c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
Size

92KB
MD5

73e83cc5ee6460a28d3fa52a58355c6e
SHA1

e6f0d849188dabcfadfbe8cbde989f788fbb7253
SHA256

c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b
SHA512

0209897cbc02056d88657d331c374e465487a35170cc5c3f4ee265fb1a29cc50e147601d10bb6f894d0c4e05a6f099138ed537ba0b7e865337e4ecac277c84e3
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCi2:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQCD

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjkvwomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	watkrqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wsgqef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wkw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjsjrvbti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wfanjku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wnejgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wwqsno.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wkbqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wysdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wigenv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wadf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wthwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wkyers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wcyeatw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	webq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wbkpwnx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wrsy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wffavdmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wghvd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wkiqivkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wlqeracoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wbnsunx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wuymvq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wpjbvk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjdww.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wmoei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wxoviv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wacoeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wdamtj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wmphfqd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjefcil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wdnmnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wyfdwgwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wtijvnq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wypldh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjolemd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wrwh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wpwlpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wfhjvlqbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	weq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjjel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wmrofs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wnmikjyrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wsxmrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	whrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wfbgrir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wdyhs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wywokl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wnjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wbam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wvxxcip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wertpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wpma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wolxrpvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wtn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wpognsg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wjnov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wuwude.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wrebki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wkkljb.exe

Executes dropped EXE 64 IoCs

pid	Process
1656	wifltk.exe
2836	wbnsk.exe
4948	wbnsunx.exe
1716	wbam.exe
3948	wgue.exe
4412	wxxtkhp.exe
3020	wvxxcip.exe
3140	wnbnw.exe
1868	wmphfqd.exe
1984	wncapm.exe
1712	wneiri.exe
1540	wryye.exe
3356	wtijvnq.exe
3016	wkbqi.exe
680	wxeklta.exe
4616	wysdu.exe
4844	weck.exe
3988	wxqhtftu.exe
4912	wjyjqhox.exe
4488	wgcwd.exe
3316	wsgqef.exe
3368	wkigy.exe
4572	wkw.exe
1080	wnkoi.exe
8	wsxe.exe
1388	wpognsg.exe
5104	wblxdprye.exe
5052	wcbpnm.exe
768	wkmceq.exe
1192	wfaywv.exe
440	wjnov.exe
3644	wobexwi.exe
1080	wnowg.exe
2836	wjsjrvbti.exe
4496	wxdqas.exe
3188	wwr.exe
2772	wxtrn.exe
3948	wgqo.exe
4088	wsofbntwx.exe
4572	wfanjku.exe
4120	wwimx.exe
4228	wigenv.exe
3988	wewfqa.exe
1764	wypldh.exe
3808	wpma.exe
4092	wdyhs.exe
556	whlvsfb.exe
4188	wkj.exe
4144	wpvkb.exe
4812	wlonflrm.exe
3512	wymfvi.exe
4940	wptdi.exe
4180	wfq.exe
3188	wsmkgjge.exe
2800	wlfpsus.exe
3872	wxci.exe
3968	wjyay.exe
4444	wkcial.exe
3912	wnpxbysj.exe
3608	waxbww.exe
2204	weloxkkel.exe
1716	wolqiowy.exe
4736	webq.exe
4568	wit.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbam = "\"C:\\Windows\\SysWOW64\\wbam.exe\""	wbam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wahvayl = "\"C:\\Windows\\SysWOW64\\wahvayl.exe\""	wahvayl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbnsunx = "\"C:\\Windows\\SysWOW64\\wbnsunx.exe\""	wbnsunx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwdrmr = "\"C:\\Windows\\SysWOW64\\wwdrmr.exe\""	wwdrmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpognsg = "\"C:\\Windows\\SysWOW64\\wpognsg.exe\""	wpognsg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlfsq = "\"C:\\Windows\\SysWOW64\\wlfsq.exe\""	wlfsq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsxi = "\"C:\\Windows\\SysWOW64\\wsxi.exe\""	wsxi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuqjdl = "\"C:\\Windows\\SysWOW64\\wuqjdl.exe\""	wuqjdl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wysdu = "\"C:\\Windows\\SysWOW64\\wysdu.exe\""	wysdu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjyay = "\"C:\\Windows\\SysWOW64\\wjyay.exe\""	wjyay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnlgco = "\"C:\\Windows\\SysWOW64\\wnlgco.exe\""	wnlgco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmphfqd = "\"C:\\Windows\\SysWOW64\\wmphfqd.exe\""	wmphfqd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrebki = "\"C:\\Windows\\SysWOW64\\wrebki.exe\""	wrebki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wknwypff = "\"C:\\Windows\\SysWOW64\\wknwypff.exe\""	wknwypff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whrb = "\"C:\\Windows\\SysWOW64\\whrb.exe\""	whrb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcyeatw = "\"C:\\Windows\\SysWOW64\\wcyeatw.exe\""	wcyeatw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckkp = "\"C:\\Windows\\SysWOW64\\wckkp.exe\""	wckkp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgwgvb = "\"C:\\Windows\\SysWOW64\\wgwgvb.exe\""	wgwgvb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkkljb = "\"C:\\Windows\\SysWOW64\\wkkljb.exe\""	wkkljb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wryye = "\"C:\\Windows\\SysWOW64\\wryye.exe\""	wryye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrwh = "\"C:\\Windows\\SysWOW64\\wrwh.exe\""	wrwh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkyers = "\"C:\\Windows\\SysWOW64\\wkyers.exe\""	wkyers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfaywv = "\"C:\\Windows\\SysWOW64\\wfaywv.exe\""	wfaywv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnmikjyrj = "\"C:\\Windows\\SysWOW64\\wnmikjyrj.exe\""	wnmikjyrj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtijvnq = "\"C:\\Windows\\SysWOW64\\wtijvnq.exe\""	wtijvnq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsofbntwx = "\"C:\\Windows\\SysWOW64\\wsofbntwx.exe\""	wsofbntwx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfufhab = "\"C:\\Windows\\SysWOW64\\wfufhab.exe\""	wfufhab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woygsgus = "\"C:\\Windows\\SysWOW64\\woygsgus.exe\""	woygsgus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq = "\"C:\\Windows\\SysWOW64\\weq.exe\""	weq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmv = "\"C:\\Windows\\SysWOW64\\wmv.exe\""	wmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsgqef = "\"C:\\Windows\\SysWOW64\\wsgqef.exe\""	wsgqef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpgmps = "\"C:\\Windows\\SysWOW64\\wpgmps.exe\""	wpgmps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqlw = "\"C:\\Windows\\SysWOW64\\wqlw.exe\""	wqlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjjel = "\"C:\\Windows\\SysWOW64\\wjjel.exe\""	wjjel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wobexwi = "\"C:\\Windows\\SysWOW64\\wobexwi.exe\""	wobexwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlqeracoc = "\"C:\\Windows\\SysWOW64\\wlqeracoc.exe\""	wlqeracoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfelagd = "\"C:\\Windows\\SysWOW64\\wfelagd.exe\""	wfelagd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxtrn = "\"C:\\Windows\\SysWOW64\\wxtrn.exe\""	wxtrn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbvfqq = "\"C:\\Windows\\SysWOW64\\wbvfqq.exe\""	wbvfqq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wthwc = "\"C:\\Windows\\SysWOW64\\wthwc.exe\""	wthwc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblxdprye = "\"C:\\Windows\\SysWOW64\\wblxdprye.exe\""	wblxdprye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxdqas = "\"C:\\Windows\\SysWOW64\\wxdqas.exe\""	wxdqas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpn = "\"C:\\Windows\\SysWOW64\\wpn.exe\""	wpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wolxrpvs = "\"C:\\Windows\\SysWOW64\\wolxrpvs.exe\""	wolxrpvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdljf = "\"C:\\Windows\\SysWOW64\\wdljf.exe\""	wdljf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbkpwnx = "\"C:\\Windows\\SysWOW64\\wbkpwnx.exe\""	wbkpwnx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiukipa = "\"C:\\Windows\\SysWOW64\\wiukipa.exe\""	wiukipa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqkedqd = "\"C:\\Windows\\SysWOW64\\wqkedqd.exe\""	wqkedqd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkiqivkn = "\"C:\\Windows\\SysWOW64\\wkiqivkn.exe\""	wkiqivkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wit = "\"C:\\Windows\\SysWOW64\\wit.exe\""	wit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbtfgw = "\"C:\\Windows\\SysWOW64\\wbtfgw.exe\""	wbtfgw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjgaw = "\"C:\\Windows\\SysWOW64\\wjgaw.exe\""	wjgaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\watkrqf = "\"C:\\Windows\\SysWOW64\\watkrqf.exe\""	watkrqf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgxrux = "\"C:\\Windows\\SysWOW64\\wgxrux.exe\""	wgxrux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgqo = "\"C:\\Windows\\SysWOW64\\wgqo.exe\""	wgqo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtbpa = "\"C:\\Windows\\SysWOW64\\wtbpa.exe\""	wtbpa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdbulw = "\"C:\\Windows\\SysWOW64\\wdbulw.exe\""	wdbulw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgcwd = "\"C:\\Windows\\SysWOW64\\wgcwd.exe\""	wgcwd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wffavdmt = "\"C:\\Windows\\SysWOW64\\wffavdmt.exe\""	wffavdmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfq = "\"C:\\Windows\\SysWOW64\\wfq.exe\""	wfq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wox = "\"C:\\Windows\\SysWOW64\\wox.exe\""	wox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjaovluy = "\"C:\\Windows\\SysWOW64\\wjaovluy.exe\""	wjaovluy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkj = "\"C:\\Windows\\SysWOW64\\wkj.exe\""	wkj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfsp = "\"C:\\Windows\\SysWOW64\\wfsp.exe\""	wfsp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wgcwd.exe	wjyjqhox.exe
File opened for modification	C:\Windows\SysWOW64\wtkpyee.exe	whyhqh.exe
File opened for modification	C:\Windows\SysWOW64\wnruc.exe	wjefcil.exe
File created	C:\Windows\SysWOW64\weq.exe	wrebki.exe
File created	C:\Windows\SysWOW64\wnkoi.exe	wkw.exe
File opened for modification	C:\Windows\SysWOW64\wymfvi.exe	wlonflrm.exe
File created	C:\Windows\SysWOW64\wrwh.exe	wjkvwomf.exe
File created	C:\Windows\SysWOW64\whrb.exe	wdpwof.exe
File created	C:\Windows\SysWOW64\wgwgvb.exe	wbkpwnx.exe
File opened for modification	C:\Windows\SysWOW64\wkw.exe	wkigy.exe
File created	C:\Windows\SysWOW64\wjsjrvbti.exe	wnowg.exe
File created	C:\Windows\SysWOW64\wjgaw.exe	wsjlpf.exe
File created	C:\Windows\SysWOW64\wsuo.exe	wjjel.exe
File opened for modification	C:\Windows\SysWOW64\wnowg.exe	wobexwi.exe
File opened for modification	C:\Windows\SysWOW64\wlqeracoc.exe	wdeta.exe
File created	C:\Windows\SysWOW64\wwgdukcn.exe	wkj.exe
File opened for modification	C:\Windows\SysWOW64\wkigy.exe	wsgqef.exe
File created	C:\Windows\SysWOW64\wpfab.exe	wexy.exe
File opened for modification	C:\Windows\SysWOW64\wbkpwnx.exe	wtn.exe
File opened for modification	C:\Windows\SysWOW64\waxbww.exe	wnpxbysj.exe
File opened for modification	C:\Windows\SysWOW64\wpct.exe	wtksx.exe
File opened for modification	C:\Windows\SysWOW64\wnbag.exe	wjolemd.exe
File created	C:\Windows\SysWOW64\wmme.exe	wrsy.exe
File opened for modification	C:\Windows\SysWOW64\wdamtj.exe	wmrofs.exe
File created	C:\Windows\SysWOW64\wbnsunx.exe	wbnsk.exe
File created	C:\Windows\SysWOW64\wxqhtftu.exe	weck.exe
File created	C:\Windows\SysWOW64\wuymvq.exe	wqlw.exe
File opened for modification	C:\Windows\SysWOW64\wpjbvk.exe	wdljf.exe
File created	C:\Windows\SysWOW64\wfhjvlqbd.exe	wfsp.exe
File opened for modification	C:\Windows\SysWOW64\wsgqef.exe	wgcwd.exe
File opened for modification	C:\Windows\SysWOW64\wpgmps.exe	wbtfgw.exe
File opened for modification	C:\Windows\SysWOW64\wuwude.exe	wqkedqd.exe
File created	C:\Windows\SysWOW64\wexy.exe	wlfsq.exe
File opened for modification	C:\Windows\SysWOW64\wysdu.exe	wxeklta.exe
File created	C:\Windows\SysWOW64\wclsyesl.exe	wsxi.exe
File opened for modification	C:\Windows\SysWOW64\wdiifxg.exe	wmbk.exe
File created	C:\Windows\SysWOW64\wfjfe.exe	wghvd.exe
File created	C:\Windows\SysWOW64\wbam.exe	wbnsunx.exe
File created	C:\Windows\SysWOW64\wryye.exe	wneiri.exe
File opened for modification	C:\Windows\SysWOW64\wjdww.exe	wjaovluy.exe
File created	C:\Windows\SysWOW64\wertpl.exe	wjdww.exe
File opened for modification	C:\Windows\SysWOW64\wkmceq.exe	wcbpnm.exe
File created	C:\Windows\SysWOW64\wkj.exe	whlvsfb.exe
File created	C:\Windows\SysWOW64\wymfvi.exe	wlonflrm.exe
File opened for modification	C:\Windows\SysWOW64\wfjfe.exe	wghvd.exe
File opened for modification	C:\Windows\SysWOW64\wnbnw.exe	wvxxcip.exe
File created	C:\Windows\SysWOW64\wneiri.exe	wncapm.exe
File created	C:\Windows\SysWOW64\wkigy.exe	wsgqef.exe
File created	C:\Windows\SysWOW64\wountd.exe	wgxrux.exe
File opened for modification	C:\Windows\SysWOW64\wfbgrir.exe	wiiemfaq.exe
File opened for modification	C:\Windows\SysWOW64\wthwc.exe	wnjc.exe
File created	C:\Windows\SysWOW64\wtvqvxctx.exe	wpjbvk.exe
File opened for modification	C:\Windows\SysWOW64\wacoeb.exe	wigb.exe
File opened for modification	C:\Windows\SysWOW64\wmme.exe	wrsy.exe
File created	C:\Windows\SysWOW64\wbnsk.exe	wifltk.exe
File opened for modification	C:\Windows\SysWOW64\wnmikjyrj.exe	wapo.exe
File created	C:\Windows\SysWOW64\wnjc.exe	wevql.exe
File created	C:\Windows\SysWOW64\wnbag.exe	wjolemd.exe
File created	C:\Windows\SysWOW64\wjaovluy.exe	wancegwp.exe
File opened for modification	C:\Windows\SysWOW64\wkbqi.exe	wtijvnq.exe
File opened for modification	C:\Windows\SysWOW64\wahcliu.exe	wpfab.exe
File created	C:\Windows\SysWOW64\wkyers.exe	wxoviv.exe
File created	C:\Windows\SysWOW64\wcjcskhe.exe	wox.exe
File opened for modification	C:\Windows\SysWOW64\wjyjqhox.exe	wxqhtftu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
2320	1656	WerFault.exe	86
1716	5052	WerFault.exe	181
2528	2204	WerFault.exe	284
1984	2844	WerFault.exe	408
4228	2292	WerFault.exe	419
2072	1468	WerFault.exe	448
2292	668	WerFault.exe	480
2312	2872	WerFault.exe	597
4648	4060	WerFault.exe	659
2528	4944	WerFault.exe	708

