"
        140⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\wfuu.exe
        
        "C:\Windows\system32\wfuu.exe"
        141⤵
        Checks computer location settings
        
        PID:4856
        
        C:\Windows\SysWOW64\wftwav.exe
        
        "C:\Windows\system32\wftwav.exe"
        142⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wjgmakbm.exe
        
        "C:\Windows\system32\wjgmakbm.exe"
        143⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\wgxof.exe
        
        "C:\Windows\system32\wgxof.exe"
        144⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\SysWOW64\wkkeebm.exe
        
        "C:\Windows\system32\wkkeebm.exe"
        145⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\woxsg.exe
        
        "C:\Windows\system32\woxsg.exe"
        146⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\womlolw.exe
        
        "C:\Windows\system32\womlolw.exe"
        147⤵
        
        PID:932
        
        C:\Windows\SysWOW64\wwj.exe
        
        "C:\Windows\system32\wwj.exe"
        148⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\wbwwo.exe
        
        "C:\Windows\system32\wbwwo.exe"
        149⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\wejl.exe
        
        "C:\Windows\system32\wejl.exe"
        150⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\wcco.exe
        
        "C:\Windows\system32\wcco.exe"
        151⤵
        Checks computer location settings
        
        PID:736
        
        C:\Windows\SysWOW64\wwg.exe
        
        "C:\Windows\system32\wwg.exe"
        152⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\wtiyiuv.exe
        
        "C:\Windows\system32\wtiyiuv.exe"
        153⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\wvves.exe
        
        "C:\Windows\system32\wvves.exe"
        154⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\wiqpov.exe
        
        "C:\Windows\system32\wiqpov.exe"
        155⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\wgjndqfpe.exe
        
        "C:\Windows\system32\wgjndqfpe.exe"
        156⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\wyoahuk.exe
        
        "C:\Windows\system32\wyoahuk.exe"
        157⤵
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\wlikcpvh.exe
        
        "C:\Windows\system32\wlikcpvh.exe"
        158⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wybiij.exe
        
        "C:\Windows\system32\wybiij.exe"
        159⤵
        Checks computer location settings
        
        PID:3792
        
        C:\Windows\SysWOW64\wppii.exe
        
        "C:\Windows\system32\wppii.exe"
        160⤵
        Checks computer location settings
        
        PID:3372
        
        C:\Windows\SysWOW64\wtcxjki.exe
        
        "C:\Windows\system32\wtcxjki.exe"
        161⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Windows\SysWOW64\wxpojxc.exe
        
        "C:\Windows\system32\wxpojxc.exe"
        162⤵
        Checks computer location settings
        
        PID:3384
        
        C:\Windows\SysWOW64\weqs.exe
        
        "C:\Windows\system32\weqs.exe"
        163⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\wgprjyqb.exe
        
        "C:\Windows\system32\wgprjyqb.exe"
        164⤵
        Checks computer location settings
        
        PID:3012
        
        C:\Windows\SysWOW64\wrxvibm.exe
        
        "C:\Windows\system32\wrxvibm.exe"
        165⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\wrhfx.exe
        
        "C:\Windows\system32\wrhfx.exe"
        166⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\wjl.exe
        
        "C:\Windows\system32\wjl.exe"
        167⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\SysWOW64\wbommsw.exe
        
        "C:\Windows\system32\wbommsw.exe"
        168⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\woivjngj.exe
        
        "C:\Windows\system32\woivjngj.exe"
        169⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\wclplj.exe
        
        "C:\Windows\system32\wclplj.exe"
        170⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Windows\SysWOW64\wlgdokg.exe
        
        "C:\Windows\system32\wlgdokg.exe"
        171⤵
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\wdjtk.exe
        
        "C:\Windows\system32\wdjtk.exe"
        172⤵
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wmdgpa.exe
        
        "C:\Windows\system32\wmdgpa.exe"
        173⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjtk.exe"
        173⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgdokg.exe"
        172⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1676
        172⤵
        Program crash
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclplj.exe"
        171⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woivjngj.exe"
        170⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbommsw.exe"
        169⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjl.exe"
        168⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhfx.exe"
        167⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxvibm.exe"
        166⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgprjyqb.exe"
        165⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqs.exe"
        164⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpojxc.exe"
        163⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcxjki.exe"
        162⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppii.exe"
        161⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybiij.exe"
        160⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlikcpvh.exe"
        159⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyoahuk.exe"
        158⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjndqfpe.exe"
        157⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqpov.exe"
        156⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvves.exe"
        155⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1360
        155⤵
        Program crash
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtiyiuv.exe"
        154⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwg.exe"
        153⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcco.exe"
        152⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejl.exe"
        151⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwwo.exe"
        150⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwj.exe"
        149⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womlolw.exe"
        148⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxsg.exe"
        147⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkeebm.exe"
        146⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxof.exe"
        145⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgmakbm.exe"
        144⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wftwav.exe"
        143⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuu.exe"
        142⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjri.exe"
        141⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfesxjjfu.exe"
        140⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrhgd.exe"
        139⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woeuoy.exe"
        138⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhaptgpk.exe"
        137⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfern.exe"
        136⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrxfbh.exe"
        135⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnltwh.exe"
        134⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbppury.exe"
        133⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmdjmv.exe"
        132⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwb.exe"
        131⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsocr.exe"
        130⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyg.exe"
        129⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxbee.exe"
        128⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woacyoe.exe"
        127⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsv.exe"
        126⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfn.exe"
        125⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvousjnk.exe"
        124⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsef.exe"
        123⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipwwdtat.exe"
        122⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyckf.exe"
        121⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1352
        121⤵
        Program crash
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnftpakd.exe"
        120⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1668
        120⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryy.exe"
        119⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadkef.exe"
        118⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waaccikfv.exe"
        117⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxrynfp.exe"
        116⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyss.exe"
        115⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwkpesr.exe"
        114⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjasahh.exe"
        113⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtywlmjg.exe"
        112⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpch.exe"
        111⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wheldcxv.exe"
        110⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmfop.exe"
        109⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdooa.exe"
        108⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbtqxi.exe"
        107⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wueyrra.exe"
        106⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbqov.exe"
        105⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdds.exe"
        104⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whc.exe"
        103⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnsfyo.exe"
        102⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpl.exe"
        101⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxgqyjoq.exe"
        100⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmthqlm.exe"
        99⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whitq.exe"
        98⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1404
        98⤵
        Program crash
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxthy.exe"
        97⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiopxel.exe"
        96⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcf.exe"
        95⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcgucun.exe"
        94⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1448
        94⤵
        Program crash
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijyh.exe"
        93⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovdpl.exe"
        92⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsun.exe"
        91⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgfld.exe"
        90⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuim.exe"
        89⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgal.exe"
        88⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriel.exe"
        87⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfsb.exe"
        86⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlikctkh.exe"
        85⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1440
        85⤵
        Program crash
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlurtx.exe"
        84⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiidtka.exe"
        83⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvuko.exe"
        82⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkksja.exe"
        81⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtft.exe"
        80⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxvlhaal.exe"
        79⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whckm.exe"
        78⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfvfmqg.exe"
        77⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 116
        77⤵
        Program crash
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhv.exe"
        76⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkirk.exe"
        75⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhbpoqhn.exe"
        74⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnje.exe"
        73⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnokt.exe"
        72⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvlhhy.exe"
        71⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryrhmr.exe"
        70⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woas.exe"
        69⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwjxcg.exe"
        68⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruwmxe.exe"
        67⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgbtt.exe"
        66⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdqr.exe"
        65⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemmfmyv.exe"
        64⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvo.exe"
        63⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvaxw.exe"
        62⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weirkxl.exe"
        61⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkytb.exe"
        60⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhnj.exe"
        59⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfy.exe"
        58⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxcjeu.exe"
        57⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1456
        57⤵
        Program crash
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiusij.exe"
        56⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqenw.exe"
        55⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqclda.exe"
        54⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrcueyp.exe"
        53⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcg.exe"
        52⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqul.exe"
        51⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwquef.exe"
        50⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1440
        50⤵
        Program crash
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiku.exe"
        49⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymyogcr.exe"
        48⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexd.exe"
        47⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpq.exe"
        46⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdljf.exe"
        45⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwnn.exe"
        44⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkglj.exe"
        43⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1492
        43⤵
        Program crash
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhlcrmdu.exe"
        42⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvakmo.exe"
        41⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrjpyp.exe"
        40⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhdjpxs.exe"
        39⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnejgt.exe"
        38⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwld.exe"
        37⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waipifoy.exe"
        36⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajnri.exe"
        35⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylmj.exe"
        34⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwmicbul.exe"
        33⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1440
        33⤵
        Program crash
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpnsjbc.exe"
        32⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsoogh.exe"
        31⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuofo.exe"
        30⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbwrd.exe"
        29⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmg.exe"
        28⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdeam.exe"
        27⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wthwc.exe"
        26⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whc.exe"
        25⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnfflpt.exe"
        24⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjlcq.exe"
        23⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpxwn.exe"
        22⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdonnuwn.exe"
        21⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlft.exe"
        20⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwqi.exe"
        19⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbkcxdi.exe"
        18⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhsp.exe"
        17⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woiko.exe"
        16⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjafirm.exe"
        15⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wieklxov.exe"
        14⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 116
        14⤵
        Program crash
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykw.exe"
        13⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpctj.exe"
        12⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpiym.exe"
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxkn.exe"
        10⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasttk.exe"
        9⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1648
        9⤵
        Program crash
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbslr.exe"
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdr.exe"
        7⤵
        
