c664712f1f4ba717816eed9c15d4d05f48a91bc5280d8ed1080f083c52a01a90

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acad2392f55ee3b75ee914661f7f1613.exe
Size

263KB
MD5

acad2392f55ee3b75ee914661f7f1613
SHA1

aabc5065a60f23dda114fbe4240f1e4b8b533842
SHA256

c664712f1f4ba717816eed9c15d4d05f48a91bc5280d8ed1080f083c52a01a90
SHA512

1407546cc77c508a1b15c622306b69c44828f02b4bf25615751328df0c3badb3a09dae9aa69453673f3e44ceb74a8ae9e4ca3408884b6973ab116802a532e909
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuh:ZY7xh6SZI4z7FSVpuh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wkciuri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	whkivecl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wwutidkw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wfvqur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wpvclved.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wvleesaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wvmq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wkmol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wwowrk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wjgjggt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wpele.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wgoemid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	waefoxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	whpvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	waqtkqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wntf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wmikhjk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wigsog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wmoquo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wxuyua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wxqvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wgtju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wnrd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wcecyrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wbbrrydx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wsnyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wbxrsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	whxbrmyl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	woqb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wsuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wtfbsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wgmn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wmbscqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wvims.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wgue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wuopvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wnpycpye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wdrijy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wgollkiao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wriuej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wwaqwqnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wlsat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wwtqsmro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wkjwkgp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wtqrm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wybqlyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wdtmwy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wxolaswyw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wnkuu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wwjukawh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wkbawufss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wuoxjviw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wxryq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wbntvt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wunmr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	walmh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wshhru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wxpbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wgwpp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wxnpjcl.exe

Executes dropped EXE 64 IoCs

pid	Process
4336	wkbcrv.exe
3176	wdyyy.exe
4220	wwowrk.exe
4312	wlhfogt.exe
2268	wjgjggt.exe
3268	wsawlja.exe
1224	wvfx.exe
4060	wgue.exe
3120	wuonmpaea.exe
4372	wixj.exe
372	wfxm.exe
4576	wwbdovc.exe
4952	wtmqmwld.exe
1428	wibsoo.exe
1384	wfvqur.exe
4616	wxuyua.exe
4264	wqvhu.exe
1296	wuoxjviw.exe
608	wxqvc.exe
4892	wrkxxi.exe
2880	woso.exe
5112	wehdrjs.exe
1384	wpele.exe
812	whodlpvi.exe
2872	wuopvi.exe
1800	wgoemid.exe
3276	wdoiekd.exe
372	waxw.exe
960	wwjlcnwtx.exe
3820	wkjwkgp.exe
4804	wmrib.exe
5112	waqtkqv.exe
2724	wxci.exe
2364	wclpoc.exe
3192	wlwewfweq.exe
5060	wpfjeoos.exe
2540	wnpycpye.exe
4440	wwqou.exe
3008	wtqrm.exe
2396	wykkyepfn.exe
1508	whdxe.exe
1384	wrwkjj.exe
2312	wnavunfrb.exe
3552	wveufr.exe
4984	wshhru.exe
4892	wklwm.exe
3944	wcecyrj.exe
4420	wxryq.exe
1004	wpkfej.exe
1532	wddpadtd.exe
4912	wdrijy.exe
4968	wpvclved.exe
1052	wmynwyg.exe
2332	wriuej.exe
4424	wnwrwok.exe
2968	wjntcq.exe
4432	wkcn.exe
2432	wsub.exe
1388	wgollkiao.exe
4620	wgmn.exe
3584	wpgbgjpk.exe
436	wypefllp.exe
4104	wacxoh.exe
4928	wvgjylduv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wrwkjj.exe	whdxe.exe
File created	C:\Windows\SysWOW64\wntf.exe	wvims.exe
File created	C:\Windows\SysWOW64\wcplbu.exe	wbbrrydx.exe
File created	C:\Windows\SysWOW64\wibsoo.exe	wtmqmwld.exe
File opened for modification	C:\Windows\SysWOW64\wxqvc.exe	wuoxjviw.exe
File opened for modification	C:\Windows\SysWOW64\wtqrm.exe	wwqou.exe
File created	C:\Windows\SysWOW64\wpgbgjpk.exe	wgmn.exe
File created	C:\Windows\SysWOW64\wacxoh.exe	wypefllp.exe
File created	C:\Windows\SysWOW64\walmh.exe	wgwpp.exe
File created	C:\Windows\SysWOW64\wvkb.exe	wobtnk.exe
File created	C:\Windows\SysWOW64\wuopvi.exe	whodlpvi.exe
File opened for modification	C:\Windows\SysWOW64\wuopvi.exe	whodlpvi.exe
File opened for modification	C:\Windows\SysWOW64\woqb.exe	wbxrsdd.exe
File opened for modification	C:\Windows\SysWOW64\wvmq.exe	wdtmwy.exe
File created	C:\Windows\SysWOW64\wkmol.exe	wwjukawh.exe
File opened for modification	C:\Windows\SysWOW64\wmikhjk.exe	wdpwcgf.exe
File opened for modification	C:\Windows\SysWOW64\wakw.exe	wkbawufss.exe
File created	C:\Windows\SysWOW64\wuonmpaea.exe	wgue.exe
File created	C:\Windows\SysWOW64\wfwad.exe	wbntvt.exe
File opened for modification	C:\Windows\SysWOW64\wigsog.exe	wemcbu.exe
File created	C:\Windows\SysWOW64\waxw.exe	wdoiekd.exe
File created	C:\Windows\SysWOW64\whdxe.exe	wykkyepfn.exe
File created	C:\Windows\SysWOW64\wgwpp.exe	wunmr.exe
File created	C:\Windows\SysWOW64\wyrupbvs.exe	wedyxvj.exe
File created	C:\Windows\SysWOW64\wemcbu.exe	wmikhjk.exe
File opened for modification	C:\Windows\SysWOW64\wdrijy.exe	wddpadtd.exe
File opened for modification	C:\Windows\SysWOW64\wacxoh.exe	wypefllp.exe
File opened for modification	C:\Windows\SysWOW64\wxryq.exe	wcecyrj.exe
File opened for modification	C:\Windows\SysWOW64\woqoo.exe	wsncc.exe
File created	C:\Windows\SysWOW64\wck.exe	woqb.exe
File opened for modification	C:\Windows\SysWOW64\wbfof.exe	wmbscqs.exe
File opened for modification	C:\Windows\SysWOW64\wdpwcgf.exe	wdnoyk.exe
File created	C:\Windows\SysWOW64\wqkfkj.exe	wigsog.exe
File opened for modification	C:\Windows\SysWOW64\wgue.exe	wvfx.exe
File opened for modification	C:\Windows\SysWOW64\wwbdovc.exe	wfxm.exe
File opened for modification	C:\Windows\SysWOW64\wwjlcnwtx.exe	waxw.exe
File created	C:\Windows\SysWOW64\wmrib.exe	wkjwkgp.exe
File opened for modification	C:\Windows\SysWOW64\wwutidkw.exe	wrkmb.exe
File created	C:\Windows\SysWOW64\wqvhu.exe	wxuyua.exe
File created	C:\Windows\SysWOW64\wgoemid.exe	wuopvi.exe
File opened for modification	C:\Windows\SysWOW64\wkmol.exe	wwjukawh.exe
File created	C:\Windows\SysWOW64\wwbuqoqxh.exe	wgwgvb.exe
File created	C:\Windows\SysWOW64\wnwrwok.exe	wriuej.exe
File opened for modification	C:\Windows\SysWOW64\wto.exe	wxlkofh.exe
File opened for modification	C:\Windows\SysWOW64\wgplee.exe	wck.exe
File created	C:\Windows\SysWOW64\woqoo.exe	wsncc.exe
File created	C:\Windows\SysWOW64\wotxpiidl.exe	woqoo.exe
File opened for modification	C:\Windows\SysWOW64\wvleesaf.exe	wehoki.exe
File created	C:\Windows\SysWOW64\wwg.exe	waefoxt.exe
File created	C:\Windows\SysWOW64\wtfbsk.exe	wsuo.exe
File created	C:\Windows\SysWOW64\wsawlja.exe	wjgjggt.exe
File opened for modification	C:\Windows\SysWOW64\wqvhu.exe	wxuyua.exe
File created	C:\Windows\SysWOW64\wbbrrydx.exe	wmtsdeff.exe
File opened for modification	C:\Windows\SysWOW64\wtywa.exe	wfykpw.exe
File opened for modification	C:\Windows\SysWOW64\wuoxjviw.exe	wqvhu.exe
File opened for modification	C:\Windows\SysWOW64\wypefllp.exe	wpgbgjpk.exe
File created	C:\Windows\SysWOW64\wwjukawh.exe	wfef.exe
File opened for modification	C:\Windows\SysWOW64\wmoquo.exe	wqkfkj.exe
File opened for modification	C:\Windows\SysWOW64\wtmqmwld.exe	wwbdovc.exe
File opened for modification	C:\Windows\SysWOW64\wfvqur.exe	wibsoo.exe
File opened for modification	C:\Windows\SysWOW64\wwaqwqnd.exe	wfwad.exe
File created	C:\Windows\SysWOW64\wwtqsmro.exe	wkciuri.exe
File created	C:\Windows\SysWOW64\waefoxt.exe	wnkuu.exe
File opened for modification	C:\Windows\SysWOW64\whpvj.exe	wtfbsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3552	2364	WerFault.exe	196
1724	3192	WerFault.exe	199
2708	1508	WerFault.exe	221
228	4928	WerFault.exe	292
1112	4928	WerFault.exe	292
3208	1376	WerFault.exe	317
4148	2880	WerFault.exe	412
1344	2880	WerFault.exe	412