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1656	2864	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	86
PID 2864 wrote to memory of 1656	2864	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	86
PID 2864 wrote to memory of 1656	2864	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	86
PID 2864 wrote to memory of 1928	2864	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	88
PID 2864 wrote to memory of 1928	2864	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	88
PID 2864 wrote to memory of 1928	2864	c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe	88
PID 1656 wrote to memory of 2836	1656	wifltk.exe	95
PID 1656 wrote to memory of 2836	1656	wifltk.exe	95
PID 1656 wrote to memory of 2836	1656	wifltk.exe	95
PID 1656 wrote to memory of 4084	1656	wifltk.exe	96
PID 1656 wrote to memory of 4084	1656	wifltk.exe	96
PID 1656 wrote to memory of 4084	1656	wifltk.exe	96
PID 2836 wrote to memory of 4948	2836	wbnsk.exe	103
PID 2836 wrote to memory of 4948	2836	wbnsk.exe	103
PID 2836 wrote to memory of 4948	2836	wbnsk.exe	103
PID 2836 wrote to memory of 4476	2836	wbnsk.exe	104
PID 2836 wrote to memory of 4476	2836	wbnsk.exe	104
PID 2836 wrote to memory of 4476	2836	wbnsk.exe	104
PID 4948 wrote to memory of 1716	4948	wbnsunx.exe	106
PID 4948 wrote to memory of 1716	4948	wbnsunx.exe	106
PID 4948 wrote to memory of 1716	4948	wbnsunx.exe	106
PID 4948 wrote to memory of 4436	4948	wbnsunx.exe	107
PID 4948 wrote to memory of 4436	4948	wbnsunx.exe	107
PID 4948 wrote to memory of 4436	4948	wbnsunx.exe	107
PID 1716 wrote to memory of 3948	1716	wbam.exe	109
PID 1716 wrote to memory of 3948	1716	wbam.exe	109
PID 1716 wrote to memory of 3948	1716	wbam.exe	109
PID 1716 wrote to memory of 212	1716	wbam.exe	110
PID 1716 wrote to memory of 212	1716	wbam.exe	110
PID 1716 wrote to memory of 212	1716	wbam.exe	110
PID 3948 wrote to memory of 4412	3948	wgue.exe	112
PID 3948 wrote to memory of 4412	3948	wgue.exe	112
PID 3948 wrote to memory of 4412	3948	wgue.exe	112
PID 3948 wrote to memory of 768	3948	wgue.exe	113
PID 3948 wrote to memory of 768	3948	wgue.exe	113
PID 3948 wrote to memory of 768	3948	wgue.exe	113
PID 4412 wrote to memory of 3020	4412	wxxtkhp.exe	116
PID 4412 wrote to memory of 3020	4412	wxxtkhp.exe	116
PID 4412 wrote to memory of 3020	4412	wxxtkhp.exe	116
PID 4412 wrote to memory of 4524	4412	wxxtkhp.exe	117
PID 4412 wrote to memory of 4524	4412	wxxtkhp.exe	117
PID 4412 wrote to memory of 4524	4412	wxxtkhp.exe	117
PID 3020 wrote to memory of 3140	3020	wvxxcip.exe	119
PID 3020 wrote to memory of 3140	3020	wvxxcip.exe	119
PID 3020 wrote to memory of 3140	3020	wvxxcip.exe	119
PID 3020 wrote to memory of 556	3020	wvxxcip.exe	120
PID 3020 wrote to memory of 556	3020	wvxxcip.exe	120
PID 3020 wrote to memory of 556	3020	wvxxcip.exe	120
PID 3140 wrote to memory of 1868	3140	wnbnw.exe	122
PID 3140 wrote to memory of 1868	3140	wnbnw.exe	122
PID 3140 wrote to memory of 1868	3140	wnbnw.exe	122
PID 3140 wrote to memory of 2584	3140	wnbnw.exe	123
PID 3140 wrote to memory of 2584	3140	wnbnw.exe	123
PID 3140 wrote to memory of 2584	3140	wnbnw.exe	123
PID 1868 wrote to memory of 1984	1868	wmphfqd.exe	126
PID 1868 wrote to memory of 1984	1868	wmphfqd.exe	126
PID 1868 wrote to memory of 1984	1868	wmphfqd.exe	126
PID 1868 wrote to memory of 1656	1868	wmphfqd.exe	127
PID 1868 wrote to memory of 1656	1868	wmphfqd.exe	127
PID 1868 wrote to memory of 1656	1868	wmphfqd.exe	127
PID 1984 wrote to memory of 1712	1984	wncapm.exe	129
PID 1984 wrote to memory of 1712	1984	wncapm.exe	129
PID 1984 wrote to memory of 1712	1984	wncapm.exe	129
PID 1984 wrote to memory of 4564	1984	wncapm.exe	130

C:\Users\Admin\AppData\Local\Temp\c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe
"C:\Users\Admin\AppData\Local\Temp\c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\wifltk.exe
  "C:\Windows\system32\wifltk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\wbnsk.exe
    "C:\Windows\system32\wbnsk.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\wbnsunx.exe
      "C:\Windows\system32\wbnsunx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\wbam.exe
        
        "C:\Windows\system32\wbam.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\SysWOW64\wgue.exe
        
        "C:\Windows\system32\wgue.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\wxxtkhp.exe
        
        "C:\Windows\system32\wxxtkhp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\wvxxcip.exe
        
        "C:\Windows\system32\wvxxcip.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\wnbnw.exe
        
        "C:\Windows\system32\wnbnw.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\wmphfqd.exe
        
        "C:\Windows\system32\wmphfqd.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\wncapm.exe
        
        "C:\Windows\system32\wncapm.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\wneiri.exe
        
        "C:\Windows\system32\wneiri.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\wryye.exe
        
        "C:\Windows\system32\wryye.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1540
        
        C:\Windows\SysWOW64\wtijvnq.exe
        
        "C:\Windows\system32\wtijvnq.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\wkbqi.exe
        
        "C:\Windows\system32\wkbqi.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\wxeklta.exe
        
        "C:\Windows\system32\wxeklta.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\wysdu.exe
        
        "C:\Windows\system32\wysdu.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4616
        
        C:\Windows\SysWOW64\weck.exe
        
        "C:\Windows\system32\weck.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\wxqhtftu.exe
        
        "C:\Windows\system32\wxqhtftu.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\wjyjqhox.exe
        
        "C:\Windows\system32\wjyjqhox.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\wgcwd.exe
        
        "C:\Windows\system32\wgcwd.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\wsgqef.exe
        
        "C:\Windows\system32\wsgqef.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\wkigy.exe
        
        "C:\Windows\system32\wkigy.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\wkw.exe
        
        "C:\Windows\system32\wkw.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\wnkoi.exe
        
        "C:\Windows\system32\wnkoi.exe"
        25⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\wsxe.exe
        
        "C:\Windows\system32\wsxe.exe"
        26⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\wpognsg.exe
        
        "C:\Windows\system32\wpognsg.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1388
        
        C:\Windows\SysWOW64\wblxdprye.exe
        
        "C:\Windows\system32\wblxdprye.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5104
        
        C:\Windows\SysWOW64\wcbpnm.exe
        
        "C:\Windows\system32\wcbpnm.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\wkmceq.exe
        
        "C:\Windows\system32\wkmceq.exe"
        30⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\wfaywv.exe
        
        "C:\Windows\system32\wfaywv.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1192
        
        C:\Windows\SysWOW64\wjnov.exe
        
        "C:\Windows\system32\wjnov.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\wobexwi.exe
        
        "C:\Windows\system32\wobexwi.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\wnowg.exe
        
        "C:\Windows\system32\wnowg.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\wjsjrvbti.exe
        
        "C:\Windows\system32\wjsjrvbti.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\wxdqas.exe
        
        "C:\Windows\system32\wxdqas.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4496
        
        C:\Windows\SysWOW64\wwr.exe
        
        "C:\Windows\system32\wwr.exe"
        37⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\wxtrn.exe
        
        "C:\Windows\system32\wxtrn.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2772
        
        C:\Windows\SysWOW64\wgqo.exe
        
        "C:\Windows\system32\wgqo.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3948
        
        C:\Windows\SysWOW64\wsofbntwx.exe
        
        "C:\Windows\system32\wsofbntwx.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4088
        
        C:\Windows\SysWOW64\wfanjku.exe
        
        "C:\Windows\system32\wfanjku.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\wwimx.exe
        
        "C:\Windows\system32\wwimx.exe"
        42⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\wigenv.exe
        
        "C:\Windows\system32\wigenv.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\wewfqa.exe
        
        "C:\Windows\system32\wewfqa.exe"
        44⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\wypldh.exe
        
        "C:\Windows\system32\wypldh.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\wpma.exe
        
        "C:\Windows\system32\wpma.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\wdyhs.exe
        
        "C:\Windows\system32\wdyhs.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\whlvsfb.exe
        
        "C:\Windows\system32\whlvsfb.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\wkj.exe
        
        "C:\Windows\system32\wkj.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\wpvkb.exe
        
        "C:\Windows\system32\wpvkb.exe"
        50⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\wlonflrm.exe
        
        "C:\Windows\system32\wlonflrm.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wymfvi.exe
        
        "C:\Windows\system32\wymfvi.exe"
        52⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\wptdi.exe
        
        "C:\Windows\system32\wptdi.exe"
        53⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\wfq.exe
        
        "C:\Windows\system32\wfq.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4180
        
        C:\Windows\SysWOW64\wsmkgjge.exe
        
        "C:\Windows\system32\wsmkgjge.exe"
        55⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\wlfpsus.exe
        
        "C:\Windows\system32\wlfpsus.exe"
        56⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\wxci.exe
        
        "C:\Windows\system32\wxci.exe"
        57⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\wjyay.exe
        
        "C:\Windows\system32\wjyay.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3968
        
        C:\Windows\SysWOW64\wkcial.exe
        
        "C:\Windows\system32\wkcial.exe"
        59⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\wnpxbysj.exe
        
        "C:\Windows\system32\wnpxbysj.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\waxbww.exe
        
        "C:\Windows\system32\waxbww.exe"
        61⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\weloxkkel.exe
        
        "C:\Windows\system32\weloxkkel.exe"
        62⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\wolqiowy.exe
        
        "C:\Windows\system32\wolqiowy.exe"
        63⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\webq.exe
        
        "C:\Windows\system32\webq.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\wit.exe
        
        "C:\Windows\system32\wit.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4568
        
        C:\Windows\SysWOW64\wbtfgw.exe
        
        "C:\Windows\system32\wbtfgw.exe"
        66⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\wpgmps.exe
        
        "C:\Windows\system32\wpgmps.exe"
        67⤵
        Adds Run key to start application
        
        PID:1928
        
        C:\Windows\SysWOW64\wadf.exe
        
        "C:\Windows\system32\wadf.exe"
        68⤵
        Checks computer location settings
        
        PID:1704
        
        C:\Windows\SysWOW64\wnlgco.exe
        
        "C:\Windows\system32\wnlgco.exe"
        69⤵
        Adds Run key to start application
        
        PID:2112
        
        C:\Windows\SysWOW64\wywokl.exe
        
        "C:\Windows\system32\wywokl.exe"
        70⤵
        Checks computer location settings
        
        PID:804
        
        C:\Windows\SysWOW64\wiukipa.exe
        
        "C:\Windows\system32\wiukipa.exe"
        71⤵
        Adds Run key to start application
        
        PID:4344
        
        C:\Windows\SysWOW64\wuhrrmb.exe
        
        "C:\Windows\system32\wuhrrmb.exe"
        72⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\wqkedqd.exe
        
        "C:\Windows\system32\wqkedqd.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\wuwude.exe
        
        "C:\Windows\system32\wuwude.exe"
        74⤵
        Checks computer location settings
        
        PID:2236
        
        C:\Windows\SysWOW64\wlfsq.exe
        
        "C:\Windows\system32\wlfsq.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\wexy.exe
        
        "C:\Windows\system32\wexy.exe"
        76⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\wpfab.exe
        
        "C:\Windows\system32\wpfab.exe"
        77⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\wahcliu.exe
        
        "C:\Windows\system32\wahcliu.exe"
        78⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\wmoei.exe
        
        "C:\Windows\system32\wmoei.exe"
        79⤵
        Checks computer location settings
        
        PID:1952
        
        C:\Windows\SysWOW64\wtbpa.exe
        
        "C:\Windows\system32\wtbpa.exe"
        80⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Windows\SysWOW64\whyhqh.exe
        
        "C:\Windows\system32\whyhqh.exe"
        81⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\wtkpyee.exe
        
        "C:\Windows\system32\wtkpyee.exe"
        82⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\wsxi.exe
        
        "C:\Windows\system32\wsxi.exe"
        83⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\wclsyesl.exe
        
        "C:\Windows\system32\wclsyesl.exe"
        84⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\wcxlib.exe
        
        "C:\Windows\system32\wcxlib.exe"
        85⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\wdbulw.exe
        
        "C:\Windows\system32\wdbulw.exe"
        86⤵
        Adds Run key to start application
        
        PID:3492
        
        C:\Windows\SysWOW64\wkyrkcw.exe
        
        "C:\Windows\system32\wkyrkcw.exe"
        87⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\wbvfqq.exe
        
        "C:\Windows\system32\wbvfqq.exe"
        88⤵
        Adds Run key to start application
        
        PID:348
        
        C:\Windows\SysWOW64\wkiqivkn.exe
        
        "C:\Windows\system32\wkiqivkn.exe"
        89⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3244
        
        C:\Windows\SysWOW64\wapo.exe
        
        "C:\Windows\system32\wapo.exe"
        90⤵
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\wnmikjyrj.exe
        
        "C:\Windows\system32\wnmikjyrj.exe"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2848
        
        C:\Windows\SysWOW64\wakybg.exe
        
        "C:\Windows\system32\wakybg.exe"
        92⤵
        
        PID:748
        
        C:\Windows\SysWOW64\wvn.exe
        
        "C:\Windows\system32\wvn.exe"
        93⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\wjkdchyr.exe
        
        "C:\Windows\system32\wjkdchyr.exe"
        94⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\wuhur.exe
        
        "C:\Windows\system32\wuhur.exe"
        95⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\watkrqf.exe
        
        "C:\Windows\system32\watkrqf.exe"
        96⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:740
        
        C:\Windows\SysWOW64\wevql.exe
        
        "C:\Windows\system32\wevql.exe"
        97⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\wnjc.exe
        
        "C:\Windows\system32\wnjc.exe"
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\wthwc.exe
        
        "C:\Windows\system32\wthwc.exe"
        99⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3584
        
        C:\Windows\SysWOW64\wdeta.exe
        
        "C:\Windows\system32\wdeta.exe"
        100⤵
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\wlqeracoc.exe
        
        "C:\Windows\system32\wlqeracoc.exe"
        101⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2844
        
        C:\Windows\SysWOW64\wxoviv.exe
        
        "C:\Windows\system32\wxoviv.exe"
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\wkyers.exe
        
        "C:\Windows\system32\wkyers.exe"
        103⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5060
        
        C:\Windows\SysWOW64\wknwypff.exe
        
        "C:\Windows\system32\wknwypff.exe"
        104⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Windows\SysWOW64\wtksx.exe
        
        "C:\Windows\system32\wtksx.exe"
        105⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\wpct.exe
        
        "C:\Windows\system32\wpct.exe"
        106⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\wuqjdl.exe
        
        "C:\Windows\system32\wuqjdl.exe"
        107⤵
        Adds Run key to start application
        
        PID:4304
        
        C:\Windows\SysWOW64\wco.exe
        
        "C:\Windows\system32\wco.exe"
        108⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\wolxrpvs.exe
        
        "C:\Windows\system32\wolxrpvs.exe"
        109⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2180
        
        C:\Windows\SysWOW64\wsxmrc.exe
        
        "C:\Windows\system32\wsxmrc.exe"
        110⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Windows\SysWOW64\wfufhab.exe
        
        "C:\Windows\system32\wfufhab.exe"
        111⤵
        Adds Run key to start application
        
        PID:3596
        
        C:\Windows\SysWOW64\wwqsno.exe
        
        "C:\Windows\system32\wwqsno.exe"
        112⤵
        Checks computer location settings
        
        PID:680
        
        C:\Windows\SysWOW64\wjolemd.exe
        
        "C:\Windows\system32\wjolemd.exe"
        113⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\wnbag.exe
        
        "C:\Windows\system32\wnbag.exe"
        114⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\wnejgt.exe
        
        "C:\Windows\system32\wnejgt.exe"
        115⤵
        Checks computer location settings
        
        PID:5104
        
        C:\Windows\SysWOW64\wubgfam.exe
        
        "C:\Windows\system32\wubgfam.exe"
        116⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\wepqwe.exe
        
        "C:\Windows\system32\wepqwe.exe"
        117⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\wqlw.exe
        
        "C:\Windows\system32\wqlw.exe"
        118⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wuymvq.exe
        
        "C:\Windows\system32\wuymvq.exe"
        119⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Windows\SysWOW64\wwvmdf.exe
        
        "C:\Windows\system32\wwvmdf.exe"
        120⤵
        
        PID:372
        
        C:\Windows\SysWOW64\wcjbdsow.exe
        
        "C:\Windows\system32\wcjbdsow.exe"
        121⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\wdljf.exe
        
        "C:\Windows\system32\wdljf.exe"
        122⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\wpjbvk.exe
        
        "C:\Windows\system32\wpjbvk.exe"
        123⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\wtvqvxctx.exe
        
        "C:\Windows\system32\wtvqvxctx.exe"
        124⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\wtxaxu.exe
        
        "C:\Windows\system32\wtxaxu.exe"
        125⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\wckkp.exe
        
        "C:\Windows\system32\wckkp.exe"
        126⤵
        Adds Run key to start application
        
        PID:1424
        
        C:\Windows\SysWOW64\wcyeatw.exe
        
        "C:\Windows\system32\wcyeatw.exe"
        127⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:60
        
        C:\Windows\SysWOW64\wcmx.exe
        
        "C:\Windows\system32\wcmx.exe"
        128⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\wsjlpf.exe
        
        "C:\Windows\system32\wsjlpf.exe"
        129⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\wjgaw.exe
        
        "C:\Windows\system32\wjgaw.exe"
        130⤵
        Adds Run key to start application
        
