Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:40

General

  • Target

    af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe

  • Size

    107KB

  • MD5

    e4bbd14f58c9db9a9f161b1aa5247350

  • SHA1

    6d0efd03776876e34c7adf5f9e3d807a1ec7762f

  • SHA256

    af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066

  • SHA512

    2f15d097a0140dc41db54b33a184a953b77bbd8f7576bb30f6dd35af837b7a4e891d9e23effcba19407702bb034c8f3c007f2c6750416277eb2c5a9eadc980c7

  • SSDEEP

    1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA1n1:yfjxrhzk2nfsWhP7dvavi6vWEbh8X/

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
    "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\wvqdrf.exe
      "C:\Windows\system32\wvqdrf.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\wvbbguf.exe
        "C:\Windows\system32\wvbbguf.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\wolrla.exe
          "C:\Windows\system32\wolrla.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Windows\SysWOW64\wokudwoj.exe
            "C:\Windows\system32\wokudwoj.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Windows\SysWOW64\wdantqvcx.exe
              "C:\Windows\system32\wdantqvcx.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2960
              • C:\Windows\SysWOW64\whuflhgh.exe
                "C:\Windows\system32\whuflhgh.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:568
                • C:\Windows\SysWOW64\wwuptuaw.exe
                  "C:\Windows\system32\wwuptuaw.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:2556
                  • C:\Windows\SysWOW64\wuwpmv.exe
                    "C:\Windows\system32\wuwpmv.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    PID:2236
                    • C:\Windows\SysWOW64\wmuacc.exe
                      "C:\Windows\system32\wmuacc.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:1816
                      • C:\Windows\SysWOW64\woxjilhe.exe
                        "C:\Windows\system32\woxjilhe.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        PID:1692
                        • C:\Windows\SysWOW64\wmpathdt.exe
                          "C:\Windows\system32\wmpathdt.exe"
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:2920
                          • C:\Windows\SysWOW64\wflbh.exe
                            "C:\Windows\system32\wflbh.exe"
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            PID:664
                            • C:\Windows\SysWOW64\wbduawlg.exe
                              "C:\Windows\system32\wbduawlg.exe"
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              PID:944
                              • C:\Windows\SysWOW64\whxkm.exe
                                "C:\Windows\system32\whxkm.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:2472
                                • C:\Windows\SysWOW64\wmvjsrtn.exe
                                  "C:\Windows\system32\wmvjsrtn.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  PID:1744
                                  • C:\Windows\SysWOW64\wmfwqqgv.exe
                                    "C:\Windows\system32\wmfwqqgv.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    PID:2864
                                    • C:\Windows\SysWOW64\wgxpit.exe
                                      "C:\Windows\system32\wgxpit.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      PID:2216
                                      • C:\Windows\SysWOW64\wttwfn.exe
                                        "C:\Windows\system32\wttwfn.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:1668
                                        • C:\Windows\SysWOW64\wssx.exe
                                          "C:\Windows\system32\wssx.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          PID:2096
                                          • C:\Windows\SysWOW64\wsjogghc.exe
                                            "C:\Windows\system32\wsjogghc.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            PID:1984
                                            • C:\Windows\SysWOW64\wch.exe
                                              "C:\Windows\system32\wch.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              PID:1620
                                              • C:\Windows\SysWOW64\wjp.exe
                                                "C:\Windows\system32\wjp.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:1844
                                                • C:\Windows\SysWOW64\wrktcvntk.exe
                                                  "C:\Windows\system32\wrktcvntk.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2744
                                                  • C:\Windows\SysWOW64\wmpc.exe
                                                    "C:\Windows\system32\wmpc.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    PID:2836
                                                    • C:\Windows\SysWOW64\wqam.exe
                                                      "C:\Windows\system32\wqam.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:3036
                                                      • C:\Windows\SysWOW64\wyir.exe
                                                        "C:\Windows\system32\wyir.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1976
                                                        • C:\Windows\SysWOW64\wcsb.exe
                                                          "C:\Windows\system32\wcsb.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:852
                                                          • C:\Windows\SysWOW64\wbtbmgyr.exe
                                                            "C:\Windows\system32\wbtbmgyr.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            PID:348
                                                            • C:\Windows\SysWOW64\wxvuisl.exe
                                                              "C:\Windows\system32\wxvuisl.exe"
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:1200
                                                              • C:\Windows\SysWOW64\wvgif.exe
                                                                "C:\Windows\system32\wvgif.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:1920
                                                                • C:\Windows\SysWOW64\wepokwq.exe
                                                                  "C:\Windows\system32\wepokwq.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2864
                                                                  • C:\Windows\SysWOW64\wyotjdow.exe
                                                                    "C:\Windows\system32\wyotjdow.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:2808
                                                                    • C:\Windows\SysWOW64\wyoxya.exe
                                                                      "C:\Windows\system32\wyoxya.exe"
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      PID:2472
                                                                      • C:\Windows\SysWOW64\wcirupp.exe
                                                                        "C:\Windows\system32\wcirupp.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2856
                                                                        • C:\Windows\SysWOW64\wgrbie.exe
                                                                          "C:\Windows\system32\wgrbie.exe"
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          PID:1668
                                                                          • C:\Windows\SysWOW64\webpfc.exe
                                                                            "C:\Windows\system32\webpfc.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1888
                                                                            • C:\Windows\SysWOW64\wnyymedj.exe
                                                                              "C:\Windows\system32\wnyymedj.exe"
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1900
                                                                              • C:\Windows\SysWOW64\wfuby.exe
                                                                                "C:\Windows\system32\wfuby.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                PID:740
                                                                                • C:\Windows\SysWOW64\wvmwbb.exe
                                                                                  "C:\Windows\system32\wvmwbb.exe"
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2192
                                                                                  • C:\Windows\SysWOW64\wntkvoj.exe
                                                                                    "C:\Windows\system32\wntkvoj.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2872
                                                                                    • C:\Windows\SysWOW64\wmrmkk.exe
                                                                                      "C:\Windows\system32\wmrmkk.exe"
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:1088
                                                                                      • C:\Windows\SysWOW64\wylypkrnr.exe
                                                                                        "C:\Windows\system32\wylypkrnr.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2908
                                                                                        • C:\Windows\SysWOW64\womjvwmax.exe
                                                                                          "C:\Windows\system32\womjvwmax.exe"
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2744
                                                                                          • C:\Windows\SysWOW64\wsuskndvi.exe
                                                                                            "C:\Windows\system32\wsuskndvi.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3068
                                                                                            • C:\Windows\SysWOW64\wgsahgpq.exe
                                                                                              "C:\Windows\system32\wgsahgpq.exe"
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2508
                                                                                              • C:\Windows\SysWOW64\wksuou.exe
                                                                                                "C:\Windows\system32\wksuou.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:1504
                                                                                                • C:\Windows\SysWOW64\wwblto.exe
                                                                                                  "C:\Windows\system32\wwblto.exe"
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:580
                                                                                                  • C:\Windows\SysWOW64\wtwjxrr.exe
                                                                                                    "C:\Windows\system32\wtwjxrr.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:2372
                                                                                                    • C:\Windows\SysWOW64\woocpvj.exe
                                                                                                      "C:\Windows\system32\woocpvj.exe"
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:2760
                                                                                                      • C:\Windows\SysWOW64\wkguja.exe
                                                                                                        "C:\Windows\system32\wkguja.exe"
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:3052
                                                                                                        • C:\Windows\SysWOW64\wdbxxk.exe
                                                                                                          "C:\Windows\system32\wdbxxk.exe"
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2888
                                                                                                          • C:\Windows\SysWOW64\wbcb.exe
                                                                                                            "C:\Windows\system32\wbcb.exe"
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:1908
                                                                                                            • C:\Windows\SysWOW64\winpmrprw.exe
                                                                                                              "C:\Windows\system32\winpmrprw.exe"
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:2096
                                                                                                              • C:\Windows\SysWOW64\wgqbvrs.exe
                                                                                                                "C:\Windows\system32\wgqbvrs.exe"
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:1124
                                                                                                                • C:\Windows\SysWOW64\wficyqmx.exe
