369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe
Size

92KB
MD5

834ea8fc617dca265698a98ecdd90620
SHA1

4b9e5efe5b9d48677e9a364d4692bf8514b477f0
SHA256

369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45
SHA512

c80659cf3efaca3269a3f1e77bcbb22ebf66e0a09907e8a71ef918d8280766e3a473985124500be428dec02c18861fb0d616920e0ececed15d4e566238ad671e
SSDEEP

1536:xch3vwSbax3rHV6+HwsWGhG5JiBzQmVDe:BHTrhWiBzQOe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2600	wghgf.exe
2448	whkp.exe
1668	wndvi.exe
284	wcg.exe
2164	wsydj.exe
852	wmlgyj.exe
2112	wweurh.exe
1620	wmwh.exe
1520	wkjgjq.exe
2612	wunfimb.exe
1504	wjert.exe
1644	wlyne.exe
1244	wwpdw.exe
2188	wrsvg.exe
1436	wbbc.exe
2932	wqeypq.exe
2780	wbhyqmxa.exe
2628	wujqyra.exe
2524	wkbdj.exe
2964	wlnx.exe
2288	wgqp.exe
2316	wtsmgn.exe
2744	wnvdpsghh.exe
1744	wen.exe
2020	wcod.exe
1436	wyqt.exe
2840	wboxcoh.exe
2976	whwgxs.exe
2884	wcjjnyo.exe
2808	wxlxmvs.exe
2612	wkemg.exe
1700	wifcf.exe
1892	woqr.exe
2748	whfujbqe.exe
2864	wonf.exe
2252	wlps.exe
2900	wkbqkygfi.exe
2836	wyfocmep.exe
2876	wuhnum.exe
2312	wstl.exe
1192	wugixaswb.exe
3012	wowp.exe
1420	wdb.exe
912	wwdeyx.exe
1068	wxoywmbs.exe
704	wkhoqh.exe
2840	wyjjivim.exe
2980	wjdab.exe
2488	wvtotm.exe
2752	woxhcs.exe
1652	waagdou.exe
1892	wpssn.exe
2988	wevo.exe
1924	wkrpywo.exe
1592	wvau.exe
2740	womxbxxsh.exe
2672	weqtrmv.exe
2556	wwy.exe
1668	wlcyod.exe
2036	wfepvjeo.exe
1284	wxrsm.exe
3024	wokfvce.exe
2064	wdcqg.exe
2724	wwejo.exe