        PID:3016
        
        C:\Windows\SysWOW64\wwdrmr.exe
        
        "C:\Windows\system32\wwdrmr.exe"
        131⤵
        Adds Run key to start application
        
        PID:3900
        
        C:\Windows\SysWOW64\woygsgus.exe
        
        "C:\Windows\system32\woygsgus.exe"
        132⤵
        Adds Run key to start application
        
        PID:3376
        
        C:\Windows\SysWOW64\wigb.exe
        
        "C:\Windows\system32\wigb.exe"
        133⤵
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\wacoeb.exe
        
        "C:\Windows\system32\wacoeb.exe"
        134⤵
        Checks computer location settings
        
        PID:1716
        
        C:\Windows\SysWOW64\wyk.exe
        
        "C:\Windows\system32\wyk.exe"
        135⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\SysWOW64\wtqbfgb.exe
        
        "C:\Windows\system32\wtqbfgb.exe"
        136⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\wox.exe
        
        "C:\Windows\system32\wox.exe"
        137⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\wcjcskhe.exe
        
        "C:\Windows\system32\wcjcskhe.exe"
        138⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\wgxrux.exe
        
        "C:\Windows\system32\wgxrux.exe"
        139⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\wountd.exe
        
        "C:\Windows\system32\wountd.exe"
        140⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\wahvayl.exe
        
        "C:\Windows\system32\wahvayl.exe"
        141⤵
        Adds Run key to start application
        
        PID:3468
        
        C:\Windows\SysWOW64\wwts.exe
        
        "C:\Windows\system32\wwts.exe"
        142⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\wtn.exe
        
        "C:\Windows\system32\wtn.exe"
        143⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\wbkpwnx.exe
        
        "C:\Windows\system32\wbkpwnx.exe"
        144⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\wgwgvb.exe
        
        "C:\Windows\system32\wgwgvb.exe"
        145⤵
        Adds Run key to start application
        
        PID:4356
        
        C:\Windows\SysWOW64\wjkvwomf.exe
        
        "C:\Windows\system32\wjkvwomf.exe"
        146⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\wrwh.exe
        
        "C:\Windows\system32\wrwh.exe"
        147⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1320
        
        C:\Windows\SysWOW64\wjefcil.exe
        
        "C:\Windows\system32\wjefcil.exe"
        148⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\wnruc.exe
        
        "C:\Windows\system32\wnruc.exe"
        149⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\wrsy.exe
        
        "C:\Windows\system32\wrsy.exe"
        150⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\wmme.exe
        
        "C:\Windows\system32\wmme.exe"
        151⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\wbfof.exe
        
        "C:\Windows\system32\wbfof.exe"
        152⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\wqcclaei.exe
        
        "C:\Windows\system32\wqcclaei.exe"
        153⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\weytb.exe
        
        "C:\Windows\system32\weytb.exe"
        154⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\wpwlpt.exe
        
        "C:\Windows\system32\wpwlpt.exe"
        155⤵
        Checks computer location settings
        
        PID:764
        
        C:\Windows\SysWOW64\wuja.exe
        
        "C:\Windows\system32\wuja.exe"
        156⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\wxv.exe
        
        "C:\Windows\system32\wxv.exe"
        157⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\wqiuriwi.exe
        
        "C:\Windows\system32\wqiuriwi.exe"
        158⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\wdpwof.exe
        
        "C:\Windows\system32\wdpwof.exe"
        159⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\whrb.exe
        
        "C:\Windows\system32\whrb.exe"
        160⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4120
        
        C:\Windows\SysWOW64\wtoswq.exe
        
        "C:\Windows\system32\wtoswq.exe"
        161⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\wdnmnh.exe
        
        "C:\Windows\system32\wdnmnh.exe"
        162⤵
        Checks computer location settings
        
        PID:1216
        
        C:\Windows\SysWOW64\wkj.exe
        
        "C:\Windows\system32\wkj.exe"
        163⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\wwgdukcn.exe
        
        "C:\Windows\system32\wwgdukcn.exe"
        164⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\wfsp.exe
        
        "C:\Windows\system32\wfsp.exe"
        165⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\wfhjvlqbd.exe
        
        "C:\Windows\system32\wfhjvlqbd.exe"
        166⤵
        Checks computer location settings
        
        PID:2600
        
        C:\Windows\SysWOW64\wrebki.exe
        
        "C:\Windows\system32\wrebki.exe"
        167⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\weq.exe
        
        "C:\Windows\system32\weq.exe"
        168⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\wyxcxmi.exe
        
        "C:\Windows\system32\wyxcxmi.exe"
        169⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\wmikhjk.exe
        
        "C:\Windows\system32\wmikhjk.exe"
        170⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\wyfdwgwd.exe
        
        "C:\Windows\system32\wyfdwgwd.exe"
        171⤵
        Checks computer location settings
        
        PID:2768
        
        C:\Windows\SysWOW64\wpn.exe
        
        "C:\Windows\system32\wpn.exe"
        172⤵
        Adds Run key to start application
        
        PID:3976
        
        C:\Windows\SysWOW64\wkkljb.exe
        
        "C:\Windows\system32\wkkljb.exe"
        173⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1496
        
        C:\Windows\SysWOW64\wovaj.exe
        
        "C:\Windows\system32\wovaj.exe"
        174⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\wffavdmt.exe
        
        "C:\Windows\system32\wffavdmt.exe"
        175⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4284
        
        C:\Windows\SysWOW64\wfgiy.exe
        
        "C:\Windows\system32\wfgiy.exe"
        176⤵
        
        PID:936
        
        C:\Windows\SysWOW64\wancegwp.exe
        
        "C:\Windows\system32\wancegwp.exe"
        177⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\wjaovluy.exe
        
        "C:\Windows\system32\wjaovluy.exe"
        178⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\wjdww.exe
        
        "C:\Windows\system32\wjdww.exe"
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\wertpl.exe
        
        "C:\Windows\system32\wertpl.exe"
        180⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Windows\SysWOW64\wfelagd.exe
        
        "C:\Windows\system32\wfelagd.exe"
        181⤵
        Adds Run key to start application
        
        PID:4456
        
        C:\Windows\SysWOW64\wghvd.exe
        
        "C:\Windows\system32\wghvd.exe"
        182⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\wfjfe.exe
        
        "C:\Windows\system32\wfjfe.exe"
        183⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\wjjel.exe
        
        "C:\Windows\system32\wjjel.exe"
        184⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\wsuo.exe
        
        "C:\Windows\system32\wsuo.exe"
        185⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\wncj.exe
        
        "C:\Windows\system32\wncj.exe"
        186⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\wiiemfaq.exe
        
        "C:\Windows\system32\wiiemfaq.exe"
        187⤵
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\wfbgrir.exe
        
        "C:\Windows\system32\wfbgrir.exe"
        188⤵
        Checks computer location settings
        
        PID:4100
        
        C:\Windows\SysWOW64\waetdmt.exe
        
        "C:\Windows\system32\waetdmt.exe"
        189⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\wmbk.exe
        
        "C:\Windows\system32\wmbk.exe"
        190⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\wdiifxg.exe
        
        "C:\Windows\system32\wdiifxg.exe"
        191⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\wmv.exe
        
        "C:\Windows\system32\wmv.exe"
        192⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2796
        
        C:\Windows\SysWOW64\wcdum.exe
        
        "C:\Windows\system32\wcdum.exe"
        193⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\wlqfc.exe
        
        "C:\Windows\system32\wlqfc.exe"
        194⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\wmrofs.exe
        
        "C:\Windows\system32\wmrofs.exe"
        195⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\wdamtj.exe
        
        "C:\Windows\system32\wdamtj.exe"
        196⤵
        Checks computer location settings
        
        PID:2320
        
        C:\Windows\SysWOW64\wklxknid.exe
        
        "C:\Windows\system32\wklxknid.exe"
        197⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdamtj.exe"
        197⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrofs.exe"
        196⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqfc.exe"
        195⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1336
        195⤵
        Program crash
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcdum.exe"
        194⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmv.exe"
        193⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdiifxg.exe"
        192⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbk.exe"
        191⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waetdmt.exe"
        190⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbgrir.exe"
        189⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiemfaq.exe"
        188⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncj.exe"
        187⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuo.exe"
        186⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjel.exe"
        185⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjfe.exe"
        184⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghvd.exe"
        183⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfelagd.exe"
        182⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wertpl.exe"
        181⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdww.exe"
        180⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1652
        180⤵
        Program crash
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaovluy.exe"
        179⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wancegwp.exe"
        178⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgiy.exe"
        177⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffavdmt.exe"
        176⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovaj.exe"
        175⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkljb.exe"
        174⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpn.exe"
        173⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfdwgwd.exe"
        172⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmikhjk.exe"
        171⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxcxmi.exe"
        170⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weq.exe"
        169⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrebki.exe"
        168⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhjvlqbd.exe"
        167⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsp.exe"
        166⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgdukcn.exe"
        165⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkj.exe"
        164⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnmnh.exe"
        163⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtoswq.exe"
        162⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrb.exe"
        161⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpwof.exe"
        160⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1088
        160⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqiuriwi.exe"
        159⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxv.exe"
        158⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuja.exe"
        157⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwlpt.exe"
        156⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weytb.exe"
        155⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcclaei.exe"
        154⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfof.exe"
        153⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmme.exe"
        152⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsy.exe"
        151⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnruc.exe"
        150⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjefcil.exe"
        149⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwh.exe"
        148⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkvwomf.exe"
        147⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwgvb.exe"
        146⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkpwnx.exe"
        145⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtn.exe"
        144⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwts.exe"
        143⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahvayl.exe"
        142⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wountd.exe"
        141⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxrux.exe"
        140⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjcskhe.exe"
        139⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wox.exe"
        138⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqbfgb.exe"
        137⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyk.exe"
        136⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacoeb.exe"
        135⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigb.exe"
        134⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woygsgus.exe"
        133⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdrmr.exe"
        132⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgaw.exe"
        131⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjlpf.exe"
        130⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmx.exe"
        129⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyeatw.exe"
        128⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckkp.exe"
        127⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxaxu.exe"
        126⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvqvxctx.exe"
        125⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjbvk.exe"
        124⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1208
        124⤵
        Program crash
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdljf.exe"
        123⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjbdsow.exe"
        122⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvmdf.exe"
        121⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuymvq.exe"
        120⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlw.exe"
        119⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepqwe.exe"
        118⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubgfam.exe"
        117⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnejgt.exe"
        116⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbag.exe"
        115⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjolemd.exe"
        114⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1428
        114⤵
        Program crash
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqsno.exe"
        113⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfufhab.exe"
        112⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxmrc.exe"
        111⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolxrpvs.exe"
        110⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wco.exe"
        109⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqjdl.exe"
        108⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpct.exe"
        107⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtksx.exe"
        106⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknwypff.exe"
        105⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1676
        105⤵
        Program crash
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyers.exe"
        104⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxoviv.exe"
        103⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqeracoc.exe"
        102⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1440
        102⤵
        Program crash
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdeta.exe"
        101⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wthwc.exe"
        100⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjc.exe"
        99⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevql.exe"
        98⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watkrqf.exe"
        97⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhur.exe"
        96⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkdchyr.exe"
        95⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvn.exe"
        94⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakybg.exe"
        93⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmikjyrj.exe"
        92⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapo.exe"
        91⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkiqivkn.exe"
        90⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvfqq.exe"
        89⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyrkcw.exe"
        88⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbulw.exe"
        87⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxlib.exe"
        86⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclsyesl.exe"
        85⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxi.exe"
        84⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkpyee.exe"
        83⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whyhqh.exe"
        82⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbpa.exe"
        81⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoei.exe"
        80⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahcliu.exe"
        79⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfab.exe"
        78⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexy.exe"
        77⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfsq.exe"
        76⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwude.exe"
        75⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkedqd.exe"
        74⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhrrmb.exe"
        73⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiukipa.exe"
        72⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywokl.exe"
        71⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlgco.exe"
        70⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadf.exe"
        69⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgmps.exe"
        68⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtfgw.exe"
        67⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wit.exe"
        66⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webq.exe"
        65⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolqiowy.exe"
        64⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weloxkkel.exe"
        63⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 116
        63⤵
        Program crash
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxbww.exe"
        62⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpxbysj.exe"
        61⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcial.exe"
        60⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjyay.exe"
        59⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxci.exe"
        58⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfpsus.exe"
        57⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmkgjge.exe"
        56⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfq.exe"
        55⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptdi.exe"
        54⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymfvi.exe"
        53⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlonflrm.exe"
        52⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvkb.exe"
        51⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkj.exe"
        50⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlvsfb.exe"
        49⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyhs.exe"
        48⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpma.exe"
        47⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypldh.exe"
        46⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewfqa.exe"
        45⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigenv.exe"
        44⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwimx.exe"
        43⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfanjku.exe"
        42⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsofbntwx.exe"
        41⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqo.exe"
        40⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtrn.exe"
        39⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwr.exe"
        38⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdqas.exe"
        37⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjsjrvbti.exe"
        36⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnowg.exe"
        35⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobexwi.exe"
        34⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnov.exe"
        33⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaywv.exe"
        32⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmceq.exe"
        31⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbpnm.exe"
        30⤵
        
        PID:668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1420
        30⤵
        Program crash
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblxdprye.exe"
        29⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpognsg.exe"
        28⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxe.exe"
        27⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkoi.exe"
        26⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkw.exe"
        25⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkigy.exe"
        24⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgqef.exe"
        23⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcwd.exe"
        22⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjyjqhox.exe"
        21⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqhtftu.exe"
        20⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weck.exe"
        19⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysdu.exe"
        18⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeklta.exe"
        17⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbqi.exe"
        16⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtijvnq.exe"
        15⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryye.exe"
        14⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wneiri.exe"
        13⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncapm.exe"
        12⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmphfqd.exe"
        11⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbnw.exe"
        10⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxxcip.exe"
        9⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxtkhp.exe"
        8⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgue.exe"
        7⤵
        
        PID:768
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbam.exe"
        6⤵
        
        PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnsunx.exe"
        5⤵
        
        PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnsk.exe"
      4⤵
      PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifltk.exe"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1676
    3⤵
    - Program crash
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\c7fe6ecb86c0679d3e6bc54f26358a692e0c16de6e737a4082f3d4fec426392b.exe"
  2⤵
  PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1656 -ip 1656
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5052 -ip 5052
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2204 -ip 2204
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2844 -ip 2844
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2292 -ip 2292
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1468 -ip 1468
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 668 -ip 668
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2872 -ip 2872
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4060 -ip 4060
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4944 -ip 4944
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbam.exe

Filesize
92KB

MD5
ff7f4e7f53e04aa4a01840e126bd8c68

SHA1
18fa3f3501fa85e885ef45fbd62607421b4e62b2

SHA256
b2c10683cfa602e5646a6490f951899792128d94d8952f99f9815b3d3623b727

SHA512
3d8a672bf73519380c1826404bb62e531617bfeb256497e1e6ce6e1ece9f497e64571795d2b514bd3065917913b62ff65039f69a993e9e8520ee9f0f493e8938

Download Submit
C:\Windows\SysWOW64\wblxdprye.exe

Filesize
93KB

MD5
8b509a0710b3b65d5df7050a12095678

SHA1
8363a989769da31eef63fac8502139c3feb9b2d3

SHA256
6e46e5cee55fd8f749d63e321f2df4b1d953eb9e5cce3b56226ba98121c0f164

SHA512
98836c7f559c06c99deff90e6f7a9a6ca09f668a0b538ac6c9e39cd2d9d9d200c88d2e9972ed58b4040a5c60905d93f4d3c80b6585272ae165e546d03bfb96db

Download Submit
C:\Windows\SysWOW64\wbnsk.exe

Filesize
92KB

MD5
e0de4e56391a99076cc88100c7fc081b

SHA1
3fdab5a25e5c1b76113211890aab555718dd6fa0

SHA256
6c9e9ce819a0d7189251b97704304372ed36c46b66a9c27f2edb4e37ad4c16db

SHA512
865334af411bcf77d5741b75de483b3e74a83f00cfb87f48cd368224ace88446ab35e89302f11610a887a74370eb66b5550c6951bcc117de5e7eec41304f9c6c

Download Submit
C:\Windows\SysWOW64\wbnsunx.exe

Filesize
92KB

MD5
23b61ec085fb9c8c3fe247b5fb8e8997

SHA1
298f537b51e96d218f9a5810d2413850bf59efd9

SHA256
83063fb9f16fc6c00906b32f2b5646cf13327bfad1a3179c9e90624c23bc8fc6

SHA512
ce58464c20812c06d296cc24e448388e11c90a214ee8e93592f21473c72299913a19a12c72d9760b820e0eb069b81be6a6b55b5a81e8d18e70769c24b929719b

