0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
Size

107KB
MD5

88bc89ab98e89837bf13a0256671e6da
SHA1

d9a2e91647e217168d3b570f2d247e4e62fb0981
SHA256

0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175
SHA512

3c88c79ff351275ddfb2c274504eced993a21bfd60d9cee323f34d99f35ee8a5b6d192566fe1bd09f419f62ac662b6970f0fac34e7cdee70cde010bf8121b7b6
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxzl4UQ:yfjxrhzk2nfsWhP7dvavi6vWEbh8X9O

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	wncnaduw.exe
2648	wonxgro.exe
2268	wptqp.exe
1464	wyjmq.exe
2944	wckxhxm.exe
1788	wkbg.exe
1532	wpq.exe
2432	wwuram.exe
2168	wuodnj.exe
3060	wgfyml.exe
1772	wsmpqf.exe
2864	wvcbrtd.exe
1608	wox.exe
2108	wryymrdym.exe
1880	wgdxudddk.exe
1308	wxilpne.exe
2332	wyes.exe
2716	wujbe.exe
3012	wybofu.exe
572	wip.exe
2252	wqqbebyev.exe
2892	waj.exe
2864	wtqdsjk.exe
1680	whfujbqe.exe
1808	wybwx.exe
1192	whqfpq.exe
2932	wmvu.exe
2616	wrb.exe
2772	wfia.exe
1572	wwvnel.exe
308	wglkemadu.exe
1992	wegxqlwju.exe
2944	wamg.exe
300	wyeumkx.exe
2024	wvx.exe
1600	wfop.exe
2460	watxeq.exe
2760	wlhwane.exe
1856	wcrhxdh.exe
1604	wtgtgmrna.exe
1832	wyjjivim.exe
1484	wvq.exe
1736	wmwe.exe
2008	wexeduk.exe
1088	wntmjxvbe.exe
2940	wvkvbb.exe
3012	wtf.exe
1156	wbgamggmv.exe
2564	wglooou.exe
2004	wlr.exe
2888	wkrpywo.exe
1528	whc.exe
2248	wsroewd.exe
876	wuiygjbl.exe
2796	wctqupx.exe
1748	whnv.exe
2196	whpvgthm.exe
2260	wqthytab.exe
2864	warqfv.exe
940	wigndw.exe
448	wtkwwv.exe
3056	wydd.exe
3032	wlefp.exe
1672	wyalmqpln.exe

Loads dropped DLL 64 IoCs

pid	Process
1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
2732	wncnaduw.exe
2732	wncnaduw.exe
2732	wncnaduw.exe
2732	wncnaduw.exe
2648	wonxgro.exe
2648	wonxgro.exe
2648	wonxgro.exe
2648	wonxgro.exe
2268	wptqp.exe
2268	wptqp.exe
2268	wptqp.exe
2268	wptqp.exe
1464	wyjmq.exe
1464	wyjmq.exe
1464	wyjmq.exe
1464	wyjmq.exe
2944	wckxhxm.exe
2944	wckxhxm.exe
2944	wckxhxm.exe
2944	wckxhxm.exe
1788	wkbg.exe
1788	wkbg.exe
1788	wkbg.exe
1788	wkbg.exe
1532	wpq.exe
1532	wpq.exe
1532	wpq.exe
1532	wpq.exe
2432	wwuram.exe
2432	wwuram.exe
2432	wwuram.exe
2432	wwuram.exe
2168	wuodnj.exe
2168	wuodnj.exe
2168	wuodnj.exe
2168	wuodnj.exe
3060	wgfyml.exe
3060	wgfyml.exe
3060	wgfyml.exe
3060	wgfyml.exe
1772	wsmpqf.exe
1772	wsmpqf.exe
1772	wsmpqf.exe
1772	wsmpqf.exe
2864	wvcbrtd.exe
2864	wvcbrtd.exe
2864	wvcbrtd.exe
2864	wvcbrtd.exe
1608	wox.exe
1608	wox.exe
1608	wox.exe
1608	wox.exe
2108	wryymrdym.exe
2108	wryymrdym.exe
2108	wryymrdym.exe
2108	wryymrdym.exe
1880	wgdxudddk.exe
1880	wgdxudddk.exe
1880	wgdxudddk.exe
1880	wgdxudddk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wnqybq.exe	wrjqoncx.exe
File created	C:\Windows\SysWOW64\wybitfwlv.exe	wsvsrwi.exe
File opened for modification	C:\Windows\SysWOW64\wuodnj.exe	wwuram.exe
File created	C:\Windows\SysWOW64\wybwx.exe	whfujbqe.exe
File opened for modification	C:\Windows\SysWOW64\wsroewd.exe	whc.exe
File opened for modification	C:\Windows\SysWOW64\whpvgthm.exe	whnv.exe
File created	C:\Windows\SysWOW64\wjlcj.exe	wfflifd.exe
File opened for modification	C:\Windows\SysWOW64\wmwe.exe	wvq.exe
File opened for modification	C:\Windows\SysWOW64\wyalmqpln.exe	wlefp.exe
File created	C:\Windows\SysWOW64\weeolx.exe	wpovt.exe
File created	C:\Windows\SysWOW64\wnqdqmsm.exe	wynufvxj.exe
File created	C:\Windows\SysWOW64\wqthytab.exe	whpvgthm.exe
File created	C:\Windows\SysWOW64\wfia.exe	wrb.exe
File opened for modification	C:\Windows\SysWOW64\wwvnel.exe	wfia.exe
File created	C:\Windows\SysWOW64\wcrhxdh.exe	wlhwane.exe
File opened for modification	C:\Windows\SysWOW64\wvq.exe	wyjjivim.exe
File created	C:\Windows\SysWOW64\wfgdqneqw.exe	wvptxkc.exe
File created	C:\Windows\SysWOW64\wujbe.exe	wyes.exe
File opened for modification	C:\Windows\SysWOW64\wexeduk.exe	wmwe.exe
File opened for modification	C:\Windows\SysWOW64\weeolx.exe	wpovt.exe
File opened for modification	C:\Windows\SysWOW64\wafefrgm.exe	wumykid.exe
File opened for modification	C:\Windows\SysWOW64\wmvu.exe	whqfpq.exe
File created	C:\Windows\SysWOW64\wfyhk.exe	wjioswj.exe
File created	C:\Windows\SysWOW64\wjkrsw.exe	wfgdqneqw.exe
File opened for modification	C:\Windows\SysWOW64\wwpxskua.exe	wsbakcumc.exe
File created	C:\Windows\SysWOW64\wigndw.exe	warqfv.exe
File created	C:\Windows\SysWOW64\wpmtnon.exe	wxnuyera.exe
File opened for modification	C:\Windows\SysWOW64\wchphcd.exe	woryqk.exe
File created	C:\Windows\SysWOW64\wbjdnu.exe	wfrkuqx.exe
File created	C:\Windows\SysWOW64\wkrpywo.exe	wlr.exe
File opened for modification	C:\Windows\SysWOW64\wydd.exe	wtkwwv.exe
File created	C:\Windows\SysWOW64\whirgimu.exe	wlcjuf.exe
File created	C:\Windows\SysWOW64\wsmpqf.exe	wgfyml.exe
File opened for modification	C:\Windows\SysWOW64\wybofu.exe	wujbe.exe
File created	C:\Windows\SysWOW64\wip.exe	wybofu.exe
File opened for modification	C:\Windows\SysWOW64\wtf.exe	wvkvbb.exe
File created	C:\Windows\SysWOW64\wiwbvbnq.exe	wtijfjhx.exe
File opened for modification	C:\Windows\SysWOW64\wihjlku.exe	wyqnmjr.exe
File opened for modification	C:\Windows\SysWOW64\wfflifd.exe	wdmdeo.exe
File created	C:\Windows\SysWOW64\wyes.exe	wxilpne.exe
File created	C:\Windows\SysWOW64\wsroewd.exe	whc.exe
File created	C:\Windows\SysWOW64\woryqk.exe	wpmtnon.exe
File opened for modification	C:\Windows\SysWOW64\wjioswj.exe	wrelqn.exe
File created	C:\Windows\SysWOW64\wafefrgm.exe	wumykid.exe
File created	C:\Windows\SysWOW64\wgfyml.exe	wuodnj.exe
File opened for modification	C:\Windows\SysWOW64\wyes.exe	wxilpne.exe
File created	C:\Windows\SysWOW64\wlr.exe	wglooou.exe
File created	C:\Windows\SysWOW64\whpvgthm.exe	whnv.exe
File created	C:\Windows\SysWOW64\wpq.exe	wkbg.exe
File created	C:\Windows\SysWOW64\wtijfjhx.exe	wsoabrh.exe
File opened for modification	C:\Windows\SysWOW64\wgfyml.exe	wuodnj.exe
File created	C:\Windows\SysWOW64\wqqbebyev.exe	wip.exe
File created	C:\Windows\SysWOW64\wvk.exe	wmyqy.exe
File created	C:\Windows\SysWOW64\wsundyxj.exe	wnqybq.exe
File created	C:\Windows\SysWOW64\wmkukj.exe	wdhjqjt.exe
File created	C:\Windows\SysWOW64\wjioswj.exe	wrelqn.exe
File created	C:\Windows\SysWOW64\wmkjfkkh.exe	whvjwbkr.exe
File created	C:\Windows\SysWOW64\wkbg.exe	wckxhxm.exe
File opened for modification	C:\Windows\SysWOW64\wegxqlwju.exe	wglkemadu.exe
File opened for modification	C:\Windows\SysWOW64\whnv.exe	wctqupx.exe
File created	C:\Windows\SysWOW64\wtkwwv.exe	wigndw.exe
File opened for modification	C:\Windows\SysWOW64\wtpntff.exe	wqycsr.exe
File opened for modification	C:\Windows\SysWOW64\wnvmvbr.exe	wrcoqy.exe
File created	C:\Windows\SysWOW64\wvmtms.exe	wiwbvbnq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
328	1680	WerFault.exe	99
3032	2564	WerFault.exe	176
2344	2196	WerFault.exe	202
1088	868	WerFault.exe	248
3024	376	WerFault.exe	255
1716	2528	WerFault.exe	274
1948	2304	WerFault.exe	290
2444	2756	WerFault.exe	324
3024	2840	WerFault.exe	370

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wamg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqycsr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbphr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwvnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmyqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdhjqjt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wglkemadu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	warqfv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whirgimu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyqnmjr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wntmjxvbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfyhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wohhtp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiwbvbnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wchphcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpxayno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wegxqlwju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqirrk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wenjrsod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrimt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcrsuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waravnkcy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2564	wglooou.exe
2756	wfyhk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2732	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	30
PID 1812 wrote to memory of 2732	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	30
PID 1812 wrote to memory of 2732	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	30
PID 1812 wrote to memory of 2732	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	30
PID 1812 wrote to memory of 2752	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	31
PID 1812 wrote to memory of 2752	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	31
PID 1812 wrote to memory of 2752	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	31
PID 1812 wrote to memory of 2752	1812	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	31
PID 2732 wrote to memory of 2648	2732	wncnaduw.exe	33
PID 2732 wrote to memory of 2648	2732	wncnaduw.exe	33
PID 2732 wrote to memory of 2648	2732	wncnaduw.exe	33
PID 2732 wrote to memory of 2648	2732	wncnaduw.exe	33
PID 2732 wrote to memory of 1652	2732	wncnaduw.exe	34
PID 2732 wrote to memory of 1652	2732	wncnaduw.exe	34
PID 2732 wrote to memory of 1652	2732	wncnaduw.exe	34
PID 2732 wrote to memory of 1652	2732	wncnaduw.exe	34
PID 2648 wrote to memory of 2268	2648	wonxgro.exe	36
PID 2648 wrote to memory of 2268	2648	wonxgro.exe	36
PID 2648 wrote to memory of 2268	2648	wonxgro.exe	36
PID 2648 wrote to memory of 2268	2648	wonxgro.exe	36
PID 2648 wrote to memory of 1440	2648	wonxgro.exe	37
PID 2648 wrote to memory of 1440	2648	wonxgro.exe	37
PID 2648 wrote to memory of 1440	2648	wonxgro.exe	37
PID 2648 wrote to memory of 1440	2648	wonxgro.exe	37
PID 2268 wrote to memory of 1464	2268	wptqp.exe	39
PID 2268 wrote to memory of 1464	2268	wptqp.exe	39
PID 2268 wrote to memory of 1464	2268	wptqp.exe	39
PID 2268 wrote to memory of 1464	2268	wptqp.exe	39
PID 2268 wrote to memory of 3032	2268	wptqp.exe	40
PID 2268 wrote to memory of 3032	2268	wptqp.exe	40
PID 2268 wrote to memory of 3032	2268	wptqp.exe	40
PID 2268 wrote to memory of 3032	2268	wptqp.exe	40
PID 1464 wrote to memory of 2944	1464	wyjmq.exe	42
PID 1464 wrote to memory of 2944	1464	wyjmq.exe	42
PID 1464 wrote to memory of 2944	1464	wyjmq.exe	42
PID 1464 wrote to memory of 2944	1464	wyjmq.exe	42
PID 1464 wrote to memory of 1092	1464	wyjmq.exe	43
PID 1464 wrote to memory of 1092	1464	wyjmq.exe	43
PID 1464 wrote to memory of 1092	1464	wyjmq.exe	43
PID 1464 wrote to memory of 1092	1464	wyjmq.exe	43
PID 2944 wrote to memory of 1788	2944	wckxhxm.exe	45
PID 2944 wrote to memory of 1788	2944	wckxhxm.exe	45
PID 2944 wrote to memory of 1788	2944	wckxhxm.exe	45
PID 2944 wrote to memory of 1788	2944	wckxhxm.exe	45
PID 2944 wrote to memory of 1528	2944	wckxhxm.exe	46
PID 2944 wrote to memory of 1528	2944	wckxhxm.exe	46
PID 2944 wrote to memory of 1528	2944	wckxhxm.exe	46
PID 2944 wrote to memory of 1528	2944	wckxhxm.exe	46
PID 1788 wrote to memory of 1532	1788	wkbg.exe	48
PID 1788 wrote to memory of 1532	1788	wkbg.exe	48
PID 1788 wrote to memory of 1532	1788	wkbg.exe	48
PID 1788 wrote to memory of 1532	1788	wkbg.exe	48
PID 1788 wrote to memory of 1324	1788	wkbg.exe	49
PID 1788 wrote to memory of 1324	1788	wkbg.exe	49
PID 1788 wrote to memory of 1324	1788	wkbg.exe	49
PID 1788 wrote to memory of 1324	1788	wkbg.exe	49
PID 1532 wrote to memory of 2432	1532	wpq.exe	51
PID 1532 wrote to memory of 2432	1532	wpq.exe	51
PID 1532 wrote to memory of 2432	1532	wpq.exe	51
PID 1532 wrote to memory of 2432	1532	wpq.exe	51
PID 1532 wrote to memory of 876	1532	wpq.exe	52
PID 1532 wrote to memory of 876	1532	wpq.exe	52
PID 1532 wrote to memory of 876	1532	wpq.exe	52
PID 1532 wrote to memory of 876	1532	wpq.exe	52

C:\Users\Admin\AppData\Local\Temp\0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
"C:\Users\Admin\AppData\Local\Temp\0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\wncnaduw.exe
  "C:\Windows\system32\wncnaduw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\wonxgro.exe
    "C:\Windows\system32\wonxgro.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\wptqp.exe
      "C:\Windows\system32\wptqp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\wyjmq.exe
        
        "C:\Windows\system32\wyjmq.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\SysWOW64\wckxhxm.exe
        
        "C:\Windows\system32\wckxhxm.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\wkbg.exe
        
        "C:\Windows\system32\wkbg.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\wpq.exe
        
        "C:\Windows\system32\wpq.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\wwuram.exe
        
        "C:\Windows\system32\wwuram.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\wuodnj.exe
        
        "C:\Windows\system32\wuodnj.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\wgfyml.exe
        
        "C:\Windows\system32\wgfyml.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\wsmpqf.exe
        
        "C:\Windows\system32\wsmpqf.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1772
        
        C:\Windows\SysWOW64\wvcbrtd.exe
        
        "C:\Windows\system32\wvcbrtd.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2864
        
        C:\Windows\SysWOW64\wox.exe
        
        "C:\Windows\system32\wox.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\wryymrdym.exe
        
        "C:\Windows\system32\wryymrdym.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2108
        
        C:\Windows\SysWOW64\wgdxudddk.exe
        
        "C:\Windows\system32\wgdxudddk.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1880
        
        C:\Windows\SysWOW64\wxilpne.exe
        
        "C:\Windows\system32\wxilpne.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\wyes.exe
        
        "C:\Windows\system32\wyes.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\wujbe.exe
        
        "C:\Windows\system32\wujbe.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\wybofu.exe
        
        "C:\Windows\system32\wybofu.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\wip.exe
        
        "C:\Windows\system32\wip.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\wqqbebyev.exe
        
        "C:\Windows\system32\wqqbebyev.exe"
        22⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\waj.exe
        
        "C:\Windows\system32\waj.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\wtqdsjk.exe
        
        "C:\Windows\system32\wtqdsjk.exe"
        24⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\whfujbqe.exe
        
        "C:\Windows\system32\whfujbqe.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\wybwx.exe
        
        "C:\Windows\system32\wybwx.exe"
        26⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\whqfpq.exe
        
        "C:\Windows\system32\whqfpq.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\wmvu.exe
        
        "C:\Windows\system32\wmvu.exe"
        28⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\wrb.exe
        
        "C:\Windows\system32\wrb.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\wfia.exe
        
        "C:\Windows\system32\wfia.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\wwvnel.exe
        
        "C:\Windows\system32\wwvnel.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\wglkemadu.exe
        
        "C:\Windows\system32\wglkemadu.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Windows\SysWOW64\wegxqlwju.exe
        
        "C:\Windows\system32\wegxqlwju.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\wamg.exe
        
        "C:\Windows\system32\wamg.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\wyeumkx.exe
        
        "C:\Windows\system32\wyeumkx.exe"
        35⤵
        Executes dropped EXE
        
        PID:300
        
        C:\Windows\SysWOW64\wvx.exe
        
        "C:\Windows\system32\wvx.exe"
        36⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\wfop.exe
        
        "C:\Windows\system32\wfop.exe"
        37⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\watxeq.exe
        
        "C:\Windows\system32\watxeq.exe"
        38⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\wlhwane.exe
        
        "C:\Windows\system32\wlhwane.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wcrhxdh.exe
        
        "C:\Windows\system32\wcrhxdh.exe"
        40⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\wtgtgmrna.exe
        
        "C:\Windows\system32\wtgtgmrna.exe"
        41⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\wyjjivim.exe
        
        "C:\Windows\system32\wyjjivim.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\wvq.exe
        
        "C:\Windows\system32\wvq.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\wmwe.exe
        
        "C:\Windows\system32\wmwe.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wexeduk.exe
        
        "C:\Windows\system32\wexeduk.exe"
        45⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\wntmjxvbe.exe
        
        "C:\Windows\system32\wntmjxvbe.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\wvkvbb.exe
        
        "C:\Windows\system32\wvkvbb.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wtf.exe
        
        "C:\Windows\system32\wtf.exe"
        48⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\wbgamggmv.exe
        
        "C:\Windows\system32\wbgamggmv.exe"
        49⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\wglooou.exe
        
        "C:\Windows\system32\wglooou.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of UnmapMainImage
        
        PID:2564
        
        C:\Windows\SysWOW64\wlr.exe
        
        "C:\Windows\system32\wlr.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\wkrpywo.exe
        
        "C:\Windows\system32\wkrpywo.exe"
        52⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\whc.exe
        
        "C:\Windows\system32\whc.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\wsroewd.exe
        
        "C:\Windows\system32\wsroewd.exe"
        54⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\wuiygjbl.exe
        
        "C:\Windows\system32\wuiygjbl.exe"
        55⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\wctqupx.exe
        
        "C:\Windows\system32\wctqupx.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\whnv.exe
        
        "C:\Windows\system32\whnv.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\whpvgthm.exe
        
        "C:\Windows\system32\whpvgthm.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\wqthytab.exe
        
        "C:\Windows\system32\wqthytab.exe"
        59⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\warqfv.exe
        
        "C:\Windows\system32\warqfv.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\wigndw.exe
        
        "C:\Windows\system32\wigndw.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\wtkwwv.exe
        
        "C:\Windows\system32\wtkwwv.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\wydd.exe
        
        "C:\Windows\system32\wydd.exe"
        63⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\wlefp.exe
        
        "C:\Windows\system32\wlefp.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\wyalmqpln.exe
        
        "C:\Windows\system32\wyalmqpln.exe"
        65⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\waravnkcy.exe
        
        "C:\Windows\system32\waravnkcy.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\wmyqy.exe
        
        "C:\Windows\system32\wmyqy.exe"
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\wvk.exe
        
        "C:\Windows\system32\wvk.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\wohhtp.exe
        
        "C:\Windows\system32\wohhtp.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\wdhjqjt.exe
        
        "C:\Windows\system32\wdhjqjt.exe"
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\wmkukj.exe
        
        "C:\Windows\system32\wmkukj.exe"
        71⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\wlcjuf.exe
        
        "C:\Windows\system32\wlcjuf.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\whirgimu.exe
        
        "C:\Windows\system32\whirgimu.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\wpxayno.exe
        
        "C:\Windows\system32\wpxayno.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\wdtuddes.exe
        
        "C:\Windows\system32\wdtuddes.exe"
        75⤵
        
        PID:376
        
        C:\Windows\SysWOW64\wrimt.exe
        
        "C:\Windows\system32\wrimt.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\wodagthr.exe
        
        "C:\Windows\system32\wodagthr.exe"
        77⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\wqirrk.exe
        
        "C:\Windows\system32\wqirrk.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\wpovt.exe
        
        "C:\Windows\system32\wpovt.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\weeolx.exe
        
        "C:\Windows\system32\weeolx.exe"
        80⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\wxnuyera.exe
        
        "C:\Windows\system32\wxnuyera.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wpmtnon.exe
        
        "C:\Windows\system32\wpmtnon.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\woryqk.exe
        
        "C:\Windows\system32\woryqk.exe"
        83⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\wchphcd.exe
        
        "C:\Windows\system32\wchphcd.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wenjrsod.exe
        
        "C:\Windows\system32\wenjrsod.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\wrjqoncx.exe
        
        "C:\Windows\system32\wrjqoncx.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\wnqybq.exe
        
        "C:\Windows\system32\wnqybq.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\wsundyxj.exe
        
        "C:\Windows\system32\wsundyxj.exe"
        88⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\wcjjcyao.exe
        
        "C:\Windows\system32\wcjjcyao.exe"
        89⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\wqycsr.exe
        
        "C:\Windows\system32\wqycsr.exe"
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\wtpntff.exe
        
        "C:\Windows\system32\wtpntff.exe"
        91⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\wvjvyug.exe
        
        "C:\Windows\system32\wvjvyug.exe"
        92⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wrcoqy.exe
        
        "C:\Windows\system32\wrcoqy.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\wnvmvbr.exe
        
        "C:\Windows\system32\wnvmvbr.exe"
        94⤵
        
        PID:844
        
        C:\Windows\SysWOW64\wrelqn.exe
        
        "C:\Windows\system32\wrelqn.exe"
        95⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\wjioswj.exe
        
        "C:\Windows\system32\wjioswj.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wfyhk.exe
        
        "C:\Windows\system32\wfyhk.exe"
        97⤵
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:2756
        
        C:\Windows\SysWOW64\wsoabrh.exe
        
        "C:\Windows\system32\wsoabrh.exe"
        98⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\wtijfjhx.exe
        
        "C:\Windows\system32\wtijfjhx.exe"
        99⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\wiwbvbnq.exe
        
        "C:\Windows\system32\wiwbvbnq.exe"
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\wvmtms.exe
        
        "C:\Windows\system32\wvmtms.exe"
        101⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\wsgga.exe
        
        "C:\Windows\system32\wsgga.exe"
        102⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\wumykid.exe
        
        "C:\Windows\system32\wumykid.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\wafefrgm.exe
        
        "C:\Windows\system32\wafefrgm.exe"
        104⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\wotuvj.exe
        
        "C:\Windows\system32\wotuvj.exe"
        105⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\wpapfa.exe
        
        "C:\Windows\system32\wpapfa.exe"
        106⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\worepvt.exe
        
        "C:\Windows\system32\worepvt.exe"
        107⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\wjhnrb.exe
        
        "C:\Windows\system32\wjhnrb.exe"
        108⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\wwipotc.exe
        
        "C:\Windows\system32\wwipotc.exe"
        109⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\wyqnmjr.exe
        
        "C:\Windows\system32\wyqnmjr.exe"
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\wihjlku.exe
        
        "C:\Windows\system32\wihjlku.exe"
        111⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\wynufvxj.exe
        
        "C:\Windows\system32\wynufvxj.exe"
        112⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\wnqdqmsm.exe
        
        "C:\Windows\system32\wnqdqmsm.exe"
        113⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\wsvsrwi.exe
        
        "C:\Windows\system32\wsvsrwi.exe"
        114⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\wybitfwlv.exe
        
        "C:\Windows\system32\wybitfwlv.exe"
        115⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\wcrsuq.exe
        
        "C:\Windows\system32\wcrsuq.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\whvjwbkr.exe
        
        "C:\Windows\system32\whvjwbkr.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\wmkjfkkh.exe
        
        "C:\Windows\system32\wmkjfkkh.exe"
        118⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\wvptxkc.exe
        
        "C:\Windows\system32\wvptxkc.exe"
        119⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\wfgdqneqw.exe
        
        "C:\Windows\system32\wfgdqneqw.exe"
        120⤵
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\wjkrsw.exe
        
        "C:\Windows\system32\wjkrsw.exe"
        121⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\wsbakcumc.exe
        
        "C:\Windows\system32\wsbakcumc.exe"
        122⤵
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\wwpxskua.exe
        
        "C:\Windows\system32\wwpxskua.exe"
        123⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\wdvamwhs.exe
        
        "C:\Windows\system32\wdvamwhs.exe"
        124⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\wdmdeo.exe
        
        "C:\Windows\system32\wdmdeo.exe"
        125⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\wfflifd.exe
        
        "C:\Windows\system32\wfflifd.exe"
        126⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\wjlcj.exe
        
        "C:\Windows\system32\wjlcj.exe"
        127⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\wfrkuqx.exe
        
        "C:\Windows\system32\wfrkuqx.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\wbjdnu.exe
        
        "C:\Windows\system32\wbjdnu.exe"
        129⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\wbphr.exe
        
        "C:\Windows\system32\wbphr.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\wgfh.exe
        
        "C:\Windows\system32\wgfh.exe"
        131⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbphr.exe"
        131⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjdnu.exe"
        130⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrkuqx.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlcj.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfflifd.exe"
        127⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmdeo.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvamwhs.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpxskua.exe"
        124⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbakcumc.exe"
        123⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkrsw.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgdqneqw.exe"
        121⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvptxkc.exe"
        120⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkjfkkh.exe"
        119⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvjwbkr.exe"
        118⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrsuq.exe"
        117⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybitfwlv.exe"
        116⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvsrwi.exe"
        115⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqdqmsm.exe"
        114⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynufvxj.exe"
        113⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 184
        113⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihjlku.exe"
        112⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqnmjr.exe"
        111⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwipotc.exe"
        110⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhnrb.exe"
        109⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worepvt.exe"
        108⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpapfa.exe"
        107⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotuvj.exe"
        106⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafefrgm.exe"
        105⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumykid.exe"
        104⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgga.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmtms.exe"
        102⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwbvbnq.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtijfjhx.exe"
        100⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsoabrh.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyhk.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 884
        98⤵
        Program crash
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjioswj.exe"
        97⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrelqn.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnvmvbr.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcoqy.exe"
        94⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjvyug.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpntff.exe"
        92⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqycsr.exe"
        91⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjjcyao.exe"
        90⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsundyxj.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqybq.exe"
        88⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqoncx.exe"
        87⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 796
        87⤵
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenjrsod.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchphcd.exe"
        85⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woryqk.exe"
        84⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmtnon.exe"
        83⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnuyera.exe"
        82⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 184
        82⤵
        Program crash
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weeolx.exe"
        81⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpovt.exe"
        80⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqirrk.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodagthr.exe"
        78⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrimt.exe"
        77⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtuddes.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 184
        76⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxayno.exe"
        75⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirgimu.exe"
        74⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 184
        74⤵
        Program crash
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcjuf.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkukj.exe"
        72⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdhjqjt.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohhtp.exe"
        70⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvk.exe"
        69⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyqy.exe"
        68⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waravnkcy.exe"
        67⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyalmqpln.exe"
        66⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlefp.exe"
        65⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydd.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkwwv.exe"
        63⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigndw.exe"
        62⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warqfv.exe"
        61⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqthytab.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpvgthm.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 180
        59⤵
        Program crash
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnv.exe"
        58⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctqupx.exe"
        57⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiygjbl.exe"
        56⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsroewd.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whc.exe"
        54⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrpywo.exe"
        53⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlr.exe"
        52⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglooou.exe"
        51⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 204
        51⤵
        Program crash
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgamggmv.exe"
        50⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtf.exe"
        49⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkvbb.exe"
        48⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntmjxvbe.exe"
        47⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexeduk.exe"
        46⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwe.exe"
        45⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvq.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjjivim.exe"
        43⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgtgmrna.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrhxdh.exe"
        41⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhwane.exe"
        40⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watxeq.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfop.exe"
        38⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvx.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyeumkx.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamg.exe"
        35⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegxqlwju.exe"
        34⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglkemadu.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvnel.exe"
        32⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfia.exe"
        31⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrb.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvu.exe"
        29⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqfpq.exe"
        28⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybwx.exe"
        27⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfujbqe.exe"
        26⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 184
        26⤵
        Program crash
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqdsjk.exe"
        25⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waj.exe"
        24⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqbebyev.exe"
        23⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wip.exe"
        22⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybofu.exe"
        21⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujbe.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyes.exe"
        19⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxilpne.exe"
        18⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdxudddk.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryymrdym.exe"
        16⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wox.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcbrtd.exe"
        14⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmpqf.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfyml.exe"
        12⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuodnj.exe"
        11⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuram.exe"
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpq.exe"
        9⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbg.exe"
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckxhxm.exe"
        7⤵
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjmq.exe"
        6⤵
        
        PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptqp.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonxgro.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncnaduw.exe"
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe"
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F4RO075G.txt

Filesize
132B

MD5
0a4a894b6492a123a1eac300c5962a01

SHA1
3b249583a963d0edfef16f2fcc04ba11ede94041

SHA256
02e57c50689cdf7299d663f86536c222ecf9507eccfc482f54c026245a6f3eab

SHA512
9b2944f4e08db766ebdbdd3ded67c98f7c7cb70270d4e4614e50a699f1ce21a45b2605fb5259bf1964905c172e8f0e86292c70b542f7e3a4cc9afeebc6e18a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H4BK43C3.txt

Filesize
98B

MD5
a55ea7eb3e368f88734a134a9c7df45d

SHA1
c920733315cecd20e7c0770929b7bf53085670d0

SHA256
00516fe78fe9aadc305e46614d0199dab0283bdc5410fca7d53d98eabe90373a

SHA512
3d99a0e6fb7ec1843daa91fcf4f6e870045f87d2c4770d89ec1bb21b33b7fdbd68c60bac14b2c670fa41eceafb93697a170886adf526690e7194d48af9d38142

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TLOT1Z84.txt

Filesize
132B

MD5
8fde257bfa1c8b0c5ce7770acc6c0f22

SHA1
1ba315c82e0d5b0b425c750c2831f1830c7dcddc

SHA256
1d83f888bebfc3ab51d58a3fc48d8fcd235b237e7b09727c52035d9545c883ae

SHA512
6d60f809ad7dcf46f1ef33539e5dde578f1eefb741d215de8ac502f44d87230b84543d5b12d1828f88a8aca83c38b7544ade85af554ddbf053f55b3cb3b28fa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W8E3T1CS.txt

Filesize
132B

MD5
e373f029fd5302b9a9abfc24d522cf15

SHA1
4c4c594c08372c5e325407765b79bc7590ca5858

SHA256
656ec1ba0d4a016b812a70b05c962337a22d8d0c7f6cc92c39086dbba664f728

SHA512
2e4649c6158324a46fb14036b0e143d8ec305a1ee3c3d36d3b05031dc9f6cd1f39d0e2eaf8034ee62e1127f4d8a47b881264654fb7ce4e3f67d0b113ab88aaf2

Download Submit
\Windows\SysWOW64\wckxhxm.exe

Filesize
107KB

MD5
952284bf113020383897180f5cce2cbd

SHA1
389aa75197a9551fc8930711a77d539f505cf797

SHA256
4b7d12dea28a7a5133233bf0ef302f053fa1dde3f785547ff52f81b4de58ad78

SHA512
50244a7baaec78fce8c7e5dff42948d8e40bc8d3a1ab3016992486f35825a69cf89197fd66d0ab247b1ee1f75224501b6550ff4fc4b0aa0701991d0cd13eb798

Download Submit
\Windows\SysWOW64\wgfyml.exe

Filesize
107KB

MD5
ed63a5fa00998d50b767f69108a1979e

SHA1
68f51e60697d41dd895a4b86f878addd9b1a5490

SHA256
c60bb270ab8111f7e3966b5dee8f7be7c049f1bfa2978b2b870e8f1daf94d183

SHA512
931689e774b24643b724753e160821ea023147a14740c9266305662af287e0463bbde7ca690011f60ea716cde9c0645ad5736c9d74514c8b202c5533eb5d0072

Download Submit
\Windows\SysWOW64\wkbg.exe

Filesize
107KB

MD5
553821dd6a8be1857c333de8d3602e28

SHA1
a7f6c75f8db3b52425bf64d3e7523567d0c94c9a

SHA256
9788f6bc1d7ee3387b3fa70e0e60faa744635db0505c8c46aa81a110cbe9f6bd

SHA512
8a4b9d630064266005e7e3ff1375f4519a480c7574069bfe463d8cdc6ad0ea39c05a97340e608e0afc595ac2feb0f7ffb7bd0c0395bc68cb5afef23921636dff

Download Submit
\Windows\SysWOW64\wncnaduw.exe

Filesize
107KB

MD5
970e49a3baa12539e1d3df8dd110481a

SHA1
59842585f7a6f359ca1b3f25f2e2cc34c015ad2f

SHA256
f1432c7ef85a85b11ccf2a6f73633267465490859f5114315ddea0bcb62e459e

SHA512
51e60362f4bed053f2d6e80164bb74cfc10fbd8b009b6909bde2c1cf57db14ef16da2546a7a25fb24a181f5934be45c9d98a968baf59bd74491366eac59eb632

Download Submit
\Windows\SysWOW64\wonxgro.exe

Filesize
107KB

MD5
378193ba8017beef8691f53979a431f1

SHA1
471814fef4053a7c41f763bbd93cadf283205f54

SHA256
298797f3f8aafbcb303dd1a3e689ce90e50f84d994bc4e1aacb086e67ccf41fa

SHA512
cfd06785dcaca819c081608f6ef582f786098dd5823e2b78d9db34641ec914df8ca0601ed12c8855ff860c961918836dd398a678debdcc2a1073655f1e5b5df5

Download Submit
\Windows\SysWOW64\wpq.exe

Filesize
107KB

MD5
fbae57437a948f09823013cbff88f0cf

SHA1
a6ec7012c207fd79696b901c07ddc470f765b4a7

SHA256
5e5b2d3b2e2fcf2435939bae927680b8a92a2d0dd12149b155b25a98c7d5c03a

SHA512
ec12124a652cbee519dfe6415b955c0771961247a009cba7b630a01b5775faa2df3fe0ef7d75a4b2e50c72670073711034b511f286209a2327de6a52a66dc656

Download Submit
\Windows\SysWOW64\wptqp.exe

Filesize
107KB

MD5
c4400517a58ea38791a4eae82057e8b1

SHA1
752c7005651be6b95b5ff495bff39c33ff063d78

SHA256
06a87925e15c32c903f1b517d29c1eeb46404030cdecebad3655b9d62125b954

SHA512
0a8776c5309c0f0a65e3a5adbed99a7469fa82a526b6859f7c2d93bb0e85ec4e42a7c4a672da4d1b918e2fa806f25152872b2c4955c73ae5300b198b205d2683

Download Submit
\Windows\SysWOW64\wuodnj.exe

Filesize
107KB

MD5
6e056519ad31f4ecf33ea5ca9ecdbaf2

SHA1
18cf20a2618a59f585fdc4866449b8f375490e8e

SHA256
83246bb181e47151d074fe8bc35e71cb036cf390c3e67650ee78994dbe7f6161

SHA512
01ca80688302eabb82e8eace3f40a3d4a76ec6c552e585433d83abd8911d61f4b200a534f43bba99760d4ed3e793ad98d33d104dca62a54e4792352416906795

Download Submit
\Windows\SysWOW64\wwuram.exe

Filesize
107KB

MD5
117593444d57df1845a019622207ceb8

SHA1
7de40cc4b43ecf653dda5335fd4f9c83e183cc6f

SHA256
0766d41cafea653e5724aa049e054456283aa85fee21542c6d6f656a4e63660f

SHA512
6ca235451cf568815d296bfbd29358f8e92bbdceff14e709405d7c9b06d9e6eadc3762f150c29c567edcbb5314905d2e1f9e809c2768094be65b9f3d9b211dbc

Download Submit
\Windows\SysWOW64\wyjmq.exe

Filesize
107KB

MD5
93ace10de624964802d38011359c3986

SHA1
c38b7a0ae3dea9aace58d35f0d2c639526678341

SHA256
ebc70d7f83128bdaa02f9138f2f5f9e96fb62d67ecc5bc9734411b5dfccc062d

SHA512
ad4b3f0d045a29ce9d325a820725418ba0334ebb68070f2d0bcb9ecd567d5d60e197a6f4960f194ae9ac9592ad2e86a64a12f3bafb57a247b4c2e7718a13a0b9

Download Submit
memory/572-390-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/572-391-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/572-392-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-483-0x0000000003370000-0x0000000003387000-memory.dmp

Filesize
92KB

Download
memory/1192-484-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-479-0x0000000003370000-0x0000000003387000-memory.dmp

Filesize
92KB

Download
memory/1308-331-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1308-329-0x0000000003E80000-0x0000000003E97000-memory.dmp

Filesize
92KB

Download
memory/1464-106-0x0000000002540000-0x0000000002557000-memory.dmp

Filesize
92KB

Download
memory/1464-109-0x0000000003340000-0x0000000003357000-memory.dmp

Filesize
92KB

Download
memory/1464-107-0x0000000002540000-0x0000000002557000-memory.dmp

Filesize
92KB

Download
memory/1464-108-0x0000000003340000-0x0000000003357000-memory.dmp

Filesize
92KB

Download
memory/1464-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-173-0x0000000004040000-0x0000000004057000-memory.dmp

Filesize
92KB

Download
memory/1532-175-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1608-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1608-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1672-1082-0x0000000074720000-0x0000000074778000-memory.dmp

Filesize
352KB

Download
memory/1672-1080-0x0000000076D70000-0x0000000076E8F000-memory.dmp

Filesize
1.1MB

Download
memory/1672-1083-0x0000000074790000-0x00000000747DF000-memory.dmp

Filesize
316KB

Download
memory/1672-1081-0x0000000076E90000-0x0000000076F8A000-memory.dmp

Filesize
1000KB

Download
memory/1672-1084-0x0000000003CF0000-0x0000000003EB4000-memory.dmp

Filesize
1.8MB

Download
memory/1680-453-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/1680-449-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/1680-468-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-253-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/1772-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1788-144-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/1788-153-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/1788-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1788-146-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/1808-454-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-462-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/1808-469-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-19-0x0000000002560000-0x0000000002577000-memory.dmp

Filesize
92KB

Download
memory/1812-12-0x00000000022E0000-0x00000000022F7000-memory.dmp

Filesize
92KB

Download
memory/1880-300-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1880-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1880-315-0x0000000003610000-0x0000000003627000-memory.dmp

Filesize
92KB

Download
memory/1880-311-0x0000000003160000-0x0000000003177000-memory.dmp

Filesize
92KB

Download
memory/2108-298-0x0000000003FE0000-0x0000000003FF7000-memory.dmp

Filesize
92KB

Download
memory/2108-299-0x0000000003FE0000-0x0000000003FF7000-memory.dmp

Filesize
92KB

Download
memory/2108-290-0x0000000003FE0000-0x0000000003FF7000-memory.dmp

Filesize
92KB

Download
memory/2108-301-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2168-219-0x00000000034C0000-0x00000000034D7000-memory.dmp

Filesize
92KB

Download
memory/2168-206-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/2168-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2168-212-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/2168-218-0x00000000034C0000-0x00000000034D7000-memory.dmp

Filesize
92KB

Download
memory/2168-222-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2252-399-0x00000000035B0000-0x00000000035C7000-memory.dmp

Filesize
92KB

Download
memory/2252-406-0x00000000035B0000-0x00000000035C7000-memory.dmp

Filesize
92KB

Download
memory/2252-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2268-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2268-85-0x00000000037F0000-0x0000000003807000-memory.dmp

Filesize
92KB

Download
memory/2268-79-0x00000000037F0000-0x0000000003807000-memory.dmp

Filesize
92KB

Download
memory/2268-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2332-330-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2332-346-0x0000000002280000-0x0000000002297000-memory.dmp

Filesize
92KB

Download
memory/2332-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2332-345-0x0000000002280000-0x0000000002297000-memory.dmp

Filesize
92KB

Download
memory/2332-341-0x0000000002280000-0x0000000002297000-memory.dmp

Filesize
92KB

Download
memory/2432-193-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download
memory/2432-194-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download
memory/2432-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2648-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2648-60-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2648-61-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2648-62-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2648-63-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2716-359-0x00000000021D0000-0x00000000021E7000-memory.dmp

Filesize
92KB

Download
memory/2716-361-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/2716-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2732-40-0x0000000004120000-0x0000000004137000-memory.dmp

Filesize
92KB

Download
memory/2732-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2864-263-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/2864-265-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/2864-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2864-438-0x0000000002080000-0x0000000002097000-memory.dmp

Filesize
92KB

Download
memory/2864-437-0x0000000002080000-0x0000000002097000-memory.dmp

Filesize
92KB

Download
memory/2864-433-0x0000000002080000-0x0000000002097000-memory.dmp

Filesize
92KB

Download
memory/2864-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2864-269-0x00000000035B0000-0x00000000035C7000-memory.dmp

Filesize
92KB

Download
memory/2892-417-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/2892-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-422-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/2892-421-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/2944-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2944-131-0x0000000002310000-0x0000000002327000-memory.dmp

Filesize
92KB

Download
memory/2944-130-0x0000000002310000-0x0000000002327000-memory.dmp

Filesize
92KB

Download
memory/2944-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-373-0x0000000004040000-0x0000000004057000-memory.dmp

Filesize
92KB

Download
memory/3012-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-363-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-236-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/3060-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-238-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/3060-237-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download