a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
Size

95KB
MD5

cbddeef3d23079bd4e7939c5987eb1ba
SHA1

fd48a656aa8f73f0ae51bc23dac2ddc68b92418c
SHA256

a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad
SHA512

49a84777ee5d389ff04e2a81f5de427cb23bb343e2dfa154b5f1fc8dbb0882c2c52b5397c91738dad060eb3a2e0b6fb32f58136eed52c51540f7a63ee8d86795
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMG:yfjxrhzk2nfsWhP7dvavi6vWEbh8XH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
3036	wqf.exe
2580	wjiv.exe
1464	wesmwg.exe
1932	wwimx.exe
2052	wms.exe
1500	wujp.exe
1392	wpthks.exe
2044	wxyevvf.exe
2120	wwirsuq.exe
2576	wqrlowb.exe
2864	wmrr.exe
2540	whbisi.exe
1656	wkuhd.exe
2816	wynsni.exe
1512	whdyg.exe
556	wcn.exe
2920	wpduvo.exe
2000	wifnd.exe
1592	wrgf.exe
1596	wupo.exe
1548	whfsbku.exe
2484	wcaljaa.exe
2180	wbuhny.exe
1304	wwuo.exe
2816	wqtvl.exe
1504	wqty.exe
2852	wct.exe
2920	wwstq.exe
2104	wwoqthdj.exe
2732	wyv.exe
1988	wuwl.exe
1548	wynv.exe
2336	wxdoyem.exe
2064	wwwmbcj.exe
840	wnxwjod.exe
2984	wims.exe
1016	wdvkhb.exe
2024	wlm.exe
2000	wcld.exe
2396	wofr.exe
2516	wdabkbuny.exe
876	whjkyrjjk.exe
2324	wsxqy.exe
2952	wrspbi.exe
2064	wbymnl.exe
840	wqxwva.exe
2984	wdcwvvtb.exe
2592	wschdknp.exe
2300	wfq.exe
2464	wabctlbrp.exe
2256	wndpijqre.exe
2748	wxivt.exe
1028	wancmqceu.exe
2752	wexmbgqaf.exe
2952	wmntslt.exe
1120	wqweha.exe
2780	wgvnone.exe
1620	wxwxvcw.exe
2616	wgmhohyqq.exe
1828	wrnufdop.exe
2948	wvdggpnwi.exe
2256	wqdmfv.exe
1872	wteldh.exe
3052	wxtbuq.exe

Loads dropped DLL 64 IoCs

pid	Process
2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
3036	wqf.exe
3036	wqf.exe
3036	wqf.exe
3036	wqf.exe
2580	wjiv.exe
2580	wjiv.exe
2580	wjiv.exe
2580	wjiv.exe
1464	wesmwg.exe
1464	wesmwg.exe
1464	wesmwg.exe
1464	wesmwg.exe
1932	wwimx.exe
1932	wwimx.exe
1932	wwimx.exe
1932	wwimx.exe
2052	wms.exe
2052	wms.exe
2052	wms.exe
2052	wms.exe
1500	wujp.exe
1500	wujp.exe
1500	wujp.exe
1500	wujp.exe
1392	wpthks.exe
1392	wpthks.exe
1392	wpthks.exe
1392	wpthks.exe
2044	wxyevvf.exe
2044	wxyevvf.exe
2044	wxyevvf.exe
2044	wxyevvf.exe
2120	wwirsuq.exe
2120	wwirsuq.exe
2120	wwirsuq.exe
2120	wwirsuq.exe
2576	wqrlowb.exe
2576	wqrlowb.exe
2576	wqrlowb.exe
2576	wqrlowb.exe
2864	wmrr.exe
2864	wmrr.exe
2864	wmrr.exe
2864	wmrr.exe
2540	whbisi.exe
2540	whbisi.exe
2540	whbisi.exe
2540	whbisi.exe
1656	wkuhd.exe
1656	wkuhd.exe
1656	wkuhd.exe
1656	wkuhd.exe
2816	wynsni.exe
2816	wynsni.exe
2816	wynsni.exe
2816	wynsni.exe
1512	whdyg.exe
1512	whdyg.exe
1512	whdyg.exe
1512	whdyg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wfcm.exe	wavldaiy.exe
File opened for modification	C:\Windows\SysWOW64\wuqyxgcb.exe	wnxgwcvh.exe
File created	C:\Windows\SysWOW64\wemcwt.exe	wnxdvh.exe
File opened for modification	C:\Windows\SysWOW64\wcaljaa.exe	whfsbku.exe
File created	C:\Windows\SysWOW64\wwoqthdj.exe	wwstq.exe
File created	C:\Windows\SysWOW64\wnxwjod.exe	wwwmbcj.exe
File opened for modification	C:\Windows\SysWOW64\wbutqi.exe	wlvhrwv.exe
File opened for modification	C:\Windows\SysWOW64\wfuqtoio.exe	wbbwyyh.exe
File opened for modification	C:\Windows\SysWOW64\wifnd.exe	wpduvo.exe
File opened for modification	C:\Windows\SysWOW64\wdcwvvtb.exe	wqxwva.exe
File created	C:\Windows\SysWOW64\wtduftqw.exe	wxnympdh.exe
File created	C:\Windows\SysWOW64\wavldaiy.exe	wdk.exe
File opened for modification	C:\Windows\SysWOW64\wbwvpi.exe	whwpqddmo.exe
File opened for modification	C:\Windows\SysWOW64\wmqgrlj.exe	wnrd.exe
File opened for modification	C:\Windows\SysWOW64\wwirsuq.exe	wxyevvf.exe
File opened for modification	C:\Windows\SysWOW64\wwoqthdj.exe	wwstq.exe
File opened for modification	C:\Windows\SysWOW64\wrspbi.exe	wsxqy.exe
File created	C:\Windows\SysWOW64\wxtbuq.exe	wteldh.exe
File opened for modification	C:\Windows\SysWOW64\wavldaiy.exe	wdk.exe
File created	C:\Windows\SysWOW64\wuqyxgcb.exe	wnxgwcvh.exe
File opened for modification	C:\Windows\SysWOW64\wtprpw.exe	wtgdsy.exe
File opened for modification	C:\Windows\SysWOW64\wlm.exe	wdvkhb.exe
File created	C:\Windows\SysWOW64\wkavwx.exe	wuoxsl.exe
File created	C:\Windows\SysWOW64\wvfhnadw.exe	wtprpw.exe
File created	C:\Windows\SysWOW64\wyv.exe	wwoqthdj.exe
File created	C:\Windows\SysWOW64\wdabkbuny.exe	wofr.exe
File created	C:\Windows\SysWOW64\wcutagnd.exe	whwmbaq.exe
File opened for modification	C:\Windows\SysWOW64\wfprfyj.exe	wkavwx.exe
File created	C:\Windows\SysWOW64\wtgdsy.exe	wvixlf.exe
File opened for modification	C:\Windows\SysWOW64\wpthks.exe	wujp.exe
File opened for modification	C:\Windows\SysWOW64\wmrr.exe	wqrlowb.exe
File opened for modification	C:\Windows\SysWOW64\wvfhnadw.exe	wtprpw.exe
File opened for modification	C:\Windows\SysWOW64\wnrd.exe	wvfhnadw.exe
File opened for modification	C:\Windows\SysWOW64\wdm.exe	wfcm.exe
File created	C:\Windows\SysWOW64\wuoxsl.exe	wbutqi.exe
File opened for modification	C:\Windows\SysWOW64\whwpqddmo.exe	wtmodibhf.exe
File created	C:\Windows\SysWOW64\wfuqtoio.exe	wbbwyyh.exe
File opened for modification	C:\Windows\SysWOW64\wnxwjod.exe	wwwmbcj.exe
File opened for modification	C:\Windows\SysWOW64\wxwxvcw.exe	wgvnone.exe
File opened for modification	C:\Windows\SysWOW64\wyrfgp.exe	wwxivcd.exe
File opened for modification	C:\Windows\SysWOW64\wqtvl.exe	wwuo.exe
File created	C:\Windows\SysWOW64\wuwl.exe	wyv.exe
File created	C:\Windows\SysWOW64\wcld.exe	wlm.exe
File created	C:\Windows\SysWOW64\wabctlbrp.exe	wfq.exe
File opened for modification	C:\Windows\SysWOW64\wivku.exe	wwghmm.exe
File opened for modification	C:\Windows\SysWOW64\wxivt.exe	wndpijqre.exe
File opened for modification	C:\Windows\SysWOW64\wwwmbcj.exe	wxdoyem.exe
File opened for modification	C:\Windows\SysWOW64\wcld.exe	wlm.exe
File created	C:\Windows\SysWOW64\wwghmm.exe	wlmqrouhh.exe
File opened for modification	C:\Windows\SysWOW64\waodubi.exe	wepuvu.exe
File opened for modification	C:\Windows\SysWOW64\wwuo.exe	wbuhny.exe
File created	C:\Windows\SysWOW64\wlm.exe	wdvkhb.exe
File opened for modification	C:\Windows\SysWOW64\wfq.exe	wschdknp.exe
File created	C:\Windows\SysWOW64\whwpqddmo.exe	wtmodibhf.exe
File created	C:\Windows\SysWOW64\wnkxn.exe	wfuqtoio.exe
File opened for modification	C:\Windows\SysWOW64\wxyevvf.exe	wpthks.exe
File created	C:\Windows\SysWOW64\wrgf.exe	wifnd.exe
File opened for modification	C:\Windows\SysWOW64\wwghmm.exe	wlmqrouhh.exe
File created	C:\Windows\SysWOW64\wlnsj.exe	wvjxsay.exe
File opened for modification	C:\Windows\SysWOW64\wbbwyyh.exe	wlnsj.exe
File opened for modification	C:\Windows\SysWOW64\wujp.exe	wms.exe
File opened for modification	C:\Windows\SysWOW64\wbuhny.exe	wcaljaa.exe
File created	C:\Windows\SysWOW64\wdm.exe	wfcm.exe
File created	C:\Windows\SysWOW64\wrho.exe	wbfry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3036	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	28
PID 2276 wrote to memory of 3036	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	28
PID 2276 wrote to memory of 3036	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	28
PID 2276 wrote to memory of 3036	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	28
PID 2276 wrote to memory of 2596	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	29
PID 2276 wrote to memory of 2596	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	29
PID 2276 wrote to memory of 2596	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	29
PID 2276 wrote to memory of 2596	2276	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	29
PID 3036 wrote to memory of 2580	3036	wqf.exe	31
PID 3036 wrote to memory of 2580	3036	wqf.exe	31
PID 3036 wrote to memory of 2580	3036	wqf.exe	31
PID 3036 wrote to memory of 2580	3036	wqf.exe	31
PID 3036 wrote to memory of 2516	3036	wqf.exe	32
PID 3036 wrote to memory of 2516	3036	wqf.exe	32
PID 3036 wrote to memory of 2516	3036	wqf.exe	32
PID 3036 wrote to memory of 2516	3036	wqf.exe	32
PID 2580 wrote to memory of 1464	2580	wjiv.exe	34
PID 2580 wrote to memory of 1464	2580	wjiv.exe	34
PID 2580 wrote to memory of 1464	2580	wjiv.exe	34
PID 2580 wrote to memory of 1464	2580	wjiv.exe	34
PID 2580 wrote to memory of 2880	2580	wjiv.exe	35
PID 2580 wrote to memory of 2880	2580	wjiv.exe	35
PID 2580 wrote to memory of 2880	2580	wjiv.exe	35
PID 2580 wrote to memory of 2880	2580	wjiv.exe	35
PID 1464 wrote to memory of 1932	1464	wesmwg.exe	37
PID 1464 wrote to memory of 1932	1464	wesmwg.exe	37
PID 1464 wrote to memory of 1932	1464	wesmwg.exe	37
PID 1464 wrote to memory of 1932	1464	wesmwg.exe	37
PID 1464 wrote to memory of 1244	1464	wesmwg.exe	38
PID 1464 wrote to memory of 1244	1464	wesmwg.exe	38
PID 1464 wrote to memory of 1244	1464	wesmwg.exe	38
PID 1464 wrote to memory of 1244	1464	wesmwg.exe	38
PID 1932 wrote to memory of 2052	1932	wwimx.exe	40
PID 1932 wrote to memory of 2052	1932	wwimx.exe	40
PID 1932 wrote to memory of 2052	1932	wwimx.exe	40
PID 1932 wrote to memory of 2052	1932	wwimx.exe	40
PID 1932 wrote to memory of 2312	1932	wwimx.exe	41
PID 1932 wrote to memory of 2312	1932	wwimx.exe	41
PID 1932 wrote to memory of 2312	1932	wwimx.exe	41
PID 1932 wrote to memory of 2312	1932	wwimx.exe	41
PID 2052 wrote to memory of 1500	2052	wms.exe	43
PID 2052 wrote to memory of 1500	2052	wms.exe	43
PID 2052 wrote to memory of 1500	2052	wms.exe	43
PID 2052 wrote to memory of 1500	2052	wms.exe	43
PID 2052 wrote to memory of 1388	2052	wms.exe	44
PID 2052 wrote to memory of 1388	2052	wms.exe	44
PID 2052 wrote to memory of 1388	2052	wms.exe	44
PID 2052 wrote to memory of 1388	2052	wms.exe	44
PID 1500 wrote to memory of 1392	1500	wujp.exe	46
PID 1500 wrote to memory of 1392	1500	wujp.exe	46
PID 1500 wrote to memory of 1392	1500	wujp.exe	46
PID 1500 wrote to memory of 1392	1500	wujp.exe	46
PID 1500 wrote to memory of 2852	1500	wujp.exe	47
PID 1500 wrote to memory of 2852	1500	wujp.exe	47
PID 1500 wrote to memory of 2852	1500	wujp.exe	47
PID 1500 wrote to memory of 2852	1500	wujp.exe	47
PID 1392 wrote to memory of 2044	1392	wpthks.exe	49
PID 1392 wrote to memory of 2044	1392	wpthks.exe	49
PID 1392 wrote to memory of 2044	1392	wpthks.exe	49
PID 1392 wrote to memory of 2044	1392	wpthks.exe	49
PID 1392 wrote to memory of 2000	1392	wpthks.exe	50
PID 1392 wrote to memory of 2000	1392	wpthks.exe	50
PID 1392 wrote to memory of 2000	1392	wpthks.exe	50
PID 1392 wrote to memory of 2000	1392	wpthks.exe	50

C:\Users\Admin\AppData\Local\Temp\a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
"C:\Users\Admin\AppData\Local\Temp\a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\wqf.exe
  "C:\Windows\system32\wqf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\wjiv.exe
    "C:\Windows\system32\wjiv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\wesmwg.exe
      "C:\Windows\system32\wesmwg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\SysWOW64\wwimx.exe
        
        "C:\Windows\system32\wwimx.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\SysWOW64\wms.exe
        
        "C:\Windows\system32\wms.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\wujp.exe
        
        "C:\Windows\system32\wujp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\wpthks.exe
        
        "C:\Windows\system32\wpthks.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\wxyevvf.exe
        
        "C:\Windows\system32\wxyevvf.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\wwirsuq.exe
        
        "C:\Windows\system32\wwirsuq.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2120
        
        C:\Windows\SysWOW64\wqrlowb.exe
        
        "C:\Windows\system32\wqrlowb.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\wmrr.exe
        
        "C:\Windows\system32\wmrr.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2864
        
        C:\Windows\SysWOW64\whbisi.exe
        
        "C:\Windows\system32\whbisi.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2540
        
        C:\Windows\SysWOW64\wkuhd.exe
        
        "C:\Windows\system32\wkuhd.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1656
        
        C:\Windows\SysWOW64\wynsni.exe
        
        "C:\Windows\system32\wynsni.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
        
        C:\Windows\SysWOW64\whdyg.exe
        
        "C:\Windows\system32\whdyg.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
        
        C:\Windows\SysWOW64\wcn.exe
        
        "C:\Windows\system32\wcn.exe"
        17⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\wpduvo.exe
        
        "C:\Windows\system32\wpduvo.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wifnd.exe
        
        "C:\Windows\system32\wifnd.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\wrgf.exe
        
        "C:\Windows\system32\wrgf.exe"
        20⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\wupo.exe
        
        "C:\Windows\system32\wupo.exe"
        21⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\whfsbku.exe
        
        "C:\Windows\system32\whfsbku.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wcaljaa.exe
        
        "C:\Windows\system32\wcaljaa.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\wbuhny.exe
        
        "C:\Windows\system32\wbuhny.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\wwuo.exe
        
        "C:\Windows\system32\wwuo.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\wqtvl.exe
        
        "C:\Windows\system32\wqtvl.exe"
        26⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\wqty.exe
        
        "C:\Windows\system32\wqty.exe"
        27⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\wct.exe
        
        "C:\Windows\system32\wct.exe"
        28⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\wwstq.exe
        
        "C:\Windows\system32\wwstq.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wwoqthdj.exe
        
        "C:\Windows\system32\wwoqthdj.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\wyv.exe
        
        "C:\Windows\system32\wyv.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\wuwl.exe
        
        "C:\Windows\system32\wuwl.exe"
        32⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\wynv.exe
        
        "C:\Windows\system32\wynv.exe"
        33⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\wxdoyem.exe
        
        "C:\Windows\system32\wxdoyem.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\wwwmbcj.exe
        
        "C:\Windows\system32\wwwmbcj.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\wnxwjod.exe
        
        "C:\Windows\system32\wnxwjod.exe"
        36⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\wims.exe
        
        "C:\Windows\system32\wims.exe"
        37⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\wdvkhb.exe
        
        "C:\Windows\system32\wdvkhb.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\wlm.exe
        
        "C:\Windows\system32\wlm.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\wcld.exe
        
        "C:\Windows\system32\wcld.exe"
        40⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\wofr.exe
        
        "C:\Windows\system32\wofr.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\wdabkbuny.exe
        
        "C:\Windows\system32\wdabkbuny.exe"
        42⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\whjkyrjjk.exe
        
        "C:\Windows\system32\whjkyrjjk.exe"
        43⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\wsxqy.exe
        
        "C:\Windows\system32\wsxqy.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\wrspbi.exe
        
        "C:\Windows\system32\wrspbi.exe"
        45⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\wbymnl.exe
        
        "C:\Windows\system32\wbymnl.exe"
        46⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\wqxwva.exe
        
        "C:\Windows\system32\wqxwva.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\wdcwvvtb.exe
        
        "C:\Windows\system32\wdcwvvtb.exe"
        48⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\wschdknp.exe
        
        "C:\Windows\system32\wschdknp.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\wfq.exe
        
        "C:\Windows\system32\wfq.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\wabctlbrp.exe
        
        "C:\Windows\system32\wabctlbrp.exe"
        51⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\wndpijqre.exe
        
        "C:\Windows\system32\wndpijqre.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\wxivt.exe
        
        "C:\Windows\system32\wxivt.exe"
        53⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\wancmqceu.exe
        
        "C:\Windows\system32\wancmqceu.exe"
        54⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\wexmbgqaf.exe
        
        "C:\Windows\system32\wexmbgqaf.exe"
        55⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\wmntslt.exe
        
        "C:\Windows\system32\wmntslt.exe"
        56⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\wqweha.exe
        
        "C:\Windows\system32\wqweha.exe"
        57⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\wgvnone.exe
        
        "C:\Windows\system32\wgvnone.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wxwxvcw.exe
        
        "C:\Windows\system32\wxwxvcw.exe"
        59⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\wgmhohyqq.exe
        
        "C:\Windows\system32\wgmhohyqq.exe"
        60⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\wrnufdop.exe
        
        "C:\Windows\system32\wrnufdop.exe"
        61⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\wvdggpnwi.exe
        
        "C:\Windows\system32\wvdggpnwi.exe"
        62⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\wqdmfv.exe
        
        "C:\Windows\system32\wqdmfv.exe"
        63⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\wteldh.exe
        
        "C:\Windows\system32\wteldh.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\wxtbuq.exe
        
        "C:\Windows\system32\wxtbuq.exe"
        65⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\wdk.exe
        
        "C:\Windows\system32\wdk.exe"
        66⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\wavldaiy.exe
        
        "C:\Windows\system32\wavldaiy.exe"
        67⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\wfcm.exe
        
        "C:\Windows\system32\wfcm.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\wdm.exe
        
        "C:\Windows\system32\wdm.exe"
        69⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\wlmqrouhh.exe
        
        "C:\Windows\system32\wlmqrouhh.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\wwghmm.exe
        
        "C:\Windows\system32\wwghmm.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wivku.exe
        
        "C:\Windows\system32\wivku.exe"
        72⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\whqiyggw.exe
        
        "C:\Windows\system32\whqiyggw.exe"
        73⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\whwmbaq.exe
        
        "C:\Windows\system32\whwmbaq.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\wcutagnd.exe
        
        "C:\Windows\system32\wcutagnd.exe"
        75⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\wthpou.exe
        
        "C:\Windows\system32\wthpou.exe"
        76⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\wjvpqhcgu.exe
        
        "C:\Windows\system32\wjvpqhcgu.exe"
        77⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\wuyopewd.exe
        
        "C:\Windows\system32\wuyopewd.exe"
        78⤵
        
        PID:324
        
        C:\Windows\SysWOW64\whotaa.exe
        
        "C:\Windows\system32\whotaa.exe"
        79⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\wudwj.exe
        
        "C:\Windows\system32\wudwj.exe"
        80⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\wtaunteu.exe
        
        "C:\Windows\system32\wtaunteu.exe"
        81⤵
        
        PID:852
        
        C:\Windows\SysWOW64\wbfry.exe
        
        "C:\Windows\system32\wbfry.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\wrho.exe
        
        "C:\Windows\system32\wrho.exe"
        83⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\wisif.exe
        
        "C:\Windows\system32\wisif.exe"
        84⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\wayuym.exe
        
        "C:\Windows\system32\wayuym.exe"
        85⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\whodrrbk.exe
        
        "C:\Windows\system32\whodrrbk.exe"
        86⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\wqlpn.exe
        
        "C:\Windows\system32\wqlpn.exe"
        87⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\wlvhrwv.exe
        
        "C:\Windows\system32\wlvhrwv.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\wbutqi.exe
        
        "C:\Windows\system32\wbutqi.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wuoxsl.exe
        
        "C:\Windows\system32\wuoxsl.exe"
        90⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\wkavwx.exe
        
        "C:\Windows\system32\wkavwx.exe"
        91⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\wfprfyj.exe
        
        "C:\Windows\system32\wfprfyj.exe"
        92⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\wepuvu.exe
        
        "C:\Windows\system32\wepuvu.exe"
        93⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\waodubi.exe
        
        "C:\Windows\system32\waodubi.exe"
        94⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\whirgimu.exe
        
        "C:\Windows\system32\whirgimu.exe"
        95⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\wxido.exe
        
        "C:\Windows\system32\wxido.exe"
        96⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\wpnraeja.exe
        
        "C:\Windows\system32\wpnraeja.exe"
        97⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\wnxgwcvh.exe
        
        "C:\Windows\system32\wnxgwcvh.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\wuqyxgcb.exe
        
        "C:\Windows\system32\wuqyxgcb.exe"
        99⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\wvxdbc.exe
        
        "C:\Windows\system32\wvxdbc.exe"
        100⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\wmiyoqp.exe
        
        "C:\Windows\system32\wmiyoqp.exe"
        101⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\wwhqv.exe
        
        "C:\Windows\system32\wwhqv.exe"
        102⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\wvqeshse.exe
        
        "C:\Windows\system32\wvqeshse.exe"
        103⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\wwxivcd.exe
        
        "C:\Windows\system32\wwxivcd.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\wyrfgp.exe
        
        "C:\Windows\system32\wyrfgp.exe"
        105⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\wpifxx.exe
        
        "C:\Windows\system32\wpifxx.exe"
        106⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\wgwfyl.exe
        
        "C:\Windows\system32\wgwfyl.exe"
        107⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\wcgweskk.exe
        
        "C:\Windows\system32\wcgweskk.exe"
        108⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\wkxfww.exe
        
        "C:\Windows\system32\wkxfww.exe"
        109⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\weivdcuw.exe
        
        "C:\Windows\system32\weivdcuw.exe"
        110⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\wnxdvh.exe
        
        "C:\Windows\system32\wnxdvh.exe"
        111⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\wemcwt.exe
        
        "C:\Windows\system32\wemcwt.exe"
        112⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\wtmodibhf.exe
        
        "C:\Windows\system32\wtmodibhf.exe"
        113⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\whwpqddmo.exe
        
        "C:\Windows\system32\whwpqddmo.exe"
        114⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\wbwvpi.exe
        
        "C:\Windows\system32\wbwvpi.exe"
        115⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\wvimvoii.exe
        
        "C:\Windows\system32\wvimvoii.exe"
        116⤵
        
        PID:384
        
        C:\Windows\SysWOW64\wxakgbl.exe
        
        "C:\Windows\system32\wxakgbl.exe"
        117⤵
        
        PID:836
        
        C:\Windows\SysWOW64\wsytuei.exe
        
        "C:\Windows\system32\wsytuei.exe"
        118⤵
        
        PID:304
        
        C:\Windows\SysWOW64\wilpison.exe
        
        "C:\Windows\system32\wilpison.exe"
        119⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\wnggmbv.exe
        
        "C:\Windows\system32\wnggmbv.exe"
        120⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\wvixlf.exe
        
        "C:\Windows\system32\wvixlf.exe"
        121⤵
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\wtgdsy.exe
        
        "C:\Windows\system32\wtgdsy.exe"
        122⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\wtprpw.exe
        
        "C:\Windows\system32\wtprpw.exe"
        123⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\wvfhnadw.exe
        
        "C:\Windows\system32\wvfhnadw.exe"
        124⤵
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\wnrd.exe
        
        "C:\Windows\system32\wnrd.exe"
        125⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wmqgrlj.exe
        
        "C:\Windows\system32\wmqgrlj.exe"
        126⤵
        
        PID:888
        
        C:\Windows\SysWOW64\whaw.exe
        
        "C:\Windows\system32\whaw.exe"
        127⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\wxbhg.exe
        
        "C:\Windows\system32\wxbhg.exe"
        128⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\wvjxsay.exe
        
        "C:\Windows\system32\wvjxsay.exe"
        129⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\wlnsj.exe
        
        "C:\Windows\system32\wlnsj.exe"
        130⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\wbbwyyh.exe
        
        "C:\Windows\system32\wbbwyyh.exe"
        131⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\wfuqtoio.exe
        
        "C:\Windows\system32\wfuqtoio.exe"
        132⤵
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wnkxn.exe
        
        "C:\Windows\system32\wnkxn.exe"
        133⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wxnympdh.exe
        
        "C:\Windows\system32\wxnympdh.exe"
        134⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkxn.exe"
        134⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuqtoio.exe"
        133⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbwyyh.exe"
        132⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnsj.exe"
        131⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjxsay.exe"
        130⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbhg.exe"
        129⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whaw.exe"
        128⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqgrlj.exe"
        127⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrd.exe"
        126⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfhnadw.exe"
        125⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtprpw.exe"
        124⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgdsy.exe"
        123⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvixlf.exe"
        122⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnggmbv.exe"
        121⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wilpison.exe"
        120⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsytuei.exe"
        119⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxakgbl.exe"
        118⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvimvoii.exe"
        117⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwvpi.exe"
        116⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwpqddmo.exe"
        115⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmodibhf.exe"
        114⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemcwt.exe"
        113⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxdvh.exe"
        112⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weivdcuw.exe"
        111⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxfww.exe"
        110⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgweskk.exe"
        109⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwfyl.exe"
        108⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpifxx.exe"
        107⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyrfgp.exe"
        106⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxivcd.exe"
        105⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqeshse.exe"
        104⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhqv.exe"
        103⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmiyoqp.exe"
        102⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxdbc.exe"
        101⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqyxgcb.exe"
        100⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxgwcvh.exe"
        99⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnraeja.exe"
        98⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxido.exe"
        97⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirgimu.exe"
        96⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waodubi.exe"
        95⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepuvu.exe"
        94⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfprfyj.exe"
        93⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkavwx.exe"
        92⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuoxsl.exe"
        91⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbutqi.exe"
        90⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvhrwv.exe"
        89⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlpn.exe"
        88⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whodrrbk.exe"
        87⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wayuym.exe"
        86⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisif.exe"
        85⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrho.exe"
        84⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfry.exe"
        83⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaunteu.exe"
        82⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudwj.exe"
        81⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whotaa.exe"
        80⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuyopewd.exe"
        79⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvpqhcgu.exe"
        78⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wthpou.exe"
        77⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcutagnd.exe"
        76⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwmbaq.exe"
        75⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqiyggw.exe"
        74⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivku.exe"
        73⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwghmm.exe"
        72⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmqrouhh.exe"
        71⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdm.exe"
        70⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfcm.exe"
        69⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavldaiy.exe"
        68⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdk.exe"
        67⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtbuq.exe"
        66⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wteldh.exe"
        65⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdmfv.exe"
        64⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdggpnwi.exe"
        63⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrnufdop.exe"
        62⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmhohyqq.exe"
        61⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwxvcw.exe"
        60⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvnone.exe"
        59⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqweha.exe"
        58⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmntslt.exe"
        57⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexmbgqaf.exe"
        56⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wancmqceu.exe"
        55⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxivt.exe"
        54⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndpijqre.exe"
        53⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabctlbrp.exe"
        52⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfq.exe"
        51⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wschdknp.exe"
        50⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcwvvtb.exe"
        49⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxwva.exe"
        48⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbymnl.exe"
        47⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrspbi.exe"
        46⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxqy.exe"
        45⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjkyrjjk.exe"
        44⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdabkbuny.exe"
        43⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofr.exe"
        42⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcld.exe"
        41⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlm.exe"
        40⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvkhb.exe"
        39⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wims.exe"
        38⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxwjod.exe"
        37⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwmbcj.exe"
        36⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdoyem.exe"
        35⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynv.exe"
        34⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwl.exe"
        33⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyv.exe"
        32⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwoqthdj.exe"
        31⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwstq.exe"
        30⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wct.exe"
        29⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqty.exe"
        28⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtvl.exe"
        27⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuo.exe"
        26⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbuhny.exe"
        25⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcaljaa.exe"
        24⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfsbku.exe"
        23⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wupo.exe"
        22⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgf.exe"
        21⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifnd.exe"
        20⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpduvo.exe"
        19⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcn.exe"
        18⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdyg.exe"
        17⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynsni.exe"
        16⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuhd.exe"
        15⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbisi.exe"
        14⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrr.exe"
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrlowb.exe"
        12⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwirsuq.exe"
        11⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyevvf.exe"
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpthks.exe"
        9⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujp.exe"
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wms.exe"
        7⤵
        
        PID:1388
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwimx.exe"
        6⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wesmwg.exe"
        5⤵
        
        PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjiv.exe"
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqf.exe"
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe"
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1UW0VB79.txt

Filesize
99B

MD5
f133079271d87dae6011cbadd8b50afa

SHA1
8e21adb3cb87fdf8c1b92b7e3aeed7e6b596455f

SHA256
04e2d1a25450d4e06ebc3cdfa7bb59a40831b16371e2c6fd4adade73359e53a2

SHA512
b7865e939cfea4abf46e69c260b4c81faf41c8816c9a00991251b291c1c5080e4b228d5136b7198196c0a7a98d04e56521d43d3de35b6c9ac6257867e718ed4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RONYLCM9.txt

Filesize
132B

MD5
0821d14e3865f59dd70f183d75bef8c7

SHA1
89e5e76552e48f5abc2e03782031b016762df0c1

SHA256
58f20d4501d83b17ef2c2de2a926dbb1274a59ea4311566b19ceccd85c234bc2

SHA512
97ec978d5191ff71797b8598bc0e07b1e0b72e34de3a46de860290b264035ef78952354e8e70640c562002f054b0635f7e53a328e65a9f1450c73356feba68a7

Download Submit
C:\Windows\SysWOW64\wjiv.exe

Filesize
95KB

MD5
beb90c0050ff8152624eba6ea7617c39

SHA1
7277de832af72b65b31fa07d445428973705682d

SHA256
95d3b95c5b5e2695b6655a31dc12c219b507e9bd8c39454cad44e2980e9c627f

SHA512
ace478736c138b41db480feaef0af59456779500b170a15ea5904bc082d02d69e7c9c04778f9724763b0b12f4844990c30c506299928520fd8e2dd64636888bc

Download Submit
C:\Windows\SysWOW64\wxyevvf.exe

Filesize
95KB

MD5
c76520856af48b6c000e527ebf885699

SHA1
d97f44ccf5bbda8a8e24052df60f7e3484ae8fe4

SHA256
b4439ed26d8674f02d2700368a1a46131758e8e99bcf5011a2b88d04a3a74c32

SHA512
38779996dfb9bf58a281cbdecec4eb94c817eb21a9f3ec72bae11aa578499fcb5ef15002cd3680d1581ab31e2a0793902aebcdfb14d536b7854d9683576a64e1

Download Submit
\Windows\SysWOW64\wesmwg.exe

Filesize
95KB

MD5
553de3081b3891e0539a38cc460fb800

SHA1
626d98dc465b29f1659aa9a68e1f81ea3623086f

SHA256
7910143260cd09d724414b593ba7d8ec86b0c30504494c4ee56df512bcf11fce

SHA512
8cdb36f60b4fc5882915210b070c8cdd5c1cd90cda66dd69fa74a096e996f4909ad22dc54f1b69226121082378affebea304ef2a2a8a9e8bbf7ab2120cb80a7c

Download Submit
\Windows\SysWOW64\wmrr.exe

Filesize
95KB

MD5
a750bb8a61743f1b731675c467ec7d29

SHA1
e84cd726cfd5194abeb6a4cc18f63d2f1a2a712e

SHA256
1addf9044ab30e2d1349c3e1c441d7225e728ec6387584efdeaa654f18694404

SHA512
5c5fb9c9b237eacd75b5d408ddcd81f5679549323af3fbdfea8f4305a50d706e60d69a6142db2d8ad851ee2cbcba889eb25753c01244cd76c59d872744d35d1a

Download Submit
\Windows\SysWOW64\wms.exe

Filesize
95KB

MD5
e4bc7f0f5c75529e327bc1eb7e872b75

SHA1
e8c22ac55df2d459089c1859a2491866d17663f8

SHA256
1e7f81aebe6d5659c394131ee418667071ae58d9d1c5a4bad7b3dc308140217e

SHA512
f830cf4a40fccd85bb96de3bdc1f4d29a0c487ed8d4b1d283edf6ac2f77b25325d392029b813b5ce32dc084a167c7eee46a9e8fefa9a51f9993715a4ca6d96f3

Download Submit
\Windows\SysWOW64\wpthks.exe

Filesize
95KB

MD5
22120111c169be6ca2bdf7bfbbcc2f47

SHA1
0a920f1cfba367cd4469e3759144e17dbac6e282

SHA256
b03fc47dff2f3059cb6101396635e9af2a0a648607ffd7eab361ecc8acaf3289

SHA512
a06a9491aa97d08a54522ebf7f2c01b1a594e700d041b8cb253906c2598c81e0483a51e037adde2cfe808ce6205daf5957efb635e8d4ca3eb0c840ab16505b6b

Download Submit
\Windows\SysWOW64\wqf.exe

Filesize
95KB

MD5
96e753d5fd81e5aefe2e25e06d9cd339

SHA1
4fde6db8d7917a749eb87b2443aeddcf0adaae26

SHA256
581b0d6696f0f0760e9c9be99e02556b6e0c9c1898b2e80a549289cb883648c9

SHA512
c6a602416bc3d9875a45957748c208202ad6ae395328075c5e04087731757f8511fddd6b5199fc7b50bab1b62aa27e161f4f8c8a449fff8482768dd68c4cf3b4

Download Submit
\Windows\SysWOW64\wqrlowb.exe

Filesize
95KB

MD5
43f0d5d76b60097c1ecf73137550c392

SHA1
d86343ba09e82279618c01d2ece8121796b7e8c1

SHA256
c9294af9df734b8771c3f5270aa81c1794a7f88ba37bc5f9ce086a1091f6b061

SHA512
28fba3a3a45f1f9581fd43f7c64dbaa64cf98e74939dce4bf4ebcb7b4f71f3f4a56f91ff5bfe5db46f10497a8a7a3b513e11c720256294a78adf5740f37071c0

Download Submit
\Windows\SysWOW64\wujp.exe

Filesize
95KB

MD5
d92b47b785b17e382aa8f3cba876e517

SHA1
f45831d1a3079ac9dd126ca8ec09ba7186719570

SHA256
f11f6884b3974d054573d15449e28c6534853ea2e6fba86641742da830a08225

SHA512
fd6105034fb85faabf65f75839f19f371b050f45ba44e3246fced2b366b353b242895fdb66497714e4438c90f48a4d11d9bb1a59c989fb5f83747f1c5fdd3877

Download Submit
\Windows\SysWOW64\wwimx.exe

Filesize
95KB

MD5
8b42d7c33f9578da2c28c68602521fe1

SHA1
fdb3715dcc31d2e0f0859607aad1d8a76472e109

SHA256
c5100743ec375324cf9db5110c0a7386b35f61da7b79a18e6dcb7383a33510b9

SHA512
c89980a4db65ed40c9c35baece83f54f7a102716f510386c801f476e61fec7884e8d49fbc4ab617051cb1f640b0edde0c8e43c18c4d194059731a806ae098969

Download Submit
\Windows\SysWOW64\wwirsuq.exe

Filesize
95KB

MD5
58650ae93e1279b8a76761f9b307a8e6

SHA1
a65147a1978f69b68a6e3c23ff8a97d2f6e9c131

SHA256
d7b0fbab64929584cd1fc076bfaf2e5af3f6d79ca31cb0b6b03901ddc0b0cb0b

SHA512
5a09ee7c83fe868224c080b62c9b3e9c4363f6160b7cf8b51b8c83e1a01689d7091aa1ee5963e396f19bc2e5efd93cb23c3960690ddae0ac37f1336a7c6b9c12

Download Submit
memory/556-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-317-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/1392-173-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1392-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1392-172-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/1392-170-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/1392-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1464-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1464-87-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1464-84-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/1464-85-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/1500-148-0x0000000002450000-0x0000000002467000-memory.dmp

Filesize
92KB

Download
memory/1500-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-291-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-303-0x0000000003580000-0x0000000003597000-memory.dmp

Filesize
92KB

Download
memory/1656-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1656-275-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/1656-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-108-0x00000000037B0000-0x00000000037C7000-memory.dmp

Filesize
92KB

Download
memory/1932-107-0x00000000037B0000-0x00000000037C7000-memory.dmp

Filesize
92KB

Download
memory/1932-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-96-0x00000000037B0000-0x00000000037C7000-memory.dmp

Filesize
92KB

Download
memory/2044-193-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2044-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2044-191-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/2044-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2120-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2120-195-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2120-213-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/2276-11-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/2276-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-19-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/2276-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-12-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/2540-261-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/2540-259-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/2540-247-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-260-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2576-227-0x0000000003670000-0x0000000003687000-memory.dmp

Filesize
92KB

Download
memory/2576-232-0x0000000003670000-0x0000000003687000-memory.dmp

Filesize
92KB

Download
memory/2576-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2576-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2580-64-0x0000000003730000-0x0000000003747000-memory.dmp

Filesize
92KB

Download
memory/2580-53-0x0000000003120000-0x0000000003137000-memory.dmp

Filesize
92KB

Download
memory/2580-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2580-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-288-0x00000000021D0000-0x00000000021E7000-memory.dmp

Filesize
92KB

Download
memory/2816-290-0x00000000021D0000-0x00000000021E7000-memory.dmp

Filesize
92KB

Download
memory/2864-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2864-233-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-44-0x0000000003670000-0x0000000003687000-memory.dmp

Filesize
92KB

Download
memory/3036-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-42-0x0000000003670000-0x0000000003687000-memory.dmp

Filesize
92KB

Download
memory/3036-40-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/3036-41-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/3036-129-0x0000000003670000-0x0000000003687000-memory.dmp

Filesize
92KB

Download
memory/3036-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download