        PID:5000
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyf.exe"
        6⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbw.exe"
        5⤵
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmpti.exe"
      4⤵
      PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbsdneuw.exe"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 116
    3⤵
    - Program crash
    PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1280
    3⤵
    - Program crash
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe"
  2⤵
  PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4856 -ip 4856
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4856 -ip 4856
1⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4472 -ip 4472
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1140 -ip 1140
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4608 -ip 4608
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1112 -ip 1112
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4848 -ip 4848
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4252 -ip 4252
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 4396
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1188 -ip 1188
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4356 -ip 4356
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2524 -ip 2524
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3056 -ip 3056
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2300 -ip 2300
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4428 -ip 4428
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wasttk.exe

Filesize
447KB

MD5
07a53b3f34245642f7e84a1830ce92b5

SHA1
393933ecf6b367b7909d68a97179f49c3862108f

SHA256
2f3b19a713ac7f691e46597a6143bfae33b5a4fe350cee622eef4e3a9ff3c85a

SHA512
4eacbe93e1134497668d898a3e1c044cfed769bcb3d5b2a5ba3235ebb208326864b722879a2793ec7919a6b813c2b779cabb2c9303b3ce69e67661f01b1fbb1e

Download Submit
C:\Windows\SysWOW64\wbdr.exe

Filesize
447KB

MD5
dc7d9323496b7a55bd88902368b239dd

SHA1
f2d764d2d6cc8059052c4a7514680b966231df85

SHA256
a4455f71a7214bad614a1a57f02a3222f7033451f795a125d2fd1b3d347131db

SHA512
f44bfe445d26c08691cec4eecdbddde8b0a9d188a68d1fd70c89c79de1af9fa39e82a8f06aa169d66b7f0e41ac877f477c257291d82c7f5a838e8db6a544f12a

Download Submit
C:\Windows\SysWOW64\wbmpti.exe

Filesize
447KB

MD5
b890c49a6186d3315767a901323fc8d5

SHA1
50a62e3e147cf9e0b0e9b90df64842851bd43740

SHA256
32db24e4c3eaa3e3b5f4ec4ba3f057743d8106ef79eba9c7788ee9a0e2f60e31

SHA512
4deb8d39dc33908ed8723ae38b4912782154709f079017879403f5074880b1595b2b02b65eb5b2c82d393e5ba2879ff9b194a2dcf8c90f8007ab9f8ce15035d6

Download Submit
C:\Windows\SysWOW64\wbslr.exe

Filesize
447KB

MD5
aaccc15821a7a9b85fd611eb790f01cb

SHA1
7629f0a3eb591cf18931a730095e71c0a048ba5c

SHA256
2cf8cef29aefd2e55737fa2f079d63a01df6c8e2810727cfa2cccbd6a5ed4d63

SHA512
7e1c46eb582a05dd14e844d9d7e9399ed0b20ac701f6f0d537ff2c167f665868aa0db18f0674a4dcbf798c0b14c078b88ac8fd6fa171dcb862436ee39658d759

Download Submit
C:\Windows\SysWOW64\wbwqi.exe

Filesize
448KB

MD5
56508b6f1d040864b6f35348f7d310f3

SHA1
47ea3c427eb553e641ddb571eeea5b0fd8adbe06

SHA256
52a716202c7c1a62f5ced91cd4e48fa9e9f8639f401577fd0dedfa090cff1a08

SHA512
bd8eded937f54960a637463f78876508deffbdde80b8d474f29a2a35b058c5f18e4af5b374193f3878d60323b3dc3ebf8db8082e71c4940a5cc06c20aff35d7a

Download Submit
C:\Windows\SysWOW64\wcjlcq.exe

Filesize
448KB

MD5
086691d45153cbd47a53b2da7434647d

SHA1
973cbe322f1f58b8cef21c597a7459c4e4dd68c9

SHA256
9271f2ad84e32d6270fdbb570b2f82987bee78d088d9d74f7b2c2268e2fde9f1

SHA512
46ff41a40d53091864295be6a52f54be3b1c26b63f502cfa3f73be19e5a41195cef78d5c1bfe2d3015e7f7e7e591f374174d288884f071ae3bfcdbbbb8a25165

Download Submit
C:\Windows\SysWOW64\wdonnuwn.exe

Filesize
448KB

MD5
b9f5297b386e89fbfd0b7956b7d21ba0

SHA1
c963023a15a79baf79fc2cb1642e3b732853fa5f

SHA256
a4ce9d3e117e7aaad7d08e2990ee5965cccba70fcfac8da3a18e919e6c1908b5

SHA512
db8af5a7c05034fa6236426eb3fad3ee4d884959f3a8909f9e0c0be63a6ff05129770596dee35a1dacf92abe0c88c0bd1c3598450ecaedae8e260efb53178c2f

Download Submit
C:\Windows\SysWOW64\wgdeam.exe

Filesize
448KB

MD5
aeb2ed0bbef6d91064853630d685ab0e

SHA1
e1fdf4b760119da7efaffba2564ff20a7c569403

SHA256
33a76512ec66602330547333853d8ed378e1d972e6526ed0076cae3f27cf2147

SHA512
75b8ab92e3aff3c532e7b1c92e13985076146cded4ca5d9e3525a12385211047a2575dada2b782ac7bd96c8fe3ce99a7d69271518d601880d6f351c93f306762

Download Submit
C:\Windows\SysWOW64\whc.exe

Filesize
448KB

MD5
a3ce5858bef3969bb5b8b2a63573b628

SHA1
4d7123a488da958c33e73708d92a843db6c5dd30

SHA256
9955ee6c88e650f653aaa685cd13222858efaa140605818369cf6e35dc68ba75

SHA512
dbd620858de92f5ff6915ea1a934da97e96563e54f88004f2bc5faa8bddd72632b4e08512be279b8b6f65ef0d9c307a055ed57e1170d6ccf1a1983d420fcc91a

Download Submit
C:\Windows\SysWOW64\whhsp.exe

Filesize
448KB

MD5
c94b701f2e967ca30006555c81f46cd9

SHA1
d2d8a967966595d5a92686db8cab4502dca00ac3

SHA256
8a24bb96cf285b2c40fb004ab54a713090c4f6a1867308bb8371a0b276e17d15

SHA512
eba18d46efda2fe155ef4cb1855a347c58dba3686f5dfc685162b6059a48ebc537f7160cda771c096bb00472a02faddc5117c47d035e7dba5e1ca7b50bb61050

Download Submit
C:\Windows\SysWOW64\wieklxov.exe

Filesize
447KB

MD5
eb1a8c0fbd12f0bd69bf4dd279e5f683

SHA1
e0a338f940380484c879c369e3649a8960e0c0bc

SHA256
b0c4c883348bf54f398e04017b0f2ba092593147a63eb07c63bc97822a428d5a

SHA512
3e8de7d4d6277123c7dd7f5b0b7c7dbb9d793b6c97d4da9034de7db0036828184af3b2a6e8e6f81733347fc39c25e1d60205f03725f9bfa8b65f23f36fbf139a

Download Submit
C:\Windows\SysWOW64\wiwmicbul.exe

Filesize
448KB

MD5
7357c3e7cc95120f9aaa8ba97385c819

SHA1
b5bab3c24d657781364f8881e77fe5afc1bd0987

SHA256
4ffd5392d30d80a709cbf07ff8958a2da8e6e28f6bb01c6adac59a2c0781d51c

SHA512
94bd0532bdcdcfa7ef14907541279c9ae1aebff64d54825e247d81ebc430e861922c898827a10706485d0d01a96035fa7d7426b30585616d743717ea41cdf0e8

Download Submit
C:\Windows\SysWOW64\wjafirm.exe

Filesize
447KB

MD5
098c359bef409b9e88426065be3b3879

SHA1
ddb38262f8c4dda12bd4bcbba864d0c742eb3d86

SHA256
bf54087e589b2fb92282993b6e19457b9efb4dceaabbf3d0d8ecb5610e18d42f

SHA512
57e95dc3375dd8e83dec4f53ff70f11de75676fa9e70759c881686b7cfb1496f850302d06db668dc582a29a9bdc45eee583978862781c0014e688d0c1ed5f516

Download Submit
C:\Windows\SysWOW64\wlft.exe

Filesize
448KB

MD5
e592a6cb2da03b5ab475540df78cbff8

SHA1
8a2c1b7538744691bc56993fc8c6debea644357e

SHA256
9734da7c2c6458e7e1205423c1e6877e072c2a83e3f3ec35f39dc770dc33087d

SHA512
edda2392812f62928d9219f76ddbcb12cfedff61b7ced46e239b99f5d50b061ce95de9fc6bacf72c977eef40d7e0a98dd6be9b060d31c9d80d1b61316e733208

Download Submit
C:\Windows\SysWOW64\wmbkcxdi.exe

Filesize
448KB

MD5
0c6399f166e3a68a7bae3411938b82f4

SHA1
ecaba69b69fe1ae7750c645bdac1c94e9d8aa1a7

SHA256
25516b82b920bd1fa1ac5954f32a1f48957fe9876d5652493b08aaebf3003959

SHA512
912978624f1bf0517accc52b253b31a445abd934c21c4d8a0e57703dfd98c8798849b61f01e6c713b76db415f4d2d86596b96614f5c14fee37fdf47b288209b9

Download Submit
C:\Windows\SysWOW64\wmbw.exe

Filesize
447KB

MD5
a0e905c10defc8b90a26b4d7e8be28a8

SHA1
f3f55a8ffd9895cbe97c4a571a2852908424cf64

SHA256
6ed499f44de9f7a511ee37b5b35aeecaf368afa2973f1e2a629541ff89a7cabf

SHA512
316c6316730467a2181bed30648b94ab63c59e3cdb6997f9839bec6f7f31d4778d1ab50492eb8a73fbee594cc16f4d8542ffa4ec678a0fc9360fc61b1c0da17f

Download Submit
C:\Windows\SysWOW64\wmg.exe

Filesize
448KB

MD5
053856cbcf74dce8f2dba055a3d3e42e

SHA1
5f6c13ffaf27ff3582d9696298c46a677f87cc51

SHA256
95f38d95a5f5bc2915456305f1d82b221f8b3dd2d4737ffde21cf726145220a4

SHA512
57371041ab77f9e1c1270ee103cd012af1bad95d8aca5c19f3d4bd3700f9ef7d6d4256a216c083dbbf20ceb3ef0ffcf99b12157f8b4a1781f113ecabae02dc6f

Download Submit
C:\Windows\SysWOW64\woiko.exe

Filesize
448KB

MD5
9d7af27853d2a90291435c45f93c4f90

SHA1
5df22392b20cd521ef7741a26ec5eb7f978f3a8f

SHA256
24f91d87bac5a545097a4d2c87df483dd1ea4bcd76642340c62883f7e5e7e33a

SHA512
e8f85c06eb2349c48b9ba0c0a60d85a93ad9f36e26e3969379e3acad6da3e79e8cbd3a357d9aabf47f6d4c2b592e9ab5c98268bc5dfe241f1b50ef4abd83f139

Download Submit
C:\Windows\SysWOW64\wpbsdneuw.exe

Filesize
447KB

MD5
2105378d1c4e2216ada22f77b356c92f

SHA1
02c7766c0880f852ee74ffcbfc9271d5adb4d1be

SHA256
224d3865a270b63905e9a343c699ed4aa853b43c1faf8ebd3d3d807819b4423b

SHA512
fa4e529d2d8569ecbc47e50fc8db7a8d9470661600cf13a36a3dddf10da3010251fddf073fa29510ef68df5174d12f2f54715c1815d82f6d35b532cdd71bede6