                                                                                                                  "C:\Windows\system32\wficyqmx.exe"
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:2460
                                                                                                                  • C:\Windows\SysWOW64\whvtg.exe
                                                                                                                    "C:\Windows\system32\whvtg.exe"
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2292
                                                                                                                    • C:\Windows\SysWOW64\wkybgyll.exe
                                                                                                                      "C:\Windows\system32\wkybgyll.exe"
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:3040
                                                                                                                      • C:\Windows\SysWOW64\werhshbg.exe
                                                                                                                        "C:\Windows\system32\werhshbg.exe"
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2828
                                                                                                                        • C:\Windows\SysWOW64\whsntyi.exe
                                                                                                                          "C:\Windows\system32\whsntyi.exe"
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:2980
                                                                                                                          • C:\Windows\SysWOW64\wgwydy.exe
                                                                                                                            "C:\Windows\system32\wgwydy.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:2808
                                                                                                                            • C:\Windows\SysWOW64\wiyge.exe
                                                                                                                              "C:\Windows\system32\wiyge.exe"
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:2348
                                                                                                                              • C:\Windows\SysWOW64\wlqdyhp.exe
                                                                                                                                "C:\Windows\system32\wlqdyhp.exe"
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:1668
                                                                                                                                • C:\Windows\SysWOW64\wjtoig.exe
                                                                                                                                  "C:\Windows\system32\wjtoig.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:2224
                                                                                                                                  • C:\Windows\SysWOW64\weveant.exe
                                                                                                                                    "C:\Windows\system32\weveant.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:2196
                                                                                                                                    • C:\Windows\SysWOW64\wcngdnnqd.exe
                                                                                                                                      "C:\Windows\system32\wcngdnnqd.exe"
                                                                                                                                      66⤵
                                                                                                                                        PID:2032
                                                                                                                                        • C:\Windows\SysWOW64\wxgkovckj.exe
                                                                                                                                          "C:\Windows\system32\wxgkovckj.exe"
                                                                                                                                          67⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:1608
                                                                                                                                          • C:\Windows\SysWOW64\waisonjx.exe
                                                                                                                                            "C:\Windows\system32\waisonjx.exe"
                                                                                                                                            68⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Suspicious use of UnmapMainImage
                                                                                                                                            PID:284
                                                                                                                                            • C:\Windows\SysWOW64\wdvjweca.exe
                                                                                                                                              "C:\Windows\system32\wdvjweca.exe"
                                                                                                                                              69⤵
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:1684
                                                                                                                                              • C:\Windows\SysWOW64\wbnlbd.exe
                                                                                                                                                "C:\Windows\system32\wbnlbd.exe"
                                                                                                                                                70⤵
                                                                                                                                                  PID:1828
                                                                                                                                                  • C:\Windows\SysWOW64\wugrll.exe
                                                                                                                                                    "C:\Windows\system32\wugrll.exe"
                                                                                                                                                    71⤵
                                                                                                                                                      PID:2980
                                                                                                                                                      • C:\Windows\SysWOW64\wpkfetk.exe
                                                                                                                                                        "C:\Windows\system32\wpkfetk.exe"
                                                                                                                                                        72⤵
                                                                                                                                                          PID:1360
                                                                                                                                                          • C:\Windows\SysWOW64\wnmqms.exe
                                                                                                                                                            "C:\Windows\system32\wnmqms.exe"
                                                                                                                                                            73⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:2744
                                                                                                                                                            • C:\Windows\SysWOW64\wifvxb.exe
                                                                                                                                                              "C:\Windows\system32\wifvxb.exe"
                                                                                                                                                              74⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:2044
                                                                                                                                                              • C:\Windows\SysWOW64\wlicy.exe
                                                                                                                                                                "C:\Windows\system32\wlicy.exe"
                                                                                                                                                                75⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:1432
                                                                                                                                                                • C:\Windows\SysWOW64\wdefndcyi.exe
                                                                                                                                                                  "C:\Windows\system32\wdefndcyi.exe"
                                                                                                                                                                  76⤵
                                                                                                                                                                    PID:2832
                                                                                                                                                                    • C:\Windows\SysWOW64\wjqulm.exe
                                                                                                                                                                      "C:\Windows\system32\wjqulm.exe"
                                                                                                                                                                      77⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      PID:2544
                                                                                                                                                                      • C:\Windows\SysWOW64\wqdhkwsf.exe
                                                                                                                                                                        "C:\Windows\system32\wqdhkwsf.exe"
                                                                                                                                                                        78⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:2692
                                                                                                                                                                        • C:\Windows\SysWOW64\wgkgym.exe
                                                                                                                                                                          "C:\Windows\system32\wgkgym.exe"
                                                                                                                                                                          79⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:3052
                                                                                                                                                                          • C:\Windows\SysWOW64\wmxvwur.exe
                                                                                                                                                                            "C:\Windows\system32\wmxvwur.exe"
                                                                                                                                                                            80⤵
                                                                                                                                                                              PID:1088
                                                                                                                                                                              • C:\Windows\SysWOW64\wlcfgv.exe
                                                                                                                                                                                "C:\Windows\system32\wlcfgv.exe"
                                                                                                                                                                                81⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                PID:2948
                                                                                                                                                                                • C:\Windows\SysWOW64\wtckye.exe
                                                                                                                                                                                  "C:\Windows\system32\wtckye.exe"
                                                                                                                                                                                  82⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2708
                                                                                                                                                                                  • C:\Windows\SysWOW64\wivst.exe
                                                                                                                                                                                    "C:\Windows\system32\wivst.exe"
                                                                                                                                                                                    83⤵
                                                                                                                                                                                      PID:808
                                                                                                                                                                                      • C:\Windows\SysWOW64\wgyddtuo.exe
                                                                                                                                                                                        "C:\Windows\system32\wgyddtuo.exe"
                                                                                                                                                                                        84⤵
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        PID:1124
                                                                                                                                                                                        • C:\Windows\SysWOW64\wkbldlc.exe
                                                                                                                                                                                          "C:\Windows\system32\wkbldlc.exe"
                                                                                                                                                                                          85⤵
                                                                                                                                                                                            PID:568
                                                                                                                                                                                            • C:\Windows\SysWOW64\wajjrc.exe
                                                                                                                                                                                              "C:\Windows\system32\wajjrc.exe"
                                                                                                                                                                                              86⤵
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              PID:2732
                                                                                                                                                                                              • C:\Windows\SysWOW64\wvboei.exe
                                                                                                                                                                                                "C:\Windows\system32\wvboei.exe"
                                                                                                                                                                                                87⤵
                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:2984
                                                                                                                                                                                                • C:\Windows\SysWOW64\wxogka.exe
                                                                                                                                                                                                  "C:\Windows\system32\wxogka.exe"
                                                                                                                                                                                                  88⤵
                                                                                                                                                                                                    PID:2712
                                                                                                                                                                                                    • C:\Windows\SysWOW64\wrhlvi.exe
                                                                                                                                                                                                      "C:\Windows\system32\wrhlvi.exe"
                                                                                                                                                                                                      89⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1536
                                                                                                                                                                                                      • C:\Windows\SysWOW64\wqynahrp.exe
                                                                                                                                                                                                        "C:\Windows\system32\wqynahrp.exe"
                                                                                                                                                                                                        90⤵
                                                                                                                                                                                                          PID:2616
                                                                                                                                                                                                          • C:\Windows\SysWOW64\wpcwjhv.exe
                                                                                                                                                                                                            "C:\Windows\system32\wpcwjhv.exe"
                                                                                                                                                                                                            91⤵
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            PID:2212
                                                                                                                                                                                                            • C:\Windows\SysWOW64\wvdbbp.exe
                                                                                                                                                                                                              "C:\Windows\system32\wvdbbp.exe"
                                                                                                                                                                                                              92⤵
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:2316
                                                                                                                                                                                                              • C:\Windows\SysWOW64\wcqqaae.exe
                                                                                                                                                                                                                "C:\Windows\system32\wcqqaae.exe"
                                                                                                                                                                                                                93⤵
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:2328
                                                                                                                                                                                                                • C:\Windows\SysWOW64\wcirdywpu.exe
                                                                                                                                                                                                                  "C:\Windows\system32\wcirdywpu.exe"
                                                                                                                                                                                                                  94⤵
                                                                                                                                                                                                                    PID:1148
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wdkadqec.exe
                                                                                                                                                                                                                      "C:\Windows\system32\wdkadqec.exe"
                                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                                        PID:2752
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wdxusq.exe
                                                                                                                                                                                                                          "C:\Windows\system32\wdxusq.exe"
                                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          PID:1960
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wwfpyww.exe
                                                                                                                                                                                                                            "C:\Windows\system32\wwfpyww.exe"
                                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                                              PID:1548
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wuulp.exe
                                                                                                                                                                                                                                "C:\Windows\system32\wuulp.exe"
                                                                                                                                                                                                                                98⤵
                                                                                                                                                                                                                                  PID:1264
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wpbftfpme.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\wpbftfpme.exe"
                                                                                                                                                                                                                                    99⤵
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:1572
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wvntro.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\wvntro.exe"
                                                                                                                                                                                                                                      100⤵
                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                      PID:2172
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wrgyev.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\wrgyev.exe"
                                                                                                                                                                                                                                        101⤵
                                                                                                                                                                                                                                          PID:2704
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wxicvem.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\wxicvem.exe"
                                                                                                                                                                                                                                            102⤵
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:3032
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wvkog.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\wvkog.exe"
                                                                                                                                                                                                                                              103⤵
                                                                                                                                                                                                                                                PID:1744
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wdxcf.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\wdxcf.exe"
                                                                                                                                                                                                                                                  104⤵
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  PID:264
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wwphpwb.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\wwphpwb.exe"
                                                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                    PID:1152
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wviisvtq.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\wviisvtq.exe"
                                                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:564
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wqbnedik.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\wqbnedik.exe"
                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                        PID:2580
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wwmcd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\wwmcd.exe"
                                                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                          PID:1984
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wvgdgkw.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\wvgdgkw.exe"
                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                              PID:2280
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wxstndp.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\wxstndp.exe"
                                                                                                                                                                                                                                                                110⤵
                                                                                                                                                                                                                                                                • Suspicious use of UnmapMainImage
                                                                                                                                                                                                                                                                PID:1200
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wvugw.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\wvugw.exe"
                                                                                                                                                                                                                                                                  111⤵
                                                                                                                                                                                                                                                                    PID:1640
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxstndp.exe"
                                                                                                                                                                                                                                                                    111⤵
                                                                                                                                                                                                                                                                      PID:2748
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 852
                                                                                                                                                                                                                                                                      111⤵
                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                      PID:1504
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgdgkw.exe"
                                                                                                                                                                                                                                                                    110⤵
                                                                                                                                                                                                                                                                      PID:284
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwmcd.exe"
                                                                                                                                                                                                                                                                    109⤵
                                                                                                                                                                                                                                                                      PID:2852
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbnedik.exe"
                                                                                                                                                                                                                                                                    108⤵
                                                                                                                                                                                                                                                                      PID:940
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wviisvtq.exe"
                                                                                                                                                                                                                                                                    107⤵
                                                                                                                                                                                                                                                                      PID:296
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwphpwb.exe"
                                                                                                                                                                                                                                                                    106⤵
                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                    PID:944
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxcf.exe"
                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                    PID:696
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkog.exe"
                                                                                                                                                                                                                                                                  104⤵
                                                                                                                                                                                                                                                                    PID:972
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxicvem.exe"
                                                                                                                                                                                                                                                                  103⤵
                                                                                                                                                                                                                                                                    PID:1028
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgyev.exe"
                                                                                                                                                                                                                                                                  102⤵
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:2584
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvntro.exe"
                                                                                                                                                                                                                                                                101⤵
                                                                                                                                                                                                                                                                  PID:2304
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbftfpme.exe"
                                                                                                                                                                                                                                                                100⤵
                                                                                                                                                                                                                                                                  PID:352
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuulp.exe"
                                                                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:2980
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfpyww.exe"
                                                                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                                                                                PID:2940
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxusq.exe"
                                                                                                                                                                                                                                                              97⤵
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              PID:2236
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdkadqec.exe"
                                                                                                                                                                                                                                                            96⤵
                                                                                                                                                                                                                                                              PID:1952
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcirdywpu.exe"
                                                                                                                                                                                                                                                            95⤵
                                                                                                                                                                                                                                                              PID:2084
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqqaae.exe"
                                                                                                                                                                                                                                                            94⤵
                                                                                                                                                                                                                                                              PID:2552
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdbbp.exe"
                                                                                                                                                                                                                                                            93⤵
                                                                                                                                                                                                                                                              PID:2096
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcwjhv.exe"
                                                                                                                                                                                                                                                            92⤵
                                                                                                                                                                                                                                                              PID:1700
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqynahrp.exe"
                                                                                                                                                                                                                                                            91⤵
                                                                                                                                                                                                                                                              PID:1812
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhlvi.exe"
                                                                                                                                                                                                                                                            90⤵
                                                                                                                                                                                                                                                              PID:984
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxogka.exe"
                                                                                                                                                                                                                                                            89⤵
                                                                                                                                                                                                                                                              PID:980
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvboei.exe"
                                                                                                                                                                                                                                                            88⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:316
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajjrc.exe"
                                                                                                                                                                                                                                                          87⤵
                                                                                                                                                                                                                                                            PID:2204
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbldlc.exe"
                                                                                                                                                                                                                                                          86⤵
                                                                                                                                                                                                                                                            PID:2404
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyddtuo.exe"
                                                                                                                                                                                                                                                          85⤵
                                                                                                                                                                                                                                                            PID:1188
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivst.exe"
                                                                                                                                                                                                                                                          84⤵
                                                                                                                                                                                                                                                            PID:2264
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtckye.exe"
                                                                                                                                                                                                                                                          83⤵
                                                                                                                                                                                                                                                            PID:1864
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcfgv.exe"
                                                                                                                                                                                                                                                          82⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          PID:1736
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxvwur.exe"
                                                                                                                                                                                                                                                        81⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:872
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkgym.exe"
                                                                                                                                                                                                                                                      80⤵
                                                                                                                                                                                                                                                        PID:2640
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdhkwsf.exe"
                                                                                                                                                                                                                                                      79⤵
                                                                                                                                                                                                                                                        PID:944
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqulm.exe"
                                                                                                                                                                                                                                                      78⤵
                                                                                                                                                                                                                                                        PID:1952
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdefndcyi.exe"
                                                                                                                                                                                                                                                      77⤵
                                                                                                                                                                                                                                                        PID:1152
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlicy.exe"
                                                                                                                                                                                                                                                      76⤵
                                                                                                                                                                                                                                                        PID:1464
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifvxb.exe"
                                                                                                                                                                                                                                                      75⤵
                                                                                                                                                                                                                                                        PID:2780
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmqms.exe"
                                                                                                                                                                                                                                                      74⤵
                                                                                                                                                                                                                                                        PID:808
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkfetk.exe"
                                                                                                                                                                                                                                                      73⤵
                                                                                                                                                                                                                                                        PID:1716
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugrll.exe"
                                                                                                                                                                                                                                                      72⤵
                                                                                                                                                                                                                                                        PID:2356
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnlbd.exe"
                                                                                                                                                                                                                                                      71⤵
                                                                                                                                                                                                                                                        PID:1804
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvjweca.exe"
                                                                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                                                                        PID:400
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waisonjx.exe"
                                                                                                                                                                                                                                                      69⤵
                                                                                                                                                                                                                                                        PID:2784
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 284 -s 488
                                                                                                                                                                                                                                                        69⤵
                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                        PID:2928
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxgkovckj.exe"
                                                                                                                                                                                                                                                      68⤵
                                                                                                                                                                                                                                                        PID:912
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcngdnnqd.exe"
                                                                                                                                                                                                                                                      67⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:2880
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weveant.exe"
                                                                                                                                                                                                                                                    66⤵
                                                                                                                                                                                                                                                      PID:540
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtoig.exe"
                                                                                                                                                                                                                                                    65⤵
                                                                                                                                                                                                                                                      PID:1584
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqdyhp.exe"
                                                                                                                                                                                                                                                    64⤵
                                                                                                                                                                                                                                                      PID:1688
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyge.exe"
                                                                                                                                                                                                                                                    63⤵
                                                                                                                                                                                                                                                      PID:2744
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwydy.exe"
                                                                                                                                                                                                                                                    62⤵
                                                                                                                                                                                                                                                      PID:2640
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsntyi.exe"
                                                                                                                                                                                                                                                    61⤵
                                                                                                                                                                                                                                                      PID:316
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werhshbg.exe"
                                                                                                                                                                                                                                                    60⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:2412
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkybgyll.exe"
                                                                                                                                                                                                                                                  59⤵
                                                                                                                                                                                                                                                    PID:3032
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvtg.exe"
                                                                                                                                                                                                                                                  58⤵
                                                                                                                                                                                                                                                    PID:2100
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wficyqmx.exe"
                                                                                                                                                                                                                                                  57⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:1816
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqbvrs.exe"
                                                                                                                                                                                                                                                56⤵
                                                                                                                                                                                                                                                  PID:1620
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winpmrprw.exe"
                                                                                                                                                                                                                                                55⤵
                                                                                                                                                                                                                                                  PID:2068
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcb.exe"
                                                                                                                                                                                                                                                54⤵
                                                                                                                                                                                                                                                  PID:940
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbxxk.exe"
                                                                                                                                                                                                                                                53⤵
                                                                                                                                                                                                                                                  PID:1468
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkguja.exe"
                                                                                                                                                                                                                                                52⤵
                                                                                                                                                                                                                                                  PID:2680
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woocpvj.exe"
                                                                                                                                                                                                                                                51⤵
                                                                                                                                                                                                                                                  PID:744
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwjxrr.exe"
                                                                                                                                                                                                                                                50⤵
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:2000
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwblto.exe"
                                                                                                                                                                                                                                              49⤵
                                                                                                                                                                                                                                                PID:2832
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksuou.exe"
                                                                                                                                                                                                                                              48⤵
                                                                                                                                                                                                                                                PID:1652
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsahgpq.exe"
                                                                                                                                                                                                                                              47⤵
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:776
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuskndvi.exe"
                                                                                                                                                                                                                                            46⤵
                                                                                                                                                                                                                                              PID:2448
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 180
                                                                                                                                                                                                                                              46⤵
                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                              PID:532
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womjvwmax.exe"
                                                                                                                                                                                                                                            45⤵
                                                                                                                                                                                                                                              PID:868
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylypkrnr.exe"
                                                                                                                                                                                                                                            44⤵
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:1872
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrmkk.exe"
                                                                                                                                                                                                                                          43⤵
                                                                                                                                                                                                                                            PID:1552
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntkvoj.exe"
                                                                                                                                                                                                                                          42⤵
                                                                                                                                                                                                                                            PID:2580
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmwbb.exe"
                                                                                                                                                                                                                                          41⤵
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:2768
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuby.exe"
                                                                                                                                                                                                                                        40⤵
                                                                                                                                                                                                                                          PID:1148
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyymedj.exe"
                                                                                                                                                                                                                                        39⤵
                                                                                                                                                                                                                                          PID:1200
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webpfc.exe"
                                                                                                                                                                                                                                        38⤵
                                                                                                                                                                                                                                          PID:1768
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrbie.exe"
                                                                                                                                                                                                                                        37⤵
                                                                                                                                                                                                                                          PID:1412
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcirupp.exe"
                                                                                                                                                                                                                                        36⤵
                                                                                                                                                                                                                                          PID:1976
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyoxya.exe"
                                                                                                                                                                                                                                        35⤵
                                                                                                                                                                                                                                          PID:2680
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyotjdow.exe"
                                                                                                                                                                                                                                        34⤵
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        PID:2200
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 204
                                                                                                                                                                                                                                        34⤵
                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                        PID:2324
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepokwq.exe"
                                                                                                                                                                                                                                      33⤵
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      PID:2588
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgif.exe"
                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                      PID:1876
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvuisl.exe"
                                                                                                                                                                                                                                    31⤵
                                                                                                                                                                                                                                      PID:1620
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtbmgyr.exe"
                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:2460
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsb.exe"
                                                                                                                                                                                                                                  29⤵
                                                                                                                                                                                                                                    PID:2160
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyir.exe"
                                                                                                                                                                                                                                  28⤵
                                                                                                                                                                                                                                    PID:1772
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqam.exe"
                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                    PID:2112
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpc.exe"
                                                                                                                                                                                                                                  26⤵
                                                                                                                                                                                                                                    PID:2116
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrktcvntk.exe"
                                                                                                                                                                                                                                  25⤵
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:2892
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjp.exe"
                                                                                                                                                                                                                                24⤵
                                                                                                                                                                                                                                  PID:1028
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wch.exe"
                                                                                                                                                                                                                                23⤵
                                                                                                                                                                                                                                  PID:880
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjogghc.exe"
                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                  PID:776
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssx.exe"
                                                                                                                                                                                                                                21⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:2384
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttwfn.exe"
                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:1040
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxpit.exe"
                                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                                              PID:1860
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfwqqgv.exe"
                                                                                                                                                                                                                            18⤵
                                                                                                                                                                                                                              PID:1640
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 204
                                                                                                                                                                                                                              18⤵
                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                              PID:2176
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvjsrtn.exe"
                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                              PID:2180
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxkm.exe"
                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                              PID:1380
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbduawlg.exe"
                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                              PID:2232
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 48
                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                              PID:2320
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflbh.exe"
                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                              PID:1564
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpathdt.exe"
                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                              PID:2304
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxjilhe.exe"
                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                              PID:868
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuacc.exe"
                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                              PID:2288
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwpmv.exe"
                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                              PID:2176
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuptuaw.exe"
                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:2664
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204
                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                            PID:2756
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whuflhgh.exe"
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          PID:264
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdantqvcx.exe"
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:2100
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokudwoj.exe"
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                        PID:2164
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 48
                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                        PID:2040
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolrla.exe"
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                        PID:2092
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbbguf.exe"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:1832
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqdrf.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:2636
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Deletes itself
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:2844

                                                                                                                                                                                                                Network

                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\install[2].htm

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0CH2MZY9.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  132B

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KHM1KUSH.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  132B

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O4ZFFLR1.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  132B

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T432DMZD.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  132B

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W3BJGI5N.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  132B

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YDJQKZ76.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  99B

                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZV3W6FIX.txt

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  132B

                                                                                                                                                                                                                • \Windows\SysWOW64\wdantqvcx.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  107KB

                                                                                                                                                                                                                • \Windows\SysWOW64\whuflhgh.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  107KB

                                                                                                                                                                                                                • \Windows\SysWOW64\wmuacc.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  108KB

                                                                                                                                                                                                                • \Windows\SysWOW64\wokudwoj.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  107KB

                                                                                                                                                                                                                • \Windows\SysWOW64\wolrla.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  107KB

                                                                                                                                                                                                                • \Windows\SysWOW64\wuwpmv.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  108KB

                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                  ff7f229faa91a701a694495d118ea240

                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                  f497a6ae3c25456514e95dc8e2f06665a6f31cd0

                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                  f574cbe2c4250268c321e9003a2f6aae32b4b9a3bb2cdcd92f4035029a7be53c

                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                  220ffca683f042cb0a33a5f22437e8f7e81e7e09e97a9e51a34ee4c5dfb4b844e0459e5dc6f4ff5b35e0dc5177f6a1074693501d72509ea6c05385692374b23a

                                                                                                                                                                                                                • \Windows\SysWOW64\wvbbguf.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  107KB

                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                  107efc16271388a58495e95a94359c57

                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                  8818a11ada9e2f9017db8581f7b49e305987ec94

                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                  71f2e1f9702e8a4032383208dcf37834f354293dc241d0243c4f94c3d6996661

                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                  e7192c06d008e1bab4ac3896d6ff09d423c62436bc00710acff358f28478369893228536f89e3904002dfc3d6bbc5309cba31f5367c12ff48b8e71c43e84b1dc

                                                                                                                                                                                                                • \Windows\SysWOW64\wvqdrf.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  107KB

                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                  eb95f64fa14b7d769b02c9eb464896f8

                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                  91b3b28180b6b60fba592020e5f7049eee3379e3

                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                  84afa73ee4ddb18ec2e06474242c55562b14baa7f7d1d0d3df50e638ec02b148

                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                  1c08da2130e18ae07c40ffbd9172a1eb49f6880ac6ff5ab19e009ea41ac9ba47db2d77325c1b2bcb78b18edc8c068850e46f4533adcd05bbd85e862443c9e092

                                                                                                                                                                                                                • \Windows\SysWOW64\wwuptuaw.exe

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  108KB

                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                  d9b192b1e761f727481f9f3b1c8e21da

                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                  eaebc436fff97b5d0f4b2fbc85a273ed72a15243

                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                  174406fc86901022393cb04efca18ba9bcfcd85dc5a6f9b3ce23ad79479508bd

                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                  02c09ac196257912acd4951389359493ca0d061e50f1b717f206e1093873a6ecc2bdc65337a5fc90a0cd9babb8062429eb88ba9b50c22f50af16d028b2f86b57


                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/1816-217-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/1816-236-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/1816-231-0x0000000003200000-0x0000000003217000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/1816-232-0x0000000003200000-0x0000000003217000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/1816-233-0x0000000003200000-0x0000000003217000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/1816-234-0x0000000003200000-0x0000000003217000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-115-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-161-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-116-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-119-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-117-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-118-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-162-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-160-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2004-97-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2096-387-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2216-367-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2216-364-0x0000000003E60000-0x0000000003E77000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2216-363-0x0000000003E60000-0x0000000003E77000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2216-365-0x0000000003E70000-0x0000000003E87000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2236-215-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2236-209-0x0000000002310000-0x0000000002327000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2236-193-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2368-12-0x00000000037A0000-0x00000000037B7000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2368-20-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2368-13-0x00000000037A0000-0x00000000037B7000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2368-21-0x0000000003DB0000-0x0000000003DC7000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2368-0-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2368-24-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2472-317-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2472-302-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2556-171-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2556-191-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2556-190-0x0000000002170000-0x0000000002187000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2556-216-0x0000000002170000-0x0000000002187000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2556-189-0x0000000002170000-0x0000000002187000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2556-218-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2640-67-0x0000000003E60000-0x0000000003E77000-memory.dmp

                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                  92KB

                                                                                                                                                                                                                • memory/2640-68-0x0000000003E70000-0x0000000003E87000-memory.dmp