Download Submit
C:\Windows\SysWOW64\wcbpnm.exe

Filesize
93KB

MD5
a885d9db002295431aeabf33fb7112a4

SHA1
e8e96602ac5a91a43a81cee8f5103c03ee2324f6

SHA256
2d4d101295440a4bc58c5c4f15bf6d2858b297dcfba2fa0b42e7d58ead53a076

SHA512
d3fb3467649bce3cb0f2f3e702add9520b9e77cff649b11afff5eed295de5f3bfbaa335c19073501f71d6eba241353b26e980a6127d312cc277d1bb4e79e15cf

Download Submit
C:\Windows\SysWOW64\weck.exe

Filesize
92KB

MD5
451598f5251f7263120bb24505d81656

SHA1
3927c1938cc3e244bcd3f529d1dadb1555a78acf

SHA256
364c62da4e8be0ca85c1c8f429a4d4dc33cadbd9e02e80710f36e2cdf3659bb0

SHA512
a2fdf1b6cbae3ef3cb6cffaaeafc97c54707c0821c739aeb99ab83a111b2285ee54a463b0117163be867a8493805c378daf32635987da2c71e45e08a90dd23de

Download Submit
C:\Windows\SysWOW64\wfaywv.exe

Filesize
93KB

MD5
07262f3e15fc890d3c4f478254880057

SHA1
e59ebefd9d92282a2b3b8b8929f5962112545754

SHA256
53e3b21cd5c6e22a3ab869f4a32254c34ce7e649e4362faed9f0694aa173929d

SHA512
dec2dd795b6aa4486881465463ecb17a405803d56e6b44d2c7cb04ae9316cb2ceaa0d4bb2b84115a23834c7c5b74831427ad8eeb7b9507595da8c90494ae284a

Download Submit
C:\Windows\SysWOW64\wgcwd.exe

Filesize
92KB

MD5
d7aeb10359d9c90068c271ec110c1e10

SHA1
7bb6f318d338f911bc36ee6db78ef338ca2c828c

SHA256
df0a213b45109dfe028754c42dec766bf546cac263e99e9b73ef8ea2323dc6a5

SHA512
8fd965c7f8c5dfff440b76cbafebffaba3956511e4749b88ce518cd354b944d78d4d02cc1e1baff8a8a7f79e3ee8e001a70ca23589d76c674c9c38d78e3b71e7

Download Submit
C:\Windows\SysWOW64\wgue.exe

Filesize
92KB

MD5
2485a3010437569f0f5e95b91cf082e1

SHA1
9e60913cdb2114aafe3aaf447f9e1eaf035787de

SHA256
e7a17c0a2b3b3633f66fa2d60b44b2bf41c0f75a8cac57421d80e23ad2502552

SHA512
14bd7144cd5d009ce9514392016326d637cd0518378fe8499d28f50d58eb8aa0d6503b8c727bd89c6e16a5e88e492c3679812a335b250f5aae30eefd3fa9ea76

Download Submit
C:\Windows\SysWOW64\wifltk.exe

Filesize
92KB

MD5
336b4f6c8cb7f7b6b7245416f20eb004

SHA1
31be6b64600072e2d9453069a0988b71edb799eb

SHA256
02828b2f41e9c9586b35400a2e199083ff88b569c527149a4d49508bbcc63293

SHA512
56fcdbaf3525159c9b3439e4148f01bcc83818304ad0c9f34e9c3869590e3fb68a91d52fb5cc4b1bc0e2133ae758f27823352e9e6f45695a5cb7bcfdb508b06c

Download Submit
C:\Windows\SysWOW64\wjnov.exe

Filesize
93KB

MD5
decc7b3fdfb5cff4840661c35c72b240

SHA1
10c82ec8824a6dadc34874609d9d305b1af8aa12

SHA256
a77c8ade89b35db6e1d0c7de1f05dc702291d6ede6fb61ac353e10a91d941edc

SHA512
18e87e963e42a2eecf87c885f015a221610f7312b18a72d6374b062906957b5660f74551369fa809412568852949cca7631408cfa1be802111d8697d6791b9e8

Download Submit
C:\Windows\SysWOW64\wjyjqhox.exe

Filesize
92KB

MD5
b1e68bcb349b4d82f60e035a69609c08

SHA1
f5a67ff7108d388e33a66fc13c851d17a707f8fe

SHA256
dd3d0541a7d6a9dd30c65207ebf0936b6aaac00f6fd40c616906c6a7cf47b641

SHA512
222be1bd16d3881c812a76aa328600b4c786048f9f2cf99950ead98a294fba8e321004f1ebfeb57e0b969d8502fc205f29413fc49fba59872a3f0ec01033873d

Download Submit
C:\Windows\SysWOW64\wkbqi.exe

Filesize
92KB

MD5
2942b9cb106a28a288555ba49a1dfa99

SHA1
970424084c513ad5a8bfb2afd8c0ea50038cb270

SHA256
296d98ec90c988893d7a43ed10d89e73f691b51f4d459232c6a18b960b02210f

SHA512
ceecf033201c2ad4f53e7d6ec98b589f56e62c525763a41e22c89695c891070ef0b70b4df9491d85f610c15bfba0fb47225a0539252864fc63c2372e68b835bf

Download Submit
C:\Windows\SysWOW64\wkigy.exe

Filesize
92KB

MD5
24ae00ef0e1071cce8bf7e69228183ff

SHA1
36da49be1a6a3479ef9c28f436891b55ad5ab0d1

SHA256
ab423fd0e1971c0c05f7a6d4c64982671c87132e329949183c5ab3ed22b1e780

SHA512
b0981e9c8444a570458ae7aa06cc4f2683f66cf149c7586e667895bcf91664bea4bbfcfe4eedf9ea88bd26b52b594101c7093993c9a3b1cb4330e34942690e4a

Download Submit
C:\Windows\SysWOW64\wkmceq.exe

Filesize
93KB

MD5
cb300b86fa1b15622e04838ca66b0740

SHA1
ffba02ff337e0fbc07f5307b82b04468f5c4e472

SHA256
6e5cd4ae06bab11810a6ee767cceb33ca21e889883dd115b96ae52a47e6028fb

SHA512
b1d65759c06f69bf39a92809d606640b069116945aa86e163cb3b035a28b36d1d4eacda37d05706bcb1ee0932ea23a96dd8980410734b4441be66a7ff6babf59

Download Submit
C:\Windows\SysWOW64\wkw.exe

Filesize
92KB

MD5
f7f546d72a146603d59389ea44ac033f

SHA1
d9511b133dc3fe7e152e323d269947d9e1ce7f24

SHA256
b0b225bd1c3988c0f1a4f7d2d72ab48b34978f6d38ab360de5c10216044f0dc2

SHA512
7f58ddf76215e8f76cfa4df5ee98cfa9afad3e7508a1f2dab4125f3ff6120a771da2b649b66a0cfb78ed42447175c8ab4ef74ce1e4ab2a29050cf84ea1264c0e

Download Submit
C:\Windows\SysWOW64\wmphfqd.exe

Filesize
92KB

MD5
200d518ba03b93fac3ce30bfe149434e

SHA1
ddf8abd051b94706518d2a871ce516325b1ceb0f

SHA256
8b21dd536760f9a27d48169c90748f96f695457c316d9fe6ddd282b2a57bcc84

SHA512
76134f1e7e4c69d9ace24afd6edfee6888db2e206cf4ceb5dce7da8b6e42f1ac0304390da140860d2aaffe11bc7912559a749f607b715948cb0ee4ce833d5d52

Download Submit
C:\Windows\SysWOW64\wnbnw.exe

Filesize
92KB

MD5
a82ce082d7e180d7d18c2a18a484a1b0

SHA1
56c23d19357e16075b3918d2c900000ebd4dde73

SHA256
2c600e328c330d6f7042678d285e026c65e2fbe9964b94fb0b4b258aa94210b4

SHA512
290835e40a2a4e0dced4969a79541c0ea1d6db9451696def1e72f29e7545d02eceba15b4d654a5228fe6435583b6b1f654f6bf90f62b09357061cad33becc208

Download Submit
C:\Windows\SysWOW64\wncapm.exe

Filesize
92KB

MD5
cdab3cfc582aa91bd5ee7de108c052b1

SHA1
66c423d1e0116f6246ff06194d6c507c5590eb43

SHA256
adf4f6ae6e10fb7daecdadb2a92c6563d658835e7e44739a6f5ea699fde83f23

SHA512
1d771f50528e50509fa23e8aaf323e62575deea2b82a5e6f2ff857c271c3e3f55562856f396cb18f0b914ca71da030be0e1b0def28b692dfee2153aa485d8738

Download Submit
C:\Windows\SysWOW64\wneiri.exe

Filesize
92KB

MD5
9d2321cb29fe5a6419bb8876e2aa41ac

SHA1
96fb9a5251e3755371c4c02e9dd5e66425214348

SHA256
cbe7a05285a1e07d03386d8e399c4867247d315e02d4ee83caa64f9f11d4865f

SHA512
218c755579400d38fa097761058f86b71a6138f00edbf4ae7f5ff3989325421913a1dd425c6e72410690825e073acf8d09b8e5ad77e4e365b4276fa864e08dc0

Download Submit
C:\Windows\SysWOW64\wnkoi.exe

Filesize
92KB

MD5
6e16c4b8c028e48500f1b9095c56d913

SHA1
64be60b9490be2dcd6a5de0e4ee018eb0ac45968

SHA256
c81f268d72799e2083dfd8b311ca91f5cafaa99ae92e777a4bfe8a2a35f03cbe

SHA512
bee85a8aaff497491a8fcd4bab23b0a104be0e8633afbaca043881c30ccbfd159bed3b80247a17315dd319d73d067f4d627fee37b7516e6c37d4c6184ef61551

Download Submit
C:\Windows\SysWOW64\wobexwi.exe

Filesize
93KB

MD5
684587c639e0d916931a7649584ace5d

SHA1
bc08b590f1b267cdc8a2c1c1aa4b508769327e9d

SHA256
48794a359f15e10bd74199f9fc508a9849f9f33f397664f9cac9d45e0ca459f7

SHA512
64eb6d3331149ca66072755e109a3841280dac6ee0baf0d027efd7f1833eeed2e5f43deb1ad3cbfbc638c2351aac6b7d2c912fb685538698c9c1aa6cebbad149

Download Submit
C:\Windows\SysWOW64\wpognsg.exe

Filesize
93KB

MD5
512cf0fa67ced15dc149b30c129ea108

SHA1
e4b61b9436edbe91c08d83896b00c7dd5f9ee3b1

SHA256
6625e3be04c0170270d649f5280898b1795f9e67e74f2b62d1be93acab6d9676

SHA512
3b2e6e593ce0885c65ae64336d7f525a9371bd146213e0cdc33de9f9532305ef994a2230c0aac75ae5d1d722fe7de0ec4df46029b33c7780d2b26ae69e1b1448

Download Submit
C:\Windows\SysWOW64\wryye.exe

Filesize
92KB

MD5
de8395d060c1528950da0c9064814f13

SHA1
835093cc7d8e53e3d59f12bc372d33f4573749fc

SHA256
dd52920a1d53bebdaf9ff9b760c7c02762824cfd0afa1992fcaff3f4a0976f9f

SHA512
8fe3f7ae59bb65176fa094fe73e1d57e6c699ddd10a9604a5f04ffcb02b33a17e2c2a2c3b6247c22fceed26727968f41df035ff0ebf8d94650110b03d7c1fe78

Download Submit
C:\Windows\SysWOW64\wsgqef.exe

Filesize
92KB

MD5
3d164a864600039c1f8e106e0fef499e

SHA1
d333142908390d04895a65e0a0e2de6c9f71da6c

SHA256
22e404ba974f8b79c9c770be0461431632d71e204bd69562ee2a1460c41a3e58

SHA512
6a87aa6aecba3062b2458bce67e0456d655ca9ef8b3d26c9580baea57964cb0928420ae47b8a98e8779ba1b780f8783f089ba5250261012f503a8877357af2a2

Download Submit
C:\Windows\SysWOW64\wsxe.exe

Filesize
93KB

MD5
5df8f80b222e28f3f68a05b308fe381a

SHA1
da7b58741a990ca8c31dc1c84d1732ec231ad7c7

SHA256
8b8871fbed54ea7dc18bf8873680f20e35111bc7ce11523b26b0625c7720ca78

SHA512
4c4be43885571fd66834527ef25e6a7f7d939579854c4a1763fc45176a76b9703264b9838a21583c2fe13ca495967ecf1c351499a4d9a4c3777af605929fec00

Download Submit
C:\Windows\SysWOW64\wtijvnq.exe

Filesize
92KB

MD5
9a43b1b3cf26e8964bfcf49b268a8c41

SHA1
42347d5e5d0a9a12e1b07dd541c191d3f4d4d605

SHA256
22f1ca4ca1faa58734f9946bc68d7b49aa9ce25566d8cdd76783a298cf316a69

SHA512
b6039a17d54c75702de2d384d2f648f9272d4e0a7060ab932058f93e08f825d4bdca6f6aa79104954543030b26aa66b69225c782506322cae946088a41884902

Download Submit
C:\Windows\SysWOW64\wvxxcip.exe

Filesize
92KB

MD5
7e0cb4c074e09300a1b7f52b5a3dedf0

SHA1
2dd5eab8a3159b9c4ed40bc16983d7ecf2e564e1

SHA256
61bcb0dc48eb52cfc0d9f8526e8a34135c58907bc4cc9deed7b2885ce998f55c

SHA512
aafc433a16e65d821562ef8d4f23ae0b7c1452d319f05b8c5ae36460d50e06368813f20403055e1fe3d461b17226bc8cb2f17830eeb4f0e12fcef84057791742

Download Submit
C:\Windows\SysWOW64\wxeklta.exe

Filesize
92KB

MD5
5fbeccb8b166f94bf6259988b4263af3

SHA1
e55c6aa7dc1ba30d2059d5fb4111e0549a3c863e

SHA256
a1fcf78247d8d7828ceb556d6093c0855409c0ee765c4ecf8e7115c00053cf6e

SHA512
a173a372df4aea159c4a86057abb398b437a07fa093290ddc0813f8e50278d6ab87b09d8bbadd10e6063f2ff30662a00bcb78be57af4582d85205a8de2f2cfc0

Download Submit
C:\Windows\SysWOW64\wxqhtftu.exe

Filesize
92KB

MD5
54633fa75e92c681699f017c36807971

SHA1
41aedc0d06b8653c154aec7f57b34bfb97551cec

SHA256
3a0b25cfb4ca97b10aca80a136feee31909755daf35cd372ca71c38f2d111d94

SHA512
f9fe1c0c234174b9a4c0e54f6c6874fa884252ebefd7d619ebeaee6db0d14519750c0e6373d1d3b6ccd3b8b4cc52ad2941fb259192ed1725a503db72256d3305

Download Submit
C:\Windows\SysWOW64\wxxtkhp.exe

Filesize
92KB

MD5
5b0792cc989be6439f124babd91cbc3d

SHA1
0ddb89550aaba2570fb5cde6879f5d9b66273f81

SHA256
04929ef667e999d8b0f094c96eac2353ab9ff32419eded198ed34756cdde0d3e

SHA512
5f4ea2e51e600f3313bf5a200f76d3b8d345c8ecd6cf68c10ef11729c3d4c3457b07c996ccf2d8d7a82c8b3d295daffe3dd764af60fc1009f2eed0eed74611ab

Download Submit
C:\Windows\SysWOW64\wysdu.exe

Filesize
92KB

MD5
59e139cf126fc0d05f501ecc2e487d40

SHA1
9226436d1ac8a74cac7a3679022f56862885605a

SHA256
5a34c2187706d13983167860a1c33614622c7253d39a9c8cd31674bbb0c1f630

SHA512
894e49512ffee7d4086810d27f17465186d70caa33a3239758a0d74cb88956a06f03cc99e5a659745bfffb6f2644a55a4133de34e3f60dd1404e6c1d0824f6e2

Download Submit
memory/8-272-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/440-324-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/440-336-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/556-475-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/680-155-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/680-167-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/768-314-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1080-262-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1080-344-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1080-354-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-313-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-325-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1388-283-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1540-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1656-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1712-113-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1712-124-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1716-51-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1716-594-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1764-450-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1868-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1868-103-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1984-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2204-585-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-380-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-390-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2800-544-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2800-535-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2836-363-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2836-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2836-353-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3016-156-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3020-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3140-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3188-381-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3188-371-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3188-536-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3316-231-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3356-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3356-145-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3368-242-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3368-230-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3512-501-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3512-511-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3608-586-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3644-335-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3644-345-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3808-458-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3808-449-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3872-552-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3912-577-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-399-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-389-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3968-561-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3988-189-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3988-200-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3988-441-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4088-398-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4088-407-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4092-459-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4092-467-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4120-425-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4120-415-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4144-493-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4144-483-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4180-527-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4188-484-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4228-433-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4228-424-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4412-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4412-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4444-569-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4444-560-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4488-220-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4496-372-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4496-362-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-416-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-241-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-252-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4616-166-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4616-178-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4812-492-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4812-502-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4844-188-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4844-177-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4912-199-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4912-210-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4940-519-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4940-510-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4948-41-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5052-303-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5104-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5104-293-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads