c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b

Analysis

max time kernel
137s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 03:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
Size

92KB
MD5

73e83cc5ee6460a28d3fa52a58355c6e
SHA1

e6f0d849188dabcfadfbe8cbde989f788fbb7253
SHA256

c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b
SHA512

0209897cbc02056d88657d331c374e465487a35170cc5c3f4ee265fb1a29cc50e147601d10bb6f894d0c4e05a6f099138ed537ba0b7e865337e4ecac277c84e3
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCi2:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQCD

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
305	848	wrmvc.exe
306	848	wrmvc.exe
311	1736	wgprskvp.exe
312	1736	wgprskvp.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2516	wqxmpkot.exe
2888	wqusu.exe
2172	wfhmks.exe
2212	wshbap.exe
768	wbelgrun.exe
2656	wgpbtxt.exe
2044	wmu.exe
2100	wyv.exe
1408	wdxnmtfi.exe
3044	wjwidvska.exe
3048	wscfoa.exe
1984	wvlocp.exe
808	wifcf.exe
1576	wsyoinp.exe
3008	wgsalm.exe
1076	wrbd.exe
1816	wplqfh.exe
2632	wutytv.exe
2636	wcdg.exe
2428	wsoanrud.exe
572	wrndcpw.exe
2484	wcgogn.exe
2212	wuhbnc.exe
848	wkubop.exe
1296	wsqqavl.exe
640	wnpwy.exe
2340	wapkpxae.exe
2504	wqmn.exe
2444	wqwb.exe
1324	wivl.exe
1336	wperm.exe
1656	wphqex.exe
2284	wbvtntal.exe
2196	wnwjeqrk.exe
2908	wugpivlv.exe
2700	wve.exe
2508	wmf.exe
2360	woawcxgn.exe
2072	wsigpmvk.exe
836	wjprkyxjy.exe
2412	wyibeokoo.exe
2904	wreer.exe
2056	whiwuq.exe
2316	wcpegte.exe
1304	wwrty.exe
2168	wfwrlg.exe
2696	wrdot.exe
2684	wnw.exe
1868	wmampfo.exe
2172	wini.exe
2028	wyot.exe
3064	wyfiy.exe
840	wgnof.exe
436	waxfjfr.exe
3024	wkondksv.exe
2620	wexeipb.exe
2424	wewgyndiu.exe
520	wlyyxspq.exe
1956	woijlhf.exe
2216	wjhpkndqb.exe
2220	wwbbnmk.exe
1288	wqqy.exe
2928	wctuqqq.exe
2968	wxucpvneq.exe

