Analysis

  • max time kernel
    111s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 01:40

General

  • Target

    af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe

  • Size

    107KB

  • MD5

    e4bbd14f58c9db9a9f161b1aa5247350

  • SHA1

    6d0efd03776876e34c7adf5f9e3d807a1ec7762f

  • SHA256

    af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066

  • SHA512

    2f15d097a0140dc41db54b33a184a953b77bbd8f7576bb30f6dd35af837b7a4e891d9e23effcba19407702bb034c8f3c007f2c6750416277eb2c5a9eadc980c7

  • SSDEEP

    1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA1n1:yfjxrhzk2nfsWhP7dvavi6vWEbh8X/

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
    "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\wwkehar.exe
      "C:\Windows\system32\wwkehar.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\wtnrwrv.exe
        "C:\Windows\system32\wtnrwrv.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\wrtxcpet.exe
          "C:\Windows\system32\wrtxcpet.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Windows\SysWOW64\wsjcd.exe
            "C:\Windows\system32\wsjcd.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3024
            • C:\Windows\SysWOW64\wjw.exe
              "C:\Windows\system32\wjw.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\SysWOW64\wbkq.exe
                "C:\Windows\system32\wbkq.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:744
                • C:\Windows\SysWOW64\wekojvq.exe
                  "C:\Windows\system32\wekojvq.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3900
                  • C:\Windows\SysWOW64\weuk.exe
                    "C:\Windows\system32\weuk.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1200
                    • C:\Windows\SysWOW64\wntcur.exe
                      "C:\Windows\system32\wntcur.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:1048
                      • C:\Windows\SysWOW64\wvaoox.exe
                        "C:\Windows\system32\wvaoox.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2360
                        • C:\Windows\SysWOW64\wchxpsty.exe
                          "C:\Windows\system32\wchxpsty.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          PID:1584
                          • C:\Windows\SysWOW64\wmefo.exe
                            "C:\Windows\system32\wmefo.exe"
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            PID:3920
                            • C:\Windows\SysWOW64\wtcquv.exe
                              "C:\Windows\system32\wtcquv.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              PID:2428
                              • C:\Windows\SysWOW64\wdxwtuc.exe
                                "C:\Windows\system32\wdxwtuc.exe"
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                PID:1996
                                • C:\Windows\SysWOW64\wkuiacj.exe
                                  "C:\Windows\system32\wkuiacj.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  PID:4268
                                  • C:\Windows\SysWOW64\wdcrphn.exe
                                    "C:\Windows\system32\wdcrphn.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    PID:876
                                    • C:\Windows\SysWOW64\wxxqvo.exe
                                      "C:\Windows\system32\wxxqvo.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      PID:3508
                                      • C:\Windows\SysWOW64\wnxd.exe
                                        "C:\Windows\system32\wnxd.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        PID:2304
                                        • C:\Windows\SysWOW64\woopiwv.exe
                                          "C:\Windows\system32\woopiwv.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          PID:1804
                                          • C:\Windows\SysWOW64\wggjcfk.exe
                                            "C:\Windows\system32\wggjcfk.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            PID:1944
                                            • C:\Windows\SysWOW64\wbb.exe
                                              "C:\Windows\system32\wbb.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              PID:2936
                                              • C:\Windows\SysWOW64\wlxp.exe
                                                "C:\Windows\system32\wlxp.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:4372
                                                • C:\Windows\SysWOW64\wvtawfd.exe
                                                  "C:\Windows\system32\wvtawfd.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1900
                                                  • C:\Windows\SysWOW64\wroydkw.exe
                                                    "C:\Windows\system32\wroydkw.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2716
                                                    • C:\Windows\SysWOW64\wetug.exe
                                                      "C:\Windows\system32\wetug.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      PID:2728
                                                      • C:\Windows\SysWOW64\wxos.exe
                                                        "C:\Windows\system32\wxos.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4576
                                                        • C:\Windows\SysWOW64\wqgnitag.exe
                                                          "C:\Windows\system32\wqgnitag.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:1948
                                                          • C:\Windows\SysWOW64\wwptofs.exe
                                                            "C:\Windows\system32\wwptofs.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:3988
                                                            • C:\Windows\SysWOW64\wpvecm.exe
                                                              "C:\Windows\system32\wpvecm.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1832
                                                              • C:\Windows\SysWOW64\wjdnqtb.exe
                                                                "C:\Windows\system32\wjdnqtb.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:3224
                                                                • C:\Windows\SysWOW64\wgue.exe
                                                                  "C:\Windows\system32\wgue.exe"
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  PID:1500
                                                                  • C:\Windows\SysWOW64\wgeoqm.exe
                                                                    "C:\Windows\system32\wgeoqm.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:4324
                                                                    • C:\Windows\SysWOW64\wfj.exe
                                                                      "C:\Windows\system32\wfj.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      PID:4232
                                                                      • C:\Windows\SysWOW64\wsnoy.exe
                                                                        "C:\Windows\system32\wsnoy.exe"
                                                                        35⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:1628
                                                                        • C:\Windows\SysWOW64\wwifm.exe
                                                                          "C:\Windows\system32\wwifm.exe"
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          PID:3900
                                                                          • C:\Windows\SysWOW64\wxrqdl.exe
                                                                            "C:\Windows\system32\wxrqdl.exe"
                                                                            37⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            PID:4008
                                                                            • C:\Windows\SysWOW64\waps.exe
                                                                              "C:\Windows\system32\waps.exe"
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:212
                                                                              • C:\Windows\SysWOW64\wtw.exe
                                                                                "C:\Windows\system32\wtw.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                PID:2268
                                                                                • C:\Windows\SysWOW64\wpnqjkawo.exe
                                                                                  "C:\Windows\system32\wpnqjkawo.exe"
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  PID:3584
                                                                                  • C:\Windows\SysWOW64\wcjyjg.exe
                                                                                    "C:\Windows\system32\wcjyjg.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:3500
                                                                                    • C:\Windows\SysWOW64\wvcsep.exe
                                                                                      "C:\Windows\system32\wvcsep.exe"
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      PID:1380
                                                                                      • C:\Windows\SysWOW64\woicqw.exe
                                                                                        "C:\Windows\system32\woicqw.exe"
                                                                                        43⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        PID:1292
                                                                                        • C:\Windows\SysWOW64\wosm.exe
                                                                                          "C:\Windows\system32\wosm.exe"
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          PID:3568
                                                                                          • C:\Windows\SysWOW64\wmrra.exe
                                                                                            "C:\Windows\system32\wmrra.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:3900
                                                                                            • C:\Windows\SysWOW64\wfr.exe
                                                                                              "C:\Windows\system32\wfr.exe"
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2120
                                                                                              • C:\Windows\SysWOW64\wjvasmc.exe
                                                                                                "C:\Windows\system32\wjvasmc.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:3236
                                                                                                • C:\Windows\SysWOW64\wxeajfdf.exe
                                                                                                  "C:\Windows\system32\wxeajfdf.exe"
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1996
                                                                                                  • C:\Windows\SysWOW64\wtsvbkos.exe
                                                                                                    "C:\Windows\system32\wtsvbkos.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:1644
                                                                                                    • C:\Windows\SysWOW64\wgeekhpsg.exe
                                                                                                      "C:\Windows\system32\wgeekhpsg.exe"
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1156
                                                                                                      • C:\Windows\SysWOW64\wgrwtdg.exe
                                                                                                        "C:\Windows\system32\wgrwtdg.exe"
                                                                                                        51⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:3124
                                                                                                        • C:\Windows\SysWOW64\wbu.exe
                                                                                                          "C:\Windows\system32\wbu.exe"
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:3964
                                                                                                          • C:\Windows\SysWOW64\wlsgdms.exe
                                                                                                            "C:\Windows\system32\wlsgdms.exe"
                                                                                                            53⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:3348
                                                                                                            • C:\Windows\SysWOW64\wkgxljiy.exe
                                                                                                              "C:\Windows\system32\wkgxljiy.exe"
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3768
                                                                                                              • C:\Windows\SysWOW64\wkjhpe.exe
                                                                                                                "C:\Windows\system32\wkjhpe.exe"
                                                                                                                55⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                PID:4228
                                                                                                                • C:\Windows\SysWOW64\wllpqat.exe
                                                                                                                  "C:\Windows\system32\wllpqat.exe"
                                                                                                                  56⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2972
                                                                                                                  • C:\Windows\SysWOW64\woyeq.exe
                                                                                                                    "C:\Windows\system32\woyeq.exe"
                                                                                                                    57⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:4600
                                                                                                                    • C:\Windows\SysWOW64\wgnf.exe
                                                                                                                      "C:\Windows\system32\wgnf.exe"
                                                                                                                      58⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:3792
                                                                                                                      • C:\Windows\SysWOW64\wdqq.exe
                                                                                                                        "C:\Windows\system32\wdqq.exe"
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:4920
                                                                                                                        • C:\Windows\SysWOW64\wcekla.exe
                                                                                                                          "C:\Windows\system32\wcekla.exe"
                                                                                                                          60⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:3028
                                                                                                                          • C:\Windows\SysWOW64\wgqan.exe
                                                                                                                            "C:\Windows\system32\wgqan.exe"
                                                                                                                            61⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2368
                                                                                                                            • C:\Windows\SysWOW64\wlfpnbe.exe
                                                                                                                              "C:\Windows\system32\wlfpnbe.exe"
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1032
                                                                                                                              • C:\Windows\SysWOW64\wgwrse.exe
                                                                                                                                "C:\Windows\system32\wgwrse.exe"
                                                                                                                                63⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:972
                                                                                                                                • C:\Windows\SysWOW64\weyedjw.exe
                                                                                                                                  "C:\Windows\system32\weyedjw.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:1332
                                                                                                                                  • C:\Windows\SysWOW64\wlw.exe
                                                                                                                                    "C:\Windows\system32\wlw.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:1364
                                                                                                                                    • C:\Windows\SysWOW64\waytnc.exe
                                                                                                                                      "C:\Windows\system32\waytnc.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      PID:1992
                                                                                                                                      • C:\Windows\SysWOW64\wqotopmkn.exe
                                                                                                                                        "C:\Windows\system32\wqotopmkn.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:3756
                                                                                                                                        • C:\Windows\SysWOW64\wbvwnr.exe
                                                                                                                                          "C:\Windows\system32\wbvwnr.exe"
                                                                                                                                          68⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:1156
                                                                                                                                          • C:\Windows\SysWOW64\wgtvs.exe
                                                                                                                                            "C:\Windows\system32\wgtvs.exe"
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:3760
                                                                                                                                            • C:\Windows\SysWOW64\wnhhk.exe
                                                                                                                                              "C:\Windows\system32\wnhhk.exe"
                                                                                                                                              70⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:1520
                                                                                                                                              • C:\Windows\SysWOW64\wbarie.exe
                                                                                                                                                "C:\Windows\system32\wbarie.exe"
                                                                                                                                                71⤵
                                                                                                                                                • Checks computer location settings
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:3900
                                                                                                                                                • C:\Windows\SysWOW64\wrjqw.exe
                                                                                                                                                  "C:\Windows\system32\wrjqw.exe"
                                                                                                                                                  72⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:1796
                                                                                                                                                  • C:\Windows\SysWOW64\wnlchxwex.exe
                                                                                                                                                    "C:\Windows\system32\wnlchxwex.exe"
                                                                                                                                                    73⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:1924
                                                                                                                                                    • C:\Windows\SysWOW64\wkops.exe
                                                                                                                                                      "C:\Windows\system32\wkops.exe"
                                                                                                                                                      74⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:3424
                                                                                                                                                      • C:\Windows\SysWOW64\wbhvfn.exe
                                                                                                                                                        "C:\Windows\system32\wbhvfn.exe"
                                                                                                                                                        75⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        PID:1580
                                                                                                                                                        • C:\Windows\SysWOW64\wsklya.exe
                                                                                                                                                          "C:\Windows\system32\wsklya.exe"
                                                                                                                                                          76⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:528
                                                                                                                                                          • C:\Windows\SysWOW64\wpyirfx.exe
                                                                                                                                                            "C:\Windows\system32\wpyirfx.exe"
                                                                                                                                                            77⤵
                                                                                                                                                            • Checks computer location settings
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:2116
                                                                                                                                                            • C:\Windows\SysWOW64\wkcudh.exe
                                                                                                                                                              "C:\Windows\system32\wkcudh.exe"
                                                                                                                                                              78⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:1708
                                                                                                                                                              • C:\Windows\SysWOW64\wctap.exe
                                                                                                                                                                "C:\Windows\system32\wctap.exe"
                                                                                                                                                                79⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:3456
                                                                                                                                                                • C:\Windows\SysWOW64\wyiwhx.exe
                                                                                                                                                                  "C:\Windows\system32\wyiwhx.exe"
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                  PID:3976
                                                                                                                                                                  • C:\Windows\SysWOW64\wdul.exe
                                                                                                                                                                    "C:\Windows\system32\wdul.exe"
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    PID:2648
                                                                                                                                                                    • C:\Windows\SysWOW64\wlsih.exe
                                                                                                                                                                      "C:\Windows\system32\wlsih.exe"
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      PID:4396
                                                                                                                                                                      • C:\Windows\SysWOW64\wph.exe
                                                                                                                                                                        "C:\Windows\system32\wph.exe"
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:5052
                                                                                                                                                                        • C:\Windows\SysWOW64\wdahd.exe
                                                                                                                                                                          "C:\Windows\system32\wdahd.exe"
                                                                                                                                                                          84⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          PID:4412
                                                                                                                                                                          • C:\Windows\SysWOW64\wemam.exe
                                                                                                                                                                            "C:\Windows\system32\wemam.exe"
                                                                                                                                                                            85⤵
                                                                                                                                                                              PID:4392
                                                                                                                                                                              • C:\Windows\SysWOW64\wiof.exe
                                                                                                                                                                                "C:\Windows\system32\wiof.exe"
                                                                                                                                                                                86⤵
                                                                                                                                                                                  PID:4992
                                                                                                                                                                                  • C:\Windows\SysWOW64\wddbxnthl.exe
                                                                                                                                                                                    "C:\Windows\system32\wddbxnthl.exe"
                                                                                                                                                                                    87⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    PID:2908
                                                                                                                                                                                    • C:\Windows\SysWOW64\wagnj.exe
                                                                                                                                                                                      "C:\Windows\system32\wagnj.exe"
                                                                                                                                                                                      88⤵
                                                                                                                                                                                        PID:448
                                                                                                                                                                                        • C:\Windows\SysWOW64\wvkb.exe
                                                                                                                                                                                          "C:\Windows\system32\wvkb.exe"
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:1904
                                                                                                                                                                                          • C:\Windows\SysWOW64\wnbgih.exe
                                                                                                                                                                                            "C:\Windows\system32\wnbgih.exe"
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:3392
                                                                                                                                                                                            • C:\Windows\SysWOW64\wjpcalyv.exe
                                                                                                                                                                                              "C:\Windows\system32\wjpcalyv.exe"
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:4544
                                                                                                                                                                                              • C:\Windows\SysWOW64\waijn.exe
                                                                                                                                                                                                "C:\Windows\system32\waijn.exe"
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                  PID:4896
                                                                                                                                                                                                  • C:\Windows\SysWOW64\wwwgfc.exe
                                                                                                                                                                                                    "C:\Windows\system32\wwwgfc.exe"
                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                      PID:3804
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waijn.exe"
                                                                                                                                                                                                      93⤵
                                                                                                                                                                                                        PID:2612
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpcalyv.exe"
                                                                                                                                                                                                      92⤵
                                                                                                                                                                                                        PID:3308
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1648
                                                                                                                                                                                                        92⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5096
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1472
                                                                                                                                                                                                        92⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:4608
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbgih.exe"
                                                                                                                                                                                                      91⤵
                                                                                                                                                                                                        PID:1740
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkb.exe"
                                                                                                                                                                                                      90⤵
                                                                                                                                                                                                        PID:4840
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagnj.exe"
                                                                                                                                                                                                      89⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1520
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddbxnthl.exe"
                                                                                                                                                                                                    88⤵
                                                                                                                                                                                                      PID:4904
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiof.exe"
                                                                                                                                                                                                    87⤵
                                                                                                                                                                                                      PID:968
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemam.exe"
                                                                                                                                                                                                    86⤵
                                                                                                                                                                                                      PID:1200
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdahd.exe"
                                                                                                                                                                                                    85⤵
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:316
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wph.exe"
                                                                                                                                                                                                  84⤵
                                                                                                                                                                                                    PID:3592
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsih.exe"
                                                                                                                                                                                                  83⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:3536
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdul.exe"
                                                                                                                                                                                                82⤵
                                                                                                                                                                                                  PID:3024
                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 748
                                                                                                                                                                                                  82⤵
                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                  PID:1720
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyiwhx.exe"
                                                                                                                                                                                                81⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:3680
                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 116
                                                                                                                                                                                                81⤵
                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                PID:4248
                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1536
                                                                                                                                                                                                81⤵
                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                PID:4360
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctap.exe"
                                                                                                                                                                                              80⤵
                                                                                                                                                                                                PID:2832
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcudh.exe"
                                                                                                                                                                                              79⤵
                                                                                                                                                                                                PID:3220
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyirfx.exe"
                                                                                                                                                                                              78⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:3844
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsklya.exe"
                                                                                                                                                                                            77⤵
                                                                                                                                                                                              PID:740
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhvfn.exe"
                                                                                                                                                                                            76⤵
                                                                                                                                                                                              PID:4816
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkops.exe"
                                                                                                                                                                                            75⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:2520
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlchxwex.exe"
                                                                                                                                                                                          74⤵
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:4896
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqw.exe"
                                                                                                                                                                                        73⤵
                                                                                                                                                                                          PID:4984
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbarie.exe"
                                                                                                                                                                                        72⤵
                                                                                                                                                                                          PID:3496
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhhk.exe"
                                                                                                                                                                                        71⤵
                                                                                                                                                                                          PID:2912
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtvs.exe"
                                                                                                                                                                                        70⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:1292
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvwnr.exe"
                                                                                                                                                                                      69⤵
                                                                                                                                                                                        PID:2396
                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1536
                                                                                                                                                                                        69⤵
                                                                                                                                                                                        • Program crash
                                                                                                                                                                                        PID:2940
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotopmkn.exe"
                                                                                                                                                                                      68⤵
                                                                                                                                                                                        PID:5040
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waytnc.exe"
                                                                                                                                                                                      67⤵
                                                                                                                                                                                        PID:2420
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlw.exe"
                                                                                                                                                                                      66⤵
                                                                                                                                                                                        PID:2240
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyedjw.exe"
                                                                                                                                                                                      65⤵
                                                                                                                                                                                        PID:2032
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwrse.exe"
                                                                                                                                                                                      64⤵
                                                                                                                                                                                        PID:4292
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfpnbe.exe"
                                                                                                                                                                                      63⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:3404
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqan.exe"
                                                                                                                                                                                    62⤵
                                                                                                                                                                                      PID:1828
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcekla.exe"
                                                                                                                                                                                    61⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:2360
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqq.exe"
                                                                                                                                                                                  60⤵
                                                                                                                                                                                    PID:1772
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnf.exe"
                                                                                                                                                                                  59⤵
                                                                                                                                                                                    PID:1596
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1444
                                                                                                                                                                                    59⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:832
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyeq.exe"
                                                                                                                                                                                  58⤵
                                                                                                                                                                                    PID:4316
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllpqat.exe"
                                                                                                                                                                                  57⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:1068
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjhpe.exe"
                                                                                                                                                                                56⤵
                                                                                                                                                                                  PID:4356
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgxljiy.exe"
                                                                                                                                                                                55⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:3836
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsgdms.exe"
                                                                                                                                                                              54⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:4956
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1536
                                                                                                                                                                              54⤵
                                                                                                                                                                              • Program crash
                                                                                                                                                                              PID:2036
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbu.exe"
                                                                                                                                                                            53⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:2068
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrwtdg.exe"
                                                                                                                                                                          52⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:4100
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1676
                                                                                                                                                                          52⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:1612
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeekhpsg.exe"
                                                                                                                                                                        51⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:5040
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsvbkos.exe"
                                                                                                                                                                      50⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:4760
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeajfdf.exe"
                                                                                                                                                                    49⤵
                                                                                                                                                                      PID:4564
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvasmc.exe"
                                                                                                                                                                    48⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:1924
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfr.exe"
                                                                                                                                                                  47⤵
                                                                                                                                                                    PID:3752
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrra.exe"
                                                                                                                                                                  46⤵
                                                                                                                                                                    PID:972
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosm.exe"
                                                                                                                                                                  45⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:4364
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woicqw.exe"
                                                                                                                                                                44⤵
                                                                                                                                                                  PID:4696
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcsep.exe"
                                                                                                                                                                43⤵
                                                                                                                                                                  PID:1236
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjyjg.exe"
                                                                                                                                                                42⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:804
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnqjkawo.exe"
                                                                                                                                                              41⤵
                                                                                                                                                                PID:2432
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtw.exe"
                                                                                                                                                              40⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3476
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waps.exe"
                                                                                                                                                            39⤵
                                                                                                                                                              PID:4892
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1660
                                                                                                                                                              39⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:208
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrqdl.exe"
                                                                                                                                                            38⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:4804
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwifm.exe"
                                                                                                                                                          37⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:1828
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnoy.exe"
                                                                                                                                                        36⤵
                                                                                                                                                          PID:1920
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfj.exe"
                                                                                                                                                        35⤵
                                                                                                                                                          PID:4272
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeoqm.exe"
                                                                                                                                                        34⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1424
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgue.exe"
                                                                                                                                                      33⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:2712
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdnqtb.exe"
                                                                                                                                                    32⤵
                                                                                                                                                      PID:2648
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvecm.exe"
                                                                                                                                                    31⤵
                                                                                                                                                      PID:2888
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptofs.exe"
                                                                                                                                                    30⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4732
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgnitag.exe"
                                                                                                                                                  29⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:4068
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxos.exe"
                                                                                                                                                28⤵
                                                                                                                                                  PID:3900
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetug.exe"
                                                                                                                                                27⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:4828
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroydkw.exe"
                                                                                                                                              26⤵
                                                                                                                                                PID:832
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtawfd.exe"
                                                                                                                                              25⤵
                                                                                                                                                PID:4564
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxp.exe"
                                                                                                                                              24⤵
                                                                                                                                                PID:4812
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbb.exe"
                                                                                                                                              23⤵
                                                                                                                                                PID:2464
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggjcfk.exe"
                                                                                                                                              22⤵
                                                                                                                                                PID:1008
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woopiwv.exe"
                                                                                                                                              21⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:3596
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxd.exe"
                                                                                                                                            20⤵
                                                                                                                                              PID:3572
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxqvo.exe"
                                                                                                                                            19⤵
                                                                                                                                              PID:4232
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcrphn.exe"
                                                                                                                                            18⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:4324
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuiacj.exe"
                                                                                                                                          17⤵
                                                                                                                                            PID:2264
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxwtuc.exe"
                                                                                                                                          16⤵
                                                                                                                                            PID:4996
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcquv.exe"
                                                                                                                                          15⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:1828
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmefo.exe"
                                                                                                                                        14⤵
                                                                                                                                          PID:4900
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchxpsty.exe"
                                                                                                                                        13⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4920
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvaoox.exe"
                                                                                                                                      12⤵
                                                                                                                                        PID:1960
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntcur.exe"
                                                                                                                                      11⤵
                                                                                                                                        PID:4600
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuk.exe"
                                                                                                                                      10⤵
                                                                                                                                        PID:3204
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekojvq.exe"
                                                                                                                                      9⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:1948
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkq.exe"
                                                                                                                                    8⤵
                                                                                                                                      PID:2424
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjw.exe"
                                                                                                                                    7⤵
                                                                                                                                      PID:832
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1308
                                                                                                                                      7⤵
                                                                                                                                      • Program crash
                                                                                                                                      PID:3580
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjcd.exe"
                                                                                                                                    6⤵
                                                                                                                                      PID:4516
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtxcpet.exe"
                                                                                                                                    5⤵
                                                                                                                                      PID:3320
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnrwrv.exe"
                                                                                                                                    4⤵
                                                                                                                                      PID:2036
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkehar.exe"
                                                                                                                                    3⤵
                                                                                                                                      PID:2484
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
                                                                                                                                    2⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:968
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1100 -ip 1100
                                                                                                                                  1⤵
                                                                                                                                    PID:4464
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212
                                                                                                                                    1⤵
                                                                                                                                      PID:4228
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3124 -ip 3124
                                                                                                                                      1⤵
                                                                                                                                        PID:4864
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3348 -ip 3348
                                                                                                                                        1⤵
                                                                                                                                          PID:1008
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3792 -ip 3792
                                                                                                                                          1⤵
                                                                                                                                            PID:3608
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1156 -ip 1156
                                                                                                                                            1⤵
                                                                                                                                              PID:4888
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3976 -ip 3976
                                                                                                                                              1⤵
                                                                                                                                                PID:2036
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 3976
                                                                                                                                                1⤵
                                                                                                                                                  PID:3392
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2648 -ip 2648
                                                                                                                                                  1⤵
                                                                                                                                                    PID:1740
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4544 -ip 4544
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2492
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4544 -ip 4544
                                                                                                                                                      1⤵
                                                                                                                                                        PID:3848

                                                                                                                                                      Network

                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                      Replay Monitor

                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                      Downloads

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\install[2].htm

                                                                                                                                                        Filesize

                                                                                                                                                        7KB

                                                                                                                                                        MD5

                                                                                                                                                        9463ba07743e8a9aca3b55373121b7c5

                                                                                                                                                        SHA1

                                                                                                                                                        4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

                                                                                                                                                        SHA256

                                                                                                                                                        d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

                                                                                                                                                        SHA512

                                                                                                                                                        6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

                                                                                                                                                      • C:\Windows\SysWOW64\wbb.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        dd58640e11fb116ff558854f3aff3364

                                                                                                                                                        SHA1

                                                                                                                                                        b6fa284995551cd842ec82d813b881f344fbc213

                                                                                                                                                        SHA256

                                                                                                                                                        5b37a133f675ebaf4e6de090f15f28220b745103dff2616eebebfd4df5a0aaf6

                                                                                                                                                        SHA512

                                                                                                                                                        f0d957a73f9a3917f4d96a224a7ab174d0a26770ef6f24158cc8e1fdd9caf44d2340d7d34f06bc70cb77dec21a8613f0f83b7e0dfd70d67b0508294559302d42

                                                                                                                                                      • C:\Windows\SysWOW64\wbkq.exe

                                                                                                                                                        Filesize

                                                                                                                                                        107KB

                                                                                                                                                        MD5

                                                                                                                                                        2baf14267ae0638aabc0f41f87c4d019

                                                                                                                                                        SHA1

                                                                                                                                                        df8e720d8e38f27222d0ca247633aa5b871c0580

                                                                                                                                                        SHA256

                                                                                                                                                        4181ab947afd3539ddf77f975ca0dd8c892d2d6930d34a024f468e0f7c0c966c

                                                                                                                                                        SHA512

                                                                                                                                                        df6a5e1dbbff8e15964123f0814d54671f5e712453dfa36b1417ae176954128f70478d2b3c762c9232ea4609a36c8515cd6b3aa2fe80c08efd68fb6b06fe53a2

                                                                                                                                                      • C:\Windows\SysWOW64\wchxpsty.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        f8a96c73edc4206f67d67cdd8f64e42e

                                                                                                                                                        SHA1

                                                                                                                                                        a781686fc410f0e5791b859f53b8f09ad3badd8d

                                                                                                                                                        SHA256

                                                                                                                                                        f1942ac22056d9121862a4afa6c3e9068316a0a0333e350993eb2d2aa280b833

                                                                                                                                                        SHA512

                                                                                                                                                        5a290b6c5619bb5d9233ef83606bbd36d3b35385b17f191ffd6f709f9943c24e2d0ba836d3dc0e9a232b900146ea46046f091fcea5234c44de67fc15e3246423

                                                                                                                                                      • C:\Windows\SysWOW64\wdcrphn.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        96ed296554abac9a395a7b376cc70908

                                                                                                                                                        SHA1

                                                                                                                                                        062875a892f7dbe80e161e3d85393eec7cf6e014

                                                                                                                                                        SHA256

                                                                                                                                                        2da938a25ebaf96b1ea77486892700b6ae797d9245d10519f8a44a9977ac2384

                                                                                                                                                        SHA512

                                                                                                                                                        d383f99466d097432a5063a0801baf9bf20e31793571fe3b4fbaec861acaa7eb133b539739c6d35b437603b4ff161818f58cd00207133021e218efd52a525124

                                                                                                                                                      • C:\Windows\SysWOW64\wdxwtuc.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        8a1437d3c1a3273dbafdb0e5fe5afda2

                                                                                                                                                        SHA1

                                                                                                                                                        c5ab27a4c122fcb969d996535e8f78bd29cbce7e

                                                                                                                                                        SHA256

                                                                                                                                                        6af05907650ef5d3e7931e7ec455636ae6c1f6b1add5adf937be5ebce7cd6a72

                                                                                                                                                        SHA512

                                                                                                                                                        169dd20a03564cc578f223d93597b980f9dd13e7d887090fea7e29719fe238f9f6093037749eef592b4d84722eebc63160d5f8b208c02380429ed2650bbd0bc4

                                                                                                                                                      • C:\Windows\SysWOW64\wekojvq.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        2940e341f41b90dcabcb40beec81ce74

                                                                                                                                                        SHA1

                                                                                                                                                        7da62a86c3293db48d9be98e91b677602279a4a5

                                                                                                                                                        SHA256

                                                                                                                                                        14c2b1d88f82a5772d1088b9bbaabf58dff43ae55b60d8122517aff7e25abbfe

                                                                                                                                                        SHA512

                                                                                                                                                        de272b6d8109d6f504a2cfcc9316ceaa4a4fe6bf30ff2cb6a5023f94aaa82c0e8ed71ebf205548082484a1c98023b30d59a3b2cae7f490606ff0d50d7b82b5f6

                                                                                                                                                      • C:\Windows\SysWOW64\wetug.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        dec472a5661224fdcbc4f05147855e76

                                                                                                                                                        SHA1

                                                                                                                                                        94a167afd172a60232a2eacf733a1b8f502f0e8c

                                                                                                                                                        SHA256

                                                                                                                                                        133ec1139e9c97ee4c7223066c9f698f65b916d73ad134ba141027287af1b030

                                                                                                                                                        SHA512

                                                                                                                                                        304826b10daf5576dcff64818c0b6ff0a5ea1dd7024efcbb42ead2f8142a909ce443e86d95494e52a155664b175f07aa34fdf647a4fc95181b3bea1140d966e0

                                                                                                                                                      • C:\Windows\SysWOW64\weuk.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        eac730272ec3221de919ade7abcc7b98

                                                                                                                                                        SHA1

                                                                                                                                                        934cfc5b4f886ed28f697dbfe0ddcd6d8765c7d5

                                                                                                                                                        SHA256

                                                                                                                                                        f8bb44f4119fbf82f484276d645cbcf1336a85b72dd88f31a43fb9e06bf1253e

                                                                                                                                                        SHA512

                                                                                                                                                        353dbffb6543e998b366ac5d8e110b9daf9db45719e2a04fcf6b23e4c08bcec1aef7ae95495f216b7e7798cfc674862dd951b1ef053c86eb2953c7c35b656302

                                                                                                                                                      • C:\Windows\SysWOW64\wgeoqm.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        d3a817900f014dc63d338596f85f7c69

                                                                                                                                                        SHA1

                                                                                                                                                        ab0036cffa3ce87390006d95b7bde45361d1b4b6

                                                                                                                                                        SHA256

                                                                                                                                                        18d3928f565c8b8c75c402edfddabd56c7bb0ca43d65ac24e8b4bb1a950a71a9

                                                                                                                                                        SHA512

                                                                                                                                                        55cd68059b7a070f721fe1e049a83b313dd377ec638d76dd8cb7b4ce96cd04eee3e7b96a96ff61c557efee5495f21f7d32d00241f5b314501f528b5f828ce6ee

                                                                                                                                                      • C:\Windows\SysWOW64\wggjcfk.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        b2ad6ce49de8c6f1708f36437e44a677

                                                                                                                                                        SHA1

                                                                                                                                                        b4f5f728f988bd8ea6b95c29280522f7ce414eef

                                                                                                                                                        SHA256

                                                                                                                                                        77e8d513c5f1215670e54f193ddb672891266bafb76c65dd71801aa856867058

                                                                                                                                                        SHA512

                                                                                                                                                        01e1248b84fcb54fa1b93a6490dd07a2adbb1b0fb4cf866ccf63ef57368b31d8897653223a8e0b6598b489fb5eb6814553e1188e38149896354d37a281516892

                                                                                                                                                      • C:\Windows\SysWOW64\wgue.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        e91d47e0740aa951479982a95ae6bd18

                                                                                                                                                        SHA1

                                                                                                                                                        7d6d4681c44eef42fd0814447e04f8e7bff1e521

                                                                                                                                                        SHA256

                                                                                                                                                        9874f6b5102ed9a033c7dd7ebc13de4187c1e2acbe7f2bd40de7759ad6fc1f7d

                                                                                                                                                        SHA512

                                                                                                                                                        6397331f303e8291af94e499a9519ed1d2adcfd43d29da9c0232f72aea086dd8e4135f8c7193ad3fe8908471d95315054f026276eeae04eaab3d31bce9a81631

                                                                                                                                                      • C:\Windows\SysWOW64\wjdnqtb.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        eefe85a88281be7ecb476b63568dd015

                                                                                                                                                        SHA1

                                                                                                                                                        3fde7bad3f6068866b7580bb104c410508a16ca7

                                                                                                                                                        SHA256

                                                                                                                                                        d3bc30c834c414075614060d891ea53f300c3ef670de1129dc8416f071facc96

                                                                                                                                                        SHA512

                                                                                                                                                        f6dd2402897c1ea8100fb546951a4d29c77665e6006a8743ebce25829cb8ef1328ae7b70fbe5638579470a6a5095d268da72b5be7e7247054ccb6b629a8c71c3

                                                                                                                                                      • C:\Windows\SysWOW64\wjw.exe

                                                                                                                                                        Filesize

                                                                                                                                                        107KB

                                                                                                                                                        MD5

                                                                                                                                                        a648135d7e08fec5b6f729ef347d3585

                                                                                                                                                        SHA1

                                                                                                                                                        8503e99efabdab82c3605b5927d8e2d0d82440f4

                                                                                                                                                        SHA256

                                                                                                                                                        9dd7889e30059ed0753a237eeffcaacb1670b258e319283b4dd44f5df641a19e

                                                                                                                                                        SHA512

                                                                                                                                                        7394b9fb017090b6884a6bd36bb4ce3e1a520638affc6b53cedea6ec54fb8a9286957b464d77785153aaf156d00d2624c5e6073e03cecc25c7c23e4ad5de4278

                                                                                                                                                      • C:\Windows\SysWOW64\wkuiacj.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        7275ff3a384a169abffd1039f02d995b

                                                                                                                                                        SHA1

                                                                                                                                                        c98dc15b4db80672a7e7ecf3905a30bb18962e93

                                                                                                                                                        SHA256

                                                                                                                                                        74542e3850373806de42a032db30c29006f3d28eb50448660046cd3e342c81c8

                                                                                                                                                        SHA512

                                                                                                                                                        589c606dcf12aa61144557ccad3d169a6a2f358f3b6b0479fc4f2a2edfe20ff75fb721b3b1e9315ee2f50d5029225989b25e2609097e2e3732724105727b31d9

                                                                                                                                                      • C:\Windows\SysWOW64\wlxp.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        d8d506f087a77741c5eae398fe57fc7a

                                                                                                                                                        SHA1

                                                                                                                                                        4805753c862e594b112506360b476c08b4e78e4d

                                                                                                                                                        SHA256

                                                                                                                                                        b481b3e420888f09a0376e5f5146d994fed741c22928a2bf27351ee971862bca

                                                                                                                                                        SHA512

                                                                                                                                                        a2fe23746ce110b13b494b476608487cd4641329cd98e58690a0044ce9fa2b489149f030ff77b6fd666dc76bee1550e720a75068bb148be888ac38eaf1a1115e

                                                                                                                                                      • C:\Windows\SysWOW64\wmefo.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        2413044a1d68167e10330a7aed418e4c

                                                                                                                                                        SHA1

                                                                                                                                                        fba87ae3803a95d0848d6731fe26683f07b0c218

                                                                                                                                                        SHA256

                                                                                                                                                        403381db3841ec5f3f4df2fa480b842e8a3522d546a99c7063a4206840acfc7e

                                                                                                                                                        SHA512

                                                                                                                                                        8c0edcde40fda9a6c0b66219bd615a416b4eb8df78eb37c0da9f4595901b1333a91d8d1c8782a8ed698b40c3e0778ab2cf07e85b6df19d59040e9cfbfa2f889f

                                                                                                                                                      • C:\Windows\SysWOW64\wntcur.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        6565532460511b825b324baa2916d60e

                                                                                                                                                        SHA1

                                                                                                                                                        219559b96245eb1f9e06c457a484247b017b1fec

                                                                                                                                                        SHA256

                                                                                                                                                        5788c43d0ca4a1f11d0ca8c1d46f8f73107c036594f9ef6b7922123f07d7d021

                                                                                                                                                        SHA512

                                                                                                                                                        7aa5f59439874bb2d7a9bdaf9726ef204311af59e3723608f330922029dae642691df4de6a31a61bdccaf675a8f2ca2846c16cddd02be1bf1ab43f08a7699802

                                                                                                                                                      • C:\Windows\SysWOW64\wnxd.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        1ef638cd4ef521f90e0dad5e9aa1dd61

                                                                                                                                                        SHA1

                                                                                                                                                        dac4a64f1cb6c18bff4ba757d9fa9dde42d64c8f

                                                                                                                                                        SHA256

                                                                                                                                                        fea598ff307071f9a8d925c86f3ddef983bb938a09e2b698d276ffda08d0f764

                                                                                                                                                        SHA512

                                                                                                                                                        47adb06cb4a8d8103695ad5ee1edd338962e1f9ccf5b157d1743afdb1273fe926fe42e254f0d53eff8daf0b9c2c7fb82baaa6f5630f5145df112e99ca48e8222

                                                                                                                                                      • C:\Windows\SysWOW64\woopiwv.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        c465af67e692231538055966fb833da7

                                                                                                                                                        SHA1

                                                                                                                                                        d81c034359d7ca27dc6ff822be4435ff69788c0e

                                                                                                                                                        SHA256

                                                                                                                                                        5519423460f451d7d3282b2a7046ad1f4f567e2fecb658059e3c87cab8ba716c

                                                                                                                                                        SHA512

                                                                                                                                                        7464ec1b8bd95769107d83d5b3eb731dfac69a6a306097736d2a2a831846ee9ea01065fb61a27c78cb80d2a002dca5d0523fb2c6674141120268d53657c77f95

                                                                                                                                                      • C:\Windows\SysWOW64\wpvecm.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        0a2eeaa7f377cf986e8c4782f99caac4

                                                                                                                                                        SHA1

                                                                                                                                                        4e92641cb3229693ca4ffabff1b482903ff4d0ed

                                                                                                                                                        SHA256

                                                                                                                                                        22c98c9b9b420446c6c874963379675c92a8203005c27d789d1c87d6a9e2261d

                                                                                                                                                        SHA512

                                                                                                                                                        5a75e6a22c2130fa1dd12cb8f2f2e453313974546957f8f317dff763dd069be537f64609cac9b68304995334bcc291a03024de10ab5c5e53aba8a7f25489dcc4

                                                                                                                                                      • C:\Windows\SysWOW64\wqgnitag.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        0bb0cfef7b9f547641da41d2f69dee1f

                                                                                                                                                        SHA1

                                                                                                                                                        6a03aa8fbae741076e786b03934ebf2411dd1868

                                                                                                                                                        SHA256

                                                                                                                                                        04a555b2acd7c432fd0eddf04df28e1249c924acd2253f0ce2c8a0d4b1ae687b

                                                                                                                                                        SHA512

                                                                                                                                                        044d43af69a9187a954f3adc4795f83cde18dd5fc713cb49aeb5f011607f01876294ae0b91cfbd2b5c1abe915c82072eab5c0e925b2c86009cc0b495b8f767e0

                                                                                                                                                      • C:\Windows\SysWOW64\wroydkw.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        42805d2b2df3dd0ad18b2b6e497117a5

                                                                                                                                                        SHA1

                                                                                                                                                        8abf9b4e8c6df6e93e2907aa598801489ed39e64

                                                                                                                                                        SHA256

                                                                                                                                                        1728320447c190d309de199a2cc7e0a7b0630119181eacd2ad978daa80ff3265

                                                                                                                                                        SHA512

                                                                                                                                                        f90231a5d07e8dc7072fabb0d3520e1f154b1c439cf49aced8f6593b58ab2407df3966b20b9e1e8fc45afd479dae11b6b6427e145da6f2a2eedf53f4144707be

                                                                                                                                                      • C:\Windows\SysWOW64\wrtxcpet.exe

                                                                                                                                                        Filesize

                                                                                                                                                        107KB

                                                                                                                                                        MD5

                                                                                                                                                        661180444cb1a90a5542f5af9e97734b

                                                                                                                                                        SHA1

                                                                                                                                                        46502f31d23a861d765627c9f23bcde621dde721

                                                                                                                                                        SHA256

                                                                                                                                                        a4047c67030ae93c30fd21b66cedb4fd8229d7b679ed97b323eb98ab71fd5428

                                                                                                                                                        SHA512

                                                                                                                                                        34b7d125b479d0f7683826d9ae7f5bfbd1cc3f68ffcccbb6ac95a7cacb1e1b06f3d29052bcbc0523c8d03896142d17c83c716771d277163d95e3cf94b045cecf

                                                                                                                                                      • C:\Windows\SysWOW64\wsjcd.exe

                                                                                                                                                        Filesize

                                                                                                                                                        107KB

                                                                                                                                                        MD5

                                                                                                                                                        c391e26df1f2731cad31bfd05342357a

                                                                                                                                                        SHA1

                                                                                                                                                        428ea4b461977a904e0cc1284571545a118c2221

                                                                                                                                                        SHA256

                                                                                                                                                        51cbc2030bda178904bc4ce490dd5b0d9a06fcd20f1286190230d7aa6f41e1c7

                                                                                                                                                        SHA512

                                                                                                                                                        69fd6411f4ff5974151b0c8bb1844dfb01b1d6492519ee898e7a9b46c449f192e4563c78285af478aba8e51e3fc994e2b06710cc5b019978c1a9010f10a81e7b

                                                                                                                                                      • C:\Windows\SysWOW64\wtcquv.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        6997d7a01feaed0e830afea8aef98ec6

                                                                                                                                                        SHA1

                                                                                                                                                        4433b02f85ad58c898e7b1819d3948685d14b9e7

                                                                                                                                                        SHA256

                                                                                                                                                        a349823ba74f542fc84bb77ee0e6bf0bbc6c7a8374c74937a6b8a172f7baad42

                                                                                                                                                        SHA512

                                                                                                                                                        1e36b887ae44fb80dcfe876200e3e63314a32dd3578dc76ef046a0cd9b0b81ad5a08bbc7be2d61628bbf39e95b86a147dcc6dac935e1b178f9c74c6dc5029078

                                                                                                                                                      • C:\Windows\SysWOW64\wtnrwrv.exe

                                                                                                                                                        Filesize

                                                                                                                                                        107KB

                                                                                                                                                        MD5

                                                                                                                                                        dc56b3c5bbed155c45a2cd7e62c0280d

                                                                                                                                                        SHA1

                                                                                                                                                        cb3ffe613f10149c0d42b32cd1306e6a149316d6

                                                                                                                                                        SHA256

                                                                                                                                                        69ac01a9dcbef5e7a393ab225137dbdabf0b294495127ec8be86d598eeb9a43e

                                                                                                                                                        SHA512

                                                                                                                                                        ba59116757b72ea844ee8c25747ae23030e0eb273b6aeb053831cab91b4b03dd95cdc0e626dca2fa457ce555af1b95c393d91207d834227e706abfccd82d6209

                                                                                                                                                      • C:\Windows\SysWOW64\wvaoox.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        39ad8d3180520a3222985801924ea8b4

                                                                                                                                                        SHA1

                                                                                                                                                        404d777cfc93197a16d3c869d8280f1e95b5fd4f

                                                                                                                                                        SHA256

                                                                                                                                                        43feb723b3f587452984ae13fd9220178718d19841bc18ce20d81d34a9a8eff8

                                                                                                                                                        SHA512

                                                                                                                                                        76149d1edc28a8ccb726e4041a24e72f0de26198bdc114c35fae2b00e97f67cfc09b8bc6783a3dd476fd7a3929c77ecff7a98d1f689a919a77f235021bcfa157

                                                                                                                                                      • C:\Windows\SysWOW64\wvtawfd.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        d19d06fb67bc2a2ba2e7d385fb5b7e0a

                                                                                                                                                        SHA1

                                                                                                                                                        a41695f231fa85c6a617e8164c30472f7de1ae8b

                                                                                                                                                        SHA256

                                                                                                                                                        c88bce8f29014c442de8c2508b34bad22098b2628bb9602985bd69f749a2fad5

                                                                                                                                                        SHA512

                                                                                                                                                        e47270c9d53c47aa37bb31b3b8673fba7b03330568630d7cb2e33603a2d82cf37bd9537b911110c25a0a98cc4e5587caa7d2397ecc14c8845d8ca2deb5789e54

                                                                                                                                                      • C:\Windows\SysWOW64\wwkehar.exe

                                                                                                                                                        Filesize

                                                                                                                                                        107KB

                                                                                                                                                        MD5

                                                                                                                                                        9aaeb52c2d8c8c5d53d961e2464ccf7c

                                                                                                                                                        SHA1

                                                                                                                                                        e2f54eae4aa70a448baf4536b934b3b64ba9dc1b

                                                                                                                                                        SHA256

                                                                                                                                                        6db2bf1bf608c8c1b07240b298ba8fd15327a937f7cc6618551d8078dfb32e4a

                                                                                                                                                        SHA512

                                                                                                                                                        d9d097d2f8ea56da751f27f9d5699524b23cb30b4b1544c1241cae0cbb8891d85e488be0ca2fe119d7d4440093769a419d86df28809528ac2847181d94929bc2

                                                                                                                                                      • C:\Windows\SysWOW64\wwptofs.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        e78decb794c5372fde0298bdd3d85844

                                                                                                                                                        SHA1

                                                                                                                                                        bff9430aad84a178abd0d884004b02e93062d8fb

                                                                                                                                                        SHA256

                                                                                                                                                        3ca49d93d63cb131fc506fad8b66896389b12f71c65a7f88284faa916650b52f

                                                                                                                                                        SHA512

                                                                                                                                                        c36044e6c359bb894d021bf65537287e4334521b0c1e78020f4e307b7044b2f20537088e941fb060354a97f83741b666d961ef4053e74572ed39b682ab09d4e4

                                                                                                                                                      • C:\Windows\SysWOW64\wxos.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        4217c25b1f85e95f4e275da0cc20fe7d

                                                                                                                                                        SHA1

                                                                                                                                                        ff4470183904ad6db730d5696008cf42138a332e

                                                                                                                                                        SHA256

                                                                                                                                                        23bbc76b770669444151a9d5e524aed5d585367ca39568bbcc4dc3826e79a3dc

                                                                                                                                                        SHA512

                                                                                                                                                        5481fea349b2d71532c03bc3391c7e154dced1f595d166f2b738dc22046b39ff7b93b3ce8c3af150a1805b0f545f9383ea247bf8744e1a3bf8321d00e5f9936d

                                                                                                                                                      • C:\Windows\SysWOW64\wxxqvo.exe

                                                                                                                                                        Filesize

                                                                                                                                                        108KB

                                                                                                                                                        MD5

                                                                                                                                                        0dca54bdf09e1206f252ea340faba924

                                                                                                                                                        SHA1

                                                                                                                                                        e689b641003be8a5d92d659d147ba7678d5e5a7d

                                                                                                                                                        SHA256

                                                                                                                                                        b3bc818b6db709ccf1ab395b03d591d2c109f90539804e84154e5dc808a31052

                                                                                                                                                        SHA512

                                                                                                                                                        7e469650cb7cc2e9b8b594c44f04c31c40ebb21559488691b534958d546d7d99c4acdfbf26d47073f04d6f0335b312f6b265926b0600f3110ef36a9fdeeda5d0

                                                                                                                                                      • memory/212-394-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/448-797-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/528-700-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/744-75-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/836-11-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/836-0-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/876-183-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/972-597-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1032-589-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1048-107-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1100-64-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1156-493-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1200-96-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1292-437-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1332-605-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1364-613-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1364-43-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1380-429-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1500-344-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1520-652-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1580-692-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1584-129-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1628-368-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1644-485-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1708-716-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1796-668-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1804-216-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1832-323-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1900-258-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1904-805-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1924-676-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1944-227-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1948-301-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1992-621-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1996-477-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/1996-162-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2116-708-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2120-461-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2268-403-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2304-205-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2360-118-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2368-581-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2428-151-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2648-740-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2716-269-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2728-280-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2908-789-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2936-237-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2940-22-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/2972-541-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3024-54-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3028-573-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3124-501-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3224-333-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3236-469-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3348-517-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3392-813-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3424-684-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3456-724-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3476-33-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3500-421-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3508-194-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3568-445-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3584-412-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3756-629-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3760-644-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3768-525-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3792-557-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3900-376-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3900-453-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3900-660-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3900-85-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3920-140-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3964-509-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3976-732-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/3988-312-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4008-385-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4228-533-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4232-360-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4268-173-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4324-352-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4372-248-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4392-773-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4392-764-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4396-748-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4412-765-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4544-821-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4576-290-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4600-549-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4896-829-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4920-565-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/4992-781-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB

                                                                                                                                                      • memory/5052-756-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        92KB