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 4336	2724	acad2392f55ee3b75ee914661f7f1613.exe	91
PID 2724 wrote to memory of 4336	2724	acad2392f55ee3b75ee914661f7f1613.exe	91
PID 2724 wrote to memory of 4336	2724	acad2392f55ee3b75ee914661f7f1613.exe	91
PID 2724 wrote to memory of 4920	2724	acad2392f55ee3b75ee914661f7f1613.exe	93
PID 2724 wrote to memory of 4920	2724	acad2392f55ee3b75ee914661f7f1613.exe	93
PID 2724 wrote to memory of 4920	2724	acad2392f55ee3b75ee914661f7f1613.exe	93
PID 4336 wrote to memory of 3176	4336	wkbcrv.exe	95
PID 4336 wrote to memory of 3176	4336	wkbcrv.exe	95
PID 4336 wrote to memory of 3176	4336	wkbcrv.exe	95
PID 4336 wrote to memory of 4348	4336	wkbcrv.exe	97
PID 4336 wrote to memory of 4348	4336	wkbcrv.exe	97
PID 4336 wrote to memory of 4348	4336	wkbcrv.exe	97
PID 3176 wrote to memory of 4220	3176	wdyyy.exe	99
PID 3176 wrote to memory of 4220	3176	wdyyy.exe	99
PID 3176 wrote to memory of 4220	3176	wdyyy.exe	99
PID 3176 wrote to memory of 2200	3176	wdyyy.exe	100
PID 3176 wrote to memory of 2200	3176	wdyyy.exe	100
PID 3176 wrote to memory of 2200	3176	wdyyy.exe	100
PID 4220 wrote to memory of 4312	4220	wwowrk.exe	103
PID 4220 wrote to memory of 4312	4220	wwowrk.exe	103
PID 4220 wrote to memory of 4312	4220	wwowrk.exe	103
PID 4220 wrote to memory of 4172	4220	wwowrk.exe	104
PID 4220 wrote to memory of 4172	4220	wwowrk.exe	104
PID 4220 wrote to memory of 4172	4220	wwowrk.exe	104
PID 4312 wrote to memory of 2268	4312	wlhfogt.exe	106
PID 4312 wrote to memory of 2268	4312	wlhfogt.exe	106
PID 4312 wrote to memory of 2268	4312	wlhfogt.exe	106
PID 4312 wrote to memory of 3904	4312	wlhfogt.exe	108
PID 4312 wrote to memory of 3904	4312	wlhfogt.exe	108
PID 4312 wrote to memory of 3904	4312	wlhfogt.exe	108
PID 2268 wrote to memory of 3268	2268	wjgjggt.exe	109
PID 2268 wrote to memory of 3268	2268	wjgjggt.exe	109
PID 2268 wrote to memory of 3268	2268	wjgjggt.exe	109
PID 2268 wrote to memory of 3784	2268	wjgjggt.exe	111
PID 2268 wrote to memory of 3784	2268	wjgjggt.exe	111
PID 2268 wrote to memory of 3784	2268	wjgjggt.exe	111
PID 3268 wrote to memory of 1224	3268	wsawlja.exe	112
PID 3268 wrote to memory of 1224	3268	wsawlja.exe	112
PID 3268 wrote to memory of 1224	3268	wsawlja.exe	112
PID 3268 wrote to memory of 1380	3268	wsawlja.exe	113
PID 3268 wrote to memory of 1380	3268	wsawlja.exe	113
PID 3268 wrote to memory of 1380	3268	wsawlja.exe	113
PID 1224 wrote to memory of 4060	1224	wvfx.exe	115
PID 1224 wrote to memory of 4060	1224	wvfx.exe	115
PID 1224 wrote to memory of 4060	1224	wvfx.exe	115
PID 1224 wrote to memory of 4912	1224	wvfx.exe	116
PID 1224 wrote to memory of 4912	1224	wvfx.exe	116
PID 1224 wrote to memory of 4912	1224	wvfx.exe	116
PID 4060 wrote to memory of 3120	4060	wgue.exe	120
PID 4060 wrote to memory of 3120	4060	wgue.exe	120
PID 4060 wrote to memory of 3120	4060	wgue.exe	120
PID 4060 wrote to memory of 5104	4060	wgue.exe	118
PID 4060 wrote to memory of 5104	4060	wgue.exe	118
PID 4060 wrote to memory of 5104	4060	wgue.exe	118
PID 3120 wrote to memory of 4372	3120	wuonmpaea.exe	121
PID 3120 wrote to memory of 4372	3120	wuonmpaea.exe	121
PID 3120 wrote to memory of 4372	3120	wuonmpaea.exe	121
PID 3120 wrote to memory of 3432	3120	wuonmpaea.exe	123
PID 3120 wrote to memory of 3432	3120	wuonmpaea.exe	123
PID 3120 wrote to memory of 3432	3120	wuonmpaea.exe	123
PID 4372 wrote to memory of 372	4372	wixj.exe	124
PID 4372 wrote to memory of 372	4372	wixj.exe	124
PID 4372 wrote to memory of 372	4372	wixj.exe	124
PID 4372 wrote to memory of 2292	4372	wixj.exe	126

C:\Users\Admin\AppData\Local\Temp\acad2392f55ee3b75ee914661f7f1613.exe
"C:\Users\Admin\AppData\Local\Temp\acad2392f55ee3b75ee914661f7f1613.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\wkbcrv.exe
  "C:\Windows\system32\wkbcrv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\wdyyy.exe
    "C:\Windows\system32\wdyyy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\wwowrk.exe
      "C:\Windows\system32\wwowrk.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\wlhfogt.exe
        
        "C:\Windows\system32\wlhfogt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\Windows\SysWOW64\wjgjggt.exe
        
        "C:\Windows\system32\wjgjggt.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\wsawlja.exe
        
        "C:\Windows\system32\wsawlja.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\wvfx.exe
        
        "C:\Windows\system32\wvfx.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\wgue.exe
        
        "C:\Windows\system32\wgue.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgue.exe"
        10⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\wuonmpaea.exe
        
        "C:\Windows\system32\wuonmpaea.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\wixj.exe
        
        "C:\Windows\system32\wixj.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\wfxm.exe
        
        "C:\Windows\system32\wfxm.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\wwbdovc.exe
        
        "C:\Windows\system32\wwbdovc.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\wtmqmwld.exe
        
        "C:\Windows\system32\wtmqmwld.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\wibsoo.exe
        
        "C:\Windows\system32\wibsoo.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wfvqur.exe
        
        "C:\Windows\system32\wfvqur.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\wxuyua.exe
        
        "C:\Windows\system32\wxuyua.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\wqvhu.exe
        
        "C:\Windows\system32\wqvhu.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\wuoxjviw.exe
        
        "C:\Windows\system32\wuoxjviw.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\wxqvc.exe
        
        "C:\Windows\system32\wxqvc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\SysWOW64\wrkxxi.exe
        
        "C:\Windows\system32\wrkxxi.exe"
        21⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\woso.exe
        
        "C:\Windows\system32\woso.exe"
        22⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\wehdrjs.exe
        
        "C:\Windows\system32\wehdrjs.exe"
        23⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\wpele.exe
        
        "C:\Windows\system32\wpele.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\whodlpvi.exe
        
        "C:\Windows\system32\whodlpvi.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\wuopvi.exe
        
        "C:\Windows\system32\wuopvi.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\wgoemid.exe
        
        "C:\Windows\system32\wgoemid.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\wdoiekd.exe
        
        "C:\Windows\system32\wdoiekd.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\waxw.exe
        
        "C:\Windows\system32\waxw.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\wwjlcnwtx.exe
        
        "C:\Windows\system32\wwjlcnwtx.exe"
        30⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\wkjwkgp.exe
        
        "C:\Windows\system32\wkjwkgp.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\wmrib.exe
        
        "C:\Windows\system32\wmrib.exe"
        32⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\waqtkqv.exe
        
        "C:\Windows\system32\waqtkqv.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\wxci.exe
        
        "C:\Windows\system32\wxci.exe"
        34⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\wclpoc.exe
        
        "C:\Windows\system32\wclpoc.exe"
        35⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\wlwewfweq.exe
        
        "C:\Windows\system32\wlwewfweq.exe"
        36⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\wpfjeoos.exe
        
        "C:\Windows\system32\wpfjeoos.exe"
        37⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\wnpycpye.exe
        
        "C:\Windows\system32\wnpycpye.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\wwqou.exe
        
        "C:\Windows\system32\wwqou.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\wtqrm.exe
        
        "C:\Windows\system32\wtqrm.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\wykkyepfn.exe
        
        "C:\Windows\system32\wykkyepfn.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\whdxe.exe
        
        "C:\Windows\system32\whdxe.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\wrwkjj.exe
        
        "C:\Windows\system32\wrwkjj.exe"
        43⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\wnavunfrb.exe
        
        "C:\Windows\system32\wnavunfrb.exe"
        44⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\wveufr.exe
        
        "C:\Windows\system32\wveufr.exe"
        45⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\wshhru.exe
        
        "C:\Windows\system32\wshhru.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\wklwm.exe
        
        "C:\Windows\system32\wklwm.exe"
        47⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\wcecyrj.exe
        
        "C:\Windows\system32\wcecyrj.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\wxryq.exe
        
        "C:\Windows\system32\wxryq.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\wpkfej.exe
        
        "C:\Windows\system32\wpkfej.exe"
        50⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\wddpadtd.exe
        
        "C:\Windows\system32\wddpadtd.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\wdrijy.exe
        
        "C:\Windows\system32\wdrijy.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\wpvclved.exe
        
        "C:\Windows\system32\wpvclved.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\wmynwyg.exe
        
        "C:\Windows\system32\wmynwyg.exe"
        54⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\wriuej.exe
        
        "C:\Windows\system32\wriuej.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\wnwrwok.exe
        
        "C:\Windows\system32\wnwrwok.exe"
        56⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\wjntcq.exe
        
        "C:\Windows\system32\wjntcq.exe"
        57⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\wkcn.exe
        
        "C:\Windows\system32\wkcn.exe"
        58⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\wsub.exe
        
        "C:\Windows\system32\wsub.exe"
        59⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\wgollkiao.exe
        
        "C:\Windows\system32\wgollkiao.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\wgmn.exe
        
        "C:\Windows\system32\wgmn.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\wpgbgjpk.exe
        
        "C:\Windows\system32\wpgbgjpk.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\wypefllp.exe
        
        "C:\Windows\system32\wypefllp.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\wacxoh.exe
        
        "C:\Windows\system32\wacxoh.exe"
        64⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\wvgjylduv.exe
        
        "C:\Windows\system32\wvgjylduv.exe"
        65⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\wixsufo.exe
        
        "C:\Windows\system32\wixsufo.exe"
        66⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\wbntvt.exe
        
        "C:\Windows\system32\wbntvt.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\wfwad.exe
        
        "C:\Windows\system32\wfwad.exe"
        68⤵
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\wwaqwqnd.exe
        
        "C:\Windows\system32\wwaqwqnd.exe"
        69⤵
        Checks computer location settings
        
        PID:2124
        
        C:\Windows\SysWOW64\wlsat.exe
        
        "C:\Windows\system32\wlsat.exe"
        70⤵
        Checks computer location settings
        
        PID:4844
        
        C:\Windows\SysWOW64\wxlkofh.exe
        
        "C:\Windows\system32\wxlkofh.exe"
        71⤵
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\wto.exe
        
        "C:\Windows\system32\wto.exe"
        72⤵
        Checks computer location settings
        
        PID:1376
        
        C:\Windows\SysWOW64\wsnyq.exe
        
        "C:\Windows\system32\wsnyq.exe"
        73⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Windows\SysWOW64\wih.exe
        
        "C:\Windows\system32\wih.exe"
        74⤵
        Checks computer location settings
        
        PID:2304
        
        C:\Windows\SysWOW64\wromkb.exe
        
        "C:\Windows\system32\wromkb.exe"
        75⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\wunmr.exe
        
        "C:\Windows\system32\wunmr.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\wgwpp.exe
        
        "C:\Windows\system32\wgwpp.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\walmh.exe
        
        "C:\Windows\system32\walmh.exe"
        78⤵
        Checks computer location settings
        
        PID:4868
        
        C:\Windows\SysWOW64\wsncc.exe
        
        "C:\Windows\system32\wsncc.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\woqoo.exe
        
        "C:\Windows\system32\woqoo.exe"
        80⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\wotxpiidl.exe
        
        "C:\Windows\system32\wotxpiidl.exe"
        81⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\wbxrsdd.exe
        
        "C:\Windows\system32\wbxrsdd.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\woqb.exe
        
        "C:\Windows\system32\woqb.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\wck.exe
        
        "C:\Windows\system32\wck.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wgplee.exe
        
        "C:\Windows\system32\wgplee.exe"
        85⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\wehoki.exe
        
        "C:\Windows\system32\wehoki.exe"
        86⤵
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\wvleesaf.exe
        
        "C:\Windows\system32\wvleesaf.exe"
        87⤵
        Checks computer location settings
        
        PID:3276
        
        C:\Windows\SysWOW64\wrybv.exe
        
        "C:\Windows\system32\wrybv.exe"
        88⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\wnrd.exe
        
        "C:\Windows\system32\wnrd.exe"
        89⤵
        Checks computer location settings
        
        PID:4556
        
        C:\Windows\SysWOW64\wmfwkx.exe
        
        "C:\Windows\system32\wmfwkx.exe"
        90⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\wnsp.exe
        
        "C:\Windows\system32\wnsp.exe"
        91⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\wblyo.exe
        
        "C:\Windows\system32\wblyo.exe"
        92⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\wxolaswyw.exe
        
        "C:\Windows\system32\wxolaswyw.exe"
        93⤵
        Checks computer location settings
        
        PID:4264
        
        C:\Windows\SysWOW64\wanl.exe
        
        "C:\Windows\system32\wanl.exe"
        94⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\wwf.exe
        
        "C:\Windows\system32\wwf.exe"
        95⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\whxbrmyl.exe
        
        "C:\Windows\system32\whxbrmyl.exe"
        96⤵
        Checks computer location settings
        
        PID:2420
        
        C:\Windows\SysWOW64\wybqlyx.exe
        
        "C:\Windows\system32\wybqlyx.exe"
        97⤵
        Checks computer location settings
        
        PID:4172
        
        C:\Windows\SysWOW64\wmgkm.exe
        
        "C:\Windows\system32\wmgkm.exe"
        98⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\wqpq.exe
        
        "C:\Windows\system32\wqpq.exe"
        99⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\wdtmwy.exe
        
        "C:\Windows\system32\wdtmwy.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\wvmq.exe
        
        "C:\Windows\system32\wvmq.exe"
        101⤵
        Checks computer location settings
        
        PID:4816
        
        C:\Windows\SysWOW64\wfef.exe
        
        "C:\Windows\system32\wfef.exe"
        102⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\wwjukawh.exe
        
        "C:\Windows\system32\wwjukawh.exe"
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wkmol.exe
        
        "C:\Windows\system32\wkmol.exe"
        104⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Windows\SysWOW64\wkciuri.exe
        
        "C:\Windows\system32\wkciuri.exe"
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\wwtqsmro.exe
        
        "C:\Windows\system32\wwtqsmro.exe"
        106⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Windows\SysWOW64\wedyxvj.exe
        
        "C:\Windows\system32\wedyxvj.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\wyrupbvs.exe
        
        "C:\Windows\system32\wyrupbvs.exe"
        108⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\whkivecl.exe
        
        "C:\Windows\system32\whkivecl.exe"
        109⤵
        Checks computer location settings
        
        PID:3532
        
        C:\Windows\SysWOW64\wktslw.exe
        
        "C:\Windows\system32\wktslw.exe"
        110⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\wgwgvb.exe
        
        "C:\Windows\system32\wgwgvb.exe"
        111⤵
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\wwbuqoqxh.exe
        
        "C:\Windows\system32\wwbuqoqxh.exe"
        112⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\wgtju.exe
        
        "C:\Windows\system32\wgtju.exe"
        113⤵
        Checks computer location settings
        
        PID:3904
        
        C:\Windows\SysWOW64\wxnpjcl.exe
        
        "C:\Windows\system32\wxnpjcl.exe"
        114⤵
        Checks computer location settings
        
        PID:1124
        
        C:\Windows\SysWOW64\wpcqjos.exe
        
        "C:\Windows\system32\wpcqjos.exe"
        115⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\wmbscqs.exe
        
        "C:\Windows\system32\wmbscqs.exe"
        116⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\wbfof.exe
        
        "C:\Windows\system32\wbfof.exe"
        117⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\wvhbpoqhn.exe
        
        "C:\Windows\system32\wvhbpoqhn.exe"
        118⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\wrkmb.exe
        
        "C:\Windows\system32\wrkmb.exe"
        119⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wwutidkw.exe
        
        "C:\Windows\system32\wwutidkw.exe"
        120⤵
        Checks computer location settings
        
        PID:2420
        
        C:\Windows\SysWOW64\wgyqsgbe.exe
        
        "C:\Windows\system32\wgyqsgbe.exe"
        121⤵
        
        PID:844
        
        C:\Windows\SysWOW64\whicja.exe
        
        "C:\Windows\system32\whicja.exe"
        122⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\wvims.exe
        
        "C:\Windows\system32\wvims.exe"
        123⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\wntf.exe
        
        "C:\Windows\system32\wntf.exe"
        124⤵
        Checks computer location settings
        
        PID:4084
        
        C:\Windows\SysWOW64\wbmpvvxyu.exe
        
        "C:\Windows\system32\wbmpvvxyu.exe"
        125⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\wxpbg.exe
        
        "C:\Windows\system32\wxpbg.exe"
        126⤵
        Checks computer location settings
        
        PID:3252
        
        C:\Windows\SysWOW64\wobtnk.exe
        
        "C:\Windows\system32\wobtnk.exe"
        127⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wvkb.exe
        
        "C:\Windows\system32\wvkb.exe"
        128⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\wmtsdeff.exe
        
        "C:\Windows\system32\wmtsdeff.exe"
        129⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\wbbrrydx.exe
        
        "C:\Windows\system32\wbbrrydx.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\wcplbu.exe
        
        "C:\Windows\system32\wcplbu.exe"
        131⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\wwehsah.exe
        
        "C:\Windows\system32\wwehsah.exe"
        132⤵
        
        PID:316
        
        C:\Windows\SysWOW64\wdnoyk.exe
        
        "C:\Windows\system32\wdnoyk.exe"
        133⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\wdpwcgf.exe
        
        "C:\Windows\system32\wdpwcgf.exe"
        134⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\wmikhjk.exe
        
        "C:\Windows\system32\wmikhjk.exe"
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\wemcbu.exe
        
        "C:\Windows\system32\wemcbu.exe"
        136⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\wigsog.exe
        
        "C:\Windows\system32\wigsog.exe"
        137⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\wqkfkj.exe
        
        "C:\Windows\system32\wqkfkj.exe"
        138⤵
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\wmoquo.exe
        
        "C:\Windows\system32\wmoquo.exe"
        139⤵
        Checks computer location settings
        
        PID:2128
        
        C:\Windows\SysWOW64\wegwi.exe
        
        "C:\Windows\system32\wegwi.exe"
        140⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\wnkuu.exe
        
        "C:\Windows\system32\wnkuu.exe"
        141⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\waefoxt.exe
        
        "C:\Windows\system32\waefoxt.exe"
        142⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\wwg.exe
        
        "C:\Windows\system32\wwg.exe"
        143⤵
        Checks computer location settings
        
        PID:2304
        
        C:\Windows\SysWOW64\wkbawufss.exe
        
        "C:\Windows\system32\wkbawufss.exe"
        144⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\wakw.exe
        
        "C:\Windows\system32\wakw.exe"
        145⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\wsuo.exe
        
        "C:\Windows\system32\wsuo.exe"
        146⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\wtfbsk.exe
        
        "C:\Windows\system32\wtfbsk.exe"
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\whpvj.exe
        
        "C:\Windows\system32\whpvj.exe"
        148⤵
        Checks computer location settings
        
        PID:4164
        
        C:\Windows\SysWOW64\wfoab.exe
        
        "C:\Windows\system32\wfoab.exe"
        149⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\wfykpw.exe
        
        "C:\Windows\system32\wfykpw.exe"
        150⤵
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\wtywa.exe
        
        "C:\Windows\system32\wtywa.exe"
        151⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfykpw.exe"
        151⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfoab.exe"
        150⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpvj.exe"
        149⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfbsk.exe"
        148⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuo.exe"
        147⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakw.exe"
        146⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbawufss.exe"
        145⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwg.exe"
        144⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waefoxt.exe"
        143⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkuu.exe"
        142⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegwi.exe"
        141⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoquo.exe"
        140⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkfkj.exe"
        139⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigsog.exe"
        138⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemcbu.exe"
        137⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmikhjk.exe"
        136⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpwcgf.exe"
        135⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnoyk.exe"
        134⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwehsah.exe"
        133⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcplbu.exe"
        132⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbrrydx.exe"
        131⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtsdeff.exe"
        130⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkb.exe"
        129⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobtnk.exe"
        128⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpbg.exe"
        127⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmpvvxyu.exe"
        126⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntf.exe"
        125⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvims.exe"
        124⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whicja.exe"
        123⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyqsgbe.exe"
        122⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwutidkw.exe"
        121⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkmb.exe"
        120⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhbpoqhn.exe"
        119⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfof.exe"
        118⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbscqs.exe"
        117⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcqjos.exe"
        116⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnpjcl.exe"
        115⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtju.exe"
        114⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbuqoqxh.exe"
        113⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwgvb.exe"
        112⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktslw.exe"
        111⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkivecl.exe"
        110⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyrupbvs.exe"
        109⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedyxvj.exe"
        108⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtqsmro.exe"
        107⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkciuri.exe"
        106⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmol.exe"
        105⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjukawh.exe"
        104⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 116
        104⤵
        Program crash
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1536
        104⤵
        Program crash
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfef.exe"
        103⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmq.exe"
        102⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtmwy.exe"
        101⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpq.exe"
        100⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgkm.exe"
        99⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybqlyx.exe"
        98⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxbrmyl.exe"
        97⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwf.exe"
        96⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanl.exe"
        95⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxolaswyw.exe"
        94⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblyo.exe"
        93⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsp.exe"
        92⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfwkx.exe"
        91⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrd.exe"
        90⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrybv.exe"
        89⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvleesaf.exe"
        88⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehoki.exe"
        87⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgplee.exe"
        86⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wck.exe"
        85⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqb.exe"
        84⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbxrsdd.exe"
        83⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotxpiidl.exe"
        82⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqoo.exe"
        81⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsncc.exe"
        80⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\walmh.exe"
        79⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwpp.exe"
        78⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunmr.exe"
        77⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wromkb.exe"
        76⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wih.exe"
        75⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnyq.exe"
        74⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
        73⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1356
        73⤵
        Program crash
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlkofh.exe"
        72⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsat.exe"
        71⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwaqwqnd.exe"
        70⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwad.exe"
        69⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbntvt.exe"
        68⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixsufo.exe"
        67⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgjylduv.exe"
        66⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 116
        66⤵
        Program crash
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1536
        66⤵
        Program crash
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacxoh.exe"
        65⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypefllp.exe"
        64⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgbgjpk.exe"
        63⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmn.exe"
        62⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgollkiao.exe"
        61⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsub.exe"
        60⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcn.exe"
        59⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjntcq.exe"
        58⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwrwok.exe"
        57⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriuej.exe"
        56⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmynwyg.exe"
        55⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvclved.exe"
        54⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrijy.exe"
        53⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddpadtd.exe"
        52⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkfej.exe"
        51⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxryq.exe"
        50⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcecyrj.exe"
        49⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklwm.exe"
        48⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshhru.exe"
        47⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wveufr.exe"
        46⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnavunfrb.exe"
        45⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwkjj.exe"
        44⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdxe.exe"
        43⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1428
        43⤵
        Program crash
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykkyepfn.exe"
        42⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqrm.exe"
        41⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqou.exe"
        40⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpycpye.exe"
        39⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfjeoos.exe"
        38⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwewfweq.exe"
        37⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1612
        37⤵
        Program crash
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclpoc.exe"
        36⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1560
        36⤵
        Program crash
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxci.exe"
        35⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqtkqv.exe"
        34⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrib.exe"
        33⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjwkgp.exe"
        32⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjlcnwtx.exe"
        31⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxw.exe"
        30⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoiekd.exe"
        29⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgoemid.exe"
        28⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuopvi.exe"
        27⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whodlpvi.exe"
        26⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpele.exe"
        25⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehdrjs.exe"
        24⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woso.exe"
        23⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkxxi.exe"
        22⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqvc.exe"
        21⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuoxjviw.exe"
        20⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvhu.exe"
        19⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuyua.exe"
        18⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvqur.exe"
        17⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibsoo.exe"
        16⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmqmwld.exe"
        15⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbdovc.exe"
        14⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxm.exe"
        13⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixj.exe"
        12⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuonmpaea.exe"
        11⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfx.exe"
        9⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsawlja.exe"
        8⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgjggt.exe"
        7⤵
        
        PID:3784
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhfogt.exe"
        6⤵
        
        PID:3904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwowrk.exe"
        5⤵
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyyy.exe"
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbcrv.exe"
    3⤵
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\acad2392f55ee3b75ee914661f7f1613.exe"
  2⤵
  PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2364 -ip 2364
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3192 -ip 3192
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1508 -ip 1508
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4928 -ip 4928
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4928 -ip 4928
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1376 -ip 1376
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2880 -ip 2880
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2880 -ip 2880
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waqtkqv.exe

Filesize
264KB

MD5
4068e55a6725ee0a165a800dfd580edb

SHA1
3b73cfa7c40aa5f00a80e166f28c70b8ab87531a

SHA256
0a2754df72147e42f3624813e2c11bb69a43d6f5c8a62c95c1bcdd5ccc52d69d

SHA512
6e701cf4bc49576d2cf3a270340327decef99197528d357a31c79eef4bbb3e15f2d3dc0e4af2601151d10871a1f4a546c1278435fc5280b374617050dd51477d

Download Submit
C:\Windows\SysWOW64\waxw.exe

Filesize
264KB

MD5
261f0e29c36dba69398ff2812fce4382

SHA1
ed84b268212f0a2a5ac3acaa96204cfcb8316058

SHA256
ed479e3530dd40d826416e9b0a6f16c89f1a569cc8306ea17270ced5a7f60c12

SHA512
0634ab0441bddfd47a0bd52ee30ddcbf716aeebc240f9737567d5d761f5a8683b95c7f26e7381988fddafdfa0c0cb0aa7034790b19e2264f65b284444a5a0552

Download Submit
C:\Windows\SysWOW64\wdoiekd.exe

Filesize
264KB

MD5
d25936878d6f2c2000d2a79d6726b808

SHA1
d71249556e7510f6b4a78be1f81881edd380d27c

SHA256
3971d97673b362560ceebb865eaef510fc161596a5d2ad8cc0d8b58903e76f38

SHA512
d4d8739f98f89c57362d029123798842a6c82ccef1883b3118e9bfb637b410fc87d673d388c62a0eec64153ef2d32dc0004259ef85e9ccc071011cbb94348ad7

Download Submit
C:\Windows\SysWOW64\wdyyy.exe

Filesize
263KB

MD5
0f23e75c82b7fac3d9e16cebbfd777a0

SHA1
2c80f62ccc8408d43b56905354f1e0bfd60cf1c5

SHA256
21b0f273153883c1e76a434ebdef24a0bda0fffd47a7dcb81219544e24b25835

SHA512
56243b2d6cf9ddef6914b26ecb5e858a36f2524e64a9c0efbf30fc5357c1d186857e7d913a606cb2116d5faea9174c564bbdfafbbe9b88ad11f4e1cfd677b8e3

Download Submit
C:\Windows\SysWOW64\wehdrjs.exe

Filesize
264KB

MD5
fb1c246fb557bc02fe01cebaff76b79f

SHA1
c18064e53acf18460a9bc79f36604be2d6adc4d6

SHA256
753baf8d5b78df04722d3ba7819c992ff6d07b485407f6f78aa81359437ab522

SHA512
2094a05e73b194ba6a8841d18f5dab0995daeefa49ed716be94bf99161bbd2061b1e421ce6384cb955358898309da0d0b6b0dc59136ec8b4210a2a37d28018ef

Download Submit
C:\Windows\SysWOW64\wfvqur.exe

Filesize
264KB

MD5
83d42003d5a41fe39bfbf38d421c13b9

SHA1
09b41f6dbafc8afd94bf9d4549000d84a910ab58

SHA256
d8c04d72719af8553b9e18890f441809a9ad2e69b83419e9dcd9feae25085855

SHA512
66300a838135b62ffb82bf790d054a979195da23b878881c19cdd54e26e65bbb3d38cb16763bee7905a69c3cc28507bba99d108bce23f28b034ebd3295797bf5

Download Submit
C:\Windows\SysWOW64\wfxm.exe

Filesize
264KB

MD5
d18ae275f532eca705df0afb4f1e2041

SHA1
1f6c6c097239d100b5e2cba46928ffa867d38fdb

SHA256
7adf7bd3a0239d945ce7595cd52995aa25042f54d0f3f1de7c025a3e0621b9a7

SHA512
179beb0b0ba0d3996183b7c6ea3804de8956cf952fa1c2b395eb48a9fef3944ec327928c4e0568412d4d867d771476fdbabde2ffe5bbd8af79a51e0e44919928

Download Submit
C:\Windows\SysWOW64\wgoemid.exe

Filesize
264KB

MD5
35840696a98cad46f34a696398acc323

SHA1
e8299ed5c901bc8dd77fb74c6618217fcf7c555e

SHA256
8459a2172d3f182940b12950aa2efc1ace1303f29317420bbb3e10aac98810fc

SHA512
4c9dd7309d367037874f06b565f66594f543613efed479db0d10ed5e9b7bcd3fea51531cf655f49bed46a1e8501a22f3c622ed67f7bd54f6f7970d1cda68d6cb

Download Submit
C:\Windows\SysWOW64\wgue.exe

Filesize
263KB

MD5
49e169b4e33083ebc7db47956c89e67f

SHA1
0c858fd7f709e82d6211f30abf7adc6f0d438581

SHA256
0a5c3e19f4f79665f194dd52f5921b052e909068d5f3f8bbe685fa208129f31f

SHA512
2fe6d5d4359ea2b56e036666f4bc2141827c169012034c8f472beb9e14b742ec78f6f53f2be4b4a7257f3b3829b3245f53ed169c4a59db1520d82c8582a74185

Download Submit
C:\Windows\SysWOW64\whodlpvi.exe

Filesize
264KB

MD5
c0d16787a8b0ccb8a0139bf3e89fc1ce

SHA1
c46c76117eaf045f745b04693ed2787bac05311d

SHA256
f582b4d614c11b5d8b36ede04e544888735aee34ecd555bf10e5368d554f6d0c

SHA512
f28d36f8291cfd5916f9a772a4b5c68281bb61cbd39c5ead3ae012b3b6d4d41cbbb1a0348b9e2bf13035b1ac4c2f671d0d081e3751d113ec916cebb49965d6de

Download Submit
C:\Windows\SysWOW64\wibsoo.exe

Filesize
264KB

MD5
2c68621573cca846ad5b0e57b48206dd

SHA1
e2aa0a57ab7dde86ec27ad60da692565e9b081e6

SHA256
798df13af6b9003d370d29e117e2c94ee9562d07ffcc3f4c41ba82980a4e2abd

SHA512
b4769467909295545bd8312807a7c405f797ca3663a234e93c346f2cacabd30a92384c1248e59042e47508c00d7f93a77f713be8c09ffd543be34adeadb7b5fb

Download Submit
C:\Windows\SysWOW64\wixj.exe

Filesize
264KB

MD5
6703bbef0af86ee0ffe08e60ec94b182

SHA1
5192b955cdc27cb724e9b45faa57b5aaffe5a953

SHA256
42e187b0f535c7183ddad2a8fa26f58f38a2e14cf85e85d7566c5aad74cc1219

SHA512
057610acb8a0e2205340178c62a4e77472932b7f6337a84e76551854283c928d9dc4e8902e2de131fee21fb1b8f38a04c16d63f737d552f3920b8e033bec88e6

Download Submit
C:\Windows\SysWOW64\wjgjggt.exe

Filesize
263KB

MD5
6b52c520003c7c7991af9ec4fded621a

SHA1
fad4ea5df9084c2513b35781b6316422c944d894

SHA256
11cd4b4b702120801b1545f824ec9efc817d4dcf4acf2c83604e3afcbb552ac4

SHA512
9bad3489d9959cefc78c1e00332e527a98ee1d9c6033dcb8e198502c596df2a562598bde82b9b7e6168e94f38ff6272713f838c761c551dda3c81084153591c5

Download Submit
C:\Windows\SysWOW64\wkbcrv.exe

Filesize
263KB

MD5
9ca3f4f86069c0697c8899bd20353edf

SHA1
624e8ac3c360b4df3015efc8ffae4cd7f5bf8e15

SHA256
ec91133a6d841688aa0191b341aeb4a05741f8fd406a16d66b59cf2b081b0143

SHA512
968758b029fdea7d269505e7b5b1bdc14f3f3bf35c3586de72f922698aa7bf7164f96b955f63cde8a8021d90495793c6fef88e6f79e97ffafabc9750f1ce2862

Download Submit
C:\Windows\SysWOW64\wkjwkgp.exe

Filesize
264KB

MD5
72b4aab1536994f62cbf08f95c8a638c

SHA1
b5721ae65e4c64f24cb5691adcc7760172c5db1f

SHA256
349854d41e91a723c553784ca3cd71c72ddfbbbbfea9f22abe960af48d03f549

SHA512
505b47ee333d3986ddf57b44ea4f2aa89803d7b2869b823166562ac7535b8511fc4adf09fb8c1f0d8202c20488059e69650d3bac25d454b3643bb40cb297c11d

Download Submit
C:\Windows\SysWOW64\wlhfogt.exe

Filesize
263KB

MD5
591d1ac3079bc2bce6c02580046b301c

SHA1
d1edb48d1514105efd6be0552d52b077ffbc03bd

SHA256
47fa4bd02d6399ad74e70408daf3c4bb52d4b7223830ceeeff2591db0e99b13b

SHA512
14f468989ecb91e36e9a6e3e8fa947c6f7cdbc1932fed1b89264b502ab9cd4f06917327c3a4d142509dcbc23fb1f8a9ae53ad354843ef313b610f3495befb95b

Download Submit
C:\Windows\SysWOW64\wmrib.exe

Filesize
264KB

MD5
5901ea230b5be7a73df435d1ea31f373

SHA1
4dfc1601651555ddc3bc98a6fa3ea35659c28a7a

SHA256
22c889ffa78ae61510f35a28fbd3d84f6582bc22189f272ea24a908557eba5b4

SHA512
3f49c72b0bc5b68ef9f798e28615a559f6356854469ad3c00951a8d5ce70a752e5a5327fb8fe0e655fd439502422b926c2d0a409a4e2613370801153af28a437

Download Submit
C:\Windows\SysWOW64\woso.exe

Filesize
264KB

MD5
c4936005892be3eada86021c7f7b9acc

SHA1
139cc29226972fa0e546f9ffe1739d77a7186094

SHA256
3bba5584b427b80a10bc26299fc4a314ee6983756f427dec7862ae962c703abf

SHA512
fd19efabd25e3507be1785d80b8ae56920a2e53361ee7b62ffdcd27fb1dbb0098b7297dcc0ff8d1bc407a032046d52ef298776890bd7a3800234b572f3907a31

Download Submit
C:\Windows\SysWOW64\wpele.exe

Filesize
264KB

MD5
d925d2cd4c84a2114e71d8a329984621

SHA1
0ac4856c8a8ace8b10afd7157dbcc4596dd31c84

SHA256
eef33470106c6f4e0275e431e656ad5cd84b469d4371cb075a667191f3927cf4

SHA512
28de00b4ab9b18a9790dbf4ba2bbbd31c4f22be4415ef6eabd44d14758505fbb5418cedaa2f8f56bcd7cbc9013801fbb41d99cbcaaff0f3706e862cb23627fcf

Download Submit
C:\Windows\SysWOW64\wqvhu.exe

Filesize
264KB

MD5
8f3b6e11544d6cd8be435601857462de

SHA1
a9b41cae2fd20316681faf1db59b0e2937c6e976

SHA256
3991b37e22f6d8cb7a7a32883de95220687d81d71f86ffaafda9eb68bb929042

SHA512
d346964643f0018e2c63bf6d6be4610948aa1f592901447a1a0054aa6aa1c55b2d266bdffc2e10b26d2f4e531ed28e772babad0dc0ea82cdc90edf83734cd211

Download Submit
C:\Windows\SysWOW64\wrkxxi.exe

Filesize
264KB

MD5
23a84b15980952b8b180603b1db1cca6

SHA1
007f5b91fe62360c633033440875ca866edc06af

SHA256
f9df3fcbc50a4f9027b7d404e18a20d48a4925c9fd3b7513def74c0900f25584

SHA512
65eb4f5d91a85c95ccaaed7a2595ba6fded0dfe09b23fcc96c58d9f57c15018c28a23b254a63c361b49f20234194ac2a536f2ca07158136de4cbbb5d9a69a776

Download Submit
C:\Windows\SysWOW64\wsawlja.exe

Filesize
263KB

MD5
e0a271366da9081931698fdb2e0d72a4

SHA1
29012b85745bf0c3201e63e788353d1cd200114b

SHA256
e008b15ebd09a527cb699a80cd2523ef3c46e7bb4c475eaf9066e73c8ba7c829

SHA512
6b5fdeb863f60d5581051a4f7c515a7f961ed98d8807ef1ce851bd7f12390ee9abd3b02fd1a5d07f88fc12b13f4752cc35557eb8a43ff0b528093eded2f58b1b

Download Submit
C:\Windows\SysWOW64\wtmqmwld.exe

Filesize
264KB

MD5
106d30ca999cd58ffee4ab4c7e6c1761

SHA1
577cbc760d5fede3e3d20153242c80762eb0781f

SHA256
b6ccb7776606ddd8efccaf89f5233aacd82ac561ca5b3938efef74bf9c361f0f

SHA512
b9c10b3d32fc99218b933ed12a9d2844e89e79d8d97e8ce96275c6619c9564e2f00222aef2fc0c6cb1f5bc49c3f62f875fc81e2e460e6a1deeafabd7aa25593e

Download Submit
C:\Windows\SysWOW64\wuonmpaea.exe

Filesize
264KB

MD5
0f3c741d9a3bb6592ba0749cd056f6c6

SHA1
2dcbab91733050a237d2c61598a4bac87b0ae970

SHA256
23b42917bbf26eed201d46ba379013b4be58b8bb82859649cdd2baaea0507c91

SHA512
9f035381498dc7c05093776c292bb35551b864c3b14df5473494920ccdf8f79f61fd6cf8cee8b45f7c2aaa59fcfd9a5ad35e700e8ce53024997f8a5aa47e1129

Download Submit
C:\Windows\SysWOW64\wuopvi.exe

Filesize
264KB

MD5
4c05bd0c29723418ec05ebd80ac60dbc

SHA1
872fdffeedee493d74b9aa5e03868b2abfbdf744

SHA256
b2ce71afbc437365d15a71c5a707c1f470ebacd09fb0d118a97fad051cbaf50c

SHA512
7ccb86aee3c1eb35e3266d1a26392d80dad971f6e294aa08e2654a022b2b9a30078f607b6b66a9690576031351da3d75357365db8a3bbe48763ed73b3595e086

Download Submit
C:\Windows\SysWOW64\wuoxjviw.exe

Filesize
264KB

MD5
779096a3e7b7a0d0d0bfd69eb1ec2311

SHA1
d7369cb004fe4ee9035048688912d85699c03eb5

SHA256
d6aee85ca619b1265f2ffd81a9a6890a69760f440c49a08a57c3d5627bff58f0

SHA512
1dde8a04a44780c431cb36d55145b4324bbed1297d78843af819fa76950192111e306ef5b3a4ad30bda1ed0737bd9b120ae13df115e8819bb396bc662bf49270

Download Submit
C:\Windows\SysWOW64\wvfx.exe

Filesize
263KB

MD5
aa3619a8e872179e2051913bdcde6390

SHA1
73c7940f6ee61315750a07b5bc1121043a2ae37e

SHA256
feae2a1f4cf526125089abfc175d941b593d39b00270fdd22ca50c33094f8767

SHA512
3784baf515805eb94cd4f70b9140f8e0b096b18e9839b9f51c175d3508ed9255839dfc3dbc7f9ced58d0cdc4fa6d7a96303adaac159ca1766c2de6ecc575be7b

Download Submit
C:\Windows\SysWOW64\wwbdovc.exe

Filesize
264KB

MD5
139130e99523a73f54f16613c67bd9e3

SHA1
e388860e75e9ce68b6252525f24d7c735e2b9be5

SHA256
3470345dd8b91344e40f2a72359789386fe058c3381457537712b2dc4db6c6dc

SHA512
1b77f6803c04f88a2590676f6c55b062b5d2dd037d113babfe9901e73710db8efe42fc3a720a2d68858778ca8c472f90853f2b186ffd604770f19875689c27e6

Download Submit
C:\Windows\SysWOW64\wwjlcnwtx.exe

Filesize
264KB

MD5
c844c85ea8fa66de4f03b81d48f40a25

SHA1
f4fcb69576744edbd9d997b4c6816e0959e6b9de

SHA256
97fe7e3ffd8653c9d7eb73e5651252c17d9915e58aa32b0ecf8ec9bff5cd9e4f

SHA512
08504056f84c544b67f6ca3855feef5f7eff7a66f3619ac8d7803dceee48731068d94827980715ef020055402deb37b3f2e2fe44e1949055f903a37dee5891a7

Download Submit
C:\Windows\SysWOW64\wwowrk.exe

Filesize
263KB

MD5
e16b238e9e8eda9420747138db3b86f9

SHA1
63d18400566b286919e41c910769462e77c1dce5

SHA256
681e1c60031116fa84ae9cc069cfad53b19acb8b74fbcf4b3015846793bf651e

SHA512
6de3293eb37eacd2a4a3a3c3788b73f36de6bf8944ebfb5fcf64769da8d61bd97adc291ebc43ed5b82ed792a71bbc032fb86103d46b0bd79ea9ac47f29a97078

Download Submit
C:\Windows\SysWOW64\wxqvc.exe

Filesize
264KB

MD5
8d2c43371b376c31392bbddc32cf77dd

SHA1
8534fcdadf23337549b1a04ec534e23424dfa58a

SHA256
6ebe1be5252d09428f97e9e0d17d13cc6c8a88fb359a33df6ca75c1ca07bbc22

SHA512
dd79453bdcfa793b008296e71a1fb921a3b84f95716877d2dd67d3bbadc0568a51208aa34bb4bf15d817200f4a47fb75c4c196bbd154920af6a91e19403a6904

Download Submit
C:\Windows\SysWOW64\wxuyua.exe

Filesize
264KB

MD5
7887fc32c358ee8374b1ba6ba80a3f7b

SHA1
9996bc60ebeb901f4d67c85b5fa332db963090c1

SHA256
389d0f620eed6b373c37b01fb9af993e890f78a8b45fcb351e7b6d50bcd98083

SHA512
0e5eecd37a7536e4d5cdb6150cf3b853647d7b11e5daaf15e0ec649b195565ae78e31f4b03646346f961290d145c1b04583314a4851ed03aac01879d0ae2425c

Download Submit
memory/372-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/372-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/372-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/372-291-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/608-207-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/812-259-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/960-303-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/960-314-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1224-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1296-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-249-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1428-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1428-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1508-414-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1508-424-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-269-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2268-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2268-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2312-432-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2364-361-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2364-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2396-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2396-415-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-353-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2872-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-228-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3008-406-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3120-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3192-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3268-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3268-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3276-280-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3276-292-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3820-313-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3820-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4060-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4060-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4220-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4264-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4312-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4312-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4336-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4372-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4372-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4440-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4576-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4616-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4804-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4804-324-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4892-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4952-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5060-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-227-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download