dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
Size

82KB
MD5

7929e93dbc597f670ac84bf281b6c4fc
SHA1

20079a9ab42e178f31c8a7cb91e8bfebb4ccdb92
SHA256

dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb
SHA512

fc65304c725292de4715337662d9094bca951148dec0abd6b8035c779ab68c4cf2bde4259487daa398dbada6865320761214f861ae9614b4920eb16be9548c12
SSDEEP

1536:azUQz74LIvK/+Czax4IHVdmRvW1BDVwrVXw62:qUQz74TmFnmRvW1gXw62

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2560	wbif.exe
2384	wqyf.exe
2660	wbweevcba.exe
1776	whiusdak.exe
2252	wsiy.exe
1772	wgwp.exe
1588	wqheo.exe
2440	weptr.exe
2616	wkbk.exe
2464	wee.exe
1836	wiptdd.exe
2044	wbvufl.exe
2756	wmhili.exe
2068	wbs.exe
1604	wsmife.exe
1772	wspxec.exe
352	wgkqi.exe
2740	wqhptqaej.exe
2540	wejy.exe
2764	wkvq.exe
2396	wurp.exe
2244	wepnjjrlv.exe
1704	wonqi.exe
2424	wqblfv.exe
1912	wwnctb.exe
856	wqhs.exe
3008	wbsgu.exe
2488	wooaaw.exe
2088	wpbux.exe
2164	wfmeub.exe
2360	wmmbjd.exe
1360	wgsalm.exe
1704	wgsl.exe
344	weyivyok.exe
2548	wjlakgl.exe
2072	wrmgs.exe
2896	wtyb.exe
2052	wak.exe
2384	wevkun.exe
936	wpo.exe
2220	wwlbkqc.exe
1028	wbwrww.exe
1660	wwoay.exe
2728	wkkudr.exe
2368	wtgqppq.exe
1608	wnchkw.exe
2632	wlrlfs.exe
2144	waapolee.exe
2044	wgmherc.exe
1728	wlm.exe
1684	wfaqad.exe
1768	wllhp.exe
864	wmmthxh.exe
1364	wpndw.exe
2072	wyjbjkaha.exe
2476	wfvsyqxqd.exe
1936	wiwdpf.exe
1964	wnuflm.exe
1668	wuult.exe
332	wfgaa.exe
324	wyir.exe
2412	wcqssevm.exe
620	wickhkt.exe
2644	wbikjrv.exe

Loads dropped DLL 64 IoCs

pid	Process
1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
2560	wbif.exe
2560	wbif.exe
2560	wbif.exe
2560	wbif.exe
2560	wbif.exe
2384	wqyf.exe
2384	wqyf.exe
2384	wqyf.exe
2384	wqyf.exe
2384	wqyf.exe
2660	wbweevcba.exe
2660	wbweevcba.exe
2660	wbweevcba.exe
2660	wbweevcba.exe
2660	wbweevcba.exe
1776	whiusdak.exe
1776	whiusdak.exe
1776	whiusdak.exe
1776	whiusdak.exe
1776	whiusdak.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2252	wsiy.exe
2252	wsiy.exe
2252	wsiy.exe
2252	wsiy.exe
2252	wsiy.exe
1772	wgwp.exe
1772	wgwp.exe
1772	wgwp.exe
1772	wgwp.exe
1772	wgwp.exe
1588	wqheo.exe
1588	wqheo.exe
1588	wqheo.exe
1588	wqheo.exe
1588	wqheo.exe
2440	weptr.exe
2440	weptr.exe
2440	weptr.exe
2440	weptr.exe
2440	weptr.exe
2616	wkbk.exe
2616	wkbk.exe
2616	wkbk.exe
2616	wkbk.exe
2616	wkbk.exe
2464	wee.exe
2464	wee.exe
2464	wee.exe
2464	wee.exe
2464	wee.exe
1836	wiptdd.exe
1836	wiptdd.exe
1836	wiptdd.exe
1836	wiptdd.exe
1836	wiptdd.exe
2044	wbvufl.exe
2044	wbvufl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wejy.exe	wqhptqaej.exe
File created	C:\Windows\SysWOW64\wfaqad.exe	wlm.exe
File opened for modification	C:\Windows\SysWOW64\wllhp.exe	wfaqad.exe
File opened for modification	C:\Windows\SysWOW64\waprt.exe	wli.exe
File opened for modification	C:\Windows\SysWOW64\whbun.exe	wylypkrnr.exe
File created	C:\Windows\SysWOW64\wminevw.exe	wgwu.exe
File opened for modification	C:\Windows\SysWOW64\wsmife.exe	wbs.exe
File opened for modification	C:\Windows\SysWOW64\wwlbkqc.exe	wpo.exe
File opened for modification	C:\Windows\SysWOW64\wiwdpf.exe	wfvsyqxqd.exe
File opened for modification	C:\Windows\SysWOW64\wlaay.exe	wwpr.exe
File opened for modification	C:\Windows\SysWOW64\wee.exe	wkbk.exe
File created	C:\Windows\SysWOW64\wmnsogmdr.exe	wkdgkuv.exe
File opened for modification	C:\Windows\SysWOW64\wbwrww.exe	wwlbkqc.exe
File created	C:\Windows\SysWOW64\wfgaa.exe	wuult.exe
File opened for modification	C:\Windows\SysWOW64\wyvkxurl.exe	wpyomuf.exe
File opened for modification	C:\Windows\SysWOW64\wkvydu.exe	wsbihmb.exe
File opened for modification	C:\Windows\SysWOW64\wbif.exe	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
File opened for modification	C:\Windows\SysWOW64\wlrlfs.exe	wnchkw.exe
File opened for modification	C:\Windows\SysWOW64\wllxfbddb.exe	wfygru.exe
File created	C:\Windows\SysWOW64\wvnojmrs.exe	wlecd.exe
File created	C:\Windows\SysWOW64\wipqgwih.exe	wpiqeneci.exe
File created	C:\Windows\SysWOW64\wbweevcba.exe	wqyf.exe
File opened for modification	C:\Windows\SysWOW64\wgkqi.exe	wspxec.exe
File created	C:\Windows\SysWOW64\wdygrwx.exe	worbg.exe
File opened for modification	C:\Windows\SysWOW64\wmnsogmdr.exe	wkdgkuv.exe
File opened for modification	C:\Windows\SysWOW64\wejy.exe	wqhptqaej.exe
File opened for modification	C:\Windows\SysWOW64\wjlakgl.exe	weyivyok.exe
File opened for modification	C:\Windows\SysWOW64\wrmgs.exe	wjlakgl.exe
File created	C:\Windows\SysWOW64\wieqqn.exe	wcrychb.exe
File created	C:\Windows\SysWOW64\wqheo.exe	wgwp.exe
File opened for modification	C:\Windows\SysWOW64\wrhbfrbk.exe	wekhbb.exe
File created	C:\Windows\SysWOW64\wpbux.exe	wooaaw.exe
File created	C:\Windows\SysWOW64\wwoay.exe	wbwrww.exe
File opened for modification	C:\Windows\SysWOW64\waapolee.exe	wlrlfs.exe
File created	C:\Windows\SysWOW64\wruppmkr.exe	wdy.exe
File opened for modification	C:\Windows\SysWOW64\wfygru.exe	wpovt.exe
File created	C:\Windows\SysWOW64\wonqi.exe	wepnjjrlv.exe
File opened for modification	C:\Windows\SysWOW64\wpyomuf.exe	wmnsogmdr.exe
File opened for modification	C:\Windows\SysWOW64\wipqgwih.exe	wpiqeneci.exe
File created	C:\Windows\SysWOW64\whiusdak.exe	wbweevcba.exe
File created	C:\Windows\SysWOW64\wbvufl.exe	wiptdd.exe
File created	C:\Windows\SysWOW64\wlrlfs.exe	wnchkw.exe
File opened for modification	C:\Windows\SysWOW64\wpndw.exe	wmmthxh.exe
File opened for modification	C:\Windows\SysWOW64\wonncqsa.exe	whbun.exe
File created	C:\Windows\SysWOW64\wcwcy.exe	wobiudg.exe
File created	C:\Windows\SysWOW64\wgsl.exe	wgsalm.exe
File created	C:\Windows\SysWOW64\wobiudg.exe	wipqgwih.exe
File opened for modification	C:\Windows\SysWOW64\weyivyok.exe	wgsl.exe
File created	C:\Windows\SysWOW64\wqhs.exe	wwnctb.exe
File created	C:\Windows\SysWOW64\wmmbjd.exe	wfmeub.exe
File created	C:\Windows\SysWOW64\wagrjqse.exe	wllxfbddb.exe
File opened for modification	C:\Windows\SysWOW64\wwoay.exe	wbwrww.exe
File opened for modification	C:\Windows\SysWOW64\wcqssevm.exe	wyir.exe
File created	C:\Windows\SysWOW64\wgkqi.exe	wspxec.exe
File opened for modification	C:\Windows\SysWOW64\wtyb.exe	wrmgs.exe
File created	C:\Windows\SysWOW64\wvyndqi.exe	wylpws.exe
File opened for modification	C:\Windows\SysWOW64\wnchkw.exe	wtgqppq.exe
File opened for modification	C:\Windows\SysWOW64\wgmherc.exe	waapolee.exe
File opened for modification	C:\Windows\SysWOW64\wylpws.exe	wkbfae.exe
File created	C:\Windows\SysWOW64\wiptdd.exe	wee.exe
File created	C:\Windows\SysWOW64\wooaaw.exe	wbsgu.exe
File opened for modification	C:\Windows\SysWOW64\wyjbjkaha.exe	wpndw.exe
File created	C:\Windows\SysWOW64\wnuflm.exe	wiwdpf.exe
File created	C:\Windows\SysWOW64\wkvq.exe	wejy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	1776	WerFault.exe	37

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2560	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	28
PID 1484 wrote to memory of 2560	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	28
PID 1484 wrote to memory of 2560	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	28
PID 1484 wrote to memory of 2560	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	28
PID 1484 wrote to memory of 2672	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	29
PID 1484 wrote to memory of 2672	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	29
PID 1484 wrote to memory of 2672	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	29
PID 1484 wrote to memory of 2672	1484	dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe	29
PID 2560 wrote to memory of 2384	2560	wbif.exe	31
PID 2560 wrote to memory of 2384	2560	wbif.exe	31
PID 2560 wrote to memory of 2384	2560	wbif.exe	31
PID 2560 wrote to memory of 2384	2560	wbif.exe	31
PID 2560 wrote to memory of 2964	2560	wbif.exe	32
PID 2560 wrote to memory of 2964	2560	wbif.exe	32
PID 2560 wrote to memory of 2964	2560	wbif.exe	32
PID 2560 wrote to memory of 2964	2560	wbif.exe	32
PID 2384 wrote to memory of 2660	2384	wqyf.exe	34
PID 2384 wrote to memory of 2660	2384	wqyf.exe	34
PID 2384 wrote to memory of 2660	2384	wqyf.exe	34
PID 2384 wrote to memory of 2660	2384	wqyf.exe	34
PID 2384 wrote to memory of 2164	2384	wqyf.exe	35
PID 2384 wrote to memory of 2164	2384	wqyf.exe	35
PID 2384 wrote to memory of 2164	2384	wqyf.exe	35
PID 2384 wrote to memory of 2164	2384	wqyf.exe	35
PID 2660 wrote to memory of 1776	2660	wbweevcba.exe	37
PID 2660 wrote to memory of 1776	2660	wbweevcba.exe	37
PID 2660 wrote to memory of 1776	2660	wbweevcba.exe	37
PID 2660 wrote to memory of 1776	2660	wbweevcba.exe	37
PID 2660 wrote to memory of 320	2660	wbweevcba.exe	38
PID 2660 wrote to memory of 320	2660	wbweevcba.exe	38
PID 2660 wrote to memory of 320	2660	wbweevcba.exe	38
PID 2660 wrote to memory of 320	2660	wbweevcba.exe	38
PID 1776 wrote to memory of 2252	1776	whiusdak.exe	40
PID 1776 wrote to memory of 2252	1776	whiusdak.exe	40
PID 1776 wrote to memory of 2252	1776	whiusdak.exe	40
PID 1776 wrote to memory of 2252	1776	whiusdak.exe	40
PID 1776 wrote to memory of 2208	1776	whiusdak.exe	41
PID 1776 wrote to memory of 2208	1776	whiusdak.exe	41
PID 1776 wrote to memory of 2208	1776	whiusdak.exe	41
PID 1776 wrote to memory of 2208	1776	whiusdak.exe	41
PID 1776 wrote to memory of 2852	1776	whiusdak.exe	43
PID 1776 wrote to memory of 2852	1776	whiusdak.exe	43
PID 1776 wrote to memory of 2852	1776	whiusdak.exe	43
PID 1776 wrote to memory of 2852	1776	whiusdak.exe	43
PID 2252 wrote to memory of 1772	2252	wsiy.exe	44
PID 2252 wrote to memory of 1772	2252	wsiy.exe	44
PID 2252 wrote to memory of 1772	2252	wsiy.exe	44
PID 2252 wrote to memory of 1772	2252	wsiy.exe	44
PID 2252 wrote to memory of 2284	2252	wsiy.exe	45
PID 2252 wrote to memory of 2284	2252	wsiy.exe	45
PID 2252 wrote to memory of 2284	2252	wsiy.exe	45
PID 2252 wrote to memory of 2284	2252	wsiy.exe	45
PID 1772 wrote to memory of 1588	1772	wgwp.exe	47
PID 1772 wrote to memory of 1588	1772	wgwp.exe	47
PID 1772 wrote to memory of 1588	1772	wgwp.exe	47
PID 1772 wrote to memory of 1588	1772	wgwp.exe	47
PID 1772 wrote to memory of 1852	1772	wgwp.exe	48
PID 1772 wrote to memory of 1852	1772	wgwp.exe	48
PID 1772 wrote to memory of 1852	1772	wgwp.exe	48
PID 1772 wrote to memory of 1852	1772	wgwp.exe	48
PID 1588 wrote to memory of 2440	1588	wqheo.exe	50
PID 1588 wrote to memory of 2440	1588	wqheo.exe	50
PID 1588 wrote to memory of 2440	1588	wqheo.exe	50
PID 1588 wrote to memory of 2440	1588	wqheo.exe	50

C:\Users\Admin\AppData\Local\Temp\dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe
"C:\Users\Admin\AppData\Local\Temp\dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\wbif.exe
  "C:\Windows\system32\wbif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\wqyf.exe
    "C:\Windows\system32\wqyf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\wbweevcba.exe
      "C:\Windows\system32\wbweevcba.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\whiusdak.exe
        
        "C:\Windows\system32\whiusdak.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\wsiy.exe
        
        "C:\Windows\system32\wsiy.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\wgwp.exe
        
        "C:\Windows\system32\wgwp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\wqheo.exe
        
        "C:\Windows\system32\wqheo.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\weptr.exe
        
        "C:\Windows\system32\weptr.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2440
        
        C:\Windows\SysWOW64\wkbk.exe
        
        "C:\Windows\system32\wkbk.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\wee.exe
        
        "C:\Windows\system32\wee.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\wiptdd.exe
        
        "C:\Windows\system32\wiptdd.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wbvufl.exe
        
        "C:\Windows\system32\wbvufl.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2044
        
        C:\Windows\SysWOW64\wmhili.exe
        
        "C:\Windows\system32\wmhili.exe"
        14⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\wbs.exe
        
        "C:\Windows\system32\wbs.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\wsmife.exe
        
        "C:\Windows\system32\wsmife.exe"
        16⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\wspxec.exe
        
        "C:\Windows\system32\wspxec.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\wgkqi.exe
        
        "C:\Windows\system32\wgkqi.exe"
        18⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\wqhptqaej.exe
        
        "C:\Windows\system32\wqhptqaej.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\wejy.exe
        
        "C:\Windows\system32\wejy.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wkvq.exe
        
        "C:\Windows\system32\wkvq.exe"
        21⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\wurp.exe
        
        "C:\Windows\system32\wurp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\wepnjjrlv.exe
        
        "C:\Windows\system32\wepnjjrlv.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\wonqi.exe
        
        "C:\Windows\system32\wonqi.exe"
        24⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\wqblfv.exe
        
        "C:\Windows\system32\wqblfv.exe"
        25⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\wwnctb.exe
        
        "C:\Windows\system32\wwnctb.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\wqhs.exe
        
        "C:\Windows\system32\wqhs.exe"
        27⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\wbsgu.exe
        
        "C:\Windows\system32\wbsgu.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\wooaaw.exe
        
        "C:\Windows\system32\wooaaw.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\wpbux.exe
        
        "C:\Windows\system32\wpbux.exe"
        30⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\wfmeub.exe
        
        "C:\Windows\system32\wfmeub.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\wmmbjd.exe
        
        "C:\Windows\system32\wmmbjd.exe"
        32⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\wgsalm.exe
        
        "C:\Windows\system32\wgsalm.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\wgsl.exe
        
        "C:\Windows\system32\wgsl.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\weyivyok.exe
        
        "C:\Windows\system32\weyivyok.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\wjlakgl.exe
        
        "C:\Windows\system32\wjlakgl.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\wrmgs.exe
        
        "C:\Windows\system32\wrmgs.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\wtyb.exe
        
        "C:\Windows\system32\wtyb.exe"
        38⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\wak.exe
        
        "C:\Windows\system32\wak.exe"
        39⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\wevkun.exe
        
        "C:\Windows\system32\wevkun.exe"
        40⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\wpo.exe
        
        "C:\Windows\system32\wpo.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\wwlbkqc.exe
        
        "C:\Windows\system32\wwlbkqc.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\wbwrww.exe
        
        "C:\Windows\system32\wbwrww.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\wwoay.exe
        
        "C:\Windows\system32\wwoay.exe"
        44⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\wkkudr.exe
        
        "C:\Windows\system32\wkkudr.exe"
        45⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\wtgqppq.exe
        
        "C:\Windows\system32\wtgqppq.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\wnchkw.exe
        
        "C:\Windows\system32\wnchkw.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\wlrlfs.exe
        
        "C:\Windows\system32\wlrlfs.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\waapolee.exe
        
        "C:\Windows\system32\waapolee.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\wgmherc.exe
        
        "C:\Windows\system32\wgmherc.exe"
        50⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\wlm.exe
        
        "C:\Windows\system32\wlm.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\wfaqad.exe
        
        "C:\Windows\system32\wfaqad.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\wllhp.exe
        
        "C:\Windows\system32\wllhp.exe"
        53⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\wmmthxh.exe
        
        "C:\Windows\system32\wmmthxh.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\wpndw.exe
        
        "C:\Windows\system32\wpndw.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\wyjbjkaha.exe
        
        "C:\Windows\system32\wyjbjkaha.exe"
        56⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\wfvsyqxqd.exe
        
        "C:\Windows\system32\wfvsyqxqd.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wiwdpf.exe
        
        "C:\Windows\system32\wiwdpf.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wnuflm.exe
        
        "C:\Windows\system32\wnuflm.exe"
        59⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\wuult.exe
        
        "C:\Windows\system32\wuult.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wfgaa.exe
        
        "C:\Windows\system32\wfgaa.exe"
        61⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\wyir.exe
        
        "C:\Windows\system32\wyir.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\wcqssevm.exe
        
        "C:\Windows\system32\wcqssevm.exe"
        63⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\wickhkt.exe
        
        "C:\Windows\system32\wickhkt.exe"
        64⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\wbikjrv.exe
        
        "C:\Windows\system32\wbikjrv.exe"
        65⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\wli.exe
        
        "C:\Windows\system32\wli.exe"
        66⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\waprt.exe
        
        "C:\Windows\system32\waprt.exe"
        67⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\wkbfae.exe
        
        "C:\Windows\system32\wkbfae.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wylpws.exe
        
        "C:\Windows\system32\wylpws.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\wvyndqi.exe
        
        "C:\Windows\system32\wvyndqi.exe"
        70⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wdy.exe
        
        "C:\Windows\system32\wdy.exe"
        71⤵
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\wruppmkr.exe
        
        "C:\Windows\system32\wruppmkr.exe"
        72⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\wkqfltc.exe
        
        "C:\Windows\system32\wkqfltc.exe"
        73⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\wylypkrnr.exe
        
        "C:\Windows\system32\wylypkrnr.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\whbun.exe
        
        "C:\Windows\system32\whbun.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\wonncqsa.exe
        
        "C:\Windows\system32\wonncqsa.exe"
        76⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\wpovt.exe
        
        "C:\Windows\system32\wpovt.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\wfygru.exe
        
        "C:\Windows\system32\wfygru.exe"
        78⤵
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\wllxfbddb.exe
        
        "C:\Windows\system32\wllxfbddb.exe"
        79⤵
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\wagrjqse.exe
        
        "C:\Windows\system32\wagrjqse.exe"
        80⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\worbg.exe
        
        "C:\Windows\system32\worbg.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\wdygrwx.exe
        
        "C:\Windows\system32\wdygrwx.exe"
        82⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\wrjqoncx.exe
        
        "C:\Windows\system32\wrjqoncx.exe"
        83⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\wkdgkuv.exe
        
        "C:\Windows\system32\wkdgkuv.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\wmnsogmdr.exe
        
        "C:\Windows\system32\wmnsogmdr.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\wpyomuf.exe
        
        "C:\Windows\system32\wpyomuf.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\wyvkxurl.exe
        
        "C:\Windows\system32\wyvkxurl.exe"
        87⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\wlecd.exe
        
        "C:\Windows\system32\wlecd.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wvnojmrs.exe
        
        "C:\Windows\system32\wvnojmrs.exe"
        89⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\weoxqre.exe
        
        "C:\Windows\system32\weoxqre.exe"
        90⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\wxxdtq.exe
        
        "C:\Windows\system32\wxxdtq.exe"
        91⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\wekhbb.exe
        
        "C:\Windows\system32\wekhbb.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\wrhbfrbk.exe
        
        "C:\Windows\system32\wrhbfrbk.exe"
        93⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\wpiqeneci.exe
        
        "C:\Windows\system32\wpiqeneci.exe"
        94⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\wipqgwih.exe
        
        "C:\Windows\system32\wipqgwih.exe"
        95⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\wobiudg.exe
        
        "C:\Windows\system32\wobiudg.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\wcwcy.exe
        
        "C:\Windows\system32\wcwcy.exe"
        97⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\wkwihyho.exe
        
        "C:\Windows\system32\wkwihyho.exe"
        98⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\wcrychb.exe
        
        "C:\Windows\system32\wcrychb.exe"
        99⤵
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\wieqqn.exe
        
        "C:\Windows\system32\wieqqn.exe"
        100⤵
        
        PID:332
        
        C:\Windows\SysWOW64\wgwtb.exe
        
        "C:\Windows\system32\wgwtb.exe"
        101⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\wwpr.exe
        
        "C:\Windows\system32\wwpr.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\wlaay.exe
        
        "C:\Windows\system32\wlaay.exe"
        103⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\wsbihmb.exe
        
        "C:\Windows\system32\wsbihmb.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\wkvydu.exe
        
        "C:\Windows\system32\wkvydu.exe"
        105⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\wsoqfx.exe
        
        "C:\Windows\system32\wsoqfx.exe"
        106⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\wgwu.exe
        
        "C:\Windows\system32\wgwu.exe"
        107⤵
        Drops file in System32 directory
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsoqfx.exe"
        107⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvydu.exe"
        106⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbihmb.exe"
        105⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlaay.exe"
        104⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpr.exe"
        103⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwtb.exe"
        102⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wieqqn.exe"
        101⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrychb.exe"
        100⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwihyho.exe"
        99⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwcy.exe"
        98⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobiudg.exe"
        97⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipqgwih.exe"
        96⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpiqeneci.exe"
        95⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhbfrbk.exe"
        94⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekhbb.exe"
        93⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxdtq.exe"
        92⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoxqre.exe"
        91⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnojmrs.exe"
        90⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlecd.exe"
        89⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvkxurl.exe"
        88⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyomuf.exe"
        87⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnsogmdr.exe"
        86⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkdgkuv.exe"
        85⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqoncx.exe"
        84⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdygrwx.exe"
        83⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worbg.exe"
        82⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagrjqse.exe"
        81⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllxfbddb.exe"
        80⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfygru.exe"
        79⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpovt.exe"
        78⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonncqsa.exe"
        77⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbun.exe"
        76⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylypkrnr.exe"
        75⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqfltc.exe"
        74⤵
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruppmkr.exe"
        73⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdy.exe"
        72⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyndqi.exe"
        71⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylpws.exe"
        70⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbfae.exe"
        69⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waprt.exe"
        68⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wli.exe"
        67⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbikjrv.exe"
        66⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wickhkt.exe"
        65⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqssevm.exe"
        64⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyir.exe"
        63⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgaa.exe"
        62⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuult.exe"
        61⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuflm.exe"
        60⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwdpf.exe"
        59⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvsyqxqd.exe"
        58⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjbjkaha.exe"
        57⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpndw.exe"
        56⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmthxh.exe"
        55⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllhp.exe"
        54⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaqad.exe"
        53⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlm.exe"
        52⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmherc.exe"
        51⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waapolee.exe"
        50⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrlfs.exe"
        49⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnchkw.exe"
        48⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgqppq.exe"
        47⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkudr.exe"
        46⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwoay.exe"
        45⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwrww.exe"
        44⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwlbkqc.exe"
        43⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpo.exe"
        42⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevkun.exe"
        41⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wak.exe"
        40⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyb.exe"
        39⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmgs.exe"
        38⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlakgl.exe"
        37⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyivyok.exe"
        36⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsl.exe"
        35⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsalm.exe"
        34⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmbjd.exe"
        33⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmeub.exe"
        32⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbux.exe"
        31⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wooaaw.exe"
        30⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsgu.exe"
        29⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhs.exe"
        28⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnctb.exe"
        27⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqblfv.exe"
        26⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonqi.exe"
        25⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepnjjrlv.exe"
        24⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurp.exe"
        23⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvq.exe"
        22⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejy.exe"
        21⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhptqaej.exe"
        20⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkqi.exe"
        19⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspxec.exe"
        18⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmife.exe"
        17⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbs.exe"
        16⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhili.exe"
        15⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvufl.exe"
        14⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiptdd.exe"
        13⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wee.exe"
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbk.exe"
        11⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weptr.exe"
        10⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqheo.exe"
        9⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwp.exe"
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiy.exe"
        7⤵
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whiusdak.exe"
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 420
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbweevcba.exe"
        5⤵
        
        PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqyf.exe"
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbif.exe"
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\dc2ad32293b9db66368622325b02755f02bf164260d1a0651aede213a3644ccb.exe"
  2⤵
  - Deletes itself
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AHRG0R0V.txt

Filesize
98B

MD5
88b268db450b6ba3244e8bcb035080d5

SHA1
0462ab6626b651e13155196d5fe2168cbde046d0

SHA256
7bd168adcfdca2d7628499608a0ecab044d00110958409ad6d1ed8a921862158

SHA512
6f58565dc4b3c97411d39ec05e78eaf255e821034d6ffa8d71d6a3bf8a60a030da3ff8bc9fb9c9e86e5ce129e640ffe5bb922a4d56d6b94bdbc7467e547037db

Download Submit
\Windows\SysWOW64\wbif.exe

Filesize
82KB

MD5
eb7b427df6cd3fa25e8d10755558fe42

SHA1
a0cfc2a8cea9e92268738a26d2b7d0f36a7f4cb0

SHA256
1b38d2fec0d53d92f8d586cffa4790a07a65948ec525aafc76496cb002289ef9

SHA512
1b3a7805af258fad4f10a4fdd464e18c7f658e6e827e884e83b4017d8292fafd0e8d3e3371b003673bc213e548a77dc1f275a4aa3567229028871c83ab877c90

Download Submit
\Windows\SysWOW64\wbweevcba.exe

Filesize
82KB

MD5
4da88cf473f66c2e57575f0d43f51a92

SHA1
d6f68fcee45f21b814d14b678aff2492971f5c6f

SHA256
b9d2eb78f9db62ca1857187edb69edb0898f056e428843b9ae4d3d939b22a10f

SHA512
00043938c23a5eabfbfe3eefbab8d3b6bc8fc17b9e457ec7e4d1af6f1bafae9749007748064bc1a998ac4eab78854bfaa1b8044e774e826dd0fe83af5b22b520

Download Submit
\Windows\SysWOW64\weptr.exe

Filesize
82KB

MD5
be29c77731c46a01a87ad61de11aabce

SHA1
cc310b6745ed2d6c3dbccc65c5fbe407998f0a42

SHA256
b2f82d4e4a098800e2c454505f5f5ec8fb510606934eed882798b65db44a0256

SHA512
00c43fd919dac04bdd4e6c549946c65fa34c76caace259912ba08e007a99ee574e9fc7c91e31ed49d6d7cf0336d6a5ec80e691dfbe37d9b8312f1fb577fbc5c3

Download Submit
\Windows\SysWOW64\wgwp.exe

Filesize
82KB

MD5
9b678c76476cb1cb825d4d27ae0f2c33

SHA1
b41df4209d135cb5c45ecfef646f6c74db235ee0

SHA256
aaea972ea1d308bc725d5da66fb6b7621aacc08fafa54863cbe9fbf6e255a0d0

SHA512
f416af793a8de8646cafb766cae9a900a8ddf8eebffd32e36c31eddbaa44d16dc84af4e50c733ee587fbccdd71a30e894af1c0ebbdba65f8b2c3a5003bb5c5d1

Download Submit
\Windows\SysWOW64\whiusdak.exe

Filesize
82KB

MD5
9350c2afa69c100f6a798621a02adc3f

SHA1
080d78c8d40ff178f9cdd0b9ed28bc32ec3e8183

SHA256
d501abb12d1b20a0477657441b819e2ace01396ad415b7d4b59c7e18b1c6dc55

SHA512
159d84476b14163c4fc97758eb8b0073a169045fcc2877b4d27b892a7c810c7057795dbed2641b07b6ade9c214216d327fc6a7e42032ee2b2e5e8b97eb2b1087

Download Submit
\Windows\SysWOW64\wkbk.exe

Filesize
82KB

MD5
8e2b23d07232c4358f329b44717fb67e

SHA1
fe577e02f429b4197daca937b9f21fff6474b2ba

SHA256
cbe2ffc4b60607fd4c70b6e53cf1612fb5f508a0bfd35ea4ac974322f529d310

SHA512
89f8f357069cd9525e161e4f1c8cf38e2d0ae25f122affd9838f0a880a331eddc3d034971f4174bf67a4c45dc7759361a1867bc4c99a38a16bdd4f9e562b697d

Download Submit
\Windows\SysWOW64\wqheo.exe

Filesize
82KB

MD5
ae48f416c2ec1629cccc5104f2198622

SHA1
d846804b7193746ee1b1d1385314c30f2496250a

SHA256
e3d1a6da655925d5e7ede4c55ef9383edea12b1dcf8b0ecd0ae30856819637bb

SHA512
ade2ba8b15ce3537d48b223f9bf0cd1eb8636e0fa86eec16db192909a5b12f4757f4736431f7531993b971129cead28dcf28cca2158abbc054dbfbd93cf03f50

Download Submit
\Windows\SysWOW64\wqyf.exe

Filesize
82KB

MD5
64988bc25e763fc94207eebdefa83651

SHA1
dff7f466af0e2c5558d36cdbf7aefff5d25fe91c

SHA256
f42054cb9377d737d097fbd3b9f640280e7c2ca5758857289264a492684f275e

SHA512
6b52e5992dccaee85152c20507eafd6ee96034e72af67f67829ad7f70af4504056bb311f03b8cbe7e4f2d5a90139a2318e1031295adc50971bc17811ce4a9de0

Download Submit
\Windows\SysWOW64\wsiy.exe

Filesize
82KB

MD5
63b51b663d75b3a486bdf34301b4f79b

SHA1
92e9bb963b48b60bdf52c6a313e84cea52424d38

SHA256
1998a6687e0c8ec20b5f6502919dd21337ea441748405ab6166f869781d8fdb8

SHA512
d5e8410ddd45c6f4f7070234843263de9a51cb24953b300d190de28a0143c2d049130e75a936779f38381c6e201b65615ed7a9bf0901a59f5273910586066433

Download Submit
memory/352-349-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/352-348-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/352-346-0x0000000002400000-0x0000000002417000-memory.dmp

Filesize
92KB

Download
memory/352-334-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1484-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1484-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1484-6-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/1484-12-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/1484-19-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/1484-20-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/1484-24-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1588-183-0x0000000000B20000-0x0000000000B37000-memory.dmp

Filesize
92KB

Download
memory/1588-176-0x0000000000B20000-0x0000000000B37000-memory.dmp

Filesize
92KB

Download
memory/1588-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1588-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1604-313-0x00000000032A0000-0x00000000032B7000-memory.dmp

Filesize
92KB

Download
memory/1604-315-0x0000000003B70000-0x0000000003B87000-memory.dmp

Filesize
92KB

Download
memory/1604-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1604-314-0x0000000003B70000-0x0000000003B87000-memory.dmp

Filesize
92KB

Download
memory/1604-312-0x00000000032A0000-0x00000000032B7000-memory.dmp

Filesize
92KB

Download
memory/1772-333-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-161-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/1772-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-330-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/1772-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-331-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/1772-162-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/1772-329-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/1772-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-332-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/1776-114-0x0000000003F70000-0x0000000003F87000-memory.dmp

Filesize
92KB

Download
memory/1776-193-0x0000000003F70000-0x0000000003F80000-memory.dmp

Filesize
64KB

Download
memory/1776-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1776-117-0x0000000003F70000-0x0000000003F80000-memory.dmp

Filesize
64KB

Download
memory/1776-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1776-188-0x0000000003F70000-0x0000000003F87000-memory.dmp

Filesize
92KB

Download
memory/1836-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1836-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1836-253-0x0000000003330000-0x0000000003347000-memory.dmp

Filesize
92KB

Download
memory/1836-254-0x0000000003330000-0x0000000003347000-memory.dmp

Filesize
92KB

Download
memory/1836-245-0x0000000003330000-0x0000000003347000-memory.dmp

Filesize
92KB

Download
memory/2044-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2044-267-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2044-268-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2044-269-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2064-1337-0x0000000077320000-0x000000007743F000-memory.dmp

Filesize
1.1MB

Download
memory/2064-1338-0x0000000077220000-0x000000007731A000-memory.dmp

Filesize
1000KB

Download
memory/2064-1339-0x0000000003DC0000-0x0000000003F84000-memory.dmp

Filesize
1.8MB

Download
memory/2068-300-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2068-297-0x0000000003DB0000-0x0000000003DC7000-memory.dmp

Filesize
92KB

Download
memory/2068-298-0x0000000003DB0000-0x0000000003DC7000-memory.dmp

Filesize
92KB

Download
memory/2068-299-0x0000000003B20000-0x0000000003B30000-memory.dmp

Filesize
64KB

Download
memory/2068-283-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2252-132-0x0000000003E40000-0x0000000003E57000-memory.dmp

Filesize
92KB

Download
memory/2252-131-0x0000000003E40000-0x0000000003E57000-memory.dmp

Filesize
92KB

Download
memory/2252-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-70-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/2384-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-66-0x0000000003F80000-0x0000000003F97000-memory.dmp

Filesize
92KB

Download
memory/2384-65-0x0000000003F80000-0x0000000003F97000-memory.dmp

Filesize
92KB

Download
memory/2384-64-0x0000000003F80000-0x0000000003F97000-memory.dmp

Filesize
92KB

Download
memory/2440-200-0x00000000036D0000-0x00000000036E7000-memory.dmp

Filesize
92KB

Download
memory/2440-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2440-206-0x00000000036E0000-0x00000000036F7000-memory.dmp

Filesize
92KB

Download
memory/2464-236-0x00000000033D0000-0x00000000033E7000-memory.dmp

Filesize
92KB

Download
memory/2464-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-238-0x0000000003430000-0x0000000003447000-memory.dmp

Filesize
92KB

Download
memory/2464-237-0x0000000003430000-0x0000000003447000-memory.dmp

Filesize
92KB

Download
memory/2464-235-0x00000000033D0000-0x00000000033E7000-memory.dmp

Filesize
92KB

Download
memory/2540-378-0x00000000040D0000-0x00000000040E7000-memory.dmp

Filesize
92KB

Download
memory/2540-382-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-379-0x00000000040D0000-0x00000000040E7000-memory.dmp

Filesize
92KB

Download
memory/2540-374-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/2540-381-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/2560-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-43-0x0000000004040000-0x0000000004057000-memory.dmp

Filesize
92KB

Download
memory/2560-37-0x00000000038D0000-0x00000000038E7000-memory.dmp

Filesize
92KB

Download
memory/2560-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-216-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/2616-223-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-217-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/2616-222-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2660-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-89-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2660-90-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/2660-88-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2660-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-94-0x0000000003E70000-0x0000000003E80000-memory.dmp

Filesize
64KB

Download
memory/2740-357-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/2740-365-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2740-362-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2740-363-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2740-364-0x0000000003EE0000-0x0000000003EF0000-memory.dmp

Filesize
64KB

Download
memory/2740-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2756-284-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/2756-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2756-285-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2764-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download