432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 21:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
Size

93KB
MD5

0dd0a86c205fb612c3ba72e205249b86
SHA1

dfd5d8118529198384b78e7391536e8c2104f42b
SHA256

432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04
SHA512

e59fd15d18180e2134f0ffffee418cc5de316979efbb80c8417d2b5f0e23ec9a50a9b1ddc8a5403865594071ec02bfb9de413ef4ae84e926e766b1ba72b2b670
SSDEEP

1536:xch3vwSbax3rHV6+HwsWGhG5JiBzQmVDH:BHTrhWiBzQOH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wicp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wghthjxon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wxlkofh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	waouqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfjqwh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wsbfuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wmdsg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wxjhrkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whnnkjm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvvbhsufu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wodar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvkb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wbwjy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whjk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wffdqgmbv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wejxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wjiui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wqlu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wwwekjn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wofttg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wisusta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	woc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	weja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wyjeocu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wefkror.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wtbpfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wcelmn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wkfpxiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wjtbo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	woxbovtg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wskts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfawhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wmrra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wqsuyxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfvy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wjwkgsrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrmmhxbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wcmhicj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlflx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whfgnm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whqglp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvluk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wphmen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrlhqpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wxapq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wleylh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wanukrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wypgirxct.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlijmdsy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wnpyrdcl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wedddhj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wdvurrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfarxaqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wmqdv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlwhpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whivt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	weljfu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wiorarov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wtqep.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlrbcqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wmmyi.exe

Executes dropped EXE 64 IoCs

pid	Process
4408	wqlu.exe
2632	wcinq.exe
3952	wskts.exe
1660	wlkbsdr.exe
4424	wffdqgmbv.exe
3192	wejxk.exe
1152	weja.exe
852	woyf.exe
3664	wmmyi.exe
4668	wjsdnbn.exe
3188	wjiui.exe
3680	wxjhrkc.exe
4780	wggc.exe
548	wyjeocu.exe
4152	wcelmn.exe
5104	wwwekjn.exe
1716	wtvvud.exe
796	wqrcmr.exe
4824	wusyed.exe
4092	wkfpxiu.exe
2336	wghthjxon.exe
4088	wkpbotp.exe
1700	wmbjngka.exe
3236	wirdqf.exe
4056	wicohyrq.exe
3964	wfarxaqm.exe
1664	wtl.exe
1468	wvdarkqco.exe
4988	wocirtlja.exe
4072	wgfxlgk.exe
2684	wedddhj.exe
1960	wxapq.exe
3844	wmnrub.exe
4964	wiy.exe
2964	wjtbo.exe
1724	wxhcrnd.exe
1152	wqsuyxk.exe
4804	wxsojrf.exe
1404	wcnfwe.exe
384	wxlkofh.exe
1792	wavue.exe
3784	wbqocrs.exe
5116	wfawhc.exe
2072	wofttg.exe
4828	wleylh.exe
4564	whnnkjm.exe
3232	wanukrj.exe
2052	wmqdv.exe
3344	wvvbhsufu.exe
3792	wlqf.exe
5104	wdvurrh.exe
2956	wyxgcwj.exe
2064	wmrra.exe
3616	whtdjuwn.exe
2348	whivt.exe
396	weljfu.exe
364	waouqy.exe
4396	wdluw.exe
3408	wypgirxct.exe
1996	wjwkgsrh.exe
4800	wjmdpp.exe
3508	wkyvylyp.exe
4508	wrlhqpw.exe
3972	waje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvvbhsufu.exe	wmqdv.exe
File created	C:\Windows\SysWOW64\wqydm.exe	wlflx.exe
File created	C:\Windows\SysWOW64\wlijmdsy.exe	wiorarov.exe
File created	C:\Windows\SysWOW64\wrmmhxbk.exe	wvkb.exe
File opened for modification	C:\Windows\SysWOW64\wjsdnbn.exe	wmmyi.exe
File created	C:\Windows\SysWOW64\wvdarkqco.exe	wtl.exe
File opened for modification	C:\Windows\SysWOW64\wxhcrnd.exe	wjtbo.exe
File created	C:\Windows\SysWOW64\wqsuyxk.exe	wxhcrnd.exe
File opened for modification	C:\Windows\SysWOW64\wbwjy.exe	waje.exe
File opened for modification	C:\Windows\SysWOW64\wfjqwh.exe	wfvy.exe
File created	C:\Windows\SysWOW64\wirdqf.exe	wmbjngka.exe
File opened for modification	C:\Windows\SysWOW64\wtl.exe	wfarxaqm.exe
File opened for modification	C:\Windows\SysWOW64\wbqocrs.exe	wavue.exe
File created	C:\Windows\SysWOW64\wehjpxpsy.exe	wlurj.exe
File created	C:\Windows\SysWOW64\wfsp.exe	wnpyrdcl.exe
File opened for modification	C:\Windows\SysWOW64\wmdsg.exe	wljxkl.exe
File opened for modification	C:\Windows\SysWOW64\wfarxaqm.exe	wicohyrq.exe
File created	C:\Windows\SysWOW64\wtl.exe	wfarxaqm.exe
File created	C:\Windows\SysWOW64\wfawhc.exe	wbqocrs.exe
File opened for modification	C:\Windows\SysWOW64\wsuk.exe	wisusta.exe
File opened for modification	C:\Windows\SysWOW64\wrmmhxbk.exe	wvkb.exe
File opened for modification	C:\Windows\SysWOW64\wefkror.exe	wwocxgp.exe
File opened for modification	C:\Windows\SysWOW64\wxtxre.exe	wmdsg.exe
File opened for modification	C:\Windows\SysWOW64\wicp.exe	wlrbcqs.exe
File opened for modification	C:\Windows\SysWOW64\wqsuyxk.exe	wxhcrnd.exe
File opened for modification	C:\Windows\SysWOW64\wfsp.exe	wnpyrdcl.exe
File created	C:\Windows\SysWOW64\wmrra.exe	wyxgcwj.exe
File created	C:\Windows\SysWOW64\wocjlsqy.exe	wcmhicj.exe
File created	C:\Windows\SysWOW64\wtvvud.exe	wwwekjn.exe
File opened for modification	C:\Windows\SysWOW64\wrlhqpw.exe	wkyvylyp.exe
File opened for modification	C:\Windows\SysWOW64\wlwhpw.exe	wocjlsqy.exe
File created	C:\Windows\SysWOW64\wnpyrdcl.exe	wrmmhxbk.exe
File created	C:\Windows\SysWOW64\weja.exe	wejxk.exe
File created	C:\Windows\SysWOW64\woyf.exe	weja.exe
File created	C:\Windows\SysWOW64\whjk.exe	wqydm.exe
File opened for modification	C:\Windows\SysWOW64\wodar.exe	wyn.exe
File opened for modification	C:\Windows\SysWOW64\wkmgtsuw.exe	wvluk.exe
File created	C:\Windows\SysWOW64\wxlkofh.exe	wcnfwe.exe
File opened for modification	C:\Windows\SysWOW64\wphmen.exe	woxbovtg.exe
File opened for modification	C:\Windows\SysWOW64\wggc.exe	wxjhrkc.exe
File opened for modification	C:\Windows\SysWOW64\wusyed.exe	wqrcmr.exe
File created	C:\Windows\SysWOW64\wlwhpw.exe	wocjlsqy.exe
File opened for modification	C:\Windows\SysWOW64\wyjeocu.exe	wggc.exe
File created	C:\Windows\SysWOW64\wbqocrs.exe	wavue.exe
File created	C:\Windows\SysWOW64\wanukrj.exe	whnnkjm.exe
File created	C:\Windows\SysWOW64\wwocxgp.exe	wsuk.exe
File created	C:\Windows\SysWOW64\woc.exe	wvcwr.exe
File opened for modification	C:\Windows\SysWOW64\wwocxgp.exe	wsuk.exe
File created	C:\Windows\SysWOW64\whfgnm.exe	wguvy.exe
File created	C:\Windows\SysWOW64\wljxkl.exe	wsjp.exe
File created	C:\Windows\SysWOW64\wgfxlgk.exe	wocirtlja.exe
File opened for modification	C:\Windows\SysWOW64\wjtbo.exe	wiy.exe
File opened for modification	C:\Windows\SysWOW64\wvvbhsufu.exe	wmqdv.exe
File created	C:\Windows\SysWOW64\wlqf.exe	wvvbhsufu.exe
File opened for modification	C:\Windows\SysWOW64\waouqy.exe	weljfu.exe
File opened for modification	C:\Windows\SysWOW64\wvluk.exe	whfgnm.exe
File opened for modification	C:\Windows\SysWOW64\wleylh.exe	wofttg.exe
File created	C:\Windows\SysWOW64\wrlhqpw.exe	wkyvylyp.exe
File opened for modification	C:\Windows\SysWOW64\whjk.exe	wqydm.exe
File created	C:\Windows\SysWOW64\wiorarov.exe	wodar.exe
File opened for modification	C:\Windows\SysWOW64\wlijmdsy.exe	wiorarov.exe
File created	C:\Windows\SysWOW64\wisusta.exe	whjk.exe
File opened for modification	C:\Windows\SysWOW64\wlkbsdr.exe	wskts.exe
File created	C:\Windows\SysWOW64\wicohyrq.exe	wirdqf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2408	4408	WerFault.exe	87
4424	3188	WerFault.exe	130
1680	5104	WerFault.exe	149
1512	4056	WerFault.exe	178
5068	1152	WerFault.exe	217
1172	1152	WerFault.exe	217
2288	2072	WerFault.exe	242
944	3792	WerFault.exe	262
1476	364	WerFault.exe	285
1012	1996	WerFault.exe	329
3964	1996	WerFault.exe	329

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4408	4832	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	87
PID 4832 wrote to memory of 4408	4832	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	87
PID 4832 wrote to memory of 4408	4832	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	87
PID 4832 wrote to memory of 4276	4832	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	89
PID 4832 wrote to memory of 4276	4832	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	89
PID 4832 wrote to memory of 4276	4832	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	89
PID 4408 wrote to memory of 2632	4408	wqlu.exe	91
PID 4408 wrote to memory of 2632	4408	wqlu.exe	91
PID 4408 wrote to memory of 2632	4408	wqlu.exe	91
PID 4408 wrote to memory of 1876	4408	wqlu.exe	92
PID 4408 wrote to memory of 1876	4408	wqlu.exe	92
PID 4408 wrote to memory of 1876	4408	wqlu.exe	92
PID 2632 wrote to memory of 3952	2632	wcinq.exe	97
PID 2632 wrote to memory of 3952	2632	wcinq.exe	97
PID 2632 wrote to memory of 3952	2632	wcinq.exe	97
PID 2632 wrote to memory of 4720	2632	wcinq.exe	98
PID 2632 wrote to memory of 4720	2632	wcinq.exe	98
PID 2632 wrote to memory of 4720	2632	wcinq.exe	98
PID 3952 wrote to memory of 1660	3952	wskts.exe	104
PID 3952 wrote to memory of 1660	3952	wskts.exe	104
PID 3952 wrote to memory of 1660	3952	wskts.exe	104
PID 3952 wrote to memory of 4736	3952	wskts.exe	106
PID 3952 wrote to memory of 4736	3952	wskts.exe	106
PID 3952 wrote to memory of 4736	3952	wskts.exe	106
PID 1660 wrote to memory of 4424	1660	wlkbsdr.exe	109
PID 1660 wrote to memory of 4424	1660	wlkbsdr.exe	109
PID 1660 wrote to memory of 4424	1660	wlkbsdr.exe	109
PID 1660 wrote to memory of 5036	1660	wlkbsdr.exe	110
PID 1660 wrote to memory of 5036	1660	wlkbsdr.exe	110
PID 1660 wrote to memory of 5036	1660	wlkbsdr.exe	110
PID 4424 wrote to memory of 3192	4424	wffdqgmbv.exe	113
PID 4424 wrote to memory of 3192	4424	wffdqgmbv.exe	113
PID 4424 wrote to memory of 3192	4424	wffdqgmbv.exe	113
PID 4424 wrote to memory of 1300	4424	wffdqgmbv.exe	114
PID 4424 wrote to memory of 1300	4424	wffdqgmbv.exe	114
PID 4424 wrote to memory of 1300	4424	wffdqgmbv.exe	114
PID 3192 wrote to memory of 1152	3192	wejxk.exe	116
PID 3192 wrote to memory of 1152	3192	wejxk.exe	116
PID 3192 wrote to memory of 1152	3192	wejxk.exe	116
PID 3192 wrote to memory of 2328	3192	wejxk.exe	117
PID 3192 wrote to memory of 2328	3192	wejxk.exe	117
PID 3192 wrote to memory of 2328	3192	wejxk.exe	117
PID 1152 wrote to memory of 852	1152	weja.exe	121
PID 1152 wrote to memory of 852	1152	weja.exe	121
PID 1152 wrote to memory of 852	1152	weja.exe	121
PID 1152 wrote to memory of 4244	1152	weja.exe	122
PID 1152 wrote to memory of 4244	1152	weja.exe	122
PID 1152 wrote to memory of 4244	1152	weja.exe	122
PID 852 wrote to memory of 3664	852	woyf.exe	124
PID 852 wrote to memory of 3664	852	woyf.exe	124
PID 852 wrote to memory of 3664	852	woyf.exe	124
PID 852 wrote to memory of 4452	852	woyf.exe	125
PID 852 wrote to memory of 4452	852	woyf.exe	125
PID 852 wrote to memory of 4452	852	woyf.exe	125
PID 3664 wrote to memory of 4668	3664	wmmyi.exe	127
PID 3664 wrote to memory of 4668	3664	wmmyi.exe	127
PID 3664 wrote to memory of 4668	3664	wmmyi.exe	127
PID 3664 wrote to memory of 3092	3664	wmmyi.exe	128
PID 3664 wrote to memory of 3092	3664	wmmyi.exe	128
PID 3664 wrote to memory of 3092	3664	wmmyi.exe	128
PID 4668 wrote to memory of 3188	4668	wjsdnbn.exe	130
PID 4668 wrote to memory of 3188	4668	wjsdnbn.exe	130
PID 4668 wrote to memory of 3188	4668	wjsdnbn.exe	130
PID 4668 wrote to memory of 1548	4668	wjsdnbn.exe	131

C:\Users\Admin\AppData\Local\Temp\432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
"C:\Users\Admin\AppData\Local\Temp\432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\wqlu.exe
  "C:\Windows\system32\wqlu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\wcinq.exe
    "C:\Windows\system32\wcinq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\wskts.exe
      "C:\Windows\system32\wskts.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\SysWOW64\wlkbsdr.exe
        
        "C:\Windows\system32\wlkbsdr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\SysWOW64\wffdqgmbv.exe
        
        "C:\Windows\system32\wffdqgmbv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\wejxk.exe
        
        "C:\Windows\system32\wejxk.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\weja.exe
        
        "C:\Windows\system32\weja.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\woyf.exe
        
        "C:\Windows\system32\woyf.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\wmmyi.exe
        
        "C:\Windows\system32\wmmyi.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\wjsdnbn.exe
        
        "C:\Windows\system32\wjsdnbn.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\wjiui.exe
        
        "C:\Windows\system32\wjiui.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\wxjhrkc.exe
        
        "C:\Windows\system32\wxjhrkc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\wggc.exe
        
        "C:\Windows\system32\wggc.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\wyjeocu.exe
        
        "C:\Windows\system32\wyjeocu.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\wcelmn.exe
        
        "C:\Windows\system32\wcelmn.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\wwwekjn.exe
        
        "C:\Windows\system32\wwwekjn.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\wtvvud.exe
        
        "C:\Windows\system32\wtvvud.exe"
        18⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\wqrcmr.exe
        
        "C:\Windows\system32\wqrcmr.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\wusyed.exe
        
        "C:\Windows\system32\wusyed.exe"
        20⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\wkfpxiu.exe
        
        "C:\Windows\system32\wkfpxiu.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\wghthjxon.exe
        
        "C:\Windows\system32\wghthjxon.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\wkpbotp.exe
        
        "C:\Windows\system32\wkpbotp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\wmbjngka.exe
        
        "C:\Windows\system32\wmbjngka.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wirdqf.exe
        
        "C:\Windows\system32\wirdqf.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\wicohyrq.exe
        
        "C:\Windows\system32\wicohyrq.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\wfarxaqm.exe
        
        "C:\Windows\system32\wfarxaqm.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wtl.exe
        
        "C:\Windows\system32\wtl.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\wvdarkqco.exe
        
        "C:\Windows\system32\wvdarkqco.exe"
        29⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\wocirtlja.exe
        
        "C:\Windows\system32\wocirtlja.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\wgfxlgk.exe
        
        "C:\Windows\system32\wgfxlgk.exe"
        31⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\wedddhj.exe
        
        "C:\Windows\system32\wedddhj.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\wxapq.exe
        
        "C:\Windows\system32\wxapq.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\wmnrub.exe
        
        "C:\Windows\system32\wmnrub.exe"
        34⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\wiy.exe
        
        "C:\Windows\system32\wiy.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\wjtbo.exe
        
        "C:\Windows\system32\wjtbo.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\wxhcrnd.exe
        
        "C:\Windows\system32\wxhcrnd.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\wqsuyxk.exe
        
        "C:\Windows\system32\wqsuyxk.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\wxsojrf.exe
        
        "C:\Windows\system32\wxsojrf.exe"
        39⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\wcnfwe.exe
        
        "C:\Windows\system32\wcnfwe.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\wxlkofh.exe
        
        "C:\Windows\system32\wxlkofh.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\wavue.exe
        
        "C:\Windows\system32\wavue.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\wbqocrs.exe
        
        "C:\Windows\system32\wbqocrs.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\wfawhc.exe
        
        "C:\Windows\system32\wfawhc.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\wofttg.exe
        
        "C:\Windows\system32\wofttg.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\wleylh.exe
        
        "C:\Windows\system32\wleylh.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\whnnkjm.exe
        
        "C:\Windows\system32\whnnkjm.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\wanukrj.exe
        
        "C:\Windows\system32\wanukrj.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\wmqdv.exe
        
        "C:\Windows\system32\wmqdv.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\wvvbhsufu.exe
        
        "C:\Windows\system32\wvvbhsufu.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\wlqf.exe
        
        "C:\Windows\system32\wlqf.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\wdvurrh.exe
        
        "C:\Windows\system32\wdvurrh.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\wyxgcwj.exe
        
        "C:\Windows\system32\wyxgcwj.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\wmrra.exe
        
        "C:\Windows\system32\wmrra.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\whtdjuwn.exe
        
        "C:\Windows\system32\whtdjuwn.exe"
        55⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\whivt.exe
        
        "C:\Windows\system32\whivt.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\weljfu.exe
        
        "C:\Windows\system32\weljfu.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\waouqy.exe
        
        "C:\Windows\system32\waouqy.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\wdluw.exe
        
        "C:\Windows\system32\wdluw.exe"
        59⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\wypgirxct.exe
        
        "C:\Windows\system32\wypgirxct.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\wjwkgsrh.exe
        
        "C:\Windows\system32\wjwkgsrh.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\wjmdpp.exe
        
        "C:\Windows\system32\wjmdpp.exe"
        62⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\wkyvylyp.exe
        
        "C:\Windows\system32\wkyvylyp.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\wrlhqpw.exe
        
        "C:\Windows\system32\wrlhqpw.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\waje.exe
        
        "C:\Windows\system32\waje.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\wbwjy.exe
        
        "C:\Windows\system32\wbwjy.exe"
        66⤵
        Checks computer location settings
        
        PID:1292
        
        C:\Windows\SysWOW64\wlflx.exe
        
        "C:\Windows\system32\wlflx.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\wqydm.exe
        
        "C:\Windows\system32\wqydm.exe"
        68⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\whjk.exe
        
        "C:\Windows\system32\whjk.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wisusta.exe
        
        "C:\Windows\system32\wisusta.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\wsuk.exe
        
        "C:\Windows\system32\wsuk.exe"
        71⤵
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\wwocxgp.exe
        
        "C:\Windows\system32\wwocxgp.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\wefkror.exe
        
        "C:\Windows\system32\wefkror.exe"
        73⤵
        Checks computer location settings
        
        PID:2744
        
        C:\Windows\SysWOW64\wyn.exe
        
        "C:\Windows\system32\wyn.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\wodar.exe
        
        "C:\Windows\system32\wodar.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\wiorarov.exe
        
        "C:\Windows\system32\wiorarov.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\wlijmdsy.exe
        
        "C:\Windows\system32\wlijmdsy.exe"
        77⤵
        Checks computer location settings
        
        PID:1840
        
        C:\Windows\SysWOW64\wvcwr.exe
        
        "C:\Windows\system32\wvcwr.exe"
        78⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\woc.exe
        
        "C:\Windows\system32\woc.exe"
        79⤵
        Checks computer location settings
        
        PID:3032
        
        C:\Windows\SysWOW64\wccpci.exe
        
        "C:\Windows\system32\wccpci.exe"
        80⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\wguvy.exe
        
        "C:\Windows\system32\wguvy.exe"
        81⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\whfgnm.exe
        
        "C:\Windows\system32\whfgnm.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wvluk.exe
        
        "C:\Windows\system32\wvluk.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\wkmgtsuw.exe
        
        "C:\Windows\system32\wkmgtsuw.exe"
        84⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\wlurj.exe
        
        "C:\Windows\system32\wlurj.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\wehjpxpsy.exe
        
        "C:\Windows\system32\wehjpxpsy.exe"
        86⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\wbfnixpoc.exe
        
        "C:\Windows\system32\wbfnixpoc.exe"
        87⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\wtqep.exe
        
        "C:\Windows\system32\wtqep.exe"
        88⤵
        Checks computer location settings
        
        PID:3860
        
        C:\Windows\SysWOW64\wtbpfc.exe
        
        "C:\Windows\system32\wtbpfc.exe"
        89⤵
        Checks computer location settings
        
        PID:464
        
        C:\Windows\SysWOW64\wvkb.exe
        
        "C:\Windows\system32\wvkb.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\wrmmhxbk.exe
        
        "C:\Windows\system32\wrmmhxbk.exe"
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\wnpyrdcl.exe
        
        "C:\Windows\system32\wnpyrdcl.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\wfsp.exe
        
        "C:\Windows\system32\wfsp.exe"
        93⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\wfvy.exe
        
        "C:\Windows\system32\wfvy.exe"
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\wfjqwh.exe
        
        "C:\Windows\system32\wfjqwh.exe"
        95⤵
        Checks computer location settings
        
        PID:2212
        
        C:\Windows\SysWOW64\wbwool.exe
        
        "C:\Windows\system32\wbwool.exe"
        96⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\whqglp.exe
        
        "C:\Windows\system32\whqglp.exe"
        97⤵
        Checks computer location settings
        
        PID:364
        
        C:\Windows\SysWOW64\wsbfuj.exe
        
        "C:\Windows\system32\wsbfuj.exe"
        98⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Windows\SysWOW64\wsjp.exe
        
        "C:\Windows\system32\wsjp.exe"
        99⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\wljxkl.exe
        
        "C:\Windows\system32\wljxkl.exe"
        100⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\wmdsg.exe
        
        "C:\Windows\system32\wmdsg.exe"
        101⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\wxtxre.exe
        
        "C:\Windows\system32\wxtxre.exe"
        102⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\wspwwhy.exe
        
        "C:\Windows\system32\wspwwhy.exe"
        103⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\wbdgajd.exe
        
        "C:\Windows\system32\wbdgajd.exe"
        104⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\wuxtplxyf.exe
        
        "C:\Windows\system32\wuxtplxyf.exe"
        105⤵
        
        PID:620
        
        C:\Windows\SysWOW64\woxbovtg.exe
        
        "C:\Windows\system32\woxbovtg.exe"
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\wphmen.exe
        
        "C:\Windows\system32\wphmen.exe"
        107⤵
        Checks computer location settings
        
        PID:444
        
        C:\Windows\SysWOW64\wlrbcqs.exe
        
        "C:\Windows\system32\wlrbcqs.exe"
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\wicp.exe
        
        "C:\Windows\system32\wicp.exe"
        109⤵
        Checks computer location settings
        
        PID:4728
        
        C:\Windows\SysWOW64\wcmhicj.exe
        
        "C:\Windows\system32\wcmhicj.exe"
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\wocjlsqy.exe
        
        "C:\Windows\system32\wocjlsqy.exe"
        111⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wlwhpw.exe
        
        "C:\Windows\system32\wlwhpw.exe"
        112⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Windows\SysWOW64\wqgow.exe
        
        "C:\Windows\system32\wqgow.exe"
        113⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwhpw.exe"
        113⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocjlsqy.exe"
        112⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmhicj.exe"
        111⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicp.exe"
        110⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrbcqs.exe"
        109⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphmen.exe"
        108⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxbovtg.exe"
        107⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxtplxyf.exe"
        106⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdgajd.exe"
        105⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspwwhy.exe"
        104⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtxre.exe"
        103⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdsg.exe"
        102⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljxkl.exe"
        101⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjp.exe"
        100⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbfuj.exe"
        99⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqglp.exe"
        98⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwool.exe"
        97⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjqwh.exe"
        96⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvy.exe"
        95⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsp.exe"
        94⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpyrdcl.exe"
        93⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmmhxbk.exe"
        92⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkb.exe"
        91⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbpfc.exe"
        90⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqep.exe"
        89⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfnixpoc.exe"
        88⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehjpxpsy.exe"
        87⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlurj.exe"
        86⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmgtsuw.exe"
        85⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvluk.exe"
        84⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfgnm.exe"
        83⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguvy.exe"
        82⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccpci.exe"
        81⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woc.exe"
        80⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcwr.exe"
        79⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlijmdsy.exe"
        78⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiorarov.exe"
        77⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodar.exe"
        76⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyn.exe"
        75⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefkror.exe"
        74⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwocxgp.exe"
        73⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuk.exe"
        72⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisusta.exe"
        71⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 116
        71⤵
        Program crash
        
        PID:1012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1536
        71⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjk.exe"
        70⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqydm.exe"
        69⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlflx.exe"
        68⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwjy.exe"
        67⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waje.exe"
        66⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrlhqpw.exe"
        65⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyvylyp.exe"
        64⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmdpp.exe"
        63⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwkgsrh.exe"
        62⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypgirxct.exe"
        61⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdluw.exe"
        60⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waouqy.exe"
        59⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1232
        59⤵
        Program crash
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weljfu.exe"
        58⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whivt.exe"
        57⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whtdjuwn.exe"
        56⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrra.exe"
        55⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxgcwj.exe"
        54⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvurrh.exe"
        53⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqf.exe"
        52⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 680
        52⤵
        Program crash
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvbhsufu.exe"
        51⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqdv.exe"
        50⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanukrj.exe"
        49⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnnkjm.exe"
        48⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wleylh.exe"
        47⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofttg.exe"
        46⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1400
        46⤵
        Program crash
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfawhc.exe"
        45⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqocrs.exe"
        44⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavue.exe"
        43⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlkofh.exe"
        42⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcnfwe.exe"
        41⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsojrf.exe"
        40⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqsuyxk.exe"
        39⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 116
        39⤵
        Program crash
        
        PID:5068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1536
        39⤵
        Program crash
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhcrnd.exe"
        38⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtbo.exe"
        37⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiy.exe"
        36⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnrub.exe"
        35⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxapq.exe"
        34⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedddhj.exe"
        33⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfxlgk.exe"
        32⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocirtlja.exe"
        31⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdarkqco.exe"
        30⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtl.exe"
        29⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfarxaqm.exe"
        28⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicohyrq.exe"
        27⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1680
        27⤵
        Program crash
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirdqf.exe"
        26⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbjngka.exe"
        25⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpbotp.exe"
        24⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghthjxon.exe"
        23⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfpxiu.exe"
        22⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusyed.exe"
        21⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrcmr.exe"
        20⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvvud.exe"
        19⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwekjn.exe"
        18⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1352
        18⤵
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcelmn.exe"
        17⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjeocu.exe"
        16⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggc.exe"
        15⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjhrkc.exe"
        14⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjiui.exe"
        13⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1704
        13⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjsdnbn.exe"
        12⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmyi.exe"
        11⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyf.exe"
        10⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weja.exe"
        9⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejxk.exe"
        8⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffdqgmbv.exe"
        7⤵
        
        PID:1300
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkbsdr.exe"
        6⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskts.exe"
        5⤵
        
        PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcinq.exe"
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlu.exe"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 748
    3⤵
    - Program crash
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe"
  2⤵
  PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4408 -ip 4408
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3188 -ip 3188
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5104 -ip 5104
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4056 -ip 4056
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1152 -ip 1152
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1152 -ip 1152
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2072 -ip 2072
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3792 -ip 3792
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 364 -ip 364
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1996 -ip 1996
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1996 -ip 1996
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wcelmn.exe

Filesize
93KB

MD5
8aca6492e88f4984c95e8a8aed979876

SHA1
05307b86d09535e5f9dda893eab50aff21edef4a

SHA256
8f254e0ab7e277fc400f1d0e2a55189b8e1e8e6f5babe88410366d903ae9c337

SHA512
cd633297066c69b1ee4fd02b2cffd28e837cd900d3016b43d5907d4374afc30ab16f5e6eaed2ddaacb35fa4a0bc990bc0d9a698c3b861af3360311f72d0f1850

Download Submit
C:\Windows\SysWOW64\wcinq.exe

Filesize
93KB

MD5
a6c0a66016dfe37eb1f6dfe36a01e235

SHA1
c3974a86169bd6e43f3a3b35646e081db1e5889a

SHA256
48c90699b04a4a816318725715c2180b9a33519130346ab54671c4c0e6ca04dd

SHA512
85249aad4b859539a1e33e61c3a3ed66ed17e2bc8ca70651a7357c07d8774be9d3fe79259c10c563842d5a26f430a262ac181f420af7c86c11e4c24d656f51a0

Download Submit
C:\Windows\SysWOW64\wedddhj.exe

Filesize
93KB

MD5
b3f66c95f66c16540a62afdb7245c9e3

SHA1
f43c613a57ea84d520e7350494e2719261d8aca0

SHA256
7a8487ec2ca85f4c3b253ecbcf8556f6b79375e98651577fcc45d1b97c231e5f

SHA512
801b73e87fb2ad0646de2be72a72b9316403fcab1a405a7519a49eed7038647121733d690d2838d24805a0f9f90abfe9ff8383bedc30dbd12c7e6f6ffb1db70a

Download Submit
C:\Windows\SysWOW64\weja.exe

Filesize
93KB

MD5
254a54ff7e6d38335086ea4515cb176b

SHA1
993d30caee8f7ba67854a51b450577044eec5df5

SHA256
c12795b70e51100899324e6e02419eb40aaf1435d5b019792b56490e6ee8dac4

SHA512
07a1cabbc3d71d8f2989a31cca61adabfef448b113bfc4d76ed654e722eaf12e6e7b3b13c10257b2ac10bd78260dd0a4a17495d14c4e11955882d217945afca3

Download Submit
C:\Windows\SysWOW64\wejxk.exe

Filesize
93KB

MD5
bb493e30b00fa0d2b42f8f01079c19e0

SHA1
7f15ef9c7b6b340389a63099cb85d05709187aa9

SHA256
503ec6572627b4e2a3c6837aa42e18459baac4cc30111c33a77065740ed4fa83

SHA512
e853870f6bd83e977d4bd26c71f10ba8f6fa0885172855d99b4a3513814c5434289974aec163bc2df1a5cc2916c279039e9c692ca5eea839372a745cace0ceef

Download Submit
C:\Windows\SysWOW64\wfarxaqm.exe

Filesize
93KB

MD5
153e8c3cbc8a2790ad70a14055bdd3bc

SHA1
7ab4be5f835806eeba5245ab12dd76ff1585237d

SHA256
14931a12671d98612c3fdc9a5f0c1a237550e59017f15164310038a38c3570b7

SHA512
7313deea951fb083af13f6e4dc2889e6a07a532366fa73f8dbd5ea1759e67dd64c174e8a0485f8f79c377c237eae529f52ada0bcc4d4ca69cecd553ce6c1990f

Download Submit
C:\Windows\SysWOW64\wffdqgmbv.exe

Filesize
93KB

MD5
beb0b42cfe34387b5b65e941997d3eb8

SHA1
1eb6f4022e5d91071f222b1d3be8dc849df9fc26

SHA256
6a0cb3f8d032a174461c844f7ade755a828d450cf4b65c8bc3280916217250d9

SHA512
a961098cfbf54b65b2f3e7a849bbeb90fdb0efa9df7add44e630104b38254a2af56abde104e333b24ed7721c7b15265827841f58a1dbed48a482ab1e154ae81d

Download Submit
C:\Windows\SysWOW64\wgfxlgk.exe

Filesize
93KB

MD5
2f9a1222d028710a35c3b30c70d94627

SHA1
c7483530d69ed50f03bb24d1b6f2d5ddb42f7c59

SHA256
c4ef0855192c8008c3049f39dc5768ea92ff2b5287b1cd7ff337f16e990ccc5a

SHA512
f2c35ee5118871c9c335b7a57a77433bc63a1f18ab5ad67731a215e5e4ddd210245950e1b48d94c434778cf087b2dbafb3971e5dc82ca129282f8844de1834e2

Download Submit
C:\Windows\SysWOW64\wggc.exe

Filesize
93KB

MD5
9862415e3d70a662c87513864ff0acb9

SHA1
f1e0fa5512e4ffa08c79abb7689709a776d171fe

SHA256
f4d3172af972fcc951f9680b07b9dcc03c9d6dee1b0ec6c3561534b3822d63c0

SHA512
740b5465669aae1123d8259c4036a191efa2bf5145ffed1afe608b156456c2b0b44eb19be8b330908192a723c32f1d658042d8d211e43eea0324c59f0ed673c4

Download Submit
C:\Windows\SysWOW64\wghthjxon.exe

Filesize
93KB

MD5
7067e7c425fb1f65eb522065311e7bb0

SHA1
68e30144314aa142bf26f74e7c80d3aa18a5cc48

SHA256
f6165119bc9e0f2e790baa99fbe87496be8f46c3ad8e3010e8292a0424174576

SHA512
ad9fe5a67d4964b385d0e8c320475687a3694d319eedd7b5b587007b8a88422100eda803c8f7dcc65680c09224edf357f68b35d7be5031fa5e633ffaffc4c74b

Download Submit
C:\Windows\SysWOW64\wicohyrq.exe

Filesize
93KB

MD5
7c6e947cc5470741783740ee89c9802b

SHA1
d1125f27f6e0877810879c1dfd46c61e21b785db

SHA256
47d1339c1990826e705c6d0f0141973f8813088a5f4485dd93dfc502f550d833

SHA512
73b8b591abbf1d347199d1a6753142aba796ff9b2214e8f7f3f3e267aba027899e36b4cde1015bdfab4658822c0591436f6d069e228ee9ec2293344cc8f782d4

Download Submit
C:\Windows\SysWOW64\wirdqf.exe

Filesize
93KB

MD5
6e9797543ef719f2b682702ded6f0f49

SHA1
26c8feed09dbc1e5b36a85868ed0c45c3fd06887

SHA256
8e09a7fee7693110c0ce51ece7ce423f93bc0a189467ddefeaab42eb10176606

SHA512
9837249c4aae780986367c55d6181ab1d286425446d53ca40ee1dc56e11255b078fae49f017078c7ed2852408f035aefc3ef579c561858143a3b286138af08c3

Download Submit
C:\Windows\SysWOW64\wjiui.exe

Filesize
93KB

MD5
32d48204725c6b354307385f1b47c965

SHA1
b07d55a6b42476a87fbe9a9d383147947c693200

SHA256
b5325867887a6a86b8f97670103b72678e0444c06036a7667158f331153d7f29

SHA512
bf875c518e95d2b9d429997d82ed9834a3d185da8d2cacd854086b57fc64d9fe8cf1d44a08bb99c4f83e72d275a4afcf277831c9fa1fc7564cde84b6a7116cb1

Download Submit
C:\Windows\SysWOW64\wjsdnbn.exe

Filesize
93KB

MD5
0697c7573d928f76db5b58c169e27715

SHA1
7b8bedad3a97d450c29c0d1c28237376387e8410

SHA256
166794ef06f87c2e029eec0c5a32d6bb0bd5867f9deea6a196159a17d19c14af

SHA512
3894b6c8b72f6ef48432dac69a549dbf71acc8ab8f9e169adcc6acfdf987a8cd2977d99abddba948f968afaa9fd5d0df8b27f79136ac7e721fc8bd5a74e696fe

Download Submit
C:\Windows\SysWOW64\wkfpxiu.exe

Filesize
93KB

MD5
22c861c5e0ce0da3966f9e06a1a37049

SHA1
745015b4dbd8326f60a503cc65f9dc943f4ce0c5

SHA256
63aa82edbc9019cd46e3a62d425af77dd03777a77a30e96dab49d10f8c433093

SHA512
17d4bbb3357c321f068f6004801cc4fa71d2bd4c999facc7b77f26b038f3828a9d255b077da08fe52fe2ab4c8f0101cae980f500287dd5d1f495d2154f9eb340

Download Submit
C:\Windows\SysWOW64\wkpbotp.exe

Filesize
93KB

MD5
7ff0c40ab2fb52d8ec82470563bccab4

SHA1
1a95c093884ed99d825876bae2dee85ff29c8a27

SHA256
0f6890233437430c7078bcde7786709e919eb8fdeaae0c116298aed3c3d17602

SHA512
661181aca518ef62df74b0d5ce7015168d4492f84b8b23c8b5ec7a250bd0547d9a8be6d2637de473ae3d079e5c6d72a3f76f8498f0ffed9a087b365e35f2da26

Download Submit
C:\Windows\SysWOW64\wlkbsdr.exe

Filesize
93KB

MD5
726638ae8ee08e499075b014d1396996

SHA1
1d5fe231390d4a161c9d3d1b8d5afadbf25acd75

SHA256
f3c8a4dcf25ebe36c3bbb848b39444dd7de14e797abfff4877a0f041395264f8

SHA512
83dc71db3d863b8c0cd396d1ea049a33158fde0952ca21c49c38c75ba404c601811f822d27b7ee503f413af98c8050c4f7c3d76e595abac4c35bce9ceab6aacf

Download Submit
C:\Windows\SysWOW64\wmbjngka.exe

Filesize
93KB

MD5
b2d62fe0bb61dedebadfa961193e20ae

SHA1
48f43ab8cffab9d8e9ec1c68239730e70215253d

SHA256
01daeade50a5f8625c9a92a616d3fda3332cddd388a37b659208b0d34dac44b7

SHA512
8a1e362ca370b08b1d9af33d2559820f6b5df5233f6a5b8f8cd7c536d6d5b9130e733ced727f4fb49125b36f332c770d1df167ca979ca382f759b1f7484d28ec

Download Submit
C:\Windows\SysWOW64\wmmyi.exe

Filesize
93KB

MD5
2acdad900702b93b768f9364efbf9981

SHA1
b64aa7e6373c5f8c7d12d995bb1b293fd16cdf4a

SHA256
1003e867aec2dcd6626384a0ca17fd01522e214bbfdfcb2c23467c6e40f520ce

SHA512
3ba91b0a5267424a4d24ba27f6f6a20e68630adbd9f2d1a07d83a93a4dbf676c7d024bbbb237b550d8b20d413f5b2edbd817eb95376590586c2dd580fe7e6b89

Download Submit
C:\Windows\SysWOW64\wocirtlja.exe

Filesize
93KB

MD5
89f82901c94464d575a6e44c5b822978

SHA1
55a31ea69da49ceb05d256f4fa717655e4d8f1d0

SHA256
565b4948ee7ab29cd7bc67cc99a1655857c7d987c6f8fa76641f6d356decf835

SHA512
960d6ae8d83159f536d7c9b84da0f5d6150df59cdcc7f7f70959022ce40829bb18447e17f9ada4c5e8acb51ec7e047044f7bbd4feefa3ce1ba154878ca10ce07

Download Submit
C:\Windows\SysWOW64\woyf.exe

Filesize
93KB

MD5
e24a469c17fe41930c9706a2a445773e

SHA1
5ee57a4d28fbaac36e284bed7e81e09aff59d0bb

SHA256
2c2156d63c0af8a9a9f11b46459f8839f7f20eefeb58f216f4af96e09c8ed57a

SHA512
aaacf42748d611b0faeb43a64e8fbc195274a2b9abaafa9a0585ef20a6b185685405315f80f7ceecba61a8e0d7e1e920ae7ef30586ffc54ed6574d0249c3ba91

Download Submit
C:\Windows\SysWOW64\wqlu.exe

Filesize
93KB

MD5
18338e882943e1db85c61b9c96fc006f

SHA1
67f11b8b1c2c03a02ee27335d278021673545dfd

SHA256
135d430c9ae26cbc6716d0b28f0ca93dfa0bd42d9472baddcc7544486145f157

SHA512
ee448b7444a1641f1b194971971cbc2e73c14f92e14f655904230fbd93cd12b1a9c85c4fe9378f0c2613fe779e06c0b5631370eddf831d76979227a5de279fc1

Download Submit
C:\Windows\SysWOW64\wqrcmr.exe

Filesize
93KB

MD5
2808056778db7ce3ec1e0e8f0dd014b1

SHA1
4e4d4514f9ac2ad3aac243c576a3089007f2a5fb

SHA256
ea99bf97a9e731ee3abf9359867640f71af2fa99adeaa0d85778a5f586cd62f3

SHA512
ceed516c111a43d3ceb782718da9ee76c64c21056bc5c309e24848f74892b20127873259f648899364e62ec32cfca78eac60a8cfd9d237094ea1cd6fe660ec10

Download Submit
C:\Windows\SysWOW64\wskts.exe

Filesize
93KB

MD5
c3de4c3a90aef406e22917722e614201

SHA1
8a81eadfa9fbd5821def7cb3893f937aef938606

SHA256
0ec812e6e4e66f181792f59ecd50da37a7ced362c096e9a7ba0479a977a26177

SHA512
f0c5c37e36045db9aec94d407f3eec83bc921cec5f536f0d4d87d43631d513066486513513593f2d1ef0c9fcabba53f104e79c77d4b8404e17eb680377f230ff

Download Submit
C:\Windows\SysWOW64\wtl.exe

Filesize
93KB

MD5
bee91238aa0fc849c55123d19a1ded00

SHA1
91807108ea662cd0814afd1ce5375b05063cbd92

SHA256
318589b995d8d824de24a6a510a49e7e31ec302af70b65d87da321e765e6df5d

SHA512
15d99ec82895bf6324f82d9237373a37f226d2612538c658c321e7d1ee8140352cd1f99fdec35f63798b7373cfab97121d5d977ae109eb64d8a1fdf7e0b15db5

Download Submit
C:\Windows\SysWOW64\wtvvud.exe

Filesize
93KB

MD5
6e38930f562ed38b5d80fcdd804b2ed7

SHA1
13b5e5ec7da796e77ad4cca66d22e6f0384e5bd9

SHA256
0720c5f621e5cfcdc50514dbf903e37a9f36a0d746a3749d79d71a29597a4074

SHA512
4d2b265466f64a23c208afd12f4bedf111ceb7366d22c12d3e1161a62d961c9bd4683c5c038089424d55b4497e1057782c44b93ed8453fe483e4b1b9efabe54c

Download Submit
C:\Windows\SysWOW64\wusyed.exe

Filesize
93KB

MD5
1941a46717f02aa2bd1c2b6ce7b6ed01

SHA1
c71d90dc508ec291d03e1c9204562740b17956c2

SHA256
4bfcce50b6830037e26f4a040502c0a4aa3bcf8cfccd4530ba95b9273fae9a2b

SHA512
0715ca13fcc448a4024b2dce18c2cf8b797b2b5ac9fd4a9f8159d6d6e9df104daf2248d82b7dc2fead68ce468ebc6687aec9197392ac4e1cdd30f4d3bbfad904

Download Submit
C:\Windows\SysWOW64\wvdarkqco.exe

Filesize
93KB

MD5
1318ddfab4f6de65a00d38aa5b7e036e

SHA1
3704238b8abae16a0cc075a2fd4b2521387cc1eb

SHA256
0f46a731c53364fe564d58b1f3a45da9106dc79d9aadc74508122964b886560f

SHA512
b3cf011e6b8e13c610f73b42fcb1acc46b292de8622f9376f87d31300e1cea1681b5aad0af4ae0f5a79c435a1bffe34bfe5b1c7dc3ba22b90f2d6cdec3de1765

Download Submit
C:\Windows\SysWOW64\wwwekjn.exe

Filesize
93KB

MD5
a583f85e7d5560ba34e1c1f5b85dce2a

SHA1
0826ea7bf123737b11e6f1ee846f079ce8a02fbe

SHA256
aa61ad826f74fa4d9147d363abc8f2173764e7536f05d34ce877787fb5a95f25

SHA512
da2b95cd3f4da4ae8ad09af7089f10e338e5c25b0bdbd78c4f7ac63ff9c28253cb8d681111f1daca37585f1ec5383ed36f0473ced1a905e53198de6016bfaac1

Download Submit
C:\Windows\SysWOW64\wxapq.exe

Filesize
93KB

MD5
7cf8b06b70cd3b986f28971e3dbbce2e

SHA1
2d39233acfa63c3d2db7edff9364424d2959ba44

SHA256
20ec543415a937bb407afe7f0eea9c53ab13affce5387a1bc2450fa9ec52eca1

SHA512
bceee312a922975e10ed8955ab679ba32d192be97b1b33622bb708ddef8e28ee40619c1378847281a6760d29f1ae09caaa61525df22becd2871d06538e71a90f

Download Submit
C:\Windows\SysWOW64\wxjhrkc.exe

Filesize
93KB

MD5
1b699d7c816a1d59069fb3bbc2244f29

SHA1
6969fcee8003b166e5cb559cadc48e837811f6b8

SHA256
f19a0204304651cec52789ab0cf07f17bcc542e59d4d919878e93cdb2f1475f8

SHA512
8966612f44d957a185f987eaf9e2cf39bee6ca1db2127deacec8853c398f5e8d297206ccc97ca5784d08cef4ee0f6db6afe9b19ca23da61c63b6d625d4d0ef3f

Download Submit
C:\Windows\SysWOW64\wyjeocu.exe

Filesize
93KB

MD5
19a7376ba9ee74b2e50c6853cabfe44e

SHA1
c72114ca39769ef2bee5e80083f33f00c59997db

SHA256
caf479d76f4e608e4840ed844613eaea708b889812a9c8fdd0d1e34d141b341d

SHA512
bd33a82159454f738d1088821295d4e8ec548b4496d9c3e36646462cfc0612bf9366e5e64addf1fce1d49222e1d1012559d07105b645da23b872be9a459275db

Download Submit
memory/364-559-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/384-414-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/396-550-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/548-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/548-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/796-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/852-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/852-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1152-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1152-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1152-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1152-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-615-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1404-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1404-406-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1468-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1468-306-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1660-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1660-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-283-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1700-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1700-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1724-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1724-371-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1792-422-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1960-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1960-346-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1996-583-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-474-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-483-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2064-526-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2072-448-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2072-438-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2336-219-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2336-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-542-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2684-338-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2956-508-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2956-517-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2964-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2964-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3188-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3188-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3192-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3232-465-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3232-475-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3344-491-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3408-575-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3508-599-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3616-534-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3616-525-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3664-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3784-430-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-500-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3844-354-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3952-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3952-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3964-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3964-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3972-616-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4056-261-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4056-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4072-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4072-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4088-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4092-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4092-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4152-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-567-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-558-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4408-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4424-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4508-607-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4564-466-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4668-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4780-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4780-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-591-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4804-398-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4824-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-456-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-447-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4832-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4832-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4964-363-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4988-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4988-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5104-499-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5104-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5104-509-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5116-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download