Loads dropped DLL 64 IoCs

pid	Process
2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe
2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe
2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe
2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe
2600	wghgf.exe
2600	wghgf.exe
2600	wghgf.exe
2600	wghgf.exe
2448	whkp.exe
2448	whkp.exe
2448	whkp.exe
2448	whkp.exe
1668	wndvi.exe
1668	wndvi.exe
1668	wndvi.exe
1668	wndvi.exe
284	wcg.exe
284	wcg.exe
284	wcg.exe
284	wcg.exe
2164	wsydj.exe
2164	wsydj.exe
2164	wsydj.exe
2164	wsydj.exe
852	wmlgyj.exe
852	wmlgyj.exe
852	wmlgyj.exe
852	wmlgyj.exe
2112	wweurh.exe
2112	wweurh.exe
2112	wweurh.exe
2112	wweurh.exe
1620	wmwh.exe
1620	wmwh.exe
1620	wmwh.exe
1620	wmwh.exe
1520	wkjgjq.exe
1520	wkjgjq.exe
1520	wkjgjq.exe
1520	wkjgjq.exe
2612	wunfimb.exe
2612	wunfimb.exe
2612	wunfimb.exe
2612	wunfimb.exe
1504	wjert.exe
1504	wjert.exe
1504	wjert.exe
1504	wjert.exe
1644	wlyne.exe
1644	wlyne.exe
1644	wlyne.exe
1644	wlyne.exe
1244	wwpdw.exe
1244	wwpdw.exe
1244	wwpdw.exe
1244	wwpdw.exe
2188	wrsvg.exe
2188	wrsvg.exe
2188	wrsvg.exe
2188	wrsvg.exe
1436	wbbc.exe
1436	wbbc.exe
1436	wbbc.exe
1436	wbbc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wifcf.exe	wkemg.exe
File opened for modification	C:\Windows\SysWOW64\wcwvulise.exe	wktdmgfre.exe
File created	C:\Windows\SysWOW64\wvknkawgo.exe	wgrbcmjj.exe
File opened for modification	C:\Windows\SysWOW64\wkemg.exe	wxlxmvs.exe
File opened for modification	C:\Windows\SysWOW64\wtabdmnlv.exe	wxn.exe
File opened for modification	C:\Windows\SysWOW64\wnvdpsghh.exe	wtsmgn.exe
File created	C:\Windows\SysWOW64\wwejo.exe	wdcqg.exe
File created	C:\Windows\SysWOW64\whsvqj.exe	wfhbsuue.exe
File opened for modification	C:\Windows\SysWOW64\wcjjcyao.exe	wkvhn.exe
File created	C:\Windows\SysWOW64\wweurh.exe	wmlgyj.exe
File created	C:\Windows\SysWOW64\wwy.exe	weqtrmv.exe
File opened for modification	C:\Windows\SysWOW64\wptof.exe	wrmvc.exe
File opened for modification	C:\Windows\SysWOW64\wqpoii.exe	wodulson.exe
File created	C:\Windows\SysWOW64\wgrbcmjj.exe	wjfcup.exe
File opened for modification	C:\Windows\SysWOW64\wbofj.exe	wrii.exe
File opened for modification	C:\Windows\SysWOW64\wcg.exe	wndvi.exe
File opened for modification	C:\Windows\SysWOW64\wkbdj.exe	wujqyra.exe
File created	C:\Windows\SysWOW64\wcjjcyao.exe	wkvhn.exe
File opened for modification	C:\Windows\SysWOW64\wtrxq.exe	wbofj.exe
File created	C:\Windows\SysWOW64\wakvqk.exe	wfidig.exe
File opened for modification	C:\Windows\SysWOW64\wugixaswb.exe	wstl.exe
File opened for modification	C:\Windows\SysWOW64\wxlxmvs.exe	wcjjnyo.exe
File created	C:\Windows\SysWOW64\wtrxq.exe	wbofj.exe
File opened for modification	C:\Windows\SysWOW64\wonf.exe	whfujbqe.exe
File opened for modification	C:\Windows\SysWOW64\wvtotm.exe	wjdab.exe
File created	C:\Windows\SysWOW64\wpejlis.exe	wvmckfbp.exe
File created	C:\Windows\SysWOW64\wfidig.exe	wpeiqsjy.exe
File created	C:\Windows\SysWOW64\wcwvulise.exe	wktdmgfre.exe
File opened for modification	C:\Windows\SysWOW64\wfhbsuue.exe	wqpoii.exe
File created	C:\Windows\SysWOW64\wbofj.exe	wrii.exe
File created	C:\Windows\SysWOW64\wwpdw.exe	wlyne.exe
File opened for modification	C:\Windows\SysWOW64\wgrbcmjj.exe	wjfcup.exe
File created	C:\Windows\SysWOW64\wmlgyj.exe	wsydj.exe
File created	C:\Windows\SysWOW64\wodulson.exe	wtabdmnlv.exe
File created	C:\Windows\SysWOW64\wcjjnyo.exe	whwgxs.exe
File opened for modification	C:\Windows\SysWOW64\wwpdw.exe	wlyne.exe
File opened for modification	C:\Windows\SysWOW64\wxvvpkr.exe	wvknkawgo.exe
File opened for modification	C:\Windows\SysWOW64\wkrpywo.exe	wevo.exe
File opened for modification	C:\Windows\SysWOW64\weqtrmv.exe	womxbxxsh.exe
File created	C:\Windows\SysWOW64\wdcqg.exe	wokfvce.exe
File opened for modification	C:\Windows\SysWOW64\wdcqg.exe	wokfvce.exe
File opened for modification	C:\Windows\SysWOW64\wwdeyx.exe	wdb.exe
File created	C:\Windows\SysWOW64\wkbdj.exe	wujqyra.exe
File opened for modification	C:\Windows\SysWOW64\wcod.exe	wen.exe
File opened for modification	C:\Windows\SysWOW64\wsydj.exe	wcg.exe
File created	C:\Windows\SysWOW64\wcod.exe	wen.exe
File created	C:\Windows\SysWOW64\womxbxxsh.exe	wvau.exe
File created	C:\Windows\SysWOW64\wyjjivim.exe	wkhoqh.exe
File created	C:\Windows\SysWOW64\wstl.exe	wuhnum.exe
File created	C:\Windows\SysWOW64\wbhyqmxa.exe	wqeypq.exe
File created	C:\Windows\SysWOW64\woxhcs.exe	wvtotm.exe
File opened for modification	C:\Windows\SysWOW64\wokfvce.exe	wxrsm.exe
File created	C:\Windows\SysWOW64\wkvhn.exe	wptof.exe
File opened for modification	C:\Windows\SysWOW64\wfehshrl.exe	wryoyp.exe
File opened for modification	C:\Windows\SysWOW64\wktdmgfre.exe	wqsleb.exe
File opened for modification	C:\Windows\SysWOW64\wlnx.exe	wkbdj.exe
File created	C:\Windows\SysWOW64\wjfcup.exe	wpejlis.exe
File created	C:\Windows\SysWOW64\wlnx.exe	wkbdj.exe
File opened for modification	C:\Windows\SysWOW64\wyqt.exe	wcod.exe
File opened for modification	C:\Windows\SysWOW64\whwgxs.exe	wboxcoh.exe
File created	C:\Windows\SysWOW64\wkemg.exe	wxlxmvs.exe
File opened for modification	C:\Windows\SysWOW64\woqr.exe	wifcf.exe
File created	C:\Windows\SysWOW64\waagdou.exe	woxhcs.exe
File opened for modification	C:\Windows\SysWOW64\wfidig.exe	wpeiqsjy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1300	2748	WerFault.exe	130
2304	2312	WerFault.exe	149
836	2964	WerFault.exe	231
2348	1508	WerFault.exe	241
1696	2128	WerFault.exe	261

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2600	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2600	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2600	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2600	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2636	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2636	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2636	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2636	2208	369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe	29
PID 2600 wrote to memory of 2448	2600	wghgf.exe	31
PID 2600 wrote to memory of 2448	2600	wghgf.exe	31
PID 2600 wrote to memory of 2448	2600	wghgf.exe	31
PID 2600 wrote to memory of 2448	2600	wghgf.exe	31
PID 2600 wrote to memory of 472	2600	wghgf.exe	32
PID 2600 wrote to memory of 472	2600	wghgf.exe	32
PID 2600 wrote to memory of 472	2600	wghgf.exe	32
PID 2600 wrote to memory of 472	2600	wghgf.exe	32
PID 2448 wrote to memory of 1668	2448	whkp.exe	34
PID 2448 wrote to memory of 1668	2448	whkp.exe	34
PID 2448 wrote to memory of 1668	2448	whkp.exe	34
PID 2448 wrote to memory of 1668	2448	whkp.exe	34
PID 2448 wrote to memory of 2116	2448	whkp.exe	35
PID 2448 wrote to memory of 2116	2448	whkp.exe	35
PID 2448 wrote to memory of 2116	2448	whkp.exe	35
PID 2448 wrote to memory of 2116	2448	whkp.exe	35
PID 1668 wrote to memory of 284	1668	wndvi.exe	37
PID 1668 wrote to memory of 284	1668	wndvi.exe	37
PID 1668 wrote to memory of 284	1668	wndvi.exe	37
PID 1668 wrote to memory of 284	1668	wndvi.exe	37
PID 1668 wrote to memory of 1280	1668	wndvi.exe	38
PID 1668 wrote to memory of 1280	1668	wndvi.exe	38
PID 1668 wrote to memory of 1280	1668	wndvi.exe	38
PID 1668 wrote to memory of 1280	1668	wndvi.exe	38
PID 284 wrote to memory of 2164	284	wcg.exe	40
PID 284 wrote to memory of 2164	284	wcg.exe	40
PID 284 wrote to memory of 2164	284	wcg.exe	40
PID 284 wrote to memory of 2164	284	wcg.exe	40
PID 284 wrote to memory of 2188	284	wcg.exe	41
PID 284 wrote to memory of 2188	284	wcg.exe	41
PID 284 wrote to memory of 2188	284	wcg.exe	41
PID 284 wrote to memory of 2188	284	wcg.exe	41
PID 2164 wrote to memory of 852	2164	wsydj.exe	43
PID 2164 wrote to memory of 852	2164	wsydj.exe	43
PID 2164 wrote to memory of 852	2164	wsydj.exe	43
PID 2164 wrote to memory of 852	2164	wsydj.exe	43
PID 2164 wrote to memory of 356	2164	wsydj.exe	44
PID 2164 wrote to memory of 356	2164	wsydj.exe	44
PID 2164 wrote to memory of 356	2164	wsydj.exe	44
PID 2164 wrote to memory of 356	2164	wsydj.exe	44
PID 852 wrote to memory of 2112	852	wmlgyj.exe	46
PID 852 wrote to memory of 2112	852	wmlgyj.exe	46
PID 852 wrote to memory of 2112	852	wmlgyj.exe	46
PID 852 wrote to memory of 2112	852	wmlgyj.exe	46
PID 852 wrote to memory of 292	852	wmlgyj.exe	47
PID 852 wrote to memory of 292	852	wmlgyj.exe	47
PID 852 wrote to memory of 292	852	wmlgyj.exe	47
PID 852 wrote to memory of 292	852	wmlgyj.exe	47
PID 2112 wrote to memory of 1620	2112	wweurh.exe	49
PID 2112 wrote to memory of 1620	2112	wweurh.exe	49
PID 2112 wrote to memory of 1620	2112	wweurh.exe	49
PID 2112 wrote to memory of 1620	2112	wweurh.exe	49
PID 2112 wrote to memory of 2064	2112	wweurh.exe	50
PID 2112 wrote to memory of 2064	2112	wweurh.exe	50
PID 2112 wrote to memory of 2064	2112	wweurh.exe	50
PID 2112 wrote to memory of 2064	2112	wweurh.exe	50

C:\Users\Admin\AppData\Local\Temp\369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\wghgf.exe
  "C:\Windows\system32\wghgf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\whkp.exe
    "C:\Windows\system32\whkp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\wndvi.exe
      "C:\Windows\system32\wndvi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\wcg.exe
        
        "C:\Windows\system32\wcg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:284
      - C:\Windows\SysWOW64\wsydj.exe
        
        "C:\Windows\system32\wsydj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\wmlgyj.exe
        
        "C:\Windows\system32\wmlgyj.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\wweurh.exe
        
        "C:\Windows\system32\wweurh.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\wmwh.exe
        
        "C:\Windows\system32\wmwh.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1620
        
        C:\Windows\SysWOW64\wkjgjq.exe
        
        "C:\Windows\system32\wkjgjq.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1520
        
        C:\Windows\SysWOW64\wunfimb.exe
        
        "C:\Windows\system32\wunfimb.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2612
        
        C:\Windows\SysWOW64\wjert.exe
        
        "C:\Windows\system32\wjert.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1504
        
        C:\Windows\SysWOW64\wlyne.exe
        
        "C:\Windows\system32\wlyne.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\wwpdw.exe
        
        "C:\Windows\system32\wwpdw.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1244
        
        C:\Windows\SysWOW64\wrsvg.exe
        
        "C:\Windows\system32\wrsvg.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2188
        
        C:\Windows\SysWOW64\wbbc.exe
        
        "C:\Windows\system32\wbbc.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1436
        
        C:\Windows\SysWOW64\wqeypq.exe
        
        "C:\Windows\system32\wqeypq.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\wbhyqmxa.exe
        
        "C:\Windows\system32\wbhyqmxa.exe"
        18⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\wujqyra.exe
        
        "C:\Windows\system32\wujqyra.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\wkbdj.exe
        
        "C:\Windows\system32\wkbdj.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\wlnx.exe
        
        "C:\Windows\system32\wlnx.exe"
        21⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\wgqp.exe
        
        "C:\Windows\system32\wgqp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\wtsmgn.exe
        
        "C:\Windows\system32\wtsmgn.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\wnvdpsghh.exe
        
        "C:\Windows\system32\wnvdpsghh.exe"
        24⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\wen.exe
        
        "C:\Windows\system32\wen.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\wcod.exe
        
        "C:\Windows\system32\wcod.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\wyqt.exe
        
        "C:\Windows\system32\wyqt.exe"
        27⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\wboxcoh.exe
        
        "C:\Windows\system32\wboxcoh.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\whwgxs.exe
        
        "C:\Windows\system32\whwgxs.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\wcjjnyo.exe
        
        "C:\Windows\system32\wcjjnyo.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\wxlxmvs.exe
        
        "C:\Windows\system32\wxlxmvs.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\wkemg.exe
        
        "C:\Windows\system32\wkemg.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\wifcf.exe
        
        "C:\Windows\system32\wifcf.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\woqr.exe
        
        "C:\Windows\system32\woqr.exe"
        34⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\whfujbqe.exe
        
        "C:\Windows\system32\whfujbqe.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\wonf.exe
        
        "C:\Windows\system32\wonf.exe"
        36⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\wlps.exe
        
        "C:\Windows\system32\wlps.exe"
        37⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\wkbqkygfi.exe
        
        "C:\Windows\system32\wkbqkygfi.exe"
        38⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\wyfocmep.exe
        
        "C:\Windows\system32\wyfocmep.exe"
        39⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\wuhnum.exe
        
        "C:\Windows\system32\wuhnum.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\wstl.exe
        
        "C:\Windows\system32\wstl.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\wugixaswb.exe
        
        "C:\Windows\system32\wugixaswb.exe"
        42⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\wowp.exe
        
        "C:\Windows\system32\wowp.exe"
        43⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\wdb.exe
        
        "C:\Windows\system32\wdb.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wwdeyx.exe
        
        "C:\Windows\system32\wwdeyx.exe"
        45⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\wxoywmbs.exe
        
        "C:\Windows\system32\wxoywmbs.exe"
        46⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\wkhoqh.exe
        
        "C:\Windows\system32\wkhoqh.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\wyjjivim.exe
        
        "C:\Windows\system32\wyjjivim.exe"
        48⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\wjdab.exe
        
        "C:\Windows\system32\wjdab.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\wvtotm.exe
        
        "C:\Windows\system32\wvtotm.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\woxhcs.exe
        
        "C:\Windows\system32\woxhcs.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\waagdou.exe
        
        "C:\Windows\system32\waagdou.exe"
        52⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\wpssn.exe
        
        "C:\Windows\system32\wpssn.exe"
        53⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\wevo.exe
        
        "C:\Windows\system32\wevo.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\wkrpywo.exe
        
        "C:\Windows\system32\wkrpywo.exe"
        55⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\wvau.exe
        
        "C:\Windows\system32\wvau.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\womxbxxsh.exe
        
        "C:\Windows\system32\womxbxxsh.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\weqtrmv.exe
        
        "C:\Windows\system32\weqtrmv.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\wwy.exe
        
        "C:\Windows\system32\wwy.exe"
        59⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\wlcyod.exe
        
        "C:\Windows\system32\wlcyod.exe"
        60⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\wfepvjeo.exe
        
        "C:\Windows\system32\wfepvjeo.exe"
        61⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\wxrsm.exe
        
        "C:\Windows\system32\wxrsm.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\wokfvce.exe
        
        "C:\Windows\system32\wokfvce.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\wdcqg.exe
        
        "C:\Windows\system32\wdcqg.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\wwejo.exe
        
        "C:\Windows\system32\wwejo.exe"
        65⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\wqsleb.exe
        
        "C:\Windows\system32\wqsleb.exe"
        66⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\wktdmgfre.exe
        
        "C:\Windows\system32\wktdmgfre.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\wcwvulise.exe
        
        "C:\Windows\system32\wcwvulise.exe"
        68⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\wxn.exe
        
        "C:\Windows\system32\wxn.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\wtabdmnlv.exe
        
        "C:\Windows\system32\wtabdmnlv.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wodulson.exe
        
        "C:\Windows\system32\wodulson.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\wqpoii.exe
        
        "C:\Windows\system32\wqpoii.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\wfhbsuue.exe
        
        "C:\Windows\system32\wfhbsuue.exe"
        73⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\whsvqj.exe
        
        "C:\Windows\system32\whsvqj.exe"
        74⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\waommqhp.exe
        
        "C:\Windows\system32\waommqhp.exe"
        75⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\wfbebxfa.exe
        
        "C:\Windows\system32\wfbebxfa.exe"
        76⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\wgugjbou.exe
        
        "C:\Windows\system32\wgugjbou.exe"
        77⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\wrmvc.exe
        
        "C:\Windows\system32\wrmvc.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\wptof.exe
        
        "C:\Windows\system32\wptof.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\wkvhn.exe
        
        "C:\Windows\system32\wkvhn.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\wcjjcyao.exe
        
        "C:\Windows\system32\wcjjcyao.exe"
        81⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\wvmckfbp.exe
        
        "C:\Windows\system32\wvmckfbp.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\wpejlis.exe
        
        "C:\Windows\system32\wpejlis.exe"
        83⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\wjfcup.exe
        
        "C:\Windows\system32\wjfcup.exe"
        84⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\wgrbcmjj.exe
        
        "C:\Windows\system32\wgrbcmjj.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\wvknkawgo.exe
        
        "C:\Windows\system32\wvknkawgo.exe"
        86⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\wxvvpkr.exe
        
        "C:\Windows\system32\wxvvpkr.exe"
        87⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\wryoyp.exe
        
        "C:\Windows\system32\wryoyp.exe"
        88⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\wfehshrl.exe
        
        "C:\Windows\system32\wfehshrl.exe"
        89⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\wuwsdu.exe
        
        "C:\Windows\system32\wuwsdu.exe"
        90⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\woykla.exe
        
        "C:\Windows\system32\woykla.exe"
        91⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\wrii.exe
        
        "C:\Windows\system32\wrii.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\wbofj.exe
        
        "C:\Windows\system32\wbofj.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\wtrxq.exe
        
        "C:\Windows\system32\wtrxq.exe"
        94⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\wpeiqsjy.exe
        
        "C:\Windows\system32\wpeiqsjy.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wfidig.exe
        
        "C:\Windows\system32\wfidig.exe"
        96⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wakvqk.exe
        
        "C:\Windows\system32\wakvqk.exe"
        97⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfidig.exe"
        97⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpeiqsjy.exe"
        96⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrxq.exe"
        95⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbofj.exe"
        94⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrii.exe"
        93⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woykla.exe"
        92⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwsdu.exe"
        91⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfehshrl.exe"
        90⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryoyp.exe"
        89⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvvpkr.exe"
        88⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvknkawgo.exe"
        87⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrbcmjj.exe"
        86⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfcup.exe"
        85⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpejlis.exe"
        84⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmckfbp.exe"
        83⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjjcyao.exe"
        82⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvhn.exe"
        81⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptof.exe"
        80⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmvc.exe"
        79⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgugjbou.exe"
        78⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 204
        78⤵
        Program crash
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbebxfa.exe"
        77⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waommqhp.exe"
        76⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsvqj.exe"
        75⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhbsuue.exe"
        74⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpoii.exe"
        73⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodulson.exe"
        72⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 204
        72⤵
        Program crash
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtabdmnlv.exe"
        71⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxn.exe"
        70⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwvulise.exe"
        69⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 180
        69⤵
        Program crash
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktdmgfre.exe"
        68⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqsleb.exe"
        67⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwejo.exe"
        66⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcqg.exe"
        65⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokfvce.exe"
        64⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrsm.exe"
        63⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfepvjeo.exe"
        62⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcyod.exe"
        61⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwy.exe"
        60⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqtrmv.exe"
        59⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womxbxxsh.exe"
        58⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvau.exe"
        57⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrpywo.exe"
        56⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevo.exe"
        55⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpssn.exe"
        54⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waagdou.exe"
        53⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxhcs.exe"
        52⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtotm.exe"
        51⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdab.exe"
        50⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjjivim.exe"
        49⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhoqh.exe"
        48⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxoywmbs.exe"
        47⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdeyx.exe"
        46⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdb.exe"
        45⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowp.exe"
        44⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugixaswb.exe"
        43⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstl.exe"
        42⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 880
        42⤵
        Program crash
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhnum.exe"
        41⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfocmep.exe"
        40⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbqkygfi.exe"
        39⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlps.exe"
        38⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonf.exe"
        37⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfujbqe.exe"
        36⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 568
        36⤵
        Program crash
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqr.exe"
        35⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifcf.exe"
        34⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkemg.exe"
        33⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlxmvs.exe"
        32⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjjnyo.exe"
        31⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwgxs.exe"
        30⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wboxcoh.exe"
        29⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqt.exe"
        28⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcod.exe"
        27⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wen.exe"
        26⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnvdpsghh.exe"
        25⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsmgn.exe"
        24⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqp.exe"
        23⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnx.exe"
        22⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbdj.exe"
        21⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujqyra.exe"
        20⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhyqmxa.exe"
        19⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqeypq.exe"
        18⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbc.exe"
        17⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsvg.exe"
        16⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpdw.exe"
        15⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyne.exe"
        14⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjert.exe"
        13⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunfimb.exe"
        12⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjgjq.exe"
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwh.exe"
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wweurh.exe"
        9⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmlgyj.exe"
        8⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsydj.exe"
        7⤵
        
        PID:356
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcg.exe"
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndvi.exe"
        5⤵
        
        PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkp.exe"
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghgf.exe"
    3⤵
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\369d5d4abfea7ea70ead254a1562fa33b45df38c0cc9453203d9799be8caab45_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QBFTDUJ7.txt

Filesize
99B

MD5
00fc26019a8770cf80f825922fa5610a

SHA1
466042e95ee4b1fdabe3c61b982f2ffca9f1af7d

SHA256
465e17fc791985b018240d32119c1c922d792f5b7079ee71a8663bae3adad304

SHA512
a0f640944bc21405bcca4a2df1247f39b34ff2ce42e73caef274616d2626db29f09562c786939bf40135a087e3802f13338e98e6d5fd4336f420bcce37ffdcdb

Download Submit
\Windows\SysWOW64\wcg.exe

Filesize
92KB

MD5
e091fe8f3f4cce1399a59ddd5dc8d538

SHA1
7b61a51d800073fbad284eb9500e9e76ce9d0e15

SHA256
f32fe4e2a0fb9924b8ed745d4e539e85aff494747ab9c9f5f8b7cbf3366e81de

SHA512
6031f08f89a9362a09591e42f6cfe27d003853cc750aab3ba11b877acba96ec8e3d9c8ef4b55d9f7080bd0137f29354c7abcb69beeb4498d4492174efe2ae283

Download Submit
\Windows\SysWOW64\wghgf.exe

Filesize
92KB

MD5
3472da2ebbf06aa3abaacfd2eef7eaf8

SHA1
f4a37b003ee0ede931354c247ff335a9f5f7c5ff

SHA256
b9990b0a40ff6f72c807248687eb311fb91d1cd63d75e3a1118eea6711bcf3ff

SHA512
4b0bf73bf487727681f1ec3f5dd529c1c50b8c9119b06e2c19d0bb392ee41a8969e34c3a99f06f6a5e39959aae73cdf26cd34dec70acb7b802a7f52691fbd464

Download Submit
\Windows\SysWOW64\whkp.exe

Filesize
92KB

MD5
585a6cf674acce76b797e53deac4d36e

SHA1
267bdb438aee1433695ea10e99558cb59d5f2acd

SHA256
c64cebffeb7ee41ea3ee67317b95d24e4b9049af2b3404aac3661570a4098b23

SHA512
0b785f2cb371d634933eaa8222d1c594b968f7c194487cb383bdeed4444e71c4103a9eb780ab62d69fcd7a799e93fdccde11fa7de78f34d06f53f07d453a2c98

Download Submit
\Windows\SysWOW64\wjert.exe

Filesize
92KB

MD5
db016b7377a40a266011798eff3dff97

SHA1
c7bfe444a2e7f0400334e85a465f3c4cf185e852

SHA256
4242d00086f3393c26808bf90f4778a2e72e7cf1ea729c1bc8ceed17625c345c

SHA512
bb2582501e7e940c1bfbd877605ee129f0558c44a6be49fe8d37444e347948f8964f2fcdab5c9e6df6346b4b6f577422a493ac5e286083fd4ba477be7baae0a0

Download Submit
\Windows\SysWOW64\wkjgjq.exe

Filesize
92KB

MD5
c6621e58e959468522cba2d5b9fe83cd

SHA1
64ed0618ad2d2feb59739747037fba58b06feae4

SHA256
334dda1dc73d43ea57e1238d481d1f048922d1ad590431e21a7c4a4a70724704

SHA512
b778e1aab87108d90c5c903e075c6e90d3cec9c0e53199c2c750ee2c18669f02661aa5bd29bc151a547bf784bf3f37691f100eeffa8fe68546dd8c6afb6b9bfc

Download Submit
\Windows\SysWOW64\wmlgyj.exe

Filesize
92KB

MD5
dafe7343d2ed093ffb2504c7ab91b4c9

SHA1
109f74bc84575cc365b76c9279dcc8de257be711

SHA256
ea1797938ee64d45f77c1340f4fbc05bf74ce77dd40971ab4e7604dbd9e00d52

SHA512
e772ded4afd5b13040b8e8abeeaae621d17ae6336d40a10b7db9a6c2271fb70e6a6bb42a06426d96d71667237ba5fd79a0552282373c22f6a36142359046067e

Download Submit
\Windows\SysWOW64\wmwh.exe

Filesize
92KB

MD5
01877a36184ec22cc72923ec434e50ba

SHA1
267ca87a9af8a24570c1b354be92b10f0d2d87ef

SHA256
ada90fe62b74a8514d102ec42418b473e0b728a2d3e73cee7363135e3fdbedc0

SHA512
2fbf72f075a48de5dc1648bdc75a39bbda50e0e9459d9402663d328529cb15bc2f26ae9d8b38d7b50b109f073c5f288039a0ca63273914247d839853eafa84e2

Download Submit
\Windows\SysWOW64\wndvi.exe

Filesize
92KB

MD5
4af617a9854f56276a346b17033cea06

SHA1
c0093e7dfb4cd424ed2244960122bd0f7598c298

SHA256
d9b2744614e8b035253582d5f31cd6a6682d38e9f756926adff925c595a8154e

SHA512
1e5fde42d9cff9014116bc390080537a8dd60e912f68a739c9ba130c5e3eefe96ab827803ad8efb7ca8e5ef50745299579d4cb6b9bf85dd0553a361d67305656

Download Submit
\Windows\SysWOW64\wsydj.exe

Filesize
92KB

MD5
4684c2fc133f98c0ebb1ae08956f99af

SHA1
d94899160bffbabcbb15c56437272a8292714211

SHA256
c2f028aba7e11be72c2a18075c46f8ddfec1ab8f07b26c28c4becb8392a03f89

SHA512
ed48f4a960157a9c1af26bae58f4cb7e053631a90bf44ef309cc64aa55766621cab87b4bd02dbbdff21a9adb96908190a289e253f795df8afb57ac41f1d762c0

Download Submit
\Windows\SysWOW64\wunfimb.exe

Filesize
92KB

MD5
df9f1f02fdbd0857fff3f402e85a86c4

SHA1
a4dfd2087393d909ace2a4001a8bdbcff83961d1

SHA256
47a8483f9ba098237b40c1619b93cfaa90534e3faeaaddf5dc809704cceedbc2

SHA512
b92a15e00120eba8cd8632e4c87f3707f07784122f004df489d8520b5c9804666442d5adf65aaf77efad67c048d639e92433265567a0334a1788193d24d22a22

Download Submit
\Windows\SysWOW64\wweurh.exe

Filesize
92KB

MD5
06fd5d990bdc9c907b1c51744b61793a

SHA1
12f4515357dd1e13646ace54a75a91bd6e200ac8

SHA256
5a49451fa01c5c7182dc0d88808309d834b7b8cd15b90e343810e851cd67543e

SHA512
15d6416b8afb018f7d096b837cb4638a7f496d94fc53e11bd09d664913d8176c62b23adbd3aeff9d97d9bfab623f4ab5a4bfd9c717bc9d561943001745a67c03

Download Submit
memory/284-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/284-108-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/284-107-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/284-109-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/284-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/852-151-0x0000000003E00000-0x0000000003E17000-memory.dmp

Filesize
92KB

Download
memory/852-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/852-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/852-150-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/852-149-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/1244-267-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1244-279-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1436-310-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1436-308-0x0000000003A90000-0x0000000003AA7000-memory.dmp

Filesize
92KB

Download
memory/1436-309-0x0000000003AA0000-0x0000000003AB7000-memory.dmp

Filesize
92KB

Download
memory/1436-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1504-252-0x0000000004270000-0x0000000004287000-memory.dmp

Filesize
92KB

Download
memory/1504-237-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1504-253-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1504-250-0x0000000003BA0000-0x0000000003BB7000-memory.dmp

Filesize
92KB

Download
memory/1504-251-0x0000000004270000-0x0000000004287000-memory.dmp

Filesize
92KB

Download
memory/1520-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1520-216-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/1520-218-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-196-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/1620-193-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/1620-194-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/1620-175-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-195-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/1644-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1644-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-86-0x00000000023E0000-0x00000000023F7000-memory.dmp

Filesize
92KB

Download
memory/1668-85-0x00000000022B0000-0x00000000022C7000-memory.dmp

Filesize
92KB

Download
memory/1668-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-84-0x00000000022B0000-0x00000000022C7000-memory.dmp

Filesize
92KB

Download
memory/2112-172-0x0000000002290000-0x00000000022A7000-memory.dmp

Filesize
92KB

Download
memory/2112-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2112-171-0x0000000002290000-0x00000000022A7000-memory.dmp

Filesize
92KB

Download
memory/2112-173-0x0000000002290000-0x00000000022A7000-memory.dmp

Filesize
92KB

Download
memory/2112-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2164-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2164-129-0x0000000003170000-0x0000000003187000-memory.dmp

Filesize
92KB

Download
memory/2164-123-0x0000000003170000-0x0000000003187000-memory.dmp

Filesize
92KB

Download
memory/2164-121-0x0000000003170000-0x0000000003187000-memory.dmp

Filesize
92KB

Download
memory/2188-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2188-294-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2188-292-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2188-293-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2188-280-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2208-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2208-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2208-11-0x0000000003560000-0x0000000003577000-memory.dmp

Filesize
92KB

Download
memory/2208-19-0x0000000003560000-0x0000000003577000-memory.dmp

Filesize
92KB

Download
memory/2208-12-0x0000000003560000-0x0000000003577000-memory.dmp

Filesize
92KB

Download
memory/2288-401-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2288-388-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2288-397-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/2316-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2448-64-0x00000000034B0000-0x00000000034C7000-memory.dmp

Filesize
92KB

Download
memory/2448-63-0x00000000034B0000-0x00000000034C7000-memory.dmp

Filesize
92KB

Download
memory/2448-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2448-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2524-357-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2524-370-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2524-369-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2524-371-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-43-0x0000000003AF0000-0x0000000003B07000-memory.dmp

Filesize
92KB

Download
memory/2600-42-0x0000000003AF0000-0x0000000003B07000-memory.dmp

Filesize
92KB

Download
memory/2600-41-0x0000000003550000-0x0000000003567000-memory.dmp

Filesize
92KB

Download
memory/2600-40-0x0000000003550000-0x0000000003567000-memory.dmp

Filesize
92KB

Download
memory/2600-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-235-0x0000000003BE0000-0x0000000003BF7000-memory.dmp

Filesize
92KB

Download
memory/2612-236-0x0000000003BE0000-0x0000000003BF7000-memory.dmp

Filesize
92KB

Download
memory/2612-234-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/2612-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-341-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-355-0x0000000003AF0000-0x0000000003B07000-memory.dmp

Filesize
92KB

Download
memory/2628-354-0x0000000003AF0000-0x0000000003B07000-memory.dmp

Filesize
92KB

Download
memory/2628-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2780-342-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2780-340-0x0000000003690000-0x00000000036A7000-memory.dmp

Filesize
92KB

Download
memory/2780-339-0x0000000003690000-0x00000000036A7000-memory.dmp

Filesize
92KB

Download
memory/2780-338-0x0000000003680000-0x0000000003697000-memory.dmp

Filesize
92KB

Download
memory/2932-311-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-320-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/2932-321-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/2932-326-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-325-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/2964-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2964-385-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2964-387-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2964-386-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2964-384-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download