Download Submit
C:\Windows\SysWOW64\wpctj.exe

Filesize
447KB

MD5
0a028282188f4ae8146123821ba118bb

SHA1
3a896cac53d254b34fa15abd3053b46c420a0542

SHA256
1b2bc0cdc26483d91173ee49ac9c376fce8784ecf90546d7e7102821fe9bce74

SHA512
ea30a9606cc66ff175444f210077e6473a4d367ca577d8ac9875d86c3e19e2c1d7d823ac000ddeeb567f51ee908e9bb59b9c40ddebe9b007c4c982a6242c9b2a

Download Submit
C:\Windows\SysWOW64\wpiym.exe

Filesize
447KB

MD5
8f7617444bebd50f2c549ba6b8fc314d

SHA1
d896c962812213f2b5056d0e456e0a6a36ab9cca

SHA256
01ed51e2a9441d00126d54ceded0c19615a1faef861f491223cf5d6eb7c03b7c

SHA512
17c567fe169ccf9e1f9ead1e5d8d81dc8500de0f282082a373b75d7f29f22127d812a47f0417ed3e3a5e5b030c97025906d2217f46c71ad726029195315aa85c

Download Submit
C:\Windows\SysWOW64\wpnfflpt.exe

Filesize
448KB

MD5
033648bc2228b48fcd23c5ee33396bee

SHA1
507b692f9e16b4eae55d95b1ace44520ad350498

SHA256
9744c7f47219cfeadd6515ee6467e90f750d2043d0f16e041c8834f89a2af227

SHA512
0bb14e556102311da08388fb26af61e54696c9b5964366c6d7de26a4416852cf39964b34d1aa710898a2331275c56f50149a6021f12048e2bf65bd04e5e1638a

Download Submit
C:\Windows\SysWOW64\wrbwrd.exe

Filesize
448KB

MD5
1b9183bd1ad14fc5ff5abdf18cfad20f

SHA1
78da68d5188c4d828063927e372780dc382e8865

SHA256
6b6a6f51a6ab2b9dd6a3b8c1200bc9c7d0aa7506b6bdaff4879e127b1621702a

SHA512
eecd30c513fc9c596db5216380a3b8bd50d09fa68757d9f84946ea3437f1cf453dc1736e84b666fdd4c6962a3ade5e76c31375634f3e6751f5af9e31b530e92c

Download Submit
C:\Windows\SysWOW64\wrpxwn.exe

Filesize
448KB

MD5
95fddd346ff4f34fd9ae50ce1592a0ca

SHA1
8a32bb5e3df3b3e4dc5a31537158d584f5a84ec3

SHA256
093f0947b7ed6da99413fb222f766928bf9d571b95a1206380489940efba9c92

SHA512
aaf6f7787cb3a8fe5d1ef3142ea21f02ab2cb721a6377e73de304dc998303854a85ae554d83648d7a2ced1ce198f722ff206ad0a40cee4a2d446b8aeab2f95f5

Download Submit
C:\Windows\SysWOW64\wrxkn.exe

Filesize
447KB

MD5
7e0eb6e435003370928aac0b16f6a3ea

SHA1
5b0cef674833ee20ab29a189e60c6e1cbdd03f9f

SHA256
53355784485db5c23d7d97842f9090a8de52f512eead6049e724328ec2402fdd

SHA512
657e1a222637068737ecf83e89e0abadf14830bc759a77643d6854ee49e9da7223c396f87138268be1e1469bf248ba442ff89627267087089deb1b2cb8e6df64

Download Submit
C:\Windows\SysWOW64\wthwc.exe

Filesize
448KB

MD5
fa788646f841a3eb0853fd6cd30ccddb

SHA1
6df49d61787109213f59977c4b64cc741f2a35b0

SHA256
c522d359cb777c90f8b033fc8b52aaa0eb406921354854010b55d28204b65596

SHA512
dc834ba677e730d2dab41a4ae8a49f4c4ace26e13364f2009fcf285f859a03946d8a1fa14471fbd944e4593b669310042f0b5cdace7038ec56db419f56f3f0cc

Download Submit
C:\Windows\SysWOW64\wtpnsjbc.exe

Filesize
448KB

MD5
88e88fd5bd9bb6ccb17b5749196241c9

SHA1
6210d357426f14bf098256f55d86449a3ee40c04

SHA256
8cab0cb39f81cabef0c33ed50de975381d0b9ae77b9f58c7bce6a1e0417a7c27

SHA512
7d0001e3c88c59e65cf554086af7f4555609f893c0c3733ef98391c3446e3b79f198dbc76d504c22123d12ef782b292d21f3a76c3f4a8e1d462296a547055613

Download Submit
C:\Windows\SysWOW64\wvuofo.exe

Filesize
448KB

MD5
18a13d60628e71ff89bac82e81de2347

SHA1
b0497cae54c02eabc068ae2d7566488cec961245

SHA256
c477d2c49893869058194745ec2d1a4032ec8fa928fd8009bcb219b38e1d39ec

SHA512
5e114069790d0fa37c9aeae2fa9ca32f96fbb87b27d88ac0a3814cb3441fe1314926517fe7bf88ee37f566728b1277b4edc737f03d22df9fe004165452229688

Download Submit
C:\Windows\SysWOW64\wwsoogh.exe

Filesize
448KB

MD5
c66ba15d04ea564f85b754a8ffc18b72

SHA1
a82573553cf5739eff86e7d61d595bd8d2477b6e

SHA256
79b0fd98ac299c5c00c2f97c886a0b1efb9b700e953a5cfd9f4a89758df8fceb

SHA512
c3a85b4873eb1d6083f009df86e991938e9631f174f63df3b094a84665d7b4eef1b7734138178b488be696b6da0f1e7296b016207e4b32fbd398f4d70ff250ca

Download Submit
C:\Windows\SysWOW64\wyf.exe

Filesize
447KB

MD5
a6b8e0f6d6a681319d0ad47a835783d9

SHA1
6e0d89236e0e42b375a8b4a59a8637c5f3e76ced

SHA256
8148a3555d9de441dd21e56e91ab3a77479468080cff1661731dd9d29c5d90de

SHA512
3551e69e3cc8c655571a99268a73fee987f665a515ae4fa27aeaa8d9e620f5bd561e8fce94086707d3c95274239d5ea8e4d868b8c6a23c5c0623d944fde48901

Download Submit
C:\Windows\SysWOW64\wykw.exe

Filesize
447KB

MD5
6267e5fcea04aecda1e7aed7910dec3f

SHA1
f92937be61c1ac6055cf730524e4dbcbd15a0b69

SHA256
9f3fd59a84eede808f2e9b3a16ce75d96c1459e1faf2a0a9d749988cf08d26e6

SHA512
0da5d5f7981b31d048284ca436c5b9053f91048f89cb275843112431ea4387d6bb1e02b9b79ca6d7f1d455e7d644d68d4d1bae55de8ea28c67bff9fe2bd6e53f

Download Submit
C:\Windows\SysWOW64\wylmj.exe

Filesize
448KB

MD5
99d61de9c202c5cbb0f53a604a9cb83f

SHA1
c59e677e9e3511b44ef837ce8bca26103537149f

SHA256
d654e24d9f4262c5bb449b71b566022d907ef724def3dc30336aa3b407b2259a

SHA512
eb933e26a08be2dc35ade05dd1786da9a1a6b5b1d0f44ef7c2c7a742ca176eaccdc1c37b841fd7b38c59fade273e33fc1226e76ac2fba37d49b3d8e04f297145

Download Submit
memory/116-625-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/116-634-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/228-341-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/436-390-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/516-560-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/624-293-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/964-273-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-416-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-406-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1124-382-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1140-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1140-125-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1200-358-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1220-568-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1220-559-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1244-509-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1244-518-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1248-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1248-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1264-42-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1264-53-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1420-527-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1780-126-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1796-179-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1796-168-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1860-313-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2068-483-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2068-492-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2092-158-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2092-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2096-407-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2224-221-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2224-209-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2276-609-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-94-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2380-500-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2380-510-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2416-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2416-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2464-349-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2524-626-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2580-263-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2608-474-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2608-484-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2764-199-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2964-466-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3096-210-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3144-32-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3144-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3272-501-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3376-449-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3480-576-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3480-585-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3608-323-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-232-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-220-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-157-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3684-366-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3684-357-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3692-635-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3744-243-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3744-231-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3760-593-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3760-303-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3792-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3924-374-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3928-457-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3928-448-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4004-424-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4004-415-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4216-189-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4252-535-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4252-526-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4352-104-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4352-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4472-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4556-253-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4556-242-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4608-333-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4776-432-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4780-398-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4848-475-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4848-543-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4848-465-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4856-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4856-577-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4856-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4876-283-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4884-551-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4992-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5000-617-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5008-440-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5060-601-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5068-105-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5112-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download