Loads dropped DLL 64 IoCs

pid	Process
1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
2516	wqxmpkot.exe
2516	wqxmpkot.exe
2516	wqxmpkot.exe
2516	wqxmpkot.exe
2516	wqxmpkot.exe
2888	wqusu.exe
2888	wqusu.exe
2888	wqusu.exe
2888	wqusu.exe
2888	wqusu.exe
2172	wfhmks.exe
2172	wfhmks.exe
2172	wfhmks.exe
2172	wfhmks.exe
2172	wfhmks.exe
2212	wshbap.exe
2212	wshbap.exe
2212	wshbap.exe
2212	wshbap.exe
2212	wshbap.exe
768	wbelgrun.exe
768	wbelgrun.exe
768	wbelgrun.exe
768	wbelgrun.exe
768	wbelgrun.exe
2656	wgpbtxt.exe
2656	wgpbtxt.exe
2656	wgpbtxt.exe
2656	wgpbtxt.exe
2656	wgpbtxt.exe
2044	wmu.exe
2044	wmu.exe
2044	wmu.exe
2044	wmu.exe
2044	wmu.exe
2100	wyv.exe
2100	wyv.exe
2100	wyv.exe
2100	wyv.exe
2100	wyv.exe
1408	wdxnmtfi.exe
2936	wtywuiaxt.exe
2936	wtywuiaxt.exe
2936	wtywuiaxt.exe
2936	wtywuiaxt.exe
3044	wjwidvska.exe
3044	wjwidvska.exe
3044	wjwidvska.exe
3044	wjwidvska.exe
3044	wjwidvska.exe
3048	wscfoa.exe
3048	wscfoa.exe
3048	wscfoa.exe
3048	wscfoa.exe
3048	wscfoa.exe
1984	wvlocp.exe
1984	wvlocp.exe
1984	wvlocp.exe
1984	wvlocp.exe
1984	wvlocp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxucpvneq = "\"C:\\Windows\\SysWOW64\\wxucpvneq.exe\""	wxucpvneq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqaipf = "\"C:\\Windows\\SysWOW64\\wqaipf.exe\""	wqaipf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuyqs = "\"C:\\Windows\\SysWOW64\\wuyqs.exe\""	wuyqs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyv = "\"C:\\Windows\\SysWOW64\\wyv.exe\""	wyv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnpwy = "\"C:\\Windows\\SysWOW64\\wnpwy.exe\""	wnpwy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wini = "\"C:\\Windows\\SysWOW64\\wini.exe\""	wini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdusosava = "\"C:\\Windows\\SysWOW64\\wdusosava.exe\""	wdusosava.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsiccdk = "\"C:\\Windows\\SysWOW64\\wsiccdk.exe\""	wsiccdk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtwxnxas = "\"C:\\Windows\\SysWOW64\\wtwxnxas.exe\""	wtwxnxas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\whqeyb = "\"C:\\Windows\\SysWOW64\\whqeyb.exe\""	whqeyb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfhmks = "\"C:\\Windows\\SysWOW64\\wfhmks.exe\""	wfhmks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjprkyxjy = "\"C:\\Windows\\SysWOW64\\wjprkyxjy.exe\""	wjprkyxjy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqqy = "\"C:\\Windows\\SysWOW64\\wqqy.exe\""	wqqy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvdscq = "\"C:\\Windows\\SysWOW64\\wvdscq.exe\""	wvdscq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrkyrty = "\"C:\\Windows\\SysWOW64\\wrkyrty.exe\""	wrkyrty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlypbx = "\"C:\\Windows\\SysWOW64\\wlypbx.exe\""	wlypbx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgdbqv = "\"C:\\Windows\\SysWOW64\\wgdbqv.exe\""	wgdbqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbclgx = "\"C:\\Windows\\SysWOW64\\wbclgx.exe\""	wbclgx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlcshqy = "\"C:\\Windows\\SysWOW64\\wlcshqy.exe\""	wlcshqy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wifcf = "\"C:\\Windows\\SysWOW64\\wifcf.exe\""	wifcf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wugpivlv = "\"C:\\Windows\\SysWOW64\\wugpivlv.exe\""	wugpivlv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmf = "\"C:\\Windows\\SysWOW64\\wmf.exe\""	wmf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcijwekt = "\"C:\\Windows\\SysWOW64\\wcijwekt.exe\""	wcijwekt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcdg = "\"C:\\Windows\\SysWOW64\\wcdg.exe\""	wcdg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\waixrgx = "\"C:\\Windows\\SysWOW64\\waixrgx.exe\""	waixrgx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wltbki = "\"C:\\Windows\\SysWOW64\\wltbki.exe\""	wltbki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvayeo = "\"C:\\Windows\\SysWOW64\\wvayeo.exe\""	wvayeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcvrcyotm = "\"C:\\Windows\\SysWOW64\\wcvrcyotm.exe\""	wcvrcyotm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyfiy = "\"C:\\Windows\\SysWOW64\\wyfiy.exe\""	wyfiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wexeipb = "\"C:\\Windows\\SysWOW64\\wexeipb.exe\""	wexeipb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbcldkdac = "\"C:\\Windows\\SysWOW64\\wbcldkdac.exe\""	wbcldkdac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlbiiitgp = "\"C:\\Windows\\SysWOW64\\wlbiiitgp.exe\""	wlbiiitgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wloqrfej = "\"C:\\Windows\\SysWOW64\\wloqrfej.exe\""	wloqrfej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjuuwefd = "\"C:\\Windows\\SysWOW64\\wjuuwefd.exe\""	wjuuwefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtamqxv = "\"C:\\Windows\\SysWOW64\\wtamqxv.exe\""	wtamqxv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wivl = "\"C:\\Windows\\SysWOW64\\wivl.exe\""	wivl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsxpggxg = "\"C:\\Windows\\SysWOW64\\wsxpggxg.exe\""	wsxpggxg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wretjda = "\"C:\\Windows\\SysWOW64\\wretjda.exe\""	wretjda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvyblejk = "\"C:\\Windows\\SysWOW64\\wvyblejk.exe\""	wvyblejk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgprskvp = "\"C:\\Windows\\SysWOW64\\wgprskvp.exe\""	wgprskvp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wikltmn = "\"C:\\Windows\\SysWOW64\\wikltmn.exe\""	wikltmn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wosaaq = "\"C:\\Windows\\SysWOW64\\wosaaq.exe\""	wosaaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbniltil = "\"C:\\Windows\\SysWOW64\\wbniltil.exe\""	wbniltil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsoanrud = "\"C:\\Windows\\SysWOW64\\wsoanrud.exe\""	wsoanrud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsqqavl = "\"C:\\Windows\\SysWOW64\\wsqqavl.exe\""	wsqqavl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\whbdlvd = "\"C:\\Windows\\SysWOW64\\whbdlvd.exe\""	whbdlvd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\woxwgau = "\"C:\\Windows\\SysWOW64\\woxwgau.exe\""	woxwgau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wplujhv = "\"C:\\Windows\\SysWOW64\\wplujhv.exe\""	wplujhv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmun = "\"C:\\Windows\\SysWOW64\\wmun.exe\""	wmun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqusu = "\"C:\\Windows\\SysWOW64\\wqusu.exe\""	wqusu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wreer = "\"C:\\Windows\\SysWOW64\\wreer.exe\""	wreer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwbbnmk = "\"C:\\Windows\\SysWOW64\\wwbbnmk.exe\""	wwbbnmk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wewgyndiu = "\"C:\\Windows\\SysWOW64\\wewgyndiu.exe\""	wewgyndiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wstxtp = "\"C:\\Windows\\SysWOW64\\wstxtp.exe\""	wstxtp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wksijv = "\"C:\\Windows\\SysWOW64\\wksijv.exe\""	wksijv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtywuiaxt = "\"C:\\Windows\\SysWOW64\\wtywuiaxt.exe\""	wtywuiaxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmampfo = "\"C:\\Windows\\SysWOW64\\wmampfo.exe\""	wmampfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkondksv = "\"C:\\Windows\\SysWOW64\\wkondksv.exe\""	wkondksv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrmvc = "\"C:\\Windows\\SysWOW64\\wrmvc.exe\""	wrmvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wakfntxc = "\"C:\\Windows\\SysWOW64\\wakfntxc.exe\""	wakfntxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmnwkjv = "\"C:\\Windows\\SysWOW64\\wmnwkjv.exe\""	wmnwkjv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\weyrxnjsd = "\"C:\\Windows\\SysWOW64\\weyrxnjsd.exe\""	weyrxnjsd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wicxwoat = "\"C:\\Windows\\SysWOW64\\wicxwoat.exe\""	wicxwoat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgpbtxt = "\"C:\\Windows\\SysWOW64\\wgpbtxt.exe\""	wgpbtxt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wrpngkrc.exe	wnrnb.exe
File opened for modification	C:\Windows\SysWOW64\wimqbbso.exe	wjrsycv.exe
File created	C:\Windows\SysWOW64\wrarthkv.exe	whfeqj.exe
File created	C:\Windows\SysWOW64\wlnrhph.exe	wumhad.exe
File created	C:\Windows\SysWOW64\wmu.exe	wgpbtxt.exe
File opened for modification	C:\Windows\SysWOW64\wkubop.exe	wuhbnc.exe
File opened for modification	C:\Windows\SysWOW64\wretjda.exe	wkjexw.exe
File opened for modification	C:\Windows\SysWOW64\wtxdrwq.exe	wigpoahr.exe
File created	C:\Windows\SysWOW64\wtwxnxas.exe	wlnrhph.exe
File created	C:\Windows\SysWOW64\wjrsycv.exe	wbclgx.exe
File created	C:\Windows\SysWOW64\wvayeo.exe	wemfqyai.exe
File created	C:\Windows\SysWOW64\wasoqo.exe	wosaaq.exe
File created	C:\Windows\SysWOW64\wsyoinp.exe	wifcf.exe
File opened for modification	C:\Windows\SysWOW64\wsyoinp.exe	wifcf.exe
File created	C:\Windows\SysWOW64\wnw.exe	wrdot.exe
File created	C:\Windows\SysWOW64\wxucpvneq.exe	wctuqqq.exe
File created	C:\Windows\SysWOW64\wyot.exe	wini.exe
File created	C:\Windows\SysWOW64\wbcldkdac.exe	wxucpvneq.exe
File created	C:\Windows\SysWOW64\wylypkrnr.exe	wretjda.exe
File opened for modification	C:\Windows\SysWOW64\wptqysgnn.exe	wikltmn.exe
File opened for modification	C:\Windows\SysWOW64\whklioog.exe	wybfdiu.exe
File created	C:\Windows\SysWOW64\wvdscq.exe	wbcldkdac.exe
File created	C:\Windows\SysWOW64\wayqyp.exe	wtpk.exe
File opened for modification	C:\Windows\SysWOW64\wxwsu.exe	wtwxnxas.exe
File created	C:\Windows\SysWOW64\wbelgrun.exe	wshbap.exe
File opened for modification	C:\Windows\SysWOW64\wmu.exe	wgpbtxt.exe
File opened for modification	C:\Windows\SysWOW64\wreer.exe	wyibeokoo.exe
File opened for modification	C:\Windows\SysWOW64\wctuqqq.exe	wqqy.exe
File created	C:\Windows\SysWOW64\wqxmpkot.exe	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
File created	C:\Windows\SysWOW64\wctuqqq.exe	wqqy.exe
File opened for modification	C:\Windows\SysWOW64\wylypkrnr.exe	wretjda.exe
File opened for modification	C:\Windows\SysWOW64\wrarthkv.exe	whfeqj.exe
File created	C:\Windows\SysWOW64\wumhad.exe	wjuuwefd.exe
File opened for modification	C:\Windows\SysWOW64\wvlocp.exe	wscfoa.exe
File opened for modification	C:\Windows\SysWOW64\wsqqavl.exe	wkubop.exe
File opened for modification	C:\Windows\SysWOW64\wgnof.exe	wyfiy.exe
File opened for modification	C:\Windows\SysWOW64\wjrsycv.exe	wbclgx.exe
File opened for modification	C:\Windows\SysWOW64\wobmkb.exe	wghwxtms.exe
File created	C:\Windows\SysWOW64\wjwidvska.exe	wtywuiaxt.exe
File opened for modification	C:\Windows\SysWOW64\wkondksv.exe	waxfjfr.exe
File created	C:\Windows\SysWOW64\wmpaod.exe	waixrgx.exe
File opened for modification	C:\Windows\SysWOW64\wlypbx.exe	wgbqtkd.exe
File created	C:\Windows\SysWOW64\wnnuimguo.exe	wayqyp.exe
File created	C:\Windows\SysWOW64\wugpivlv.exe	wnwjeqrk.exe
File created	C:\Windows\SysWOW64\wini.exe	wmampfo.exe
File opened for modification	C:\Windows\SysWOW64\wewhowfe.exe	wvdscq.exe
File opened for modification	C:\Windows\SysWOW64\wsiccdk.exe	wsxpggxg.exe
File created	C:\Windows\SysWOW64\wbclgx.exe	wgcegswrt.exe
File created	C:\Windows\SysWOW64\wxwsu.exe	wtwxnxas.exe
File created	C:\Windows\SysWOW64\wmfwfp.exe	wmgtpsq.exe
File opened for modification	C:\Windows\SysWOW64\wqwb.exe	wqmn.exe
File created	C:\Windows\SysWOW64\wivl.exe	wqwb.exe
File opened for modification	C:\Windows\SysWOW64\wvdscq.exe	wbcldkdac.exe
File opened for modification	C:\Windows\SysWOW64\wmpaod.exe	waixrgx.exe
File opened for modification	C:\Windows\SysWOW64\wjuuwefd.exe	whklioog.exe
File opened for modification	C:\Windows\SysWOW64\whiwuq.exe	wreer.exe
File opened for modification	C:\Windows\SysWOW64\wyot.exe	wini.exe
File opened for modification	C:\Windows\SysWOW64\wuyqs.exe	wiacb.exe
File opened for modification	C:\Windows\SysWOW64\wpxyhusf.exe	wloqrfej.exe
File opened for modification	C:\Windows\SysWOW64\wmgtpsq.exe	wbniltil.exe
File created	C:\Windows\SysWOW64\wperm.exe	wivl.exe
File created	C:\Windows\SysWOW64\wqaipf.exe	wffv.exe
File opened for modification	C:\Windows\SysWOW64\wayqyp.exe	wtpk.exe
File created	C:\Windows\SysWOW64\wgjuv.exe	wpxyhusf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2516	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	28
PID 1612 wrote to memory of 2516	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	28
PID 1612 wrote to memory of 2516	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	28
PID 1612 wrote to memory of 2516	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	28
PID 1612 wrote to memory of 2684	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	29
PID 1612 wrote to memory of 2684	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	29
PID 1612 wrote to memory of 2684	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	29
PID 1612 wrote to memory of 2684	1612	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	29
PID 2516 wrote to memory of 2888	2516	wqxmpkot.exe	31
PID 2516 wrote to memory of 2888	2516	wqxmpkot.exe	31
PID 2516 wrote to memory of 2888	2516	wqxmpkot.exe	31
PID 2516 wrote to memory of 2888	2516	wqxmpkot.exe	31
PID 2516 wrote to memory of 2488	2516	wqxmpkot.exe	32
PID 2516 wrote to memory of 2488	2516	wqxmpkot.exe	32
PID 2516 wrote to memory of 2488	2516	wqxmpkot.exe	32
PID 2516 wrote to memory of 2488	2516	wqxmpkot.exe	32
PID 2888 wrote to memory of 2172	2888	wqusu.exe	66
PID 2888 wrote to memory of 2172	2888	wqusu.exe	66
PID 2888 wrote to memory of 2172	2888	wqusu.exe	66
PID 2888 wrote to memory of 2172	2888	wqusu.exe	66
PID 2888 wrote to memory of 568	2888	wqusu.exe	35
PID 2888 wrote to memory of 568	2888	wqusu.exe	35
PID 2888 wrote to memory of 568	2888	wqusu.exe	35
PID 2888 wrote to memory of 568	2888	wqusu.exe	35
PID 2172 wrote to memory of 2212	2172	wfhmks.exe	37
PID 2172 wrote to memory of 2212	2172	wfhmks.exe	37
PID 2172 wrote to memory of 2212	2172	wfhmks.exe	37
PID 2172 wrote to memory of 2212	2172	wfhmks.exe	37
PID 2172 wrote to memory of 2180	2172	wfhmks.exe	38
PID 2172 wrote to memory of 2180	2172	wfhmks.exe	38
PID 2172 wrote to memory of 2180	2172	wfhmks.exe	38
PID 2172 wrote to memory of 2180	2172	wfhmks.exe	38
PID 2212 wrote to memory of 768	2212	wshbap.exe	40
PID 2212 wrote to memory of 768	2212	wshbap.exe	40
PID 2212 wrote to memory of 768	2212	wshbap.exe	40
PID 2212 wrote to memory of 768	2212	wshbap.exe	40
PID 2212 wrote to memory of 1756	2212	wshbap.exe	41
PID 2212 wrote to memory of 1756	2212	wshbap.exe	41
PID 2212 wrote to memory of 1756	2212	wshbap.exe	41
PID 2212 wrote to memory of 1756	2212	wshbap.exe	41
PID 768 wrote to memory of 2656	768	wbelgrun.exe	43
PID 768 wrote to memory of 2656	768	wbelgrun.exe	43
PID 768 wrote to memory of 2656	768	wbelgrun.exe	43
PID 768 wrote to memory of 2656	768	wbelgrun.exe	43
PID 768 wrote to memory of 2188	768	wbelgrun.exe	44
PID 768 wrote to memory of 2188	768	wbelgrun.exe	44
PID 768 wrote to memory of 2188	768	wbelgrun.exe	44
PID 768 wrote to memory of 2188	768	wbelgrun.exe	44
PID 2656 wrote to memory of 2044	2656	wgpbtxt.exe	46
PID 2656 wrote to memory of 2044	2656	wgpbtxt.exe	46
PID 2656 wrote to memory of 2044	2656	wgpbtxt.exe	46
PID 2656 wrote to memory of 2044	2656	wgpbtxt.exe	46
PID 2656 wrote to memory of 1604	2656	wgpbtxt.exe	47
PID 2656 wrote to memory of 1604	2656	wgpbtxt.exe	47
PID 2656 wrote to memory of 1604	2656	wgpbtxt.exe	47
PID 2656 wrote to memory of 1604	2656	wgpbtxt.exe	47
PID 2044 wrote to memory of 2100	2044	wmu.exe	49
PID 2044 wrote to memory of 2100	2044	wmu.exe	49
PID 2044 wrote to memory of 2100	2044	wmu.exe	49
PID 2044 wrote to memory of 2100	2044	wmu.exe	49
PID 2044 wrote to memory of 2968	2044	wmu.exe	50
PID 2044 wrote to memory of 2968	2044	wmu.exe	50
PID 2044 wrote to memory of 2968	2044	wmu.exe	50
PID 2044 wrote to memory of 2968	2044	wmu.exe	50

C:\Users\Admin\AppData\Local\Temp\c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
"C:\Users\Admin\AppData\Local\Temp\c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\wqxmpkot.exe
  "C:\Windows\system32\wqxmpkot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\wqusu.exe
    "C:\Windows\system32\wqusu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\wfhmks.exe
      "C:\Windows\system32\wfhmks.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\wshbap.exe
        
        "C:\Windows\system32\wshbap.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\wbelgrun.exe
        
        "C:\Windows\system32\wbelgrun.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\wgpbtxt.exe
        
        "C:\Windows\system32\wgpbtxt.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\wmu.exe
        
        "C:\Windows\system32\wmu.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\wyv.exe
        
        "C:\Windows\system32\wyv.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2100
        
        C:\Windows\SysWOW64\wdxnmtfi.exe
        
        "C:\Windows\system32\wdxnmtfi.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1408
        
        C:\Windows\SysWOW64\wtywuiaxt.exe
        
        "C:\Windows\system32\wtywuiaxt.exe"
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wjwidvska.exe
        
        "C:\Windows\system32\wjwidvska.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3044
        
        C:\Windows\SysWOW64\wscfoa.exe
        
        "C:\Windows\system32\wscfoa.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\wvlocp.exe
        
        "C:\Windows\system32\wvlocp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
        
        C:\Windows\SysWOW64\wifcf.exe
        
        "C:\Windows\system32\wifcf.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\wsyoinp.exe
        
        "C:\Windows\system32\wsyoinp.exe"
        16⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\wgsalm.exe
        
        "C:\Windows\system32\wgsalm.exe"
        17⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\wrbd.exe
        
        "C:\Windows\system32\wrbd.exe"
        18⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\wplqfh.exe
        
        "C:\Windows\system32\wplqfh.exe"
        19⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\wutytv.exe
        
        "C:\Windows\system32\wutytv.exe"
        20⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\wcdg.exe
        
        "C:\Windows\system32\wcdg.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2636
        
        C:\Windows\SysWOW64\wsoanrud.exe
        
        "C:\Windows\system32\wsoanrud.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2428
        
        C:\Windows\SysWOW64\wrndcpw.exe
        
        "C:\Windows\system32\wrndcpw.exe"
        23⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\wcgogn.exe
        
        "C:\Windows\system32\wcgogn.exe"
        24⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\wuhbnc.exe
        
        "C:\Windows\system32\wuhbnc.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\wkubop.exe
        
        "C:\Windows\system32\wkubop.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\wsqqavl.exe
        
        "C:\Windows\system32\wsqqavl.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1296
        
        C:\Windows\SysWOW64\wnpwy.exe
        
        "C:\Windows\system32\wnpwy.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:640
        
        C:\Windows\SysWOW64\wapkpxae.exe
        
        "C:\Windows\system32\wapkpxae.exe"
        29⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\wqmn.exe
        
        "C:\Windows\system32\wqmn.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\wqwb.exe
        
        "C:\Windows\system32\wqwb.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\wivl.exe
        
        "C:\Windows\system32\wivl.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\wperm.exe
        
        "C:\Windows\system32\wperm.exe"
        33⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\wphqex.exe
        
        "C:\Windows\system32\wphqex.exe"
        34⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\wbvtntal.exe
        
        "C:\Windows\system32\wbvtntal.exe"
        35⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\wnwjeqrk.exe
        
        "C:\Windows\system32\wnwjeqrk.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\wugpivlv.exe
        
        "C:\Windows\system32\wugpivlv.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2908
        
        C:\Windows\SysWOW64\wve.exe
        
        "C:\Windows\system32\wve.exe"
        38⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\wmf.exe
        
        "C:\Windows\system32\wmf.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2508
        
        C:\Windows\SysWOW64\woawcxgn.exe
        
        "C:\Windows\system32\woawcxgn.exe"
        40⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\wsigpmvk.exe
        
        "C:\Windows\system32\wsigpmvk.exe"
        41⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\wjprkyxjy.exe
        
        "C:\Windows\system32\wjprkyxjy.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:836
        
        C:\Windows\SysWOW64\wyibeokoo.exe
        
        "C:\Windows\system32\wyibeokoo.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\wreer.exe
        
        "C:\Windows\system32\wreer.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\whiwuq.exe
        
        "C:\Windows\system32\whiwuq.exe"
        45⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\wcpegte.exe
        
        "C:\Windows\system32\wcpegte.exe"
        46⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\wwrty.exe
        
        "C:\Windows\system32\wwrty.exe"
        47⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\wfwrlg.exe
        
        "C:\Windows\system32\wfwrlg.exe"
        48⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\wrdot.exe
        
        "C:\Windows\system32\wrdot.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\wnw.exe
        
        "C:\Windows\system32\wnw.exe"
        50⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\wmampfo.exe
        
        "C:\Windows\system32\wmampfo.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\wini.exe
        
        "C:\Windows\system32\wini.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\wyot.exe
        
        "C:\Windows\system32\wyot.exe"
        53⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\wyfiy.exe
        
        "C:\Windows\system32\wyfiy.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wgnof.exe
        
        "C:\Windows\system32\wgnof.exe"
        55⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\waxfjfr.exe
        
        "C:\Windows\system32\waxfjfr.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\wkondksv.exe
        
        "C:\Windows\system32\wkondksv.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3024
        
        C:\Windows\SysWOW64\wexeipb.exe
        
        "C:\Windows\system32\wexeipb.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2620
        
        C:\Windows\SysWOW64\wewgyndiu.exe
        
        "C:\Windows\system32\wewgyndiu.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2424
        
        C:\Windows\SysWOW64\wlyyxspq.exe
        
        "C:\Windows\system32\wlyyxspq.exe"
        60⤵
        Executes dropped EXE
        
        PID:520
        
        C:\Windows\SysWOW64\woijlhf.exe
        
        "C:\Windows\system32\woijlhf.exe"
        61⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\wjhpkndqb.exe
        
        "C:\Windows\system32\wjhpkndqb.exe"
        62⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\wwbbnmk.exe
        
        "C:\Windows\system32\wwbbnmk.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2220
        
        C:\Windows\SysWOW64\wqqy.exe
        
        "C:\Windows\system32\wqqy.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\wctuqqq.exe
        
        "C:\Windows\system32\wctuqqq.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wxucpvneq.exe
        
        "C:\Windows\system32\wxucpvneq.exe"
        66⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wbcldkdac.exe
        
        "C:\Windows\system32\wbcldkdac.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\wvdscq.exe
        
        "C:\Windows\system32\wvdscq.exe"
        68⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wewhowfe.exe
        
        "C:\Windows\system32\wewhowfe.exe"
        69⤵
        
        PID:580
        
        C:\Windows\SysWOW64\whbdlvd.exe
        
        "C:\Windows\system32\whbdlvd.exe"
        70⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\wbwsgd.exe
        
        "C:\Windows\system32\wbwsgd.exe"
        71⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\wdusosava.exe
        
        "C:\Windows\system32\wdusosava.exe"
        72⤵
        Adds Run key to start application
        
        PID:1348
        
        C:\Windows\SysWOW64\wmd.exe
        
        "C:\Windows\system32\wmd.exe"
        73⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\wsxpggxg.exe
        
        "C:\Windows\system32\wsxpggxg.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\wsiccdk.exe
        
        "C:\Windows\system32\wsiccdk.exe"
        75⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Windows\SysWOW64\wfxglapyl.exe
        
        "C:\Windows\system32\wfxglapyl.exe"
        76⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\waixrgx.exe
        
        "C:\Windows\system32\waixrgx.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\wmpaod.exe
        
        "C:\Windows\system32\wmpaod.exe"
        78⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\wgbqtkd.exe
        
        "C:\Windows\system32\wgbqtkd.exe"
        79⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\wlypbx.exe
        
        "C:\Windows\system32\wlypbx.exe"
        80⤵
        Adds Run key to start application
        
        PID:3044
        
        C:\Windows\SysWOW64\wkjexw.exe
        
        "C:\Windows\system32\wkjexw.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wretjda.exe
        
        "C:\Windows\system32\wretjda.exe"
        82⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\wylypkrnr.exe
        
        "C:\Windows\system32\wylypkrnr.exe"
        83⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\wltbki.exe
        
        "C:\Windows\system32\wltbki.exe"
        84⤵
        Adds Run key to start application
        
        PID:2304
        
        C:\Windows\SysWOW64\wopvgxp.exe
        
        "C:\Windows\system32\wopvgxp.exe"
        85⤵
        
        PID:944
        
        C:\Windows\SysWOW64\wvyblejk.exe
        
        "C:\Windows\system32\wvyblejk.exe"
        86⤵
        Adds Run key to start application
        
        PID:1360
        
        C:\Windows\SysWOW64\wigpoahr.exe
        
        "C:\Windows\system32\wigpoahr.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\wtxdrwq.exe
        
        "C:\Windows\system32\wtxdrwq.exe"
        88⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\wcijwekt.exe
        
        "C:\Windows\system32\wcijwekt.exe"
        89⤵
        Adds Run key to start application
        
        PID:2628
        
        C:\Windows\SysWOW64\wfgidrp.exe
        
        "C:\Windows\system32\wfgidrp.exe"
        90⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\wkwtgfmi.exe
        
        "C:\Windows\system32\wkwtgfmi.exe"
        91⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\wnrnb.exe
        
        "C:\Windows\system32\wnrnb.exe"
        92⤵
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\wrpngkrc.exe
        
        "C:\Windows\system32\wrpngkrc.exe"
        93⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\wlsca.exe
        
        "C:\Windows\system32\wlsca.exe"
        94⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\wksgppt.exe
        
        "C:\Windows\system32\wksgppt.exe"
        95⤵
        
        PID:544
        
        C:\Windows\SysWOW64\wrmvc.exe
        
        "C:\Windows\system32\wrmvc.exe"
        96⤵
        Blocklisted process makes network request
        Adds Run key to start application
        
        PID:848
        
        C:\Windows\SysWOW64\wrkyrty.exe
        
        "C:\Windows\system32\wrkyrty.exe"
        97⤵
        Adds Run key to start application
        
        PID:2964
        
        C:\Windows\SysWOW64\wgprskvp.exe
        
        "C:\Windows\system32\wgprskvp.exe"
        98⤵
        Blocklisted process makes network request
        Adds Run key to start application
        
        PID:1736
        
        C:\Windows\SysWOW64\wvibnag.exe
        
        "C:\Windows\system32\wvibnag.exe"
        99⤵
        
        PID:280
        
        C:\Windows\SysWOW64\wffv.exe
        
        "C:\Windows\system32\wffv.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\wqaipf.exe
        
        "C:\Windows\system32\wqaipf.exe"
        101⤵
        Adds Run key to start application
        
        PID:2588
        
        C:\Windows\SysWOW64\wgdbqv.exe
        
        "C:\Windows\system32\wgdbqv.exe"
        102⤵
        Adds Run key to start application
        
        PID:2052
        
        C:\Windows\SysWOW64\wgcegswrt.exe
        
        "C:\Windows\system32\wgcegswrt.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\wbclgx.exe
        
        "C:\Windows\system32\wbclgx.exe"
        104⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\wjrsycv.exe
        
        "C:\Windows\system32\wjrsycv.exe"
        105⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\wimqbbso.exe
        
        "C:\Windows\system32\wimqbbso.exe"
        106⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\wtctlxx.exe
        
        "C:\Windows\system32\wtctlxx.exe"
        107⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\wdvjweca.exe
        
        "C:\Windows\system32\wdvjweca.exe"
        108⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\wlbiiitgp.exe
        
        "C:\Windows\system32\wlbiiitgp.exe"
        109⤵
        Adds Run key to start application
        
        PID:2564
        
        C:\Windows\SysWOW64\wstxtp.exe
        
        "C:\Windows\system32\wstxtp.exe"
        110⤵
        Adds Run key to start application
        
        PID:468
        
        C:\Windows\SysWOW64\wakfntxc.exe
        
        "C:\Windows\system32\wakfntxc.exe"
        111⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Windows\SysWOW64\weupbjox.exe
        
        "C:\Windows\system32\weupbjox.exe"
        112⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\wikbcvmfc.exe
        
        "C:\Windows\system32\wikbcvmfc.exe"
        113⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\wmnwkjv.exe
        
        "C:\Windows\system32\wmnwkjv.exe"
        114⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\wntbn.exe
        
        "C:\Windows\system32\wntbn.exe"
        115⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\wpjmor.exe
        
        "C:\Windows\system32\wpjmor.exe"
        116⤵
        
        PID:808
        
        C:\Windows\SysWOW64\weyrxnjsd.exe
        
        "C:\Windows\system32\weyrxnjsd.exe"
        117⤵
        Adds Run key to start application
        
        PID:2544
        
        C:\Windows\SysWOW64\wksijv.exe
        
        "C:\Windows\system32\wksijv.exe"
        118⤵
        Adds Run key to start application
        
        PID:1408
        
        C:\Windows\SysWOW64\wgroialxh.exe
        
        "C:\Windows\system32\wgroialxh.exe"
        119⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\wicxwoat.exe
        
        "C:\Windows\system32\wicxwoat.exe"
        120⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Windows\SysWOW64\wikltmn.exe
        
        "C:\Windows\system32\wikltmn.exe"
        121⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\wptqysgnn.exe
        
        "C:\Windows\system32\wptqysgnn.exe"
        122⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\wtpk.exe
        
        "C:\Windows\system32\wtpk.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\wayqyp.exe
        
        "C:\Windows\system32\wayqyp.exe"
        124⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\wnnuimguo.exe
        
        "C:\Windows\system32\wnnuimguo.exe"
        125⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\wemfqyai.exe
        
        "C:\Windows\system32\wemfqyai.exe"
        126⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\wvayeo.exe
        
        "C:\Windows\system32\wvayeo.exe"
        127⤵
        Adds Run key to start application
        
        PID:1296
        
        C:\Windows\SysWOW64\wdvvdt.exe
        
        "C:\Windows\system32\wdvvdt.exe"
        128⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\whfeqj.exe
        
        "C:\Windows\system32\whfeqj.exe"
        129⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\wrarthkv.exe
        
        "C:\Windows\system32\wrarthkv.exe"
        130⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\wiacb.exe
        
        "C:\Windows\system32\wiacb.exe"
        131⤵
        Drops file in System32 directory
        
        PID:240
        
        C:\Windows\SysWOW64\wuyqs.exe
        
        "C:\Windows\system32\wuyqs.exe"
        132⤵
        Adds Run key to start application
        
        PID:1064
        
        C:\Windows\SysWOW64\wloqrfej.exe
        
        "C:\Windows\system32\wloqrfej.exe"
        133⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wpxyhusf.exe
        
        "C:\Windows\system32\wpxyhusf.exe"
        134⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\wgjuv.exe
        
        "C:\Windows\system32\wgjuv.exe"
        135⤵
        
        PID:612
        
        C:\Windows\SysWOW64\wosaaq.exe
        
        "C:\Windows\system32\wosaaq.exe"
        136⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\wasoqo.exe
        
        "C:\Windows\system32\wasoqo.exe"
        137⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\wvruotg.exe
        
        "C:\Windows\system32\wvruotg.exe"
        138⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\wybfdiu.exe
        
        "C:\Windows\system32\wybfdiu.exe"
        139⤵
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\whklioog.exe
        
        "C:\Windows\system32\whklioog.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\wjuuwefd.exe
        
        "C:\Windows\system32\wjuuwefd.exe"
        141⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\wumhad.exe
        
        "C:\Windows\system32\wumhad.exe"
        142⤵
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\wlnrhph.exe
        
        "C:\Windows\system32\wlnrhph.exe"
        143⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\wtwxnxas.exe
        
        "C:\Windows\system32\wtwxnxas.exe"
        144⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\wxwsu.exe
        
        "C:\Windows\system32\wxwsu.exe"
        145⤵
        
        PID:992
        
        C:\Windows\SysWOW64\wcvrcyotm.exe
        
        "C:\Windows\system32\wcvrcyotm.exe"
        146⤵
        Adds Run key to start application
        
        PID:2284
        
        C:\Windows\SysWOW64\wbniltil.exe
        
        "C:\Windows\system32\wbniltil.exe"
        147⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\wmgtpsq.exe
        
        "C:\Windows\system32\wmgtpsq.exe"
        148⤵
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\wmfwfp.exe
        
        "C:\Windows\system32\wmfwfp.exe"
        149⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\wtamqxv.exe
        
        "C:\Windows\system32\wtamqxv.exe"
        150⤵
        Adds Run key to start application
        
        PID:2420
        
        C:\Windows\SysWOW64\wgoqc.exe
        
        "C:\Windows\system32\wgoqc.exe"
        151⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\woxwgau.exe
        
        "C:\Windows\system32\woxwgau.exe"
        152⤵
        Adds Run key to start application
        
        PID:2892
        
        C:\Windows\SysWOW64\wbsjjy.exe
        
        "C:\Windows\system32\wbsjjy.exe"
        153⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\wvrphdb.exe
        
        "C:\Windows\system32\wvrphdb.exe"
        154⤵
        
        PID:884
        
        C:\Windows\SysWOW64\whqeyb.exe
        
        "C:\Windows\system32\whqeyb.exe"
        155⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Windows\SysWOW64\wplujhv.exe
        
        "C:\Windows\system32\wplujhv.exe"
        156⤵
        Adds Run key to start application
        
        PID:2300
        
        C:\Windows\SysWOW64\wghwxtms.exe
        
        "C:\Windows\system32\wghwxtms.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\wobmkb.exe
        
        "C:\Windows\system32\wobmkb.exe"
        158⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\wvrudfs.exe
        
        "C:\Windows\system32\wvrudfs.exe"
        159⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\wmun.exe
        
        "C:\Windows\system32\wmun.exe"
        160⤵
        Adds Run key to start application
        
        PID:2660
        
        C:\Windows\SysWOW64\wlcshqy.exe
        
        "C:\Windows\system32\wlcshqy.exe"
        161⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Windows\SysWOW64\wllgdn.exe
        
        "C:\Windows\system32\wllgdn.exe"
        162⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\wqitsyr.exe
        
        "C:\Windows\system32\wqitsyr.exe"
        163⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\wwsax.exe
        
        "C:\Windows\system32\wwsax.exe"
        164⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\wnsjf.exe
        
        "C:\Windows\system32\wnsjf.exe"
        165⤵
        
        PID:980
        
        C:\Windows\SysWOW64\wvmarbj.exe
        
        "C:\Windows\system32\wvmarbj.exe"
        166⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\wnmjypc.exe
        
        "C:\Windows\system32\wnmjypc.exe"
        167⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\wpvumes.exe
        
        "C:\Windows\system32\wpvumes.exe"
        168⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\whve.exe
        
        "C:\Windows\system32\whve.exe"
        169⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\wofk.exe
        
        "C:\Windows\system32\wofk.exe"
        170⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\wgskalo.exe
        
        "C:\Windows\system32\wgskalo.exe"
        171⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\wxpgsjq.exe
        
        "C:\Windows\system32\wxpgsjq.exe"
        172⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\wmaag.exe
        
        "C:\Windows\system32\wmaag.exe"
        173⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpgsjq.exe"
        173⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgskalo.exe"
        172⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofk.exe"
        171⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whve.exe"
        170⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvumes.exe"
        169⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmjypc.exe"
        168⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmarbj.exe"
        167⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsjf.exe"
        166⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsax.exe"
        165⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqitsyr.exe"
        164⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllgdn.exe"
        163⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcshqy.exe"
        162⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmun.exe"
        161⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrudfs.exe"
        160⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobmkb.exe"
        159⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghwxtms.exe"
        158⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplujhv.exe"
        157⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqeyb.exe"
        156⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrphdb.exe"
        155⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsjjy.exe"
        154⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxwgau.exe"
        153⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgoqc.exe"
        152⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtamqxv.exe"
        151⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfwfp.exe"
        150⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgtpsq.exe"
        149⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbniltil.exe"
        148⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvrcyotm.exe"
        147⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwsu.exe"
        146⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwxnxas.exe"
        145⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnrhph.exe"
        144⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumhad.exe"
        143⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjuuwefd.exe"
        142⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whklioog.exe"
        141⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybfdiu.exe"
        140⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvruotg.exe"
        139⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasoqo.exe"
        138⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosaaq.exe"
        137⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjuv.exe"
        136⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxyhusf.exe"
        135⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloqrfej.exe"
        134⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuyqs.exe"
        133⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiacb.exe"
        132⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrarthkv.exe"
        131⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfeqj.exe"
        130⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvvdt.exe"
        129⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvayeo.exe"
        128⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemfqyai.exe"
        127⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnnuimguo.exe"
        126⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wayqyp.exe"
        125⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpk.exe"
        124⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptqysgnn.exe"
        123⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikltmn.exe"
        122⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicxwoat.exe"
        121⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgroialxh.exe"
        120⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksijv.exe"
        119⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyrxnjsd.exe"
        118⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjmor.exe"
        117⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntbn.exe"
        116⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnwkjv.exe"
        115⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikbcvmfc.exe"
        114⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weupbjox.exe"
        113⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakfntxc.exe"
        112⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstxtp.exe"
        111⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbiiitgp.exe"
        110⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvjweca.exe"
        109⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtctlxx.exe"
        108⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimqbbso.exe"
        107⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrsycv.exe"
        106⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbclgx.exe"
        105⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcegswrt.exe"
        104⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdbqv.exe"
        103⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqaipf.exe"
        102⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffv.exe"
        101⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvibnag.exe"
        100⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgprskvp.exe"
        99⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkyrty.exe"
        98⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmvc.exe"
        97⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksgppt.exe"
        96⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsca.exe"
        95⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpngkrc.exe"
        94⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrnb.exe"
        93⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwtgfmi.exe"
        92⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgidrp.exe"
        91⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcijwekt.exe"
        90⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxdrwq.exe"
        89⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigpoahr.exe"
        88⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyblejk.exe"
        87⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopvgxp.exe"
        86⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltbki.exe"
        85⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylypkrnr.exe"
        84⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wretjda.exe"
        83⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjexw.exe"
        82⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlypbx.exe"
        81⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgbqtkd.exe"
        80⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpaod.exe"
        79⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waixrgx.exe"
        78⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxglapyl.exe"
        77⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiccdk.exe"
        76⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxpggxg.exe"
        75⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmd.exe"
        74⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdusosava.exe"
        73⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwsgd.exe"
        72⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbdlvd.exe"
        71⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewhowfe.exe"
        70⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdscq.exe"
        69⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcldkdac.exe"
        68⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxucpvneq.exe"
        67⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctuqqq.exe"
        66⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqy.exe"
        65⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbbnmk.exe"
        64⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhpkndqb.exe"
        63⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woijlhf.exe"
        62⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyyxspq.exe"
        61⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewgyndiu.exe"
        60⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexeipb.exe"
        59⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkondksv.exe"
        58⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxfjfr.exe"
        57⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnof.exe"
        56⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfiy.exe"
        55⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyot.exe"
        54⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wini.exe"
        53⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmampfo.exe"
        52⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnw.exe"
        51⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdot.exe"
        50⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwrlg.exe"
        49⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrty.exe"
        48⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpegte.exe"
        47⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whiwuq.exe"
        46⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wreer.exe"
        45⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyibeokoo.exe"
        44⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjprkyxjy.exe"
        43⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsigpmvk.exe"
        42⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woawcxgn.exe"
        41⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmf.exe"
        40⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wve.exe"
        39⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugpivlv.exe"
        38⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwjeqrk.exe"
        37⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvtntal.exe"
        36⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphqex.exe"
        35⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wperm.exe"
        34⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivl.exe"
        33⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwb.exe"
        32⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqmn.exe"
        31⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapkpxae.exe"
        30⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpwy.exe"
        29⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqqavl.exe"
        28⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkubop.exe"
        27⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhbnc.exe"
        26⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgogn.exe"
        25⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrndcpw.exe"
        24⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsoanrud.exe"
        23⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcdg.exe"
        22⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutytv.exe"
        21⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplqfh.exe"
        20⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbd.exe"
        19⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsalm.exe"
        18⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsyoinp.exe"
        17⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifcf.exe"
        16⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvlocp.exe"
        15⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscfoa.exe"
        14⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwidvska.exe"
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtywuiaxt.exe"
        12⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxnmtfi.exe"
        11⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyv.exe"
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmu.exe"
        9⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpbtxt.exe"
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbelgrun.exe"
        7⤵
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshbap.exe"
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhmks.exe"
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqusu.exe"
      4⤵
      PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxmpkot.exe"
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe"
  2⤵
  - Deletes itself
  PID:2684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "871999805-1519496292-10763930612508814911875147148177177873720847626101077172041"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1455794944-147588536115139820691772243899826438896172800062414427581482072827146"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17387948711939818668-171415963-1710090761-81952556-1937881609-1116888812-2020019405"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-768892827546617701-1309761134-1731642905-12745685002087299961-16746571251242211323"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19140102661277263089-8526750112141243371-236955183901163522347653691-1411440211"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2145655078-1516698452-9377827013871920145005595722120981512-19019814641577470997"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1941674508-1771370271792526691-8850782271166833846-97809194306293987-639780482"
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BLJ1CU0D.txt

Filesize
98B

MD5
c9ff9c9adbb8dedcf647619d4afb672c

SHA1
5e82651cac318c6bfd8d8ea173b641f6cb7b5075

SHA256
c2760837aa71f64f617777d96da02069c7e0a496ff158bf7550827429e516e60

SHA512
341eb3adb5f93d2ab79314cd6d71b8bd6e7310deadff8021941d5e3fe44096726ee9f991a706df48065b9cccc790a30b601ef542b461c9bd78826868877f4fbc

Download Submit
C:\Windows\SysWOW64\wfhmks.exe

Filesize
92KB

MD5
6bb869d719db0cba9f626a8687b4e15c

SHA1
da43751a2fed0bd1cc072835642a7192294f5f26

SHA256
48cfa3079af8f802487ac3be45b2532e1279b259b9ed0d1a6f25c8b4fe155a65

SHA512
9954830f7e28b82506a26c88355fab7813e70027c37da2a0f2d7c6004a5d130ad2b48c24694edf6ffd83bda2fa2ad3f0ce288363646707d6e5632044820e6c09

Download Submit
\Windows\SysWOW64\wbelgrun.exe

Filesize
92KB

MD5
0e5c163de7e54dc42f4f7cbc0eca27b8

SHA1
35a2ea19bb80b685cbc46f8c157b564322a51663

SHA256
efa097a94c389c7e1cfbd5a1f35fcd5002e754bea4cea5390ba1a6c46109aa45

SHA512
1499b40998b26a1ad0cd92db142bf101ceef0d82c1a0b18b821973a12edfda21ba5d09aaab9be7172f718f81eae916b6a612c0498957aa772a15770b510afc34

Download Submit
\Windows\SysWOW64\wdxnmtfi.exe

Filesize
92KB

MD5
34ded03edc7495c99e7cb5e37a71c44d

SHA1
2367403bb1824c4fcecc7c2c70e7130757b99b23

SHA256
34b929a275b3381b9380a3a0e0c80ea8fd6733c141adbc5fcea88a611666d51d

SHA512
652a5bb75b145d6e3ca98a7583d59fd9dda3197207ae0bdd507c900991dec266f4bf068eb294c9b36f669983f3cccad8e090ee633195355e19828013c3d22d87

Download Submit
\Windows\SysWOW64\wgpbtxt.exe

Filesize
92KB

MD5
a6ea82e4546507dbea8718f156ffa02e

SHA1
beb2eced04d5dda61128f5bc2de47dfea6fcac8b

SHA256
5fab866ac351473dd5d67085e7b53c0591436cb4d11f1a5a40563793f0c03051

SHA512
990bcb306eeedf832966ea4697333966faa8a5ddc679f2c57caf78ec41e0f1565ff2a6e3ab829781f7483776161076cae3a7be0c7d19904a0982c024d72f9456

Download Submit
\Windows\SysWOW64\wjwidvska.exe

Filesize
92KB

MD5
0da17f3d817fe5190e5297a7949953a9

SHA1
8b61cae2ac5f227b6dc82132a1088c70a91f156b

SHA256
d7dd447dd46dd72651cb0953b90899f6f5b0127fe6e7aec975839b9a2fe92ac3

SHA512
a70ea04f1862eb8b11ea8ba1c83cfa907f49c70e2827fdd2ce90520ed6cadffa3015fa175efed4eadbd5f6daf669a1240069299e372bad1330455ec8884332ac

Download Submit
\Windows\SysWOW64\wmu.exe

Filesize
92KB

MD5
629a38c377b4f95b80e2169ea21e473f

SHA1
d19d30a0abded13032fdd660075eecff24f183cc

SHA256
73099f294a439f15e31355cc18b418783b9974c3c3d53195f2e73bb8c643f615

SHA512
92f5c5209632e3d52892b821d22b305adc795f60e260222519a98934b3e0550f1f0ee6c612fc26f1af4c6385e90cd2ca8315222e1bd84ef8536c74f8d58f5716

Download Submit
\Windows\SysWOW64\wqusu.exe

Filesize
92KB

MD5
0c16d5ed0f509135411368077c0c74ac

SHA1
f911c14ddb2df155a75f4660b8aff0d36aa77ccf

SHA256
9c729e63af78b5683bf55704fefc6f4c433aa49e29c5d0eca3a3e91e1358f5a5

SHA512
ebe28f14d24e50b3fafb89aefb3bd18d1d17e5f0df9abef140159b49ca555e9eb8baf935c5ff67d4b515c53983806c4021329fee3639e19f4bd0177b0d1633b2

Download Submit
\Windows\SysWOW64\wqxmpkot.exe

Filesize
92KB

MD5
1834246f23844fa16ab35ee324ffa650

SHA1
555e2fdc0c76791a40ae802683ea5c2147867041

SHA256
6aaff57bceb921828c82d284128553d9bb4fed401808a15788b97513bccb3a5c

SHA512
bcf2dc6d1631a061bb94c74969ddc4ad747ef81219aca424f14c1804c77bcf9f9efeb74a0d7e6c5562d80ea2337d04028bef83ee7386932741625543d80e5270

Download Submit
\Windows\SysWOW64\wshbap.exe

Filesize
92KB

MD5
64ed5dab5b041cacda87359bce16559f

SHA1
bc9c1e22258999f496717427a4db6c6240c00303

SHA256
79862f9f952c614b0ff6eaf08de5734575f99f0e1d360bb80671c7ddaec63a1a

SHA512
2fc56da68356bd72bbc4e8be5f80b4cd27f8bd682b6fe24544b918051ca12fcb0ca1aebf81a868432e622526bf9f94d5984b8e547fbd53b8ed0cd36fc840d092

Download Submit
\Windows\SysWOW64\wyv.exe

Filesize
92KB

MD5
21e043c7d286250c160d6b33bb5a2e2e

SHA1
78294edc2944cc2a951cb46e31a8f24edc80f7bf

SHA256
de2a8565e28fd0fc85475ae6185bd533e413e554d3ada81bb5b75ef27c4490e8

SHA512
1c27f9fc21bd236a0a306ce1cd692e91a5fe323ca03250f58fadb04e59fc4293092dc6de36383ecad03e4a9c64575cd451ef31f5577ab4031d4c8cda03fe640e

Download Submit
memory/572-403-0x0000000003750000-0x0000000003768000-memory.dmp

Filesize
96KB

Download
memory/572-405-0x0000000003760000-0x0000000003778000-memory.dmp

Filesize
96KB

Download
memory/572-406-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/572-390-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/572-404-0x0000000003760000-0x0000000003778000-memory.dmp

Filesize
96KB

Download
memory/768-109-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/768-127-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/768-130-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/768-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/808-279-0x0000000003840000-0x0000000003858000-memory.dmp

Filesize
96KB

Download
memory/808-281-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/808-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/808-265-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1076-327-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1076-326-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/1076-318-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1076-324-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/1076-319-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1408-203-0x0000000003670000-0x0000000003688000-memory.dmp

Filesize
96KB

Download
memory/1408-202-0x0000000003670000-0x0000000003688000-memory.dmp

Filesize
96KB

Download
memory/1408-931-0x0000000076C10000-0x0000000076D0A000-memory.dmp

Filesize
1000KB

Download
memory/1408-930-0x0000000076D10000-0x0000000076E2F000-memory.dmp

Filesize
1.1MB

Download
memory/1408-206-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1576-296-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1576-280-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1576-295-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/1576-294-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1612-21-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/1612-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1612-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1612-11-0x00000000031E0000-0x00000000031F8000-memory.dmp

Filesize
96KB

Download
memory/1612-18-0x00000000031E0000-0x00000000031F8000-memory.dmp

Filesize
96KB

Download
memory/1816-340-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/1816-325-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1816-341-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1816-339-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1984-266-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1984-267-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1984-262-0x0000000003370000-0x0000000003388000-memory.dmp

Filesize
96KB

Download
memory/1984-263-0x0000000003370000-0x0000000003388000-memory.dmp

Filesize
96KB

Download
memory/2044-153-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2044-174-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2044-175-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/2044-166-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/2100-189-0x0000000003C80000-0x0000000003C98000-memory.dmp

Filesize
96KB

Download
memory/2100-196-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2100-190-0x0000000003D80000-0x0000000003D98000-memory.dmp

Filesize
96KB

Download
memory/2172-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2172-83-0x0000000003BC0000-0x0000000003BD8000-memory.dmp

Filesize
96KB

Download
memory/2172-82-0x0000000003BB0000-0x0000000003BC8000-memory.dmp

Filesize
96KB

Download
memory/2172-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2212-108-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2212-105-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/2212-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2428-391-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2428-386-0x00000000031A0000-0x00000000031B8000-memory.dmp

Filesize
96KB

Download
memory/2428-387-0x00000000031A0000-0x00000000031B8000-memory.dmp

Filesize
96KB

Download
memory/2428-388-0x0000000003340000-0x0000000003358000-memory.dmp

Filesize
96KB

Download
memory/2428-389-0x0000000003340000-0x0000000003358000-memory.dmp

Filesize
96KB

Download
memory/2428-374-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2484-416-0x0000000003D60000-0x0000000003D78000-memory.dmp

Filesize
96KB

Download
memory/2484-407-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2632-354-0x0000000003EB0000-0x0000000003EC8000-memory.dmp

Filesize
96KB

Download
memory/2632-353-0x0000000003EB0000-0x0000000003EC8000-memory.dmp

Filesize
96KB

Download
memory/2632-357-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2632-356-0x0000000003EB0000-0x0000000003EC0000-memory.dmp

Filesize
64KB

Download
memory/2636-371-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/2636-372-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/2636-369-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/2636-355-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2636-370-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/2636-373-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2656-148-0x0000000003AB0000-0x0000000003AC8000-memory.dmp

Filesize
96KB

Download
memory/2656-149-0x0000000003AC0000-0x0000000003AD8000-memory.dmp

Filesize
96KB

Download
memory/2656-150-0x0000000003AC0000-0x0000000003AD8000-memory.dmp

Filesize
96KB

Download
memory/2656-154-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2656-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2888-60-0x0000000003C30000-0x0000000003C48000-memory.dmp

Filesize
96KB

Download
memory/2888-61-0x0000000003C30000-0x0000000003C48000-memory.dmp

Filesize
96KB

Download
memory/2888-41-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2888-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2936-223-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/2936-216-0x0000000003680000-0x0000000003698000-memory.dmp

Filesize
96KB

Download
memory/2936-264-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/2936-220-0x0000000003680000-0x0000000003698000-memory.dmp

Filesize
96KB

Download
memory/2936-222-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2936-204-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3008-309-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/3008-308-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/3008-310-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3044-235-0x0000000003B30000-0x0000000003B40000-memory.dmp

Filesize
64KB

Download
memory/3044-236-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3044-221-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3048-250-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3048-249-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3048-248-0x0000000003690000-0x00000000036A8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads