3a9b09f1ee3b7cbfe206775914f93cfe9e269f9975b5c11cfe4a8c7108853ae0

Analysis

max time kernel
115s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84e53c73da75ce80f906e6fb0e6e7770_exe32.exe
Size

440KB
MD5

84e53c73da75ce80f906e6fb0e6e7770
SHA1

4236cc48bb0f861268cf3a253e7340423df3fe9b
SHA256

3a9b09f1ee3b7cbfe206775914f93cfe9e269f9975b5c11cfe4a8c7108853ae0
SHA512

b7e7574dffe68fa3bb8917d760fcaa856a747075c33b0c55e2b96f21a84566d6ec1c8c3ced5ad1b57560e2a7eec3e4f452069cbdb042f8a26fb8662211c511ba
SSDEEP

12288:QT6SZhP46SCTbSwgS1IaPRJbDh4i0vm4OsKN5sTuGj:QThhP46SCTbSwgS1IaPRJbDh4i0vm4OG

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
187	4080	cmd.exe
188	4080	cmd.exe
193	4744	cmd.exe
194	4744	cmd.exe
216	4172	cmd.exe
217	4172	cmd.exe
279	688	cmd.exe
280	688	cmd.exe
301	4524	cmd.exe
302	4524	cmd.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	weeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wacvmpv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wrmtjif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wsrkjshly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wsipduwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wctj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wvdelh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	whwur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wwbbwb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wepont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wyg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wdo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	whwal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wkkljb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wxioue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wtgssf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wnbolh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wdy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wjuh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wmwrgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wkiqe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wtyyioqu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wsksi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wcfdoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wxnfkjum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wqch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wcmstaq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wwauht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	weehfka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wbpxex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wrqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wplhac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wjlamw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wfke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wqrfxvpdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wbrouu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	whc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	whmfbs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wpkgpil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wlxhv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	whirfaqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wfuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wpyirfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wendpnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wosobvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wtsato.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wdvcthyt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wmbvcgfo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	webqftr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wrenq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wjafirm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wqcwxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wvoeop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wtxuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wlkbyek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wxsnobrd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	weka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wltwytgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wseto.exe

Executes dropped EXE 64 IoCs

pid	Process
1780	wqrfxvpdj.exe
3772	wrkdsgs.exe
4996	wxbmmo.exe
2480	wuhrrmb.exe
232	wbhl.exe
3580	wtgssf.exe
2144	weeb.exe
4208	wkfsrmef.exe
2356	wkiqe.exe
4064	wtigvi.exe
4496	whirfaqa.exe
1256	wjafirm.exe
1456	wxnfkjum.exe
3796	wojx.exe
3200	wacvmpv.exe
4328	whdpnx.exe
4504	wcmstaq.exe
4452	wvisbg.exe
1428	wfuq.exe
1752	wxqrhpd.exe
3364	wnqdrh.exe
4696	wqch.exe
4220	wendpnr.exe
1944	wdo.exe
1780	wmwrgh.exe
4800	wlkbyek.exe
3380	wbrouu.exe
1428	woryf.exe
3732	wegage.exe
2956	wnbolh.exe
3000	wepont.exe
2524	woxrk.exe
2056	whwal.exe
4308	wqcwxi.exe
2272	wbr.exe
2708	wsrkjshly.exe
1700	wulfenh.exe
3300	wyg.exe
872	wmgicpctp.exe
1184	wwauht.exe
4504	wseto.exe
1852	whdt.exe
3908	wvdelh.exe
2516	wrmtjif.exe
2084	wtltsahs.exe
2012	whmfbs.exe
500	wdy.exe
1944	wntpxa.exe
1868	weehfka.exe
4504	wseto.exe
4080	cmd.exe
1796	wmmmfg.exe
3516	wosobvn.exe
4744	cmd.exe
2240	WerFault.exe
1384	wqlmvfqyy.exe
3768	wnucug.exe
3076	wtyyioqu.exe
4060	wim.exe
3792	weka.exe
2704	wrotsd.exe
1168	wpyirfx.exe
4348	Conhost.exe
4172	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wrenq.exe	wjlamw.exe
File opened for modification	C:\Windows\SysWOW64\wuhrrmb.exe	wxbmmo.exe
File created	C:\Windows\SysWOW64\wtgssf.exe	wbhl.exe
File created	C:\Windows\SysWOW64\wcmstaq.exe	whdpnx.exe
File created	C:\Windows\SysWOW64\woxrk.exe	wepont.exe
File opened for modification	C:\Windows\SysWOW64\wcjdn.exe	wwauht.exe
File opened for modification	C:\Windows\SysWOW64\wyobju.exe	wdvcthyt.exe
File opened for modification	C:\Windows\SysWOW64\wvisbg.exe	wcmstaq.exe
File opened for modification	C:\Windows\SysWOW64\wegage.exe	woryf.exe
File created	C:\Windows\SysWOW64\wrotsd.exe	weka.exe
File created	C:\Windows\SysWOW64\wsyrqf.exe	wyobju.exe
File opened for modification	C:\Windows\SysWOW64\wskgn.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wwbbwb.exe	wjuh.exe
File created	C:\Windows\SysWOW64\wrqv.exe	wtxuj.exe
File created	C:\Windows\SysWOW64\wjlamw.exe	whc.exe
File created	C:\Windows\SysWOW64\wvcbm.exe	wxsnobrd.exe
File created	C:\Windows\SysWOW64\whdpnx.exe	wacvmpv.exe
File created	C:\Windows\SysWOW64\wxqrhpd.exe	wfuq.exe
File created	C:\Windows\SysWOW64\wuvwua.exe	wwbbwb.exe
File opened for modification	C:\Windows\SysWOW64\wim.exe	wtyyioqu.exe
File created	C:\Windows\SysWOW64\wpkgpil.exe	wsyrqf.exe
File opened for modification	C:\Windows\SysWOW64\wmwrgh.exe	wdo.exe
File opened for modification	C:\Windows\SysWOW64\wsyrqf.exe	wyobju.exe
File opened for modification	C:\Windows\SysWOW64\wulfenh.exe	wsrkjshly.exe
File created	C:\Windows\SysWOW64\wctj.exe	WerFault.exe
File opened for modification	C:\Windows\SysWOW64\wrkdsgs.exe	wqrfxvpdj.exe
File created	C:\Windows\SysWOW64\wvdelh.exe	whdt.exe
File opened for modification	C:\Windows\SysWOW64\whmfbs.exe	wtltsahs.exe
File created	C:\Windows\SysWOW64\wvrnrmv.exe	wvoeop.exe
File created	C:\Windows\SysWOW64\wltwytgi.exe	wkkljb.exe
File created	C:\Windows\SysWOW64\webqftr.exe	wrqv.exe
File created	C:\Windows\SysWOW64\wqis.exe	wpyirfx.exe
File created	C:\Windows\SysWOW64\wmshg.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\wrqv.exe	wtxuj.exe
File opened for modification	C:\Windows\SysWOW64\wde.exe	wplhac.exe
File created	C:\Windows\SysWOW64\wqrfxvpdj.exe	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe
File created	C:\Windows\SysWOW64\wtigvi.exe	wkiqe.exe
File opened for modification	C:\Windows\SysWOW64\wnqdrh.exe	wxqrhpd.exe
File opened for modification	C:\Windows\SysWOW64\wvdelh.exe	whdt.exe
File opened for modification	C:\Windows\SysWOW64\weehfka.exe	wntpxa.exe
File opened for modification	C:\Windows\SysWOW64\wnbvjife.exe	wgff.exe
File opened for modification	C:\Windows\SysWOW64\whirfaqa.exe	wtigvi.exe
File opened for modification	C:\Windows\SysWOW64\wosobvn.exe	wmmmfg.exe
File created	C:\Windows\SysWOW64\wxsnobrd.exe	wde.exe
File created	C:\Windows\SysWOW64\wtltsahs.exe	wrmtjif.exe
File created	C:\Windows\SysWOW64\weehfka.exe	wntpxa.exe
File created	C:\Windows\SysWOW64\wlyrecb.exe	wsksi.exe
File opened for modification	C:\Windows\SysWOW64\weka.exe	wim.exe
File opened for modification	C:\Windows\SysWOW64\wpyirfx.exe	wrotsd.exe
File created	C:\Windows\SysWOW64\wde.exe	wplhac.exe
File opened for modification	C:\Windows\SysWOW64\whdpnx.exe	wacvmpv.exe
File created	C:\Windows\SysWOW64\wim.exe	wtyyioqu.exe
File opened for modification	C:\Windows\SysWOW64\wjuh.exe	wvrnrmv.exe
File created	C:\Windows\SysWOW64\wrkdsgs.exe	wqrfxvpdj.exe
File created	C:\Windows\SysWOW64\wuhrrmb.exe	wxbmmo.exe
File created	C:\Windows\SysWOW64\wcfdoh.exe	wfke.exe
File opened for modification	C:\Windows\SysWOW64\weeb.exe	wtgssf.exe
File opened for modification	C:\Windows\SysWOW64\wtltsahs.exe	wrmtjif.exe
File created	C:\Windows\SysWOW64\whmfbs.exe	wtltsahs.exe
File opened for modification	C:\Windows\SysWOW64\wkkljb.exe	wbpxex.exe
File opened for modification	C:\Windows\SysWOW64\wvpujwe.exe	wuqub.exe
File created	C:\Windows\SysWOW64\wseto.exe	weehfka.exe
File opened for modification	C:\Windows\SysWOW64\wseto.exe	weehfka.exe
File opened for modification	C:\Windows\SysWOW64\wtigvi.exe	wkiqe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
4832	4328	WerFault.exe	136
4640	4452	WerFault.exe	145
2672	1780	WerFault.exe	169
5052	1700	WerFault.exe	208
3032	1852	WerFault.exe	225
1632	2516	WerFault.exe	233
1788	2084	WerFault.exe	236
1292	4080	WerFault.exe	258
2308	4080	WerFault.exe	258
2884	2240	WerFault.exe	274
2240	1704	WerFault.exe	313
1200	1704	WerFault.exe	313
3732	1704	WerFault.exe	313
4584	1704	WerFault.exe	313
5080	4944	WerFault.exe	348
4756	1280	WerFault.exe	351
4584	492	WerFault.exe	356
4288	3336	WerFault.exe	372
4624	3336	WerFault.exe	372
2096	1292	WerFault.exe	394
3876	688	WerFault.exe	414
4332	5004	WerFault.exe	422
2312	4644	WerFault.exe	469
1236	924	WerFault.exe	519
3724	5004	WerFault.exe	563
3076	5004	WerFault.exe	563

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1780	660	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe	83
PID 660 wrote to memory of 1780	660	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe	83
PID 660 wrote to memory of 1780	660	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe	83
PID 660 wrote to memory of 2620	660	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe	85
PID 660 wrote to memory of 2620	660	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe	85
PID 660 wrote to memory of 2620	660	84e53c73da75ce80f906e6fb0e6e7770_exe32.exe	85
PID 1780 wrote to memory of 3772	1780	wqrfxvpdj.exe	87
PID 1780 wrote to memory of 3772	1780	wqrfxvpdj.exe	87
PID 1780 wrote to memory of 3772	1780	wqrfxvpdj.exe	87
PID 1780 wrote to memory of 2152	1780	wqrfxvpdj.exe	88
PID 1780 wrote to memory of 2152	1780	wqrfxvpdj.exe	88
PID 1780 wrote to memory of 2152	1780	wqrfxvpdj.exe	88
PID 3772 wrote to memory of 4996	3772	wrkdsgs.exe	92
PID 3772 wrote to memory of 4996	3772	wrkdsgs.exe	92
PID 3772 wrote to memory of 4996	3772	wrkdsgs.exe	92
PID 3772 wrote to memory of 2644	3772	wrkdsgs.exe	93
PID 3772 wrote to memory of 2644	3772	wrkdsgs.exe	93
PID 3772 wrote to memory of 2644	3772	wrkdsgs.exe	93
PID 4996 wrote to memory of 2480	4996	wxbmmo.exe	96
PID 4996 wrote to memory of 2480	4996	wxbmmo.exe	96
PID 4996 wrote to memory of 2480	4996	wxbmmo.exe	96
PID 4996 wrote to memory of 2824	4996	wxbmmo.exe	97
PID 4996 wrote to memory of 2824	4996	wxbmmo.exe	97
PID 4996 wrote to memory of 2824	4996	wxbmmo.exe	97
PID 2480 wrote to memory of 232	2480	wuhrrmb.exe	100
PID 2480 wrote to memory of 232	2480	wuhrrmb.exe	100
PID 2480 wrote to memory of 232	2480	wuhrrmb.exe	100
PID 2480 wrote to memory of 2708	2480	wuhrrmb.exe	102
PID 2480 wrote to memory of 2708	2480	wuhrrmb.exe	102
PID 2480 wrote to memory of 2708	2480	wuhrrmb.exe	102
PID 232 wrote to memory of 3580	232	wbhl.exe	103
PID 232 wrote to memory of 3580	232	wbhl.exe	103
PID 232 wrote to memory of 3580	232	wbhl.exe	103
PID 232 wrote to memory of 3148	232	wbhl.exe	104
PID 232 wrote to memory of 3148	232	wbhl.exe	104
PID 232 wrote to memory of 3148	232	wbhl.exe	104
PID 3580 wrote to memory of 2144	3580	wtgssf.exe	107
PID 3580 wrote to memory of 2144	3580	wtgssf.exe	107
PID 3580 wrote to memory of 2144	3580	wtgssf.exe	107
PID 3580 wrote to memory of 4784	3580	wtgssf.exe	108
PID 3580 wrote to memory of 4784	3580	wtgssf.exe	108
PID 3580 wrote to memory of 4784	3580	wtgssf.exe	108
PID 2144 wrote to memory of 4208	2144	weeb.exe	110
PID 2144 wrote to memory of 4208	2144	weeb.exe	110
PID 2144 wrote to memory of 4208	2144	weeb.exe	110
PID 2144 wrote to memory of 4648	2144	weeb.exe	111
PID 2144 wrote to memory of 4648	2144	weeb.exe	111
PID 2144 wrote to memory of 4648	2144	weeb.exe	111
PID 4208 wrote to memory of 2356	4208	wkfsrmef.exe	113
PID 4208 wrote to memory of 2356	4208	wkfsrmef.exe	113
PID 4208 wrote to memory of 2356	4208	wkfsrmef.exe	113
PID 4208 wrote to memory of 4920	4208	wkfsrmef.exe	114
PID 4208 wrote to memory of 4920	4208	wkfsrmef.exe	114
PID 4208 wrote to memory of 4920	4208	wkfsrmef.exe	114
PID 2356 wrote to memory of 4064	2356	wkiqe.exe	117
PID 2356 wrote to memory of 4064	2356	wkiqe.exe	117
PID 2356 wrote to memory of 4064	2356	wkiqe.exe	117
PID 2356 wrote to memory of 2688	2356	wkiqe.exe	120
PID 2356 wrote to memory of 2688	2356	wkiqe.exe	120
PID 2356 wrote to memory of 2688	2356	wkiqe.exe	120
PID 4064 wrote to memory of 4496	4064	wtigvi.exe	121
PID 4064 wrote to memory of 4496	4064	wtigvi.exe	121
PID 4064 wrote to memory of 4496	4064	wtigvi.exe	121
PID 4064 wrote to memory of 2864	4064	wtigvi.exe	122

C:\Users\Admin\AppData\Local\Temp\84e53c73da75ce80f906e6fb0e6e7770_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\84e53c73da75ce80f906e6fb0e6e7770_exe32.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\wqrfxvpdj.exe
  "C:\Windows\system32\wqrfxvpdj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\wrkdsgs.exe
    "C:\Windows\system32\wrkdsgs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\SysWOW64\wxbmmo.exe
      "C:\Windows\system32\wxbmmo.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\wuhrrmb.exe
        
        "C:\Windows\system32\wuhrrmb.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\wbhl.exe
        
        "C:\Windows\system32\wbhl.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\wtgssf.exe
        
        "C:\Windows\system32\wtgssf.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\weeb.exe
        
        "C:\Windows\system32\weeb.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\wkfsrmef.exe
        
        "C:\Windows\system32\wkfsrmef.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\wkiqe.exe
        
        "C:\Windows\system32\wkiqe.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\wtigvi.exe
        
        "C:\Windows\system32\wtigvi.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\whirfaqa.exe
        
        "C:\Windows\system32\whirfaqa.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\wjafirm.exe
        
        "C:\Windows\system32\wjafirm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\wxnfkjum.exe
        
        "C:\Windows\system32\wxnfkjum.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\wojx.exe
        
        "C:\Windows\system32\wojx.exe"
        15⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\wacvmpv.exe
        
        "C:\Windows\system32\wacvmpv.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\whdpnx.exe
        
        "C:\Windows\system32\whdpnx.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\wcmstaq.exe
        
        "C:\Windows\system32\wcmstaq.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\wvisbg.exe
        
        "C:\Windows\system32\wvisbg.exe"
        19⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\wfuq.exe
        
        "C:\Windows\system32\wfuq.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wxqrhpd.exe
        
        "C:\Windows\system32\wxqrhpd.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\wnqdrh.exe
        
        "C:\Windows\system32\wnqdrh.exe"
        22⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\wqch.exe
        
        "C:\Windows\system32\wqch.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\wendpnr.exe
        
        "C:\Windows\system32\wendpnr.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\wdo.exe
        
        "C:\Windows\system32\wdo.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wmwrgh.exe
        
        "C:\Windows\system32\wmwrgh.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\wlkbyek.exe
        
        "C:\Windows\system32\wlkbyek.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\wbrouu.exe
        
        "C:\Windows\system32\wbrouu.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\woryf.exe
        
        "C:\Windows\system32\woryf.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wegage.exe
        
        "C:\Windows\system32\wegage.exe"
        30⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\wnbolh.exe
        
        "C:\Windows\system32\wnbolh.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\wepont.exe
        
        "C:\Windows\system32\wepont.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\woxrk.exe
        
        "C:\Windows\system32\woxrk.exe"
        33⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\whwal.exe
        
        "C:\Windows\system32\whwal.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\wqcwxi.exe
        
        "C:\Windows\system32\wqcwxi.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\wbr.exe
        
        "C:\Windows\system32\wbr.exe"
        36⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\wsrkjshly.exe
        
        "C:\Windows\system32\wsrkjshly.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\wulfenh.exe
        
        "C:\Windows\system32\wulfenh.exe"
        38⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\wyg.exe
        
        "C:\Windows\system32\wyg.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\wmgicpctp.exe
        
        "C:\Windows\system32\wmgicpctp.exe"
        40⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\wwauht.exe
        
        "C:\Windows\system32\wwauht.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\wcjdn.exe
        
        "C:\Windows\system32\wcjdn.exe"
        42⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\whdt.exe
        
        "C:\Windows\system32\whdt.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\wvdelh.exe
        
        "C:\Windows\system32\wvdelh.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\wrmtjif.exe
        
        "C:\Windows\system32\wrmtjif.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wtltsahs.exe
        
        "C:\Windows\system32\wtltsahs.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\whmfbs.exe
        
        "C:\Windows\system32\whmfbs.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\wdy.exe
        
        "C:\Windows\system32\wdy.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:500
        
        C:\Windows\SysWOW64\wntpxa.exe
        
        "C:\Windows\system32\wntpxa.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\weehfka.exe
        
        "C:\Windows\system32\weehfka.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\wseto.exe
        
        "C:\Windows\system32\wseto.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\wqdwg.exe
        
        "C:\Windows\system32\wqdwg.exe"
        52⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\wmmmfg.exe
        
        "C:\Windows\system32\wmmmfg.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\wosobvn.exe
        
        "C:\Windows\system32\wosobvn.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\wymcfyt.exe
        
        "C:\Windows\system32\wymcfyt.exe"
        55⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\wpcd.exe
        
        "C:\Windows\system32\wpcd.exe"
        56⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\wqlmvfqyy.exe
        
        "C:\Windows\system32\wqlmvfqyy.exe"
        57⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\wnucug.exe
        
        "C:\Windows\system32\wnucug.exe"
        58⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\wtyyioqu.exe
        
        "C:\Windows\system32\wtyyioqu.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\wim.exe
        
        "C:\Windows\system32\wim.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\weka.exe
        
        "C:\Windows\system32\weka.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\wrotsd.exe
        
        "C:\Windows\system32\wrotsd.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\wpyirfx.exe
        
        "C:\Windows\system32\wpyirfx.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\wqis.exe
        
        "C:\Windows\system32\wqis.exe"
        64⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\wmshg.exe
        
        "C:\Windows\system32\wmshg.exe"
        65⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\wvluk.exe
        
        "C:\Windows\system32\wvluk.exe"
        66⤵
        
        PID:944
        
        C:\Windows\SysWOW64\wpkdlmym.exe
        
        "C:\Windows\system32\wpkdlmym.exe"
        67⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\whwur.exe
        
        "C:\Windows\system32\whwur.exe"
        68⤵
        Checks computer location settings
        
        PID:1704
        
        C:\Windows\SysWOW64\wvoeop.exe
        
        "C:\Windows\system32\wvoeop.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\wvrnrmv.exe
        
        "C:\Windows\system32\wvrnrmv.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\wjuh.exe
        
        "C:\Windows\system32\wjuh.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\wwbbwb.exe
        
        "C:\Windows\system32\wwbbwb.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\wuvwua.exe
        
        "C:\Windows\system32\wuvwua.exe"
        73⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\wsipduwu.exe
        
        "C:\Windows\system32\wsipduwu.exe"
        74⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Windows\SysWOW64\wtsato.exe
        
        "C:\Windows\system32\wtsato.exe"
        75⤵
        Checks computer location settings
        
        PID:4220
        
        C:\Windows\SysWOW64\wqvnfs.exe
        
        "C:\Windows\system32\wqvnfs.exe"
        76⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\wyobju.exe
        
        "C:\Windows\system32\wyobju.exe"
        77⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\wsyrqf.exe
        
        "C:\Windows\system32\wsyrqf.exe"
        78⤵
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\wpkgpil.exe
        
        "C:\Windows\system32\wpkgpil.exe"
        79⤵
        Checks computer location settings
        
        PID:492
        
        C:\Windows\SysWOW64\wmbvcgfo.exe
        
        "C:\Windows\system32\wmbvcgfo.exe"
        80⤵
        Checks computer location settings
        
        PID:3008
        
        C:\Windows\SysWOW64\wbpxex.exe
        
        "C:\Windows\system32\wbpxex.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\wkkljb.exe
        
        "C:\Windows\system32\wkkljb.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\wltwytgi.exe
        
        "C:\Windows\system32\wltwytgi.exe"
        83⤵
        Checks computer location settings
        
        PID:3336
        
        C:\Windows\SysWOW64\wtxuj.exe
        
        "C:\Windows\system32\wtxuj.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\wrqv.exe
        
        "C:\Windows\system32\wrqv.exe"
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\webqftr.exe
        
        "C:\Windows\system32\webqftr.exe"
        86⤵
        Checks computer location settings
        
        PID:3828
        
        C:\Windows\SysWOW64\wgsfh.exe
        
        "C:\Windows\system32\wgsfh.exe"
        87⤵
        
        PID:572
        
        C:\Windows\SysWOW64\whc.exe
        
        "C:\Windows\system32\whc.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wjlamw.exe
        
        "C:\Windows\system32\wjlamw.exe"
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\wrenq.exe
        
        "C:\Windows\system32\wrenq.exe"
        90⤵
        Checks computer location settings
        
        PID:1212
        
        C:\Windows\SysWOW64\wwouxlny.exe
        
        "C:\Windows\system32\wwouxlny.exe"
        91⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\wxioue.exe
        
        "C:\Windows\system32\wxioue.exe"
        92⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Windows\SysWOW64\wuh.exe
        
        "C:\Windows\system32\wuh.exe"
        93⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\welrxjdr.exe
        
        "C:\Windows\system32\welrxjdr.exe"
        94⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\wnbvjife.exe
        
        "C:\Windows\system32\wnbvjife.exe"
        95⤵
        
        PID:688
        
        C:\Windows\SysWOW64\wplhac.exe
        
        "C:\Windows\system32\wplhac.exe"
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\wde.exe
        
        "C:\Windows\system32\wde.exe"
        97⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\wxsnobrd.exe
        
        "C:\Windows\system32\wxsnobrd.exe"
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\wvcbm.exe
        
        "C:\Windows\system32\wvcbm.exe"
        99⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\wfke.exe
        
        "C:\Windows\system32\wfke.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\wcfdoh.exe
        
        "C:\Windows\system32\wcfdoh.exe"
        101⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Windows\SysWOW64\wsksi.exe
        
        "C:\Windows\system32\wsksi.exe"
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\wlyrecb.exe
        
        "C:\Windows\system32\wlyrecb.exe"
        103⤵
        
        PID:232
        
        C:\Windows\SysWOW64\wyckf.exe
        
        "C:\Windows\system32\wyckf.exe"
        104⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\wdvcthyt.exe
        
        "C:\Windows\system32\wdvcthyt.exe"
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\wfgljbm.exe
        
        "C:\Windows\system32\wfgljbm.exe"
        106⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\wskgn.exe
        
        "C:\Windows\system32\wskgn.exe"
        107⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\wctj.exe
        
        "C:\Windows\system32\wctj.exe"
        108⤵
        Checks computer location settings
        
        PID:2352
        
        C:\Windows\SysWOW64\wlxhv.exe
        
        "C:\Windows\system32\wlxhv.exe"
        109⤵
        Checks computer location settings
        
        PID:2056
        
        C:\Windows\SysWOW64\wuqub.exe
        
        "C:\Windows\system32\wuqub.exe"
        110⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\wvpujwe.exe
        
        "C:\Windows\system32\wvpujwe.exe"
        111⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\wgk.exe
        
        "C:\Windows\system32\wgk.exe"
        112⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\wsocr.exe
        
        "C:\Windows\system32\wsocr.exe"
        113⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\woro.exe
        
        "C:\Windows\system32\woro.exe"
        114⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\wtav.exe
        
        "C:\Windows\system32\wtav.exe"
        115⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\wdalcknld.exe
        
        "C:\Windows\system32\wdalcknld.exe"
        116⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\wrtuxe.exe
        
        "C:\Windows\system32\wrtuxe.exe"
        117⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\woejvgg.exe
        
        "C:\Windows\system32\woejvgg.exe"
        118⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\wgncdq.exe
        
        "C:\Windows\system32\wgncdq.exe"
        119⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\wmxjjbfpr.exe
        
        "C:\Windows\system32\wmxjjbfpr.exe"
        120⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\wdaye.exe
        
        "C:\Windows\system32\wdaye.exe"
        121⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\wmtm.exe
        
        "C:\Windows\system32\wmtm.exe"
        122⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\wbfiyjn.exe
        
        "C:\Windows\system32\wbfiyjn.exe"
        123⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\wgppgt.exe
        
        "C:\Windows\system32\wgppgt.exe"
        124⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\wvkswjub.exe
        
        "C:\Windows\system32\wvkswjub.exe"
        125⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\wgff.exe
        
        "C:\Windows\system32\wgff.exe"
        126⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\wkyv.exe
        
        "C:\Windows\system32\wkyv.exe"
        127⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\wosncjg.exe
        
        "C:\Windows\system32\wosncjg.exe"
        128⤵
        
        PID:924
        
        C:\Windows\SysWOW64\wqcysb.exe
        
        "C:\Windows\system32\wqcysb.exe"
        129⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\wbsddc.exe
        
        "C:\Windows\system32\wbsddc.exe"
        130⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\wjoacg.exe
        
        "C:\Windows\system32\wjoacg.exe"
        131⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\wkhldycui.exe
        
        "C:\Windows\system32\wkhldycui.exe"
        132⤵
        
        PID:796
        
        C:\Windows\SysWOW64\wdftfix.exe
        
        "C:\Windows\system32\wdftfix.exe"
        133⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\waqi.exe
        
        "C:\Windows\system32\waqi.exe"
        134⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\wfky.exe
        
        "C:\Windows\system32\wfky.exe"
        135⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wpyed.exe
        
        "C:\Windows\system32\wpyed.exe"
        136⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\wgeuvim.exe
        
        "C:\Windows\system32\wgeuvim.exe"
        137⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\wgrog.exe
        
        "C:\Windows\system32\wgrog.exe"
        138⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\wryq.exe
        
        "C:\Windows\system32\wryq.exe"
        139⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\wafopj.exe
        
        "C:\Windows\system32\wafopj.exe"
        140⤵
        
        PID:792
        
        C:\Windows\SysWOW64\wfnv.exe
        
        "C:\Windows\system32\wfnv.exe"
        141⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\wfa.exe
        
        "C:\Windows\system32\wfa.exe"
        142⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\wbkdeq.exe
        
        "C:\Windows\system32\wbkdeq.exe"
        143⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\wpdma.exe
        
        "C:\Windows\system32\wpdma.exe"
        144⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\whi.exe
        
        "C:\Windows\system32\whi.exe"
        145⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\wjxoxooma.exe
        
        "C:\Windows\system32\wjxoxooma.exe"
        146⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\whbnils.exe
        
        "C:\Windows\system32\whbnils.exe"
        147⤵
        
        PID:892
        
        C:\Windows\SysWOW64\wdvlnnom.exe
        
        "C:\Windows\system32\wdvlnnom.exe"
        148⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\wolqymsa.exe
        
        "C:\Windows\system32\wolqymsa.exe"
        149⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\wubatury.exe
        
        "C:\Windows\system32\wubatury.exe"
        150⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\wgxgq.exe
        
        "C:\Windows\system32\wgxgq.exe"
        151⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\wcenvr.exe
        
        "C:\Windows\system32\wcenvr.exe"
        152⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\wqex.exe
        
        "C:\Windows\system32\wqex.exe"
        153⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\wgptvcg.exe
        
        "C:\Windows\system32\wgptvcg.exe"
        154⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqex.exe"
        154⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcenvr.exe"
        153⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxgq.exe"
        152⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubatury.exe"
        151⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolqymsa.exe"
        150⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvlnnom.exe"
        149⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbnils.exe"
        148⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxoxooma.exe"
        147⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whi.exe"
        146⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdma.exe"
        145⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkdeq.exe"
        144⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfa.exe"
        143⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1460
        143⤵
        Program crash
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1088
        143⤵
        Program crash
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnv.exe"
        142⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafopj.exe"
        141⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryq.exe"
        140⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrog.exe"
        139⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeuvim.exe"
        138⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyed.exe"
        137⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfky.exe"
        136⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqi.exe"
        135⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdftfix.exe"
        134⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhldycui.exe"
        133⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoacg.exe"
        132⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsddc.exe"
        131⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcysb.exe"
        130⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosncjg.exe"
        129⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1404
        129⤵
        Program crash
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyv.exe"
        128⤵
        Blocklisted process makes network request
        Checks computer location settings
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgff.exe"
        127⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkswjub.exe"
        126⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgppgt.exe"
        125⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfiyjn.exe"
        124⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtm.exe"
        123⤵
        
        PID:1288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdaye.exe"
        122⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxjjbfpr.exe"
        121⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgncdq.exe"
        120⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woejvgg.exe"
        119⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtuxe.exe"
        118⤵
        Blocklisted process makes network request
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdalcknld.exe"
        117⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtav.exe"
        116⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woro.exe"
        115⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsocr.exe"
        114⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgk.exe"
        113⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1416
        113⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpujwe.exe"
        112⤵
        Checks computer location settings
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqub.exe"
        111⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxhv.exe"
        110⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctj.exe"
        109⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskgn.exe"
        108⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgljbm.exe"
        107⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvcthyt.exe"
        106⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyckf.exe"
        105⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyrecb.exe"
        104⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsksi.exe"
        103⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcfdoh.exe"
        102⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfke.exe"
        101⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcbm.exe"
        100⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsnobrd.exe"
        99⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wde.exe"
        98⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1492
        98⤵
        Program crash
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplhac.exe"
        97⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbvjife.exe"
        96⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1536
        96⤵
        Program crash
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welrxjdr.exe"
        95⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuh.exe"
        94⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxioue.exe"
        93⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwouxlny.exe"
        92⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrenq.exe"
        91⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlamw.exe"
        90⤵
        
        PID:960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1512
        90⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whc.exe"
        89⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsfh.exe"
        88⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webqftr.exe"
        87⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqv.exe"
        86⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxuj.exe"
        85⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltwytgi.exe"
        84⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 496
        84⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 504
        84⤵
        Program crash
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkljb.exe"
        83⤵
        Blocklisted process makes network request
        Checks computer location settings
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpxex.exe"
        82⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbvcgfo.exe"
        81⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkgpil.exe"
        80⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1448
        80⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsyrqf.exe"
        79⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1348
        79⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyobju.exe"
        78⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1280
        78⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvnfs.exe"
        77⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsato.exe"
        76⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsipduwu.exe"
        75⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvwua.exe"
        74⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbbwb.exe"
        73⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjuh.exe"
        72⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrnrmv.exe"
        71⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoeop.exe"
        70⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwur.exe"
        69⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 116
        69⤵
        Executes dropped EXE
        Program crash
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1536
        69⤵
        Program crash
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1496
        69⤵
        Program crash
        
        PID:3732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 708
        69⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkdlmym.exe"
        68⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvluk.exe"
        67⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmshg.exe"
        66⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqis.exe"
        65⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyirfx.exe"
        64⤵
        Blocklisted process makes network request
        Checks computer location settings
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrotsd.exe"
        63⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weka.exe"
        62⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wim.exe"
        61⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyyioqu.exe"
        60⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnucug.exe"
        59⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlmvfqyy.exe"
        58⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcd.exe"
        57⤵
        
        PID:236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1344
        57⤵
        Program crash
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymcfyt.exe"
        56⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosobvn.exe"
        55⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmmfg.exe"
        54⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdwg.exe"
        53⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 496
        53⤵
        Program crash
        
        PID:1292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 504
        53⤵
        Program crash
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wseto.exe"
        52⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weehfka.exe"
        51⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntpxa.exe"
        50⤵
        
        PID:1692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdy.exe"
        49⤵
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmfbs.exe"
        48⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtltsahs.exe"
        47⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1104
        47⤵
        Program crash
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmtjif.exe"
        46⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 116
        46⤵
        Program crash
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdelh.exe"
        45⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdt.exe"
        44⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1548
        44⤵
        Program crash
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjdn.exe"
        43⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwauht.exe"
        42⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgicpctp.exe"
        41⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyg.exe"
        40⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulfenh.exe"
        39⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1536
        39⤵
        Program crash
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrkjshly.exe"
        38⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbr.exe"
        37⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcwxi.exe"
        36⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwal.exe"
        35⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxrk.exe"
        34⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepont.exe"
        33⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbolh.exe"
        32⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegage.exe"
        31⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woryf.exe"
        30⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrouu.exe"
        29⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkbyek.exe"
        28⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwrgh.exe"
        27⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1412
        27⤵
        Program crash
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdo.exe"
        26⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wendpnr.exe"
        25⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqch.exe"
        24⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqdrh.exe"
        23⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqrhpd.exe"
        22⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuq.exe"
        21⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvisbg.exe"
        20⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1668
        20⤵
        Program crash
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmstaq.exe"
        19⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdpnx.exe"
        18⤵
        
        PID:568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1104
        18⤵
        Program crash
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacvmpv.exe"
        17⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojx.exe"
        16⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnfkjum.exe"
        15⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjafirm.exe"
        14⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirfaqa.exe"
        13⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtigvi.exe"
        12⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkiqe.exe"
        11⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfsrmef.exe"
        10⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weeb.exe"
        9⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgssf.exe"
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhl.exe"
        7⤵
        
        PID:3148
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhrrmb.exe"
        6⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbmmo.exe"
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkdsgs.exe"
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrfxvpdj.exe"
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\84e53c73da75ce80f906e6fb0e6e7770_exe32.exe"
  2⤵
  PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4328 -ip 4328
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4452 -ip 4452
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1780 -ip 1780
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1700 -ip 1700
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1852 -ip 1852
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2516 -ip 2516
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2084 -ip 2084
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4080 -ip 4080
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4080 -ip 4080
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2240 -ip 2240
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1704 -ip 1704
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1704 -ip 1704
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1704 -ip 1704
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1704 -ip 1704
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4944 -ip 4944
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1280 -ip 1280
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 492 -ip 492
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3336 -ip 3336
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3336 -ip 3336
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1292 -ip 1292
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 688 -ip 688
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5004 -ip 5004
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4644 -ip 4644
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 924 -ip 924
1⤵
- Drops file in System32 directory
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5004 -ip 5004
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5004 -ip 5004
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wacvmpv.exe

Filesize
441KB

MD5
0eb7e00d493179093a1000e338d3b88c

SHA1
c0f8074669389e70a5cccf674b0d9c281b60148a

SHA256
cdbdd02be4524d43a68944d16316d18c2c1820f5a82809a11b4f770c7af9ef4e

SHA512
2957c95a5e91c6ee9f5675c4567deec542c7415a021ef105a5c8bd39bd103f31f36ab704f504e3f60a5fa8a810de14060e8823223232ff86ed4b69ce65171b2f

Download Submit
C:\Windows\SysWOW64\wacvmpv.exe

Filesize
441KB

MD5
0eb7e00d493179093a1000e338d3b88c

SHA1
c0f8074669389e70a5cccf674b0d9c281b60148a

SHA256
cdbdd02be4524d43a68944d16316d18c2c1820f5a82809a11b4f770c7af9ef4e

SHA512
2957c95a5e91c6ee9f5675c4567deec542c7415a021ef105a5c8bd39bd103f31f36ab704f504e3f60a5fa8a810de14060e8823223232ff86ed4b69ce65171b2f

Download Submit
C:\Windows\SysWOW64\wbhl.exe

Filesize
440KB

MD5
265eee9587cef563a33d8b28a7fdcef3

SHA1
f4eb9fc4baaf3b3b33817a11a129b2c48c1d0c69

SHA256
8d686f211b3d16c1b55a62de0e02d2c7c9f8be87112f11662e8c7c502c1e379b

SHA512
0bdf24d107965f8fdf8251f8140f42573b20fa606280b1629daf7ce98c4a1b1188cd746735eb01da2b0d4cb957484856f91e3c21dee8ee61e948dff1a37dd9fa

Download Submit
C:\Windows\SysWOW64\wbhl.exe

Filesize
440KB

MD5
265eee9587cef563a33d8b28a7fdcef3

SHA1
f4eb9fc4baaf3b3b33817a11a129b2c48c1d0c69

SHA256
8d686f211b3d16c1b55a62de0e02d2c7c9f8be87112f11662e8c7c502c1e379b

SHA512
0bdf24d107965f8fdf8251f8140f42573b20fa606280b1629daf7ce98c4a1b1188cd746735eb01da2b0d4cb957484856f91e3c21dee8ee61e948dff1a37dd9fa

Download Submit
C:\Windows\SysWOW64\wbrouu.exe

Filesize
441KB

MD5
9bd4f9b690ac2655e2a17f0da552489a

SHA1
2446300e93238c75c3eac9899ebeb4235b0b8a00

SHA256
bcfc078ad165846ae00b20922dbe4283b1c900f0f0cdc51311942c66a9495875

SHA512
ba4f62bb223d671dce5188ab91fe16c0421a526a7e4b1c5eab6c3b929f03dbbacb3401956e1ce9bfe3affd39368163d7f0313d570d241d835849ec75c7dfcf81

Download Submit
C:\Windows\SysWOW64\wbrouu.exe

Filesize
441KB

MD5
9bd4f9b690ac2655e2a17f0da552489a

SHA1
2446300e93238c75c3eac9899ebeb4235b0b8a00

SHA256
bcfc078ad165846ae00b20922dbe4283b1c900f0f0cdc51311942c66a9495875

SHA512
ba4f62bb223d671dce5188ab91fe16c0421a526a7e4b1c5eab6c3b929f03dbbacb3401956e1ce9bfe3affd39368163d7f0313d570d241d835849ec75c7dfcf81

Download Submit
C:\Windows\SysWOW64\wcmstaq.exe

Filesize
441KB

MD5
7dd98933998a9a3c4fb1b0f6552354b7

SHA1
44177616f05056d400c30ee4e9ebf4aa81736273

SHA256
36332aa1f44744e0b50189a29499e54546a9301bfef7f13e2e6c1486742daf1b

SHA512
7cd58d4b45a154d27f0d2889af211d590259526855afcda055d4a966a97abd0041f9b5943b1c64bd036c28c3dfaeb78c6754b8b04f3f256a041a508e9d5e408b

Download Submit
C:\Windows\SysWOW64\wcmstaq.exe

Filesize
441KB

MD5
7dd98933998a9a3c4fb1b0f6552354b7

SHA1
44177616f05056d400c30ee4e9ebf4aa81736273

SHA256
36332aa1f44744e0b50189a29499e54546a9301bfef7f13e2e6c1486742daf1b

SHA512
7cd58d4b45a154d27f0d2889af211d590259526855afcda055d4a966a97abd0041f9b5943b1c64bd036c28c3dfaeb78c6754b8b04f3f256a041a508e9d5e408b

Download Submit
C:\Windows\SysWOW64\wdo.exe

Filesize
441KB

MD5
8c4e37709167f1d4a0fe91cea1a66898

SHA1
0773078d15237231fdb8ee0ff4e8e3fbfeba185d

SHA256
a8f5242e317de12397e274ffa595b66ab34483b4c8893f5279078ce3e7dda699

SHA512
64c5f02a456ae1043554be0a9f209a39dd0cf1dea3fd59ad44fefc6fe496189114a3e09d6883e5dbe4dff8d08ad5136e669bff318706c0ff23d05da887deed6f

Download Submit
C:\Windows\SysWOW64\wdo.exe

Filesize
441KB

MD5
8c4e37709167f1d4a0fe91cea1a66898

SHA1
0773078d15237231fdb8ee0ff4e8e3fbfeba185d

SHA256
a8f5242e317de12397e274ffa595b66ab34483b4c8893f5279078ce3e7dda699

SHA512
64c5f02a456ae1043554be0a9f209a39dd0cf1dea3fd59ad44fefc6fe496189114a3e09d6883e5dbe4dff8d08ad5136e669bff318706c0ff23d05da887deed6f

Download Submit
C:\Windows\SysWOW64\weeb.exe

Filesize
440KB

MD5
cd20c270d206243b7ec0729cc708b1eb

SHA1
62d5b93046f5d7927185ee35f8a5db1cd47042f8

SHA256
09442442db8b602329ff112294c412703fc649d95b3ed2fa86f6831873e86c62

SHA512
02518797a8f0b9608ccd729e22e113603793153f3e0955f2cd6f90cc5d568af011bc3273f4213596f35586f0008908235bf1f3a8db2399c950438e1d64a9e128

Download Submit
C:\Windows\SysWOW64\weeb.exe

Filesize
440KB

MD5
cd20c270d206243b7ec0729cc708b1eb

SHA1
62d5b93046f5d7927185ee35f8a5db1cd47042f8

SHA256
09442442db8b602329ff112294c412703fc649d95b3ed2fa86f6831873e86c62

SHA512
02518797a8f0b9608ccd729e22e113603793153f3e0955f2cd6f90cc5d568af011bc3273f4213596f35586f0008908235bf1f3a8db2399c950438e1d64a9e128

Download Submit
C:\Windows\SysWOW64\wegage.exe

Filesize
441KB

MD5
79dcb772a6d3f410dbb0eb1c6efbb760

SHA1
f32f85d13041562d5a2fc964e34f7a6985f4fbd9

SHA256
bee68fb313ede3b85d803cb71cfcd42934cdcb5d01931a7348b2d325059dda7c

SHA512
7eefcf4f33d834ea29adaf03769db1d37290a1c66b04ef57f916ec6aa641b770669c719e4555e337aa02d034d46d901e1553a4686aa085150ca9ca6c3e06c757

Download Submit
C:\Windows\SysWOW64\wegage.exe

Filesize
441KB

MD5
79dcb772a6d3f410dbb0eb1c6efbb760

SHA1
f32f85d13041562d5a2fc964e34f7a6985f4fbd9

SHA256
bee68fb313ede3b85d803cb71cfcd42934cdcb5d01931a7348b2d325059dda7c

SHA512
7eefcf4f33d834ea29adaf03769db1d37290a1c66b04ef57f916ec6aa641b770669c719e4555e337aa02d034d46d901e1553a4686aa085150ca9ca6c3e06c757

Download Submit
C:\Windows\SysWOW64\wendpnr.exe

Filesize
441KB

MD5
c3cc699692bca230a2a7bde9cd6a2380

SHA1
e6a6a96469f827047497a185612513769988900b

SHA256
73fffae3d9f10523bc7f8af12c741094e31c32f6e48a670a1199b3dde6821322

SHA512
100a9f07ddb2da3d712f74a27f24d24b7f8231e739b0c0ef2a7b2806a1d5e461ba6c8166341c178f6265f53accddfe4fc5a325fc53e649e3079ab0bbfd679400

Download Submit
C:\Windows\SysWOW64\wendpnr.exe

Filesize
441KB

MD5
c3cc699692bca230a2a7bde9cd6a2380

SHA1
e6a6a96469f827047497a185612513769988900b

SHA256
73fffae3d9f10523bc7f8af12c741094e31c32f6e48a670a1199b3dde6821322

SHA512
100a9f07ddb2da3d712f74a27f24d24b7f8231e739b0c0ef2a7b2806a1d5e461ba6c8166341c178f6265f53accddfe4fc5a325fc53e649e3079ab0bbfd679400

Download Submit
C:\Windows\SysWOW64\wepont.exe

Filesize
441KB

MD5
9d4984add42f2991fe43065d0d54472c

SHA1
cff53526714c80346ebc7d7cb65d97959c9e9b94

SHA256
67e0f7315d38e2cb6d0f9bd9de4e04f67e001d41260d25044b3197b8c5716c66

SHA512
e78e8f71a024a9c11574e70dba2f8b613c2e26ddd6196b6b05890ad1f86caee351b22311230789bdcca7719479640a76cc9d1ce176d74e965a279e2e48669e72

Download Submit
C:\Windows\SysWOW64\wepont.exe

Filesize
441KB

MD5
9d4984add42f2991fe43065d0d54472c

SHA1
cff53526714c80346ebc7d7cb65d97959c9e9b94

SHA256
67e0f7315d38e2cb6d0f9bd9de4e04f67e001d41260d25044b3197b8c5716c66

SHA512
e78e8f71a024a9c11574e70dba2f8b613c2e26ddd6196b6b05890ad1f86caee351b22311230789bdcca7719479640a76cc9d1ce176d74e965a279e2e48669e72

Download Submit
C:\Windows\SysWOW64\wfuq.exe

Filesize
441KB

MD5
f1b75a583d5ae863cd311b905743f644

SHA1
d5d6bd4b25e59c2faf37996f9f928ec73c81ee20

SHA256
7a0bfd47cd747babc71a300428fdea8d1aa5518dc66890b43f91abfece070a92

SHA512
f2bb28c3861072de76073c379d39a04a3e87daeb4731cc02401300c548105f0df3c0cfba5a8d454e005fd7f381847f05eeffe696d30f39a787c4e2bc63ef2c5b

Download Submit
C:\Windows\SysWOW64\wfuq.exe

Filesize
441KB

MD5
f1b75a583d5ae863cd311b905743f644

SHA1
d5d6bd4b25e59c2faf37996f9f928ec73c81ee20

SHA256
7a0bfd47cd747babc71a300428fdea8d1aa5518dc66890b43f91abfece070a92

SHA512
f2bb28c3861072de76073c379d39a04a3e87daeb4731cc02401300c548105f0df3c0cfba5a8d454e005fd7f381847f05eeffe696d30f39a787c4e2bc63ef2c5b

Download Submit
C:\Windows\SysWOW64\whdpnx.exe

Filesize
441KB

MD5
98b6cf7312ee90b8ffbc98e1d82da91e

SHA1
a7d9fe3c5e10c2a99e7eb2ddf8a1a31ba0a67f55

SHA256
5a52b25374164e5035b95abed9db69e9d0f97d632a958ab983ea730bfc87c1bd

SHA512
f84f68be1250985a26cc207126fec53bc929793c8968417f620913669fa70c743e3b2f708666033c3432441e6baec8f400bed3523626424057158ea3f3ff7609

Download Submit
C:\Windows\SysWOW64\whdpnx.exe

Filesize
441KB

MD5
98b6cf7312ee90b8ffbc98e1d82da91e

SHA1
a7d9fe3c5e10c2a99e7eb2ddf8a1a31ba0a67f55

SHA256
5a52b25374164e5035b95abed9db69e9d0f97d632a958ab983ea730bfc87c1bd

SHA512
f84f68be1250985a26cc207126fec53bc929793c8968417f620913669fa70c743e3b2f708666033c3432441e6baec8f400bed3523626424057158ea3f3ff7609

Download Submit
C:\Windows\SysWOW64\whirfaqa.exe

Filesize
440KB

MD5
6326f50e6e52a1c266af8f06c8a1ae81

SHA1
cff66afc9cfb3560ed07d2baa93baed8ed3d3665

SHA256
92b71ce7d2dd2abc371984e1b7e7c229f9564fd3eb61e263aa267ee96f69485b

SHA512
abf3ec00a71e204a5153225c48a008ee6e83ccd1fbd2ef1ebd22149b2b14612ec2e1156d3384b2ebb22cda93d80bd4b65207d7df1fbac72fbd87fdd6b14a77c7

Download Submit
C:\Windows\SysWOW64\whirfaqa.exe

Filesize
440KB

MD5
6326f50e6e52a1c266af8f06c8a1ae81

SHA1
cff66afc9cfb3560ed07d2baa93baed8ed3d3665

SHA256
92b71ce7d2dd2abc371984e1b7e7c229f9564fd3eb61e263aa267ee96f69485b

SHA512
abf3ec00a71e204a5153225c48a008ee6e83ccd1fbd2ef1ebd22149b2b14612ec2e1156d3384b2ebb22cda93d80bd4b65207d7df1fbac72fbd87fdd6b14a77c7

Download Submit
C:\Windows\SysWOW64\wjafirm.exe

Filesize
440KB

MD5
d276682a1f4be879fffebaefe3e7daad

SHA1
bf3ddea81bc95cb4d5d1ffb46db4c1dfe585517e

SHA256
b0469c1f1c270a5f7516e1b89c140d72d6583f7f04792f6840b959bc21d81ff2

SHA512
7ff99bca9cab9dcc74920f1dec5b2d96a297bee8ab48fcec6ffd1c9dc6f85255d5c9b789ec28feec304ee9870f63ef2c2cd8e0e66ba3a6069b40d22a9245e597

Download Submit
C:\Windows\SysWOW64\wjafirm.exe

Filesize
440KB

MD5
d276682a1f4be879fffebaefe3e7daad

SHA1
bf3ddea81bc95cb4d5d1ffb46db4c1dfe585517e

SHA256
b0469c1f1c270a5f7516e1b89c140d72d6583f7f04792f6840b959bc21d81ff2

SHA512
7ff99bca9cab9dcc74920f1dec5b2d96a297bee8ab48fcec6ffd1c9dc6f85255d5c9b789ec28feec304ee9870f63ef2c2cd8e0e66ba3a6069b40d22a9245e597

Download Submit
C:\Windows\SysWOW64\wkfsrmef.exe

Filesize
440KB

MD5
09290783ef496439781dff6ee39b20bb

SHA1
5f08a09cd3f5600413e373187218c5358ded5097

SHA256
9781ec8627172de7200f5c2617db9adcd8626e460cd85f084ad7d880c0ccff8f

SHA512
9c150bbc1cffa1e7d44db43a78fd7a7248f403ef85203b5bee60a66607e4df51ce8911c162c217121507e56b48b5f691918d0debeec38e8ff014043c467a254b

Download Submit
C:\Windows\SysWOW64\wkfsrmef.exe

Filesize
440KB

MD5
09290783ef496439781dff6ee39b20bb

SHA1
5f08a09cd3f5600413e373187218c5358ded5097

SHA256
9781ec8627172de7200f5c2617db9adcd8626e460cd85f084ad7d880c0ccff8f

SHA512
9c150bbc1cffa1e7d44db43a78fd7a7248f403ef85203b5bee60a66607e4df51ce8911c162c217121507e56b48b5f691918d0debeec38e8ff014043c467a254b

Download Submit
C:\Windows\SysWOW64\wkiqe.exe

Filesize
440KB

MD5
c544b0cedce902969d88057feeeb5a3b

SHA1
34e763f3469568c68ad72e9c20e75f9912a2e7e5

SHA256
8d05b7ac290549dff626ba7c66408db1a57e8c351c49406457ecd830e2da192b

SHA512
e0cdd984733b4467cfe491c3fd547f0d0f66c9e133c6fc0efe0fea64aa9bf9469afd43dce7d95f7e179fb11a79f006d5b31489c18fb32fa380cfaca7b3f01ec3

Download Submit
C:\Windows\SysWOW64\wkiqe.exe

Filesize
440KB

MD5
c544b0cedce902969d88057feeeb5a3b

SHA1
34e763f3469568c68ad72e9c20e75f9912a2e7e5

SHA256
8d05b7ac290549dff626ba7c66408db1a57e8c351c49406457ecd830e2da192b

SHA512
e0cdd984733b4467cfe491c3fd547f0d0f66c9e133c6fc0efe0fea64aa9bf9469afd43dce7d95f7e179fb11a79f006d5b31489c18fb32fa380cfaca7b3f01ec3

Download Submit
C:\Windows\SysWOW64\wlkbyek.exe

Filesize
441KB

MD5
c7950f8640fc03b3dc847ea47621d2ff

SHA1
8bd76a1e85fbba6229884b08db51e7c82f1bbf7c

SHA256
2bf0fac5c08c3781d3155ae79304014a21795f944a537d5118c473ad4c2ad666

SHA512
d3144b1a9ef84c4a37368547c172a8857d045a87e438a94e63a8e9d97fbb84e693b9ba6773967db117a80545100dcb73646bba04094e1399cfb7200bd325ef69

Download Submit
C:\Windows\SysWOW64\wlkbyek.exe

Filesize
441KB

MD5
c7950f8640fc03b3dc847ea47621d2ff

SHA1
8bd76a1e85fbba6229884b08db51e7c82f1bbf7c

SHA256
2bf0fac5c08c3781d3155ae79304014a21795f944a537d5118c473ad4c2ad666

SHA512
d3144b1a9ef84c4a37368547c172a8857d045a87e438a94e63a8e9d97fbb84e693b9ba6773967db117a80545100dcb73646bba04094e1399cfb7200bd325ef69

Download Submit
C:\Windows\SysWOW64\wmwrgh.exe

Filesize
441KB

MD5
06bc7c8ce019108181301f0561d71310

SHA1
35ee27601376e693f19dbf657b2228746a2a2856

SHA256
184e545fefa7f42005b8d9cd35ccc12753da122c6ebdde695adceb2ded3ea7ba

SHA512
b4c5a08378a3598ba5dbfcc21a0a6b2cf03be5816a94decef835f5e5f4b28e53d6ed25a0819976e57fff6450fd3c7b9d6f56b60c452d98ebf2d69ca9211cd0f7

Download Submit
C:\Windows\SysWOW64\wmwrgh.exe

Filesize
441KB

MD5
06bc7c8ce019108181301f0561d71310

SHA1
35ee27601376e693f19dbf657b2228746a2a2856

SHA256
184e545fefa7f42005b8d9cd35ccc12753da122c6ebdde695adceb2ded3ea7ba

SHA512
b4c5a08378a3598ba5dbfcc21a0a6b2cf03be5816a94decef835f5e5f4b28e53d6ed25a0819976e57fff6450fd3c7b9d6f56b60c452d98ebf2d69ca9211cd0f7

Download Submit
C:\Windows\SysWOW64\wnbolh.exe

Filesize
441KB

MD5
b5c1b037e86a334bb53e139288ad9bbe

SHA1
6c9b0caf3041cd6da06ea6dc63443526236aa7df

SHA256
8154d2041e93c34fcf6c2ab775065ab162e43e7c72bf96e7ef06a8d9ba24ffbf

SHA512
43f55ec841536eaa4f014b2c39f6f2beaa04089add7c848ea338e355091c365ab73713deaa2a30909eb3ce0925757185c05a87804e3634225d48c90d2ec5a01e

Download Submit
C:\Windows\SysWOW64\wnbolh.exe

Filesize
441KB

MD5
b5c1b037e86a334bb53e139288ad9bbe

SHA1
6c9b0caf3041cd6da06ea6dc63443526236aa7df

SHA256
8154d2041e93c34fcf6c2ab775065ab162e43e7c72bf96e7ef06a8d9ba24ffbf

SHA512
43f55ec841536eaa4f014b2c39f6f2beaa04089add7c848ea338e355091c365ab73713deaa2a30909eb3ce0925757185c05a87804e3634225d48c90d2ec5a01e

Download Submit
C:\Windows\SysWOW64\wnqdrh.exe

Filesize
441KB

MD5
232d2bd69b9639c14a31f773c6645edd

SHA1
1485ce03efc49c966df6f7091a8e35d7c4a1bcd4

SHA256
6332c2c0755afd80bd1d1008b01689e90726027f5b3cc81f040a929fa9fd0499

SHA512
fac0a432daa60c6ed7861c509854f817ef44718844327ddb06f224d0e6f75a938426c31c7721c23d510ea5a2b7b0c9a0e0061fa8ae418fd78cdaa95d86072fbf

Download Submit
C:\Windows\SysWOW64\wnqdrh.exe

Filesize
441KB

MD5
232d2bd69b9639c14a31f773c6645edd

SHA1
1485ce03efc49c966df6f7091a8e35d7c4a1bcd4

SHA256
6332c2c0755afd80bd1d1008b01689e90726027f5b3cc81f040a929fa9fd0499

SHA512
fac0a432daa60c6ed7861c509854f817ef44718844327ddb06f224d0e6f75a938426c31c7721c23d510ea5a2b7b0c9a0e0061fa8ae418fd78cdaa95d86072fbf

Download Submit
C:\Windows\SysWOW64\wojx.exe

Filesize
440KB

MD5
07b67555ecbcbca68cc7f8b3da87f3ca

SHA1
b6f66a7a38a8d6c03c698c57fbb94dc2059de87e

SHA256
98ec2f59662dbaf5b2b4845100347322e4fcda4ac23f09e24e2a664fd912a8c1

SHA512
2e2133d715f26d9afecd60ccd955f71e45cfcb09671c0ee6f03d554a8c9f6d7e7b77e4d16169403c541aa341a20815da307f3dadd22b2d78fb0f32c5298423b7

Download Submit
C:\Windows\SysWOW64\wojx.exe

Filesize
440KB

MD5
07b67555ecbcbca68cc7f8b3da87f3ca

SHA1
b6f66a7a38a8d6c03c698c57fbb94dc2059de87e

SHA256
98ec2f59662dbaf5b2b4845100347322e4fcda4ac23f09e24e2a664fd912a8c1

SHA512
2e2133d715f26d9afecd60ccd955f71e45cfcb09671c0ee6f03d554a8c9f6d7e7b77e4d16169403c541aa341a20815da307f3dadd22b2d78fb0f32c5298423b7

Download Submit
C:\Windows\SysWOW64\woryf.exe

Filesize
441KB

MD5
a54e501fc6306595f4c6553365b31b86

SHA1
1981cf8aa770f09c4fe272b17e492d8dcbf919c2

SHA256
e0785ca691ee402d3134e6052503a81a2651e1444e24d60b5fbde383292cdce4

SHA512
b6977275fe6565c6844f21a997ae25243bf43dbf6f3d0054f69c83e7b981d8195c090a5808edaf9abd10b81be7e99788098c18e77cc37eb709d7d7bffdae1fc5

Download Submit
C:\Windows\SysWOW64\woryf.exe

Filesize
441KB

MD5
a54e501fc6306595f4c6553365b31b86

SHA1
1981cf8aa770f09c4fe272b17e492d8dcbf919c2

SHA256
e0785ca691ee402d3134e6052503a81a2651e1444e24d60b5fbde383292cdce4

SHA512
b6977275fe6565c6844f21a997ae25243bf43dbf6f3d0054f69c83e7b981d8195c090a5808edaf9abd10b81be7e99788098c18e77cc37eb709d7d7bffdae1fc5

Download Submit
C:\Windows\SysWOW64\woxrk.exe

Filesize
441KB

MD5
72cece8162c85c2a32de23d8f948e812

SHA1
d46851d6fc755264a9007bb6639b168dcfcdd3fe

SHA256
0bcc1a26a3b5e741bc831c97f2d45dcc34444ec666d541eb23375e1da75c8ec5

SHA512
dfceedd1944f058e5ffc6c3da2974dc581291675819ab7256de5874a050793d9e6796bb2240ccbd2a9bad6fbb867db31b09b87f50c7385e2583da457c90de127

Download Submit
C:\Windows\SysWOW64\woxrk.exe

Filesize
441KB

MD5
72cece8162c85c2a32de23d8f948e812

SHA1
d46851d6fc755264a9007bb6639b168dcfcdd3fe

SHA256
0bcc1a26a3b5e741bc831c97f2d45dcc34444ec666d541eb23375e1da75c8ec5

SHA512
dfceedd1944f058e5ffc6c3da2974dc581291675819ab7256de5874a050793d9e6796bb2240ccbd2a9bad6fbb867db31b09b87f50c7385e2583da457c90de127

Download Submit
C:\Windows\SysWOW64\wqch.exe

Filesize
441KB

MD5
9a5545a23d726c4a05405315daaadcc5

SHA1
35e737fbfd4d2c96a8bffea0613c811ff7958ef1

SHA256
ad3a64d83883d551889ce084037e79ffd67fab2eaf5a37bd813f7c468e65bd81

SHA512
bf3e634bbbd2ab25bcd7d05e3888f1baa19690d7ef6585a87973ed36a47c44477a3e5a1b54518a58afc5bc94fea07bee9708c161ca71ecb334b76d2f4193dc72

Download Submit
C:\Windows\SysWOW64\wqch.exe

Filesize
441KB

MD5
9a5545a23d726c4a05405315daaadcc5

SHA1
35e737fbfd4d2c96a8bffea0613c811ff7958ef1

SHA256
ad3a64d83883d551889ce084037e79ffd67fab2eaf5a37bd813f7c468e65bd81

SHA512
bf3e634bbbd2ab25bcd7d05e3888f1baa19690d7ef6585a87973ed36a47c44477a3e5a1b54518a58afc5bc94fea07bee9708c161ca71ecb334b76d2f4193dc72

Download Submit
C:\Windows\SysWOW64\wqrfxvpdj.exe

Filesize
440KB

MD5
e0461cf3c0f200b703bbdd37252f3505

SHA1
faf187cd3421486669c8ccdb1fe6915da2321c66

SHA256
0a38a80bd44aead106f26197ca55358c42c0b7fef5cff21a42bad229d40814ef

SHA512
9124219b275f4487ca400f1a9e9d99b57dd2da08497d5b6db5ed7cc02614628b6df9074f1249165d28ab92c421141fb0a73a4e1bb533979220a5889723a7d818

Download Submit
C:\Windows\SysWOW64\wqrfxvpdj.exe

Filesize
440KB

MD5
e0461cf3c0f200b703bbdd37252f3505

SHA1
faf187cd3421486669c8ccdb1fe6915da2321c66

SHA256
0a38a80bd44aead106f26197ca55358c42c0b7fef5cff21a42bad229d40814ef

SHA512
9124219b275f4487ca400f1a9e9d99b57dd2da08497d5b6db5ed7cc02614628b6df9074f1249165d28ab92c421141fb0a73a4e1bb533979220a5889723a7d818

Download Submit
C:\Windows\SysWOW64\wqrfxvpdj.exe

Filesize
440KB

MD5
e0461cf3c0f200b703bbdd37252f3505

SHA1
faf187cd3421486669c8ccdb1fe6915da2321c66

SHA256
0a38a80bd44aead106f26197ca55358c42c0b7fef5cff21a42bad229d40814ef

SHA512
9124219b275f4487ca400f1a9e9d99b57dd2da08497d5b6db5ed7cc02614628b6df9074f1249165d28ab92c421141fb0a73a4e1bb533979220a5889723a7d818

Download Submit
C:\Windows\SysWOW64\wrkdsgs.exe

Filesize
440KB

MD5
49d68002434409b9b6919d10b21a3853

SHA1
b86dc6154273884dea21210461fe66d0fea22d01

SHA256
eb8c379e3831d88847cab971efa742c62bfebe3eb627846c360c7eaac6a9bf54

SHA512
946859771a49d323a7be7e65f2a6274bb3c55b6e233b6152d9fd27330f4b51690e4bcd4a4dad7ff7d1f3dfb27c302e4d480f73f4423af9aeee1686cc6eab342e

Download Submit
C:\Windows\SysWOW64\wrkdsgs.exe

Filesize
440KB

MD5
49d68002434409b9b6919d10b21a3853

SHA1
b86dc6154273884dea21210461fe66d0fea22d01

SHA256
eb8c379e3831d88847cab971efa742c62bfebe3eb627846c360c7eaac6a9bf54

SHA512
946859771a49d323a7be7e65f2a6274bb3c55b6e233b6152d9fd27330f4b51690e4bcd4a4dad7ff7d1f3dfb27c302e4d480f73f4423af9aeee1686cc6eab342e

Download Submit
C:\Windows\SysWOW64\wtgssf.exe

Filesize
440KB

MD5
a2e96896355710844363aa91615ddae6

SHA1
e4639c349fff870aa0a4b34b8f5e507a6cebfd19

SHA256
f091a39d58b4acd41c41370ac30adeb4cfbe4becaf7e7abf0d383a8744f19439

SHA512
b22621ff47c8adfb5763c522312f18ff34e93f2715b7379a40d130e713bf39ddac1bc634f0a2fb3f655e547a76e57b29fd4298d69dce7fb099c3ec5d212a54d7

Download Submit
C:\Windows\SysWOW64\wtgssf.exe

Filesize
440KB

MD5
a2e96896355710844363aa91615ddae6

SHA1
e4639c349fff870aa0a4b34b8f5e507a6cebfd19

SHA256
f091a39d58b4acd41c41370ac30adeb4cfbe4becaf7e7abf0d383a8744f19439

SHA512
b22621ff47c8adfb5763c522312f18ff34e93f2715b7379a40d130e713bf39ddac1bc634f0a2fb3f655e547a76e57b29fd4298d69dce7fb099c3ec5d212a54d7

Download Submit
C:\Windows\SysWOW64\wtigvi.exe

Filesize
440KB

MD5
4b3a4f490af9008adebd002e16c0f318

SHA1
42235ab7b9515698c9ba2ae08bf4348f13498203

SHA256
8a32c6b0fdb68cc87a06f26647057a64ffae55302dcb82bc612b1c00204b3b29

SHA512
7c5fe7975a56b478bc16621be52c81f1e561bd6563a259f7929b6a564095de751481f2d5e463c890cd1e9d0ee5a1a2624b3db8497eef9aef491527eeb058bca0

Download Submit
C:\Windows\SysWOW64\wtigvi.exe

Filesize
440KB

MD5
4b3a4f490af9008adebd002e16c0f318

SHA1
42235ab7b9515698c9ba2ae08bf4348f13498203

SHA256
8a32c6b0fdb68cc87a06f26647057a64ffae55302dcb82bc612b1c00204b3b29

SHA512
7c5fe7975a56b478bc16621be52c81f1e561bd6563a259f7929b6a564095de751481f2d5e463c890cd1e9d0ee5a1a2624b3db8497eef9aef491527eeb058bca0

Download Submit
C:\Windows\SysWOW64\wuhrrmb.exe

Filesize
440KB

MD5
7542a1179c073e613f9320ea7059e310

SHA1
016b64132790bf04690767e18f737644a1801d6e

SHA256
af29c01d70a30bd9540bede17f8a680076fd3c4f7e655dc4c015d279e79c7895

SHA512
65dfac9788c017b2e3a80800cdd89736456457c74ea34a8306f2511104722582148fc2a4d1a21e35a860890a66dbf91fa2d5bc585b9317293af2d8f72c54ce59

Download Submit
C:\Windows\SysWOW64\wuhrrmb.exe

Filesize
440KB

MD5
7542a1179c073e613f9320ea7059e310

SHA1
016b64132790bf04690767e18f737644a1801d6e

SHA256
af29c01d70a30bd9540bede17f8a680076fd3c4f7e655dc4c015d279e79c7895

SHA512
65dfac9788c017b2e3a80800cdd89736456457c74ea34a8306f2511104722582148fc2a4d1a21e35a860890a66dbf91fa2d5bc585b9317293af2d8f72c54ce59

Download Submit
C:\Windows\SysWOW64\wvisbg.exe

Filesize
441KB

MD5
1184858709d00d251d7443b5ab96f337

SHA1
10674f74730cc1c1a175d63923f46fbcc4681ad5

SHA256
b7ac57edb9a35e369aed4f7c676637190a0199891282a4fd5d35aa50e03ead3b

SHA512
a6bee8fbb7438dcc15246c433c04105010c20035959171a06e3f22b811978918d188beaffd024643a2ccaab2fef9fe859d88940b487c19462933964e242d5165

Download Submit
C:\Windows\SysWOW64\wvisbg.exe

Filesize
441KB

MD5
1184858709d00d251d7443b5ab96f337

SHA1
10674f74730cc1c1a175d63923f46fbcc4681ad5

SHA256
b7ac57edb9a35e369aed4f7c676637190a0199891282a4fd5d35aa50e03ead3b

SHA512
a6bee8fbb7438dcc15246c433c04105010c20035959171a06e3f22b811978918d188beaffd024643a2ccaab2fef9fe859d88940b487c19462933964e242d5165

Download Submit
C:\Windows\SysWOW64\wxbmmo.exe

Filesize
440KB

MD5
e5057c2a9fab2f1d9dd21c59af899679

SHA1
26a7645556fd176818b6d06327b560deaef9891a

SHA256
17820d0c3358820938ce9d368d4980e90b5ca81a466cce85f59fccc6d859f49f

SHA512
d7b497026d09ecb3dd6fa7da6ac0cfe2dc132331f8e2465c585949baba04984a77cd67a4fbe8376b7b285d78a87832a75101eda30fccfb13557c6169e84b6fcc

Download Submit
C:\Windows\SysWOW64\wxbmmo.exe

Filesize
440KB

MD5
e5057c2a9fab2f1d9dd21c59af899679

SHA1
26a7645556fd176818b6d06327b560deaef9891a

SHA256
17820d0c3358820938ce9d368d4980e90b5ca81a466cce85f59fccc6d859f49f

SHA512
d7b497026d09ecb3dd6fa7da6ac0cfe2dc132331f8e2465c585949baba04984a77cd67a4fbe8376b7b285d78a87832a75101eda30fccfb13557c6169e84b6fcc

Download Submit
C:\Windows\SysWOW64\wxnfkjum.exe

Filesize
440KB

MD5
6f8b2d50891bb32c686300b266a11613

SHA1
d4cd13058eb03402babc406f283bff6d4fd420f3

SHA256
281ff94fd93b3406e39e4445b63842db8093f7ccedbf8520ce9fbf3ffa24010b

SHA512
f402c760d07d830ef5d031211a3285cd5cb5ee007f9f969ad5e8a42094f39dce7855549b614f16a96141dff68358adb7ac14c8d68b32bc711f52234acb5c5794

Download Submit
C:\Windows\SysWOW64\wxnfkjum.exe

Filesize
440KB

MD5
6f8b2d50891bb32c686300b266a11613

SHA1
d4cd13058eb03402babc406f283bff6d4fd420f3

SHA256
281ff94fd93b3406e39e4445b63842db8093f7ccedbf8520ce9fbf3ffa24010b

SHA512
f402c760d07d830ef5d031211a3285cd5cb5ee007f9f969ad5e8a42094f39dce7855549b614f16a96141dff68358adb7ac14c8d68b32bc711f52234acb5c5794

Download Submit
C:\Windows\SysWOW64\wxqrhpd.exe

Filesize
441KB

MD5
e803b9515a93b49d2fee1df9b413da0a

SHA1
aa37557dab2564e8e5ec739c74acc9d9c3da7c0d

SHA256
f39e9bbde17a61bdf14db6646240460cb60cdd33b2b265eabdd920f1de2a4cd5

SHA512
736f739a89895771ad0a3aac85a5d6b4a6dce22372f4532a8dea3e095e7e1a98afa9c7be8ab24219df72a8fc2bf570f3ade5ec734383ccc98fb9131b97faf632

Download Submit
C:\Windows\SysWOW64\wxqrhpd.exe

Filesize
441KB

MD5
e803b9515a93b49d2fee1df9b413da0a

SHA1
aa37557dab2564e8e5ec739c74acc9d9c3da7c0d

SHA256
f39e9bbde17a61bdf14db6646240460cb60cdd33b2b265eabdd920f1de2a4cd5

SHA512
736f739a89895771ad0a3aac85a5d6b4a6dce22372f4532a8dea3e095e7e1a98afa9c7be8ab24219df72a8fc2bf570f3ade5ec734383ccc98fb9131b97faf632

Download Submit
memory/232-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/500-453-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/660-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/660-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/872-388-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1184-396-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1256-130-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1384-525-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1428-293-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1428-191-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1428-202-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1456-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1700-378-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1752-213-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1780-273-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1780-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1796-492-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1868-469-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1944-461-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1944-253-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2012-445-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2056-339-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2084-443-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2144-80-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2240-552-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-355-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2356-100-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2480-50-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2516-436-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2524-331-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2708-363-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2956-313-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3000-323-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3076-543-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3076-533-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3200-160-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3300-380-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3364-223-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3380-283-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3516-500-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3580-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3732-303-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3768-534-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3772-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3796-150-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3908-419-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4060-554-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4060-542-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4064-110-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4080-506-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4208-90-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4220-243-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4308-347-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4328-192-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4452-203-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4452-179-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4496-120-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4504-404-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4504-477-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4504-180-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4696-233-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4744-510-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4800-272-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4996-40-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download