Analysis

  • max time kernel
    116s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2024, 03:11

General

  • Target

    124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe

  • Size

    97KB

  • MD5

    12552efed1e955111926e48b1d277910

  • SHA1

    4ffe01b76370a5d571ac7f1e14a44c738a3b1b50

  • SHA256

    124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43

  • SHA512

    99f58d14120100bbf0a155c7dfb6cf316a2bdeaac33dc4fb0a8008aef4ff21a2f817f5f4087e6fe7e44dc2201b28285d6ea31940bec62bd1a15ca3b52006a346

  • SSDEEP

    1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCi7w:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC3

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 14 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
    "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\wsvsq.exe
      "C:\Windows\system32\wsvsq.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\SysWOW64\wqjortx.exe
        "C:\Windows\system32\wqjortx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\wohhq.exe
          "C:\Windows\system32\wohhq.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Windows\SysWOW64\wekmsexs.exe
            "C:\Windows\system32\wekmsexs.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3240
            • C:\Windows\SysWOW64\wymnnjae.exe
              "C:\Windows\system32\wymnnjae.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3308
              • C:\Windows\SysWOW64\wywxe.exe
                "C:\Windows\system32\wywxe.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:1772
                • C:\Windows\SysWOW64\wnowg.exe
                  "C:\Windows\system32\wnowg.exe"
                  8⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3040
                  • C:\Windows\SysWOW64\wdoi.exe
                    "C:\Windows\system32\wdoi.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:4272
                    • C:\Windows\SysWOW64\wmloo.exe
                      "C:\Windows\system32\wmloo.exe"
                      10⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:1860
                      • C:\Windows\SysWOW64\wlruth.exe
                        "C:\Windows\system32\wlruth.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Suspicious use of WriteProcessMemory
                        PID:1736
                        • C:\Windows\SysWOW64\wrhenplnf.exe
                          "C:\Windows\system32\wrhenplnf.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4124
                          • C:\Windows\SysWOW64\wiki.exe
                            "C:\Windows\system32\wiki.exe"
                            13⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            PID:3932
                            • C:\Windows\SysWOW64\wxyyaqsu.exe
                              "C:\Windows\system32\wxyyaqsu.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              PID:3380
                              • C:\Windows\SysWOW64\wkrwf.exe
                                "C:\Windows\system32\wkrwf.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                PID:1236
                                • C:\Windows\SysWOW64\wphg.exe
                                  "C:\Windows\system32\wphg.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Drops file in System32 directory
                                  PID:3928
                                  • C:\Windows\SysWOW64\wuwp.exe
                                    "C:\Windows\system32\wuwp.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    PID:1612
                                    • C:\Windows\SysWOW64\wxocwtx.exe
                                      "C:\Windows\system32\wxocwtx.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:2872
                                      • C:\Windows\SysWOW64\whvsa.exe
                                        "C:\Windows\system32\whvsa.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        • Drops file in System32 directory
                                        PID:1588
                                        • C:\Windows\SysWOW64\whxqmnbhw.exe
                                          "C:\Windows\system32\whxqmnbhw.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          PID:3796
                                          • C:\Windows\SysWOW64\wujl.exe
                                            "C:\Windows\system32\wujl.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:5100
                                            • C:\Windows\SysWOW64\wtvvud.exe
                                              "C:\Windows\system32\wtvvud.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Adds Run key to start application
                                              PID:4252
                                              • C:\Windows\SysWOW64\wrcaabc.exe
                                                "C:\Windows\system32\wrcaabc.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:3876
                                                • C:\Windows\SysWOW64\whrrjpl.exe
                                                  "C:\Windows\system32\whrrjpl.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Adds Run key to start application
                                                  PID:3264
                                                  • C:\Windows\SysWOW64\wxtumb.exe
                                                    "C:\Windows\system32\wxtumb.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Adds Run key to start application
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2736
                                                    • C:\Windows\SysWOW64\wdjeh.exe
                                                      "C:\Windows\system32\wdjeh.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:4320
                                                      • C:\Windows\SysWOW64\wkvfh.exe
                                                        "C:\Windows\system32\wkvfh.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • Drops file in System32 directory
                                                        PID:5104
                                                        • C:\Windows\SysWOW64\wyhb.exe
                                                          "C:\Windows\system32\wyhb.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          • Drops file in System32 directory
                                                          PID:4224
                                                          • C:\Windows\SysWOW64\wpavt.exe
                                                            "C:\Windows\system32\wpavt.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            PID:2396
                                                            • C:\Windows\SysWOW64\wix.exe
                                                              "C:\Windows\system32\wix.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              • Drops file in System32 directory
                                                              PID:4748
                                                              • C:\Windows\SysWOW64\wjhcpsila.exe
                                                                "C:\Windows\system32\wjhcpsila.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:2588
                                                                • C:\Windows\SysWOW64\wuwhcslaa.exe
                                                                  "C:\Windows\system32\wuwhcslaa.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Adds Run key to start application
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4916
                                                                  • C:\Windows\SysWOW64\wguobqy.exe
                                                                    "C:\Windows\system32\wguobqy.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • Drops file in System32 directory
                                                                    PID:4032
                                                                    • C:\Windows\SysWOW64\wovdrrma.exe
                                                                      "C:\Windows\system32\wovdrrma.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Adds Run key to start application
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4252
                                                                      • C:\Windows\SysWOW64\wmakx.exe
                                                                        "C:\Windows\system32\wmakx.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4964
                                                                        • C:\Windows\SysWOW64\wcoy.exe
                                                                          "C:\Windows\system32\wcoy.exe"
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Adds Run key to start application
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2756
                                                                          • C:\Windows\SysWOW64\wxrbcifc.exe
                                                                            "C:\Windows\system32\wxrbcifc.exe"
                                                                            37⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Adds Run key to start application
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4212
                                                                            • C:\Windows\SysWOW64\wugjtf.exe
                                                                              "C:\Windows\system32\wugjtf.exe"
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              PID:2652
                                                                              • C:\Windows\SysWOW64\wbtsno.exe
                                                                                "C:\Windows\system32\wbtsno.exe"
                                                                                39⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4244
                                                                                • C:\Windows\SysWOW64\wtccd.exe
                                                                                  "C:\Windows\system32\wtccd.exe"
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Adds Run key to start application
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:676
                                                                                  • C:\Windows\SysWOW64\wlpdl.exe
                                                                                    "C:\Windows\system32\wlpdl.exe"
                                                                                    41⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Adds Run key to start application
                                                                                    PID:3116
                                                                                    • C:\Windows\SysWOW64\weavtd.exe
                                                                                      "C:\Windows\system32\weavtd.exe"
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Adds Run key to start application
                                                                                      PID:768
                                                                                      • C:\Windows\SysWOW64\wusqppnp.exe
                                                                                        "C:\Windows\system32\wusqppnp.exe"
                                                                                        43⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Adds Run key to start application
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3016
                                                                                        • C:\Windows\SysWOW64\wxpegfs.exe
                                                                                          "C:\Windows\system32\wxpegfs.exe"
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:2320
                                                                                          • C:\Windows\SysWOW64\wmpqp.exe
                                                                                            "C:\Windows\system32\wmpqp.exe"
                                                                                            45⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3056
                                                                                            • C:\Windows\SysWOW64\wpnfflpt.exe
                                                                                              "C:\Windows\system32\wpnfflpt.exe"
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Adds Run key to start application
                                                                                              PID:4504
                                                                                              • C:\Windows\SysWOW64\wdnrodh.exe
                                                                                                "C:\Windows\system32\wdnrodh.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Adds Run key to start application
                                                                                                PID:1712
                                                                                                • C:\Windows\SysWOW64\wfok.exe
                                                                                                  "C:\Windows\system32\wfok.exe"
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Adds Run key to start application
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2856
                                                                                                  • C:\Windows\SysWOW64\wto.exe
                                                                                                    "C:\Windows\system32\wto.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Adds Run key to start application
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:2296
                                                                                                    • C:\Windows\SysWOW64\wpku.exe
                                                                                                      "C:\Windows\system32\wpku.exe"
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1688
                                                                                                      • C:\Windows\SysWOW64\wkbpjl.exe
                                                                                                        "C:\Windows\system32\wkbpjl.exe"
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Adds Run key to start application
                                                                                                        PID:4472
                                                                                                        • C:\Windows\SysWOW64\wvqutl.exe
                                                                                                          "C:\Windows\system32\wvqutl.exe"
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:1868
                                                                                                          • C:\Windows\SysWOW64\wsbkrnk.exe
                                                                                                            "C:\Windows\system32\wsbkrnk.exe"
                                                                                                            53⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:2872
                                                                                                            • C:\Windows\SysWOW64\wyfwmqdb.exe
                                                                                                              "C:\Windows\system32\wyfwmqdb.exe"
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Adds Run key to start application
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:1724
                                                                                                              • C:\Windows\SysWOW64\wkcclo.exe
                                                                                                                "C:\Windows\system32\wkcclo.exe"
                                                                                                                55⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4976
                                                                                                                • C:\Windows\SysWOW64\wimrkr.exe
                                                                                                                  "C:\Windows\system32\wimrkr.exe"
                                                                                                                  56⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:4748
                                                                                                                  • C:\Windows\SysWOW64\welvcsw.exe
                                                                                                                    "C:\Windows\system32\welvcsw.exe"
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:2600
                                                                                                                    • C:\Windows\SysWOW64\wyxgcwj.exe
                                                                                                                      "C:\Windows\system32\wyxgcwj.exe"
                                                                                                                      58⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2708
                                                                                                                      • C:\Windows\SysWOW64\wnytm.exe
                                                                                                                        "C:\Windows\system32\wnytm.exe"
                                                                                                                        59⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Adds Run key to start application
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3580
                                                                                                                        • C:\Windows\SysWOW64\wdbx.exe
                                                                                                                          "C:\Windows\system32\wdbx.exe"
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Adds Run key to start application
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:3788
                                                                                                                          • C:\Windows\SysWOW64\wgocxpt.exe
                                                                                                                            "C:\Windows\system32\wgocxpt.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:4840
                                                                                                                            • C:\Windows\SysWOW64\wcjbdsow.exe
                                                                                                                              "C:\Windows\system32\wcjbdsow.exe"
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Adds Run key to start application
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:1656
                                                                                                                              • C:\Windows\SysWOW64\wmyforsk.exe
                                                                                                                                "C:\Windows\system32\wmyforsk.exe"
                                                                                                                                63⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:4852
                                                                                                                                • C:\Windows\SysWOW64\wwauht.exe
                                                                                                                                  "C:\Windows\system32\wwauht.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4904
                                                                                                                                  • C:\Windows\SysWOW64\wirtmnq.exe
                                                                                                                                    "C:\Windows\system32\wirtmnq.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    PID:540
                                                                                                                                    • C:\Windows\SysWOW64\wavaoa.exe
                                                                                                                                      "C:\Windows\system32\wavaoa.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      PID:3996
                                                                                                                                      • C:\Windows\SysWOW64\wlkshvuxr.exe
                                                                                                                                        "C:\Windows\system32\wlkshvuxr.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        PID:4504
                                                                                                                                        • C:\Windows\SysWOW64\wifof.exe
                                                                                                                                          "C:\Windows\system32\wifof.exe"
                                                                                                                                          68⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          PID:4620
                                                                                                                                          • C:\Windows\SysWOW64\webkvsrp.exe
                                                                                                                                            "C:\Windows\system32\webkvsrp.exe"
                                                                                                                                            69⤵
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            PID:1428
                                                                                                                                            • C:\Windows\SysWOW64\wrogll.exe
                                                                                                                                              "C:\Windows\system32\wrogll.exe"
                                                                                                                                              70⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:4292
                                                                                                                                              • C:\Windows\SysWOW64\wpbp.exe
                                                                                                                                                "C:\Windows\system32\wpbp.exe"
                                                                                                                                                71⤵
                                                                                                                                                • Checks computer location settings
                                                                                                                                                PID:2736
                                                                                                                                                • C:\Windows\SysWOW64\wtnsnw.exe
                                                                                                                                                  "C:\Windows\system32\wtnsnw.exe"
                                                                                                                                                  72⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  PID:212
                                                                                                                                                  • C:\Windows\SysWOW64\wuefq.exe
                                                                                                                                                    "C:\Windows\system32\wuefq.exe"
                                                                                                                                                    73⤵
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5100
                                                                                                                                                    • C:\Windows\SysWOW64\wwts.exe
                                                                                                                                                      "C:\Windows\system32\wwts.exe"
                                                                                                                                                      74⤵
                                                                                                                                                        PID:4848
                                                                                                                                                        • C:\Windows\SysWOW64\wmjtv.exe
                                                                                                                                                          "C:\Windows\system32\wmjtv.exe"
                                                                                                                                                          75⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:2864
                                                                                                                                                          • C:\Windows\SysWOW64\wcxje.exe
                                                                                                                                                            "C:\Windows\system32\wcxje.exe"
                                                                                                                                                            76⤵
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            PID:2872
                                                                                                                                                            • C:\Windows\SysWOW64\wlgld.exe
                                                                                                                                                              "C:\Windows\system32\wlgld.exe"
                                                                                                                                                              77⤵
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              PID:2392
                                                                                                                                                              • C:\Windows\SysWOW64\wckcxxj.exe
                                                                                                                                                                "C:\Windows\system32\wckcxxj.exe"
                                                                                                                                                                78⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                PID:408
                                                                                                                                                                • C:\Windows\SysWOW64\wihnferv.exe
                                                                                                                                                                  "C:\Windows\system32\wihnferv.exe"
                                                                                                                                                                  79⤵
                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                  PID:1032
                                                                                                                                                                  • C:\Windows\SysWOW64\wsidw.exe
                                                                                                                                                                    "C:\Windows\system32\wsidw.exe"
                                                                                                                                                                    80⤵
                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:2824
                                                                                                                                                                    • C:\Windows\SysWOW64\wqukncw.exe
                                                                                                                                                                      "C:\Windows\system32\wqukncw.exe"
                                                                                                                                                                      81⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:1652
                                                                                                                                                                      • C:\Windows\SysWOW64\wtsafq.exe
                                                                                                                                                                        "C:\Windows\system32\wtsafq.exe"
                                                                                                                                                                        82⤵
                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:1784
                                                                                                                                                                        • C:\Windows\SysWOW64\wvy.exe
                                                                                                                                                                          "C:\Windows\system32\wvy.exe"
                                                                                                                                                                          83⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:4252
                                                                                                                                                                          • C:\Windows\SysWOW64\wdyucpwo.exe
                                                                                                                                                                            "C:\Windows\system32\wdyucpwo.exe"
                                                                                                                                                                            84⤵
                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:5112
                                                                                                                                                                            • C:\Windows\SysWOW64\wfbofc.exe
                                                                                                                                                                              "C:\Windows\system32\wfbofc.exe"
                                                                                                                                                                              85⤵
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:1836
                                                                                                                                                                              • C:\Windows\SysWOW64\wpjgjbd.exe
                                                                                                                                                                                "C:\Windows\system32\wpjgjbd.exe"
                                                                                                                                                                                86⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                PID:1840
                                                                                                                                                                                • C:\Windows\SysWOW64\wmavv.exe
                                                                                                                                                                                  "C:\Windows\system32\wmavv.exe"
                                                                                                                                                                                  87⤵
                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  PID:4684
                                                                                                                                                                                  • C:\Windows\SysWOW64\wvpqp.exe
                                                                                                                                                                                    "C:\Windows\system32\wvpqp.exe"
                                                                                                                                                                                    88⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:4552
                                                                                                                                                                                    • C:\Windows\SysWOW64\wooyq.exe
                                                                                                                                                                                      "C:\Windows\system32\wooyq.exe"
                                                                                                                                                                                      89⤵
                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:1664
                                                                                                                                                                                      • C:\Windows\SysWOW64\wlgpcko.exe
                                                                                                                                                                                        "C:\Windows\system32\wlgpcko.exe"
                                                                                                                                                                                        90⤵
                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:4872
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wooyq.exe"
                                                                                                                                                                                        90⤵
                                                                                                                                                                                          PID:3712
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpqp.exe"
                                                                                                                                                                                        89⤵
                                                                                                                                                                                          PID:5084
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmavv.exe"
                                                                                                                                                                                        88⤵
                                                                                                                                                                                          PID:64
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjgjbd.exe"
                                                                                                                                                                                        87⤵
                                                                                                                                                                                          PID:4244
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbofc.exe"
                                                                                                                                                                                        86⤵
                                                                                                                                                                                          PID:2652
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1432
                                                                                                                                                                                          86⤵
                                                                                                                                                                                          • Program crash
                                                                                                                                                                                          PID:1648
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyucpwo.exe"
                                                                                                                                                                                        85⤵
                                                                                                                                                                                          PID:4688
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 116
                                                                                                                                                                                          85⤵
                                                                                                                                                                                          • Program crash
                                                                                                                                                                                          PID:3048
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1536
                                                                                                                                                                                          85⤵
                                                                                                                                                                                          • Program crash
                                                                                                                                                                                          PID:1444
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvy.exe"
                                                                                                                                                                                        84⤵
                                                                                                                                                                                          PID:4280
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1432
                                                                                                                                                                                          84⤵
                                                                                                                                                                                          • Program crash
                                                                                                                                                                                          PID:536
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsafq.exe"
                                                                                                                                                                                        83⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:2440
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqukncw.exe"
                                                                                                                                                                                      82⤵
                                                                                                                                                                                        PID:4224
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsidw.exe"
                                                                                                                                                                                      81⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:3796
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihnferv.exe"
                                                                                                                                                                                    80⤵
                                                                                                                                                                                      PID:2396
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckcxxj.exe"
                                                                                                                                                                                    79⤵
                                                                                                                                                                                      PID:3388
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgld.exe"
                                                                                                                                                                                    78⤵
                                                                                                                                                                                      PID:1800
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxje.exe"
                                                                                                                                                                                    77⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:4620
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjtv.exe"
                                                                                                                                                                                  76⤵
                                                                                                                                                                                    PID:1708
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwts.exe"
                                                                                                                                                                                  75⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:3996
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuefq.exe"
                                                                                                                                                                                74⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:2600
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnsnw.exe"
                                                                                                                                                                              73⤵
                                                                                                                                                                                PID:4472
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbp.exe"
                                                                                                                                                                              72⤵
                                                                                                                                                                                PID:3976
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrogll.exe"
                                                                                                                                                                              71⤵
                                                                                                                                                                                PID:4936
                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1280
                                                                                                                                                                                71⤵
                                                                                                                                                                                • Program crash
                                                                                                                                                                                PID:3800
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webkvsrp.exe"
                                                                                                                                                                              70⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:4964
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifof.exe"
                                                                                                                                                                            69⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:968
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkshvuxr.exe"
                                                                                                                                                                          68⤵
                                                                                                                                                                            PID:4244
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavaoa.exe"
                                                                                                                                                                          67⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:2864
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirtmnq.exe"
                                                                                                                                                                        66⤵
                                                                                                                                                                          PID:2360
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwauht.exe"
                                                                                                                                                                        65⤵
                                                                                                                                                                          PID:5100
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyforsk.exe"
                                                                                                                                                                        64⤵
                                                                                                                                                                          PID:1860
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjbdsow.exe"
                                                                                                                                                                        63⤵
                                                                                                                                                                          PID:4492
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgocxpt.exe"
                                                                                                                                                                        62⤵
                                                                                                                                                                          PID:4964
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"
                                                                                                                                                                        61⤵
                                                                                                                                                                          PID:2156
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnytm.exe"
                                                                                                                                                                        60⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:3484
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxgcwj.exe"
                                                                                                                                                                      59⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:1116
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welvcsw.exe"
                                                                                                                                                                    58⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:3272
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimrkr.exe"
                                                                                                                                                                  57⤵
                                                                                                                                                                    PID:3108
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcclo.exe"
                                                                                                                                                                  56⤵
                                                                                                                                                                    PID:368
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfwmqdb.exe"
                                                                                                                                                                  55⤵
                                                                                                                                                                    PID:1748
                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1340
                                                                                                                                                                    55⤵
                                                                                                                                                                    • Program crash
                                                                                                                                                                    PID:2008
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbkrnk.exe"
                                                                                                                                                                  54⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:4244
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqutl.exe"
                                                                                                                                                                53⤵
                                                                                                                                                                  PID:4740
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbpjl.exe"
                                                                                                                                                                52⤵
                                                                                                                                                                  PID:3536
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpku.exe"
                                                                                                                                                                51⤵
                                                                                                                                                                  PID:4200
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
                                                                                                                                                                50⤵
                                                                                                                                                                  PID:4412
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfok.exe"
                                                                                                                                                                49⤵
                                                                                                                                                                  PID:968
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnrodh.exe"
                                                                                                                                                                48⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:1100
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnfflpt.exe"
                                                                                                                                                              47⤵
                                                                                                                                                                PID:4832
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpqp.exe"
                                                                                                                                                              46⤵
                                                                                                                                                                PID:3272
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpegfs.exe"
                                                                                                                                                              45⤵
                                                                                                                                                                PID:1960
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusqppnp.exe"
                                                                                                                                                              44⤵
                                                                                                                                                                PID:3676
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weavtd.exe"
                                                                                                                                                              43⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:2736
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpdl.exe"
                                                                                                                                                            42⤵
                                                                                                                                                              PID:2352
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtccd.exe"
                                                                                                                                                            41⤵
                                                                                                                                                              PID:1708
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtsno.exe"
                                                                                                                                                            40⤵
                                                                                                                                                              PID:3928
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugjtf.exe"
                                                                                                                                                            39⤵
                                                                                                                                                              PID:1824
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrbcifc.exe"
                                                                                                                                                            38⤵
                                                                                                                                                              PID:2108
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 768
                                                                                                                                                              38⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:4492
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 116
                                                                                                                                                              38⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:4852
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1476
                                                                                                                                                              38⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:3848
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 304
                                                                                                                                                              38⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:4992
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoy.exe"
                                                                                                                                                            37⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:2920
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmakx.exe"
                                                                                                                                                          36⤵
                                                                                                                                                            PID:4716
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovdrrma.exe"
                                                                                                                                                          35⤵
                                                                                                                                                            PID:1628
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguobqy.exe"
                                                                                                                                                          34⤵
                                                                                                                                                            PID:3680
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwhcslaa.exe"
                                                                                                                                                          33⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:3108
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhcpsila.exe"
                                                                                                                                                        32⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1544
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wix.exe"
                                                                                                                                                      31⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1424
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpavt.exe"
                                                                                                                                                    30⤵
                                                                                                                                                      PID:4016
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhb.exe"
                                                                                                                                                    29⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1348
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfh.exe"
                                                                                                                                                  28⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:2928
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjeh.exe"
                                                                                                                                                27⤵
                                                                                                                                                  PID:1580
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtumb.exe"
                                                                                                                                                26⤵
                                                                                                                                                  PID:968
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrrjpl.exe"
                                                                                                                                                25⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:1956
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcaabc.exe"
                                                                                                                                              24⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:3324
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 116
                                                                                                                                              24⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:336
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvvud.exe"
                                                                                                                                            23⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:3284
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujl.exe"
                                                                                                                                          22⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:1872
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1652
                                                                                                                                          22⤵
                                                                                                                                          • Program crash
                                                                                                                                          PID:1528
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxqmnbhw.exe"
                                                                                                                                        21⤵
                                                                                                                                          PID:1460
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvsa.exe"
                                                                                                                                        20⤵
                                                                                                                                          PID:1428
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxocwtx.exe"
                                                                                                                                        19⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:2156
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwp.exe"
                                                                                                                                      18⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:536
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphg.exe"
                                                                                                                                    17⤵
                                                                                                                                      PID:3284
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrwf.exe"
                                                                                                                                    16⤵
                                                                                                                                      PID:4492
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyyaqsu.exe"
                                                                                                                                    15⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4700
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiki.exe"
                                                                                                                                  14⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4620
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhenplnf.exe"
                                                                                                                                13⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:2440
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlruth.exe"
                                                                                                                              12⤵
                                                                                                                                PID:4292
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1472
                                                                                                                                12⤵
                                                                                                                                • Program crash
                                                                                                                                PID:3324
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmloo.exe"
                                                                                                                              11⤵
                                                                                                                                PID:4604
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoi.exe"
                                                                                                                              10⤵
                                                                                                                                PID:4976
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnowg.exe"
                                                                                                                              9⤵
                                                                                                                                PID:2320
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywxe.exe"
                                                                                                                              8⤵
                                                                                                                                PID:1056
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymnnjae.exe"
                                                                                                                              7⤵
                                                                                                                                PID:3264
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekmsexs.exe"
                                                                                                                              6⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2600
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohhq.exe"
                                                                                                                            5⤵
                                                                                                                              PID:4792
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjortx.exe"
                                                                                                                            4⤵
                                                                                                                              PID:1564
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvsq.exe"
                                                                                                                            3⤵
                                                                                                                              PID:1392
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1580
                                                                                                                              3⤵
                                                                                                                              • Program crash
                                                                                                                              PID:2768
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
                                                                                                                            2⤵
                                                                                                                              PID:3276
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3644 -ip 3644
                                                                                                                            1⤵
                                                                                                                              PID:4620
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 1736 -ip 1736
                                                                                                                              1⤵
                                                                                                                                PID:3516
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5100 -ip 5100
                                                                                                                                1⤵
                                                                                                                                  PID:2652
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3876 -ip 3876
                                                                                                                                  1⤵
                                                                                                                                    PID:1348
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4212 -ip 4212
                                                                                                                                    1⤵
                                                                                                                                      PID:1020
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4212 -ip 4212
                                                                                                                                      1⤵
                                                                                                                                        PID:928
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4212 -ip 4212
                                                                                                                                        1⤵
                                                                                                                                          PID:4700
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4212 -ip 4212
                                                                                                                                          1⤵
                                                                                                                                            PID:1632
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1724 -ip 1724
                                                                                                                                            1⤵
                                                                                                                                              PID:3352
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4292 -ip 4292
                                                                                                                                              1⤵
                                                                                                                                                PID:1836
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4252 -ip 4252
                                                                                                                                                1⤵
                                                                                                                                                  PID:4316
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5112 -ip 5112
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4540
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5112 -ip 5112
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2896
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1836 -ip 1836
                                                                                                                                                      1⤵
                                                                                                                                                        PID:4804

                                                                                                                                                      Network

                                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                                            Replay Monitor

                                                                                                                                                            Loading Replay Monitor...

                                                                                                                                                            Downloads

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\install[2].htm

                                                                                                                                                              Filesize

                                                                                                                                                              7KB

                                                                                                                                                              MD5

                                                                                                                                                              9463ba07743e8a9aca3b55373121b7c5

                                                                                                                                                              SHA1

                                                                                                                                                              4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

                                                                                                                                                              SHA256

                                                                                                                                                              d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

                                                                                                                                                              SHA512

                                                                                                                                                              6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

                                                                                                                                                            • C:\Windows\SysWOW64\wdjeh.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              77e6dbbf8a93f98e96348cb49c7416b7

                                                                                                                                                              SHA1

                                                                                                                                                              a443ec10330cc0d528fe1d2da99b0d79d9621803

                                                                                                                                                              SHA256

                                                                                                                                                              f7f476e2edb42d33efcdb5e7d6ef1ddc11a63c42d8df5f6dc496259cafe82f19

                                                                                                                                                              SHA512

                                                                                                                                                              eecb06b56d9c49f7c45506a480aaf68d9bc96c73e68c6e002137f7b0312ae9a60d2b04ac0e54137d08082f5377b438f63e4d2700548731b4445cf69f565992d3

                                                                                                                                                            • C:\Windows\SysWOW64\wdoi.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              db0b3a23c309931dc16c044ea0f58355

                                                                                                                                                              SHA1

                                                                                                                                                              4be40147f9dad11271ccc6bdb8dbcc174af83d32

                                                                                                                                                              SHA256

                                                                                                                                                              c57c3d7c12e11bf29099b2495ed60e8803348b465bac1e744e12557daac5d045

                                                                                                                                                              SHA512

                                                                                                                                                              c9443f878e37ce51a1c895c94d8bd0c94ed1eb0b8bb342f5f25e07312620c08bf9e25e407da208f1a071d8accf66aab6c32be5def7dd49aad55b3d53a56be4c8

                                                                                                                                                            • C:\Windows\SysWOW64\wekmsexs.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              c8af3a1c47423afb0ada0f0671abdce0

                                                                                                                                                              SHA1

                                                                                                                                                              20e49dc3ff52d1232df8389eda0bbf5819600bd2

                                                                                                                                                              SHA256

                                                                                                                                                              25dba8e405896f09c769ecb2860f726a4955424468ddee20906c6c09fb1535e4

                                                                                                                                                              SHA512

                                                                                                                                                              c9eb8c4647a3ddf56f5f8123f0c4ac032439deb5ad3d3c9f182c24b349b7f525fb057403283459a734a623980a527fd8d789b2544df08eaeafbc903ab2f5e7b1

                                                                                                                                                            • C:\Windows\SysWOW64\wguobqy.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              0f09c91c815b2a0a7f5958b383bc19e5

                                                                                                                                                              SHA1

                                                                                                                                                              d25eab49d9dcb143039ee31ba8758349214222e7

                                                                                                                                                              SHA256

                                                                                                                                                              88f7b24d18e24d7bed8ddf3f688951d71f7bd30ba385ce43883fb72527ecbe41

                                                                                                                                                              SHA512

                                                                                                                                                              816dc0e7f025591fcc08e91da424804f81f1ce465fa5dbaf983def2420b09ba115c7e69777dfa1118af41bf57fbc4e3df531af06681d5aaabff2f5a3436e5233

                                                                                                                                                            • C:\Windows\SysWOW64\whrrjpl.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              df14ee5596c34746f3f059ab12d6670f

                                                                                                                                                              SHA1

                                                                                                                                                              d184d07cae732e3bb0dce4c8d84e7a7cca8a366c

                                                                                                                                                              SHA256

                                                                                                                                                              2c8d020e818722af31916f7648113066bffec81ab558192d3c5e14cd3956ab15

                                                                                                                                                              SHA512

                                                                                                                                                              138d2887ea5c86e9b4567908d16b4bb431031119a56e5470ccb2787198660413bc53aeaaa821359393c01276a5400af586168496748173450bb655ce502827ec

                                                                                                                                                            • C:\Windows\SysWOW64\whvsa.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              3ec5849eccc463c2de50e7a05b86e61d

                                                                                                                                                              SHA1

                                                                                                                                                              01629e1733e2e6586088046018370e254945078a

                                                                                                                                                              SHA256

                                                                                                                                                              ef1436f589ee0c717ce873134fcb831d52a1bd4a0fe0f339766ae604eeb29608

                                                                                                                                                              SHA512

                                                                                                                                                              1ae9286e41e887c31cda8435de00a96a4fa2a5ccf46e4db074fd01a80c74512a6864f2e9bcc28a86c47b9646f1b718f5155ec213b5d37a35179f23956b497fd3

                                                                                                                                                            • C:\Windows\SysWOW64\whxqmnbhw.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              7f76bf5ca8508b8a75230f61ead5c7a6

                                                                                                                                                              SHA1

                                                                                                                                                              da745acfdd3a53228fba000ca31d36cae7894514

                                                                                                                                                              SHA256

                                                                                                                                                              9dfaa4d66d8bb83b296dac68f029b77aa4c238829d0b095861f9809055635717

                                                                                                                                                              SHA512

                                                                                                                                                              2c8a54e2df78eca5132540f41872a2c629b641a8e1cbfec580eef43bc505d657a38a35618625dc22074467d354409764d1bafa05ba7511086160bbcffaae1b6d

                                                                                                                                                            • C:\Windows\SysWOW64\wiki.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              40e3141563be09b21481196e85d61139

                                                                                                                                                              SHA1

                                                                                                                                                              28b3dbb53d9323c4b7b35ec4da044d68377cf495

                                                                                                                                                              SHA256

                                                                                                                                                              fa8049f5139c9acd931e4e63743da8e209a467062d874aa3770acb0649001599

                                                                                                                                                              SHA512

                                                                                                                                                              636342c3a9f96954891eb1e6b7796bb8b3454a86970c0e7aa9b48b3002dd66baa19ba8fcc06eb3dbe8fb9af50693ec3efc2c876b09c427fcd90cd59c4668d684

                                                                                                                                                            • C:\Windows\SysWOW64\wix.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              924f81118cc0b39aadfa280abbc30e48

                                                                                                                                                              SHA1

                                                                                                                                                              666ac213346d837aa0ce308e95969478582d7111

                                                                                                                                                              SHA256

                                                                                                                                                              5fe1b048b81175c125bb38a33d134881642a28cab704924a0e21cead23ebf4ad

                                                                                                                                                              SHA512

                                                                                                                                                              b37cdef5394add6d2f163da7264e55d6a7195c2919ae14b861985cb98eb978b8742c0aa68ec337b922fa087af83ba991e840477030a5a0bfc98aa41e784766d0

                                                                                                                                                            • C:\Windows\SysWOW64\wjhcpsila.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              a9fc168d43eebcf2bd25e244cbb182cf

                                                                                                                                                              SHA1

                                                                                                                                                              8062d5b650cc263a3bc0023796154e49d03df83b

                                                                                                                                                              SHA256

                                                                                                                                                              e152b471a642450251d2b4cc0aae3f199aa750d19063e930539f5646ce27c7e8

                                                                                                                                                              SHA512

                                                                                                                                                              d9010cdc74dcb7e5d750997591721d60668526d8fd39170976355958ac83ffe8796e0372ecfe86d459f3f82460aff077d96b3031c5447c15322a8f49b0f201dd

                                                                                                                                                            • C:\Windows\SysWOW64\wkrwf.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              819f1b4a86a2e43858745e81ecc737a0

                                                                                                                                                              SHA1

                                                                                                                                                              f6b7be000411efc76e64c17f56d908ccd7aa46f3

                                                                                                                                                              SHA256

                                                                                                                                                              66ea7d519b589c0270b00fbebb629e0a23d33b2c686775934754ebc9b2274b61

                                                                                                                                                              SHA512

                                                                                                                                                              37d374fb8b6a1edc1ad7b9f4941554151ec2e42c8ec50c958f1157f8c4b1e1322148ba3a56440969cdefbd9678a429b312b55404722bbd458ca7ff5e151460ad

                                                                                                                                                            • C:\Windows\SysWOW64\wkvfh.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              4a5949517c4588034ce413b42d858ece

                                                                                                                                                              SHA1

                                                                                                                                                              10a4190ffad3246a83bcc38d5a975800b64b9c99

                                                                                                                                                              SHA256

                                                                                                                                                              5d50e1014764562556d821b329124661a722657655576ca558071a925153bbdb

                                                                                                                                                              SHA512

                                                                                                                                                              882634c68b5f3aac69a77d870cce30ef4c1d49e7774f490f0199297f4d7ecf3314bd89d4f176fe067c3836cac957b0c8b374452fc5975a8c10233b20223d6877

                                                                                                                                                            • C:\Windows\SysWOW64\wlruth.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              83ab5f8499894a3c825329919fd68f20

                                                                                                                                                              SHA1

                                                                                                                                                              d3128cacce00bcd85e86a3a26b5eab1cfbb32eac

                                                                                                                                                              SHA256

                                                                                                                                                              c09b6b2e4c02ae0fe06a573b66239e772cf36e8879aaf39d6e7b120eed4ce721

                                                                                                                                                              SHA512

                                                                                                                                                              c19630e3fe789decb9d04567df29d253bd2b909d05410a3aebe847233dc189e476f0555886a33ac0c30196d498af62759e41835631a2cbe6fc41c7bf97177504

                                                                                                                                                            • C:\Windows\SysWOW64\wmloo.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              62e3e78913dfa2f5505a409034cf008b

                                                                                                                                                              SHA1

                                                                                                                                                              6ce19da561ff9aad01e18f015fe50df94661698e

                                                                                                                                                              SHA256

                                                                                                                                                              92eee4d29082b25fc5273e251d74b73afc65501d9d2d79e7455e5d5717ccf4c0

                                                                                                                                                              SHA512

                                                                                                                                                              fcd2ba170827aa2c59c0468aeb743ec16b00d0051d6c0507b29e575acf6c8e78ffae22dd10b5d3229609dcebe65633c63a308dbcea5323e56c55df40ff3006f2

                                                                                                                                                            • C:\Windows\SysWOW64\wnowg.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              22dc67482dadc2b408b0baa1dee03224

                                                                                                                                                              SHA1

                                                                                                                                                              cd948d2c70e3b273ff78bc5ec2e30e3c2dfb9921

                                                                                                                                                              SHA256

                                                                                                                                                              99d7013ba2bd54d6e3027aceb3e50ba4091ee0316426b3ccdc2d6d7b60c49e29

                                                                                                                                                              SHA512

                                                                                                                                                              c8d0eee042e2cf4f8180ed742e34750227eb97f51968746841e8080ec111a3ed43e356395422e86c825334d56c0266958d3b403d12e3a26a358e47c68ee48508

                                                                                                                                                            • C:\Windows\SysWOW64\wohhq.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              3ab55e66b5d8714f712774038310dd36

                                                                                                                                                              SHA1

                                                                                                                                                              171a6081849a3e4f98730dce8e3274cb9d131354

                                                                                                                                                              SHA256

                                                                                                                                                              ab0a1c9dc2081991e45259f3577107844f1b85b93ff249505fb60a6900c84dc2

                                                                                                                                                              SHA512

                                                                                                                                                              5fc367ca2566588701582974e7af23eaa8be1e7ec28995eee174b9d8dfeffcf4e9c4bba5d193d2d51bca4121ee8b909ef5acb8abde7ce332e8cd813a9d1838b3

                                                                                                                                                            • C:\Windows\SysWOW64\wpavt.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              2750bf5c79f1cc17cd3c62bb9368d678

                                                                                                                                                              SHA1

                                                                                                                                                              ac8bd532d877ae663165514726dd47943d74e1be

                                                                                                                                                              SHA256

                                                                                                                                                              c1f138d3a4629c7a412bce99afbc12c8b606ee7928db2bc43a9b4865094115a6

                                                                                                                                                              SHA512

                                                                                                                                                              e9f623a86ca4c5c9c75ffd06d08324399f8ad11f4aea72e42225be3cbcc56d15ada2e1d2b35d8b8934ee1d22bace0d96cd2bab5f4e88264f4ba028914b635a9c

                                                                                                                                                            • C:\Windows\SysWOW64\wphg.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              0d2e94c9da2f382395f7c77e0a14b184

                                                                                                                                                              SHA1

                                                                                                                                                              e34e0cca9eca36b2e804a28af1a24874271b12b1

                                                                                                                                                              SHA256

                                                                                                                                                              6564cca5ffc72d667c372a99a4353e6f3baffb415cc453390b3905344636a951

                                                                                                                                                              SHA512

                                                                                                                                                              dcb754b5f15913756d62e5bcf3d90683c8abd8f27eca1ff30c944e8d7f70644929b586d96bf088136dc6f77e5ed3972b0aad4345a1680488a1859cbadd9b69df

                                                                                                                                                            • C:\Windows\SysWOW64\wqjortx.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              bd79d1b71c59756bb620f08855e12ff7

                                                                                                                                                              SHA1

                                                                                                                                                              ade6e3db661edd87fbcf36f742cb91b80bde88cc

                                                                                                                                                              SHA256

                                                                                                                                                              a034de828ff3b4c6b2a80d2512ab86a981b9f6a0813d453b266b791facfc4e4e

                                                                                                                                                              SHA512

                                                                                                                                                              73221984330becaa0869775d65de8c71eea9304fa0cc0af040eae37fcf3faf835991c772b0e72b0bd89fb79ef52fb79bb1f9f5ba89d1346a48cb9c05d50d20ad

                                                                                                                                                            • C:\Windows\SysWOW64\wrcaabc.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              1d57fa01e8af11b31dbf230fd8607fc9

                                                                                                                                                              SHA1

                                                                                                                                                              98deb4a383eb6d7af9e7819f2c7a81c065131a68

                                                                                                                                                              SHA256

                                                                                                                                                              5e49e757a9726607b284ddd12fbf6d93833a7712887be8ebf1462fec3adfc5bb

                                                                                                                                                              SHA512

                                                                                                                                                              736e73cb67220b2089199d5ee01ab038f1ef8685de79067a6108cad09ddfc5d869c45ca829f89cad3d93ead815e1758004aa90f38ea7f0d8cddd45ab6954a3d5

                                                                                                                                                            • C:\Windows\SysWOW64\wrhenplnf.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              35f169fe8f13cb866606f4053647e2cc

                                                                                                                                                              SHA1

                                                                                                                                                              dac258ae29b2b733d8e4e544358e44f83ce9662c

                                                                                                                                                              SHA256

                                                                                                                                                              88ab98a55c746c3dec2eab338fbefc6df29872a4ef8f15ba1e53c19d3cfdba77

                                                                                                                                                              SHA512

                                                                                                                                                              8d798ad7f519926b839071e8aa8db2aa096882ac054ee41ab4ebbf7abd8b7afa8506d8d5de8c61a81656a71fc2a1420a0208b26d9f9a7e316669b2af0182396f

                                                                                                                                                            • C:\Windows\SysWOW64\wsvsq.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              b7d62339335b5bf423750329fd4746dc

                                                                                                                                                              SHA1

                                                                                                                                                              1b30bfc356359dacec9347280c9a1ece09da7e63

                                                                                                                                                              SHA256

                                                                                                                                                              f540f879dc0bbc82a6e5e4b3188560c8faf83b9535445763f90ad0f813f343bc

                                                                                                                                                              SHA512

                                                                                                                                                              9d7ec67aa07efc3db63abbcfb06bbb3ca2079bc543b7c03c7e7d41676c5dade32d68536210adf52604166f9c2461d658776787ab0e204b78115a60da9c4c5f42

                                                                                                                                                            • C:\Windows\SysWOW64\wtvvud.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              95acecac4479b1eab1c5e30e00d94c56

                                                                                                                                                              SHA1

                                                                                                                                                              49f969b49f2b69f2a9d15fa6bf5b9b27fc77e103

                                                                                                                                                              SHA256

                                                                                                                                                              41b9b699ca06977206e180fdf7408f8eca77c9c243b0fb83e78f0688135ac65a

                                                                                                                                                              SHA512

                                                                                                                                                              9a2b4c8a2f92dd6251c5409025c1bf7416287955013c93cea76c778215342ba24ea8bcef34c6e679c8ca0285b05672e94b8695a2d70fbb5221ca7784625143ce

                                                                                                                                                            • C:\Windows\SysWOW64\wujl.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              a5290f088d94926ac916039f7a32ca7a

                                                                                                                                                              SHA1

                                                                                                                                                              7324330a73c14a4df82211c9fc773b7030619713

                                                                                                                                                              SHA256

                                                                                                                                                              d62a70c127f57a26815dc16c9c8c72eeb74965f3fe3c1bbd63f1e766664ffb61

                                                                                                                                                              SHA512

                                                                                                                                                              669dfee63bd3b95bbd96cc5bac5260aad87c7187ca4f1e87585ecc8ac59210bde5d398bdfcaab6d1470a50a7e1cf9b7d07ad02636be5e2e8c65bfbc989498a7f

                                                                                                                                                            • C:\Windows\SysWOW64\wuwhcslaa.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              5e0eddbc51f40c909c09217bcd525ba8

                                                                                                                                                              SHA1

                                                                                                                                                              64086068ff62fbadbc4a43a2390d0721bc43c726

                                                                                                                                                              SHA256

                                                                                                                                                              a65f247dd033822a5512d652a963851884ae9e0b5ea55a57ec703a89439870ac

                                                                                                                                                              SHA512

                                                                                                                                                              5de21080686b8bc067ea65e606c23014d34d99d31933f8420db47b8a3093239b701b2f5cd08c5a356166812ca5312f0a609c360be32bfacbd840d2e01ffb6bdc

                                                                                                                                                            • C:\Windows\SysWOW64\wuwp.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              d3ffbd90c661d491ce1e3d0482237ef3

                                                                                                                                                              SHA1

                                                                                                                                                              8aee8191b6a5827cdb329841142504e3e15f969b

                                                                                                                                                              SHA256

                                                                                                                                                              430288c8a4ac458e2630027479d8af9b0cae6a077a021ae1ab7a8d305a1cb22b

                                                                                                                                                              SHA512

                                                                                                                                                              92c9f3595ed1277007c8ecfcd713e33c586f26c9f8a2653dcf44f1c1bb0cde2ca00b3213086a3b60b5b92252c7637c504b71f2fd03e2d2b102a4f96991c296c4

                                                                                                                                                            • C:\Windows\SysWOW64\wxocwtx.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              9a9c364bd5c5cd2e2091b76ad534a07a

                                                                                                                                                              SHA1

                                                                                                                                                              65d7f5858e4743401864c801929ceef56f424ad4

                                                                                                                                                              SHA256

                                                                                                                                                              e0f9c93b70f52bfe461df92a06f86433d26d213f3614c46dab755f80de152f94

                                                                                                                                                              SHA512

                                                                                                                                                              3f49781847d548078944b50acfd74a7788cd60e878c2f1f70b5264661104a4ab7227013aa7df092ea360ff8fdd9debfd08f7f9a416509384f6e5f4333e8260c7

                                                                                                                                                            • C:\Windows\SysWOW64\wxtumb.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              20cc9e5b2b6c3b3724f477e1cd51c945

                                                                                                                                                              SHA1

                                                                                                                                                              3ec629cbb3bc8ced170927d9c3bc718ed0c5afc1

                                                                                                                                                              SHA256

                                                                                                                                                              be5bcf3c3561520dd918c16db1fac64ab78c98d3bdc9cc111fb426b2ea50887a

                                                                                                                                                              SHA512

                                                                                                                                                              a4c2e6e8e69b0f50122a4f4791e4d1ef099ef5d33976db114e131f282a1ce282d1ae588e20fb1087e0324e299cb2de4ec06d5187699331d0d50adc5b3b089de3

                                                                                                                                                            • C:\Windows\SysWOW64\wxyyaqsu.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              08c280a7291c193c66eb6224daa59d95

                                                                                                                                                              SHA1

                                                                                                                                                              beecf291378831f1eaf30a5cf0fc387ef2ccad90

                                                                                                                                                              SHA256

                                                                                                                                                              39b76f112cd82cba486e2e0d9c5f2b7e78436c96e90eb61702959d3f86f202f1

                                                                                                                                                              SHA512

                                                                                                                                                              1a31ce195f1a4cb1bb1c9a43fb51eee2397a0cda8e4ca834a5fbf4c83a59455fb3b8961970b23256c2be31433db095f0e8d116259e4b33b292fa34b8f73f8d5f

                                                                                                                                                            • C:\Windows\SysWOW64\wyhb.exe

                                                                                                                                                              Filesize

                                                                                                                                                              98KB

                                                                                                                                                              MD5

                                                                                                                                                              97f0c65c3b009f01fa0507a9d761dadf

                                                                                                                                                              SHA1

                                                                                                                                                              ae8655228644e655edc04d5167659c2f5fb59506

                                                                                                                                                              SHA256

                                                                                                                                                              e894dd2a59a290311955a5451f33fa0689b75541a063b2851930aa7e6ccbe6ab

                                                                                                                                                              SHA512

                                                                                                                                                              b25fdd1e6e7080fd869c4fcfe6e58cc72860aa3067293058ab35f41bac75119ee251b1655e9de340b91fe0b9b87ff0d91265d5023aa23f5c06e7c6ea666a092b

                                                                                                                                                            • C:\Windows\SysWOW64\wymnnjae.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              58fef14e4df1e9e0396ef41a3cc93c57

                                                                                                                                                              SHA1

                                                                                                                                                              45a33ac021123158762af66dd4c7434ef7075cdd

                                                                                                                                                              SHA256

                                                                                                                                                              b1816ec9c3789b6df846a2f88658e901fab85c1097341b38cd7f1d57a2fb4c98

                                                                                                                                                              SHA512

                                                                                                                                                              0ac4f6017b17224007ff9716d75addc41c90e8a076c733ee63b2e3d7880fb7a3dff24bf05efcfa441f6f1f6cde28173fb7c10c58c3e4398d31b65eaf91f6782d

                                                                                                                                                            • C:\Windows\SysWOW64\wywxe.exe

                                                                                                                                                              Filesize

                                                                                                                                                              97KB

                                                                                                                                                              MD5

                                                                                                                                                              1ffcdfdcc734919c7a04c233a4177c8a

                                                                                                                                                              SHA1

                                                                                                                                                              3bce12c094ab7d9de1a90c812a8634c380840206

                                                                                                                                                              SHA256

                                                                                                                                                              5f3737afca2d5f3d59dc609398244f5914f87bd7492a75b50f90e96f59118426

                                                                                                                                                              SHA512

                                                                                                                                                              a345a3f6d983e2f98ad73669d1b98c4dd7fbc2f3089d73bd52a1403e1f464dfdb7c465e34288e163d1f8d76465359bd67cf444294b9742e5df2ef64317905e89

                                                                                                                                                            • memory/212-676-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/408-726-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/540-617-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/676-404-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/768-422-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1032-735-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1236-158-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1428-651-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1588-200-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1612-179-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1652-752-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1656-590-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1664-817-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1688-489-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1712-464-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1724-523-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1736-116-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1772-74-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1784-760-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1840-793-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1860-105-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/1868-506-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2008-43-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2296-480-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2320-439-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2392-718-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2396-306-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2588-327-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2600-548-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2652-387-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2708-557-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2736-264-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2736-668-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2756-371-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2824-33-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2824-744-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2856-472-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2864-701-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2872-709-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2872-515-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/2872-190-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3016-430-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3040-85-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3056-447-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3116-413-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3240-53-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3264-253-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3308-64-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3380-148-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3492-0-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3492-11-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3580-566-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3644-22-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3788-574-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3796-211-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3876-243-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3928-168-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3932-138-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/3996-625-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4032-345-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4124-127-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4212-379-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4224-296-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4244-396-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4252-769-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4252-232-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4252-353-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4272-95-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4292-660-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4320-274-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4472-488-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4472-497-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4504-634-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4504-456-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4552-809-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4620-642-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4684-801-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4748-316-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4748-540-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4840-582-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4848-693-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4852-599-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4872-818-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4904-608-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4916-337-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4964-362-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/4976-531-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/5100-221-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/5100-684-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/5104-285-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                            • memory/5112-778-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB