4e269c558ad900af1020823c7cb0b15d326898893b3f96d19dfe74ba205a028a

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe
Size

82KB
MD5

a789d85112422769a4e5bfd578aeb490
SHA1

64df321279801aca306c432a8a38ebc553a78378
SHA256

4e269c558ad900af1020823c7cb0b15d326898893b3f96d19dfe74ba205a028a
SHA512

f70bd351fb551897fb67a84e5fb686e69e4f3dbbe61c74d7b48dfd656b69334b2140fe3a9ac9ab30aa668fd92398315266e4d530abbdbfcf8dba30b9bdcb5ae7
SSDEEP

1536:azUQz74LIvK/+Czax4IHVdmRvW1BDVwrVXwP:qUQz74TmFnmRvW1gXwP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2816	wbb.exe
2936	wjt.exe
2496	wmki.exe
1724	wiy.exe
1780	wbfuwi.exe
2700	wta.exe
1856	wfc.exe
3056	wjaxqbj.exe
2240	wcgklmmg.exe
2532	wbnpfeao.exe
2668	wjtnr.exe
1264	wblkrtgi.exe
2208	wkbqkygfi.exe
592	wrq.exe
2452	wndpijqre.exe
1920	wfyrw.exe
1168	wryhn.exe
1612	wao.exe
2588	wuxwit.exe
2772	wej.exe
1696	wqr.exe
768	whbixgpqm.exe
3068	wqgfk.exe
2288	wuwpmv.exe
1100	wpihrdmw.exe
860	woawcxgn.exe
1564	wsex.exe
2476	wjprkyxjy.exe
2900	wovuf.exe
2376	wegosa.exe
2668	wvgxbok.exe
1868	winpfh.exe
1824	wwxacxno.exe
1576	wbpkckmuk.exe
1160	wkf.exe
3012	wcaiqwhim.exe
2200	wtatwjbws.exe
3028	wtrjigvne.exe
2240	wijt.exe
2016	whlsjonq.exe
2544	wolbru.exe
2668	wsjogghc.exe
1596	wbkgfks.exe
1056	wwroqnyye.exe
1680	wwfvi.exe
1548	wtl.exe
2812	wkl.exe
2572	wgqluxx.exe
2540	whhaetr.exe
2772	wkxlgfrh.exe
1156	wxybvcg.exe
1028	wwfgyx.exe
1852	wskionhu.exe
2680	wriou.exe
2784	wradfcdx.exe
1808	whlysr.exe
3008	wxkibg.exe
2696	wxjmqceh.exe
940	wgfuwen.exe
1716	wmwtfn.exe
852	wdfiabp.exe
1588	wusiany.exe
1596	wmenfp.exe
2252	wagcw.exe

Loads dropped DLL 64 IoCs

pid	Process
2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe
2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe
2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe
2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe
2816	wbb.exe
2816	wbb.exe
2816	wbb.exe
2816	wbb.exe
2816	wbb.exe
2936	wjt.exe
2936	wjt.exe
2936	wjt.exe
2936	wjt.exe
2936	wjt.exe
2496	wmki.exe
2496	wmki.exe
2496	wmki.exe
2496	wmki.exe
2496	wmki.exe
1724	wiy.exe
1724	wiy.exe
1724	wiy.exe
1724	wiy.exe
1724	wiy.exe
1780	wbfuwi.exe
1780	wbfuwi.exe
1780	wbfuwi.exe
1780	wbfuwi.exe
1780	wbfuwi.exe
2700	wta.exe
2700	wta.exe
2700	wta.exe
2700	wta.exe
2700	wta.exe
1856	wfc.exe
1856	wfc.exe
1856	wfc.exe
1856	wfc.exe
1856	wfc.exe
3056	wjaxqbj.exe
3056	wjaxqbj.exe
3056	wjaxqbj.exe
3056	wjaxqbj.exe
3056	wjaxqbj.exe
2240	wcgklmmg.exe
2240	wcgklmmg.exe
2240	wcgklmmg.exe
2240	wcgklmmg.exe
2240	wcgklmmg.exe
2532	wbnpfeao.exe
2532	wbnpfeao.exe
2532	wbnpfeao.exe
2532	wbnpfeao.exe
2532	wbnpfeao.exe
2668	wjtnr.exe
2668	wjtnr.exe
2668	wjtnr.exe
2668	wjtnr.exe
2668	wjtnr.exe
1264	wblkrtgi.exe
1264	wblkrtgi.exe
1264	wblkrtgi.exe
1264	wblkrtgi.exe
1264	wblkrtgi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wwfence.exe	wwyxjit.exe
File created	C:\Windows\SysWOW64\wjaxqbj.exe	wfc.exe
File created	C:\Windows\SysWOW64\wwaof.exe	wedykx.exe
File created	C:\Windows\SysWOW64\wdxyq.exe	wymc.exe
File opened for modification	C:\Windows\SysWOW64\wkhvjqky.exe	wdrmqmh.exe
File opened for modification	C:\Windows\SysWOW64\wlebne.exe	wdc.exe
File opened for modification	C:\Windows\SysWOW64\wytfw.exe	wlebne.exe
File opened for modification	C:\Windows\SysWOW64\wccpyak.exe	wtmhh.exe
File opened for modification	C:\Windows\SysWOW64\wnbrm.exe	wtjyup.exe
File created	C:\Windows\SysWOW64\wedykx.exe	wuhvbjve.exe
File opened for modification	C:\Windows\SysWOW64\wqseievr.exe	weqprggq.exe
File opened for modification	C:\Windows\SysWOW64\wdxyq.exe	wymc.exe
File opened for modification	C:\Windows\SysWOW64\wdfiabp.exe	wmwtfn.exe
File created	C:\Windows\SysWOW64\wwjsuk.exe	wstgt.exe
File opened for modification	C:\Windows\SysWOW64\wpussyyd.exe	wjjbe.exe
File opened for modification	C:\Windows\SysWOW64\wtrjigvne.exe	wtatwjbws.exe
File created	C:\Windows\SysWOW64\wolbru.exe	whlsjonq.exe
File opened for modification	C:\Windows\SysWOW64\wgqluxx.exe	wkl.exe
File created	C:\Windows\SysWOW64\whhaetr.exe	wgqluxx.exe
File opened for modification	C:\Windows\SysWOW64\wnwrdqxv.exe	wfhklm.exe
File created	C:\Windows\SysWOW64\wvxldu.exe	wnwrdqxv.exe
File opened for modification	C:\Windows\SysWOW64\wkl.exe	wtl.exe
File created	C:\Windows\SysWOW64\wwhiamyx.exe	wkhvjqky.exe
File created	C:\Windows\SysWOW64\wqseievr.exe	weqprggq.exe
File opened for modification	C:\Windows\SysWOW64\wwyxjit.exe	wwhiamyx.exe
File opened for modification	C:\Windows\SysWOW64\wjtnr.exe	wbnpfeao.exe
File opened for modification	C:\Windows\SysWOW64\wryhn.exe	wfyrw.exe
File created	C:\Windows\SysWOW64\whlsjonq.exe	wijt.exe
File opened for modification	C:\Windows\SysWOW64\wsjogghc.exe	wolbru.exe
File opened for modification	C:\Windows\SysWOW64\wwfgyx.exe	wxybvcg.exe
File created	C:\Windows\SysWOW64\wwjbsvyn.exe	wossarv.exe
File created	C:\Windows\SysWOW64\wkf.exe	wbpkckmuk.exe
File opened for modification	C:\Windows\SysWOW64\whhaetr.exe	wgqluxx.exe
File created	C:\Windows\SysWOW64\wxybvcg.exe	wkxlgfrh.exe
File created	C:\Windows\SysWOW64\wta.exe	wbfuwi.exe
File opened for modification	C:\Windows\SysWOW64\wtatwjbws.exe	wcaiqwhim.exe
File opened for modification	C:\Windows\SysWOW64\witamkh.exe	werfewxjg.exe
File created	C:\Windows\SysWOW64\wnwrdqxv.exe	wfhklm.exe
File created	C:\Windows\SysWOW64\wndpijqre.exe	wrq.exe
File created	C:\Windows\SysWOW64\wbpkckmuk.exe	wwxacxno.exe
File opened for modification	C:\Windows\SysWOW64\wlkcpey.exe	wdtuxy.exe
File created	C:\Windows\SysWOW64\wujfxul.exe	wiudn.exe
File created	C:\Windows\SysWOW64\wijt.exe	wtrjigvne.exe
File opened for modification	C:\Windows\SysWOW64\wdmxb.exe	whfpoek.exe
File opened for modification	C:\Windows\SysWOW64\wxxebbu.exe	wdywcu.exe
File created	C:\Windows\SysWOW64\wrq.exe	wkbqkygfi.exe
File opened for modification	C:\Windows\SysWOW64\wfbkeg.exe	wgxkojnu.exe
File created	C:\Windows\SysWOW64\wmlexue.exe	wuocjlm.exe
File created	C:\Windows\SysWOW64\wdywcu.exe	wqyjlyg.exe
File created	C:\Windows\SysWOW64\wkhvjqky.exe	wdrmqmh.exe
File created	C:\Windows\SysWOW64\wxvvnuacj.exe	wfhvm.exe
File opened for modification	C:\Windows\SysWOW64\wcaiqwhim.exe	wkf.exe
File created	C:\Windows\SysWOW64\whfpoek.exe	weerfpbjk.exe
File created	C:\Windows\SysWOW64\wnbrm.exe	wtjyup.exe
File created	C:\Windows\SysWOW64\wofhqk.exe	wfbkeg.exe
File created	C:\Windows\SysWOW64\wjprkyxjy.exe	wsex.exe
File created	C:\Windows\SysWOW64\wtsfne.exe	wcwcy.exe
File opened for modification	C:\Windows\SysWOW64\wqyjlyg.exe	wqseievr.exe
File opened for modification	C:\Windows\SysWOW64\wqr.exe	wej.exe
File opened for modification	C:\Windows\SysWOW64\wlwq.exe	wiuvjqsk.exe
File opened for modification	C:\Windows\SysWOW64\wlsous.exe	wtsfne.exe
File opened for modification	C:\Windows\SysWOW64\wghgwes.exe	wcrsuq.exe
File created	C:\Windows\SysWOW64\woawcxgn.exe	wpihrdmw.exe
File created	C:\Windows\SysWOW64\wtl.exe	wwfvi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2816	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2816	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2816	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2816	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2912	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2912	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2912	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2912	2236	a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe	29
PID 2816 wrote to memory of 2936	2816	wbb.exe	31
PID 2816 wrote to memory of 2936	2816	wbb.exe	31
PID 2816 wrote to memory of 2936	2816	wbb.exe	31
PID 2816 wrote to memory of 2936	2816	wbb.exe	31
PID 2816 wrote to memory of 2772	2816	wbb.exe	32
PID 2816 wrote to memory of 2772	2816	wbb.exe	32
PID 2816 wrote to memory of 2772	2816	wbb.exe	32
PID 2816 wrote to memory of 2772	2816	wbb.exe	32
PID 2936 wrote to memory of 2496	2936	wjt.exe	34
PID 2936 wrote to memory of 2496	2936	wjt.exe	34
PID 2936 wrote to memory of 2496	2936	wjt.exe	34
PID 2936 wrote to memory of 2496	2936	wjt.exe	34
PID 2936 wrote to memory of 2844	2936	wjt.exe	35
PID 2936 wrote to memory of 2844	2936	wjt.exe	35
PID 2936 wrote to memory of 2844	2936	wjt.exe	35
PID 2936 wrote to memory of 2844	2936	wjt.exe	35
PID 2496 wrote to memory of 1724	2496	wmki.exe	37
PID 2496 wrote to memory of 1724	2496	wmki.exe	37
PID 2496 wrote to memory of 1724	2496	wmki.exe	37
PID 2496 wrote to memory of 1724	2496	wmki.exe	37
PID 2496 wrote to memory of 2144	2496	wmki.exe	38
PID 2496 wrote to memory of 2144	2496	wmki.exe	38
PID 2496 wrote to memory of 2144	2496	wmki.exe	38
PID 2496 wrote to memory of 2144	2496	wmki.exe	38
PID 1724 wrote to memory of 1780	1724	wiy.exe	40
PID 1724 wrote to memory of 1780	1724	wiy.exe	40
PID 1724 wrote to memory of 1780	1724	wiy.exe	40
PID 1724 wrote to memory of 1780	1724	wiy.exe	40
PID 1724 wrote to memory of 1328	1724	wiy.exe	41
PID 1724 wrote to memory of 1328	1724	wiy.exe	41
PID 1724 wrote to memory of 1328	1724	wiy.exe	41
PID 1724 wrote to memory of 1328	1724	wiy.exe	41
PID 1780 wrote to memory of 2700	1780	wbfuwi.exe	43
PID 1780 wrote to memory of 2700	1780	wbfuwi.exe	43
PID 1780 wrote to memory of 2700	1780	wbfuwi.exe	43
PID 1780 wrote to memory of 2700	1780	wbfuwi.exe	43
PID 1780 wrote to memory of 568	1780	wbfuwi.exe	44
PID 1780 wrote to memory of 568	1780	wbfuwi.exe	44
PID 1780 wrote to memory of 568	1780	wbfuwi.exe	44
PID 1780 wrote to memory of 568	1780	wbfuwi.exe	44
PID 2700 wrote to memory of 1856	2700	wta.exe	46
PID 2700 wrote to memory of 1856	2700	wta.exe	46
PID 2700 wrote to memory of 1856	2700	wta.exe	46
PID 2700 wrote to memory of 1856	2700	wta.exe	46
PID 2700 wrote to memory of 2192	2700	wta.exe	47
PID 2700 wrote to memory of 2192	2700	wta.exe	47
PID 2700 wrote to memory of 2192	2700	wta.exe	47
PID 2700 wrote to memory of 2192	2700	wta.exe	47
PID 1856 wrote to memory of 3056	1856	wfc.exe	49
PID 1856 wrote to memory of 3056	1856	wfc.exe	49
PID 1856 wrote to memory of 3056	1856	wfc.exe	49
PID 1856 wrote to memory of 3056	1856	wfc.exe	49
PID 1856 wrote to memory of 2172	1856	wfc.exe	50
PID 1856 wrote to memory of 2172	1856	wfc.exe	50
PID 1856 wrote to memory of 2172	1856	wfc.exe	50
PID 1856 wrote to memory of 2172	1856	wfc.exe	50

C:\Users\Admin\AppData\Local\Temp\a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\wbb.exe
  "C:\Windows\system32\wbb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\wjt.exe
    "C:\Windows\system32\wjt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\wmki.exe
      "C:\Windows\system32\wmki.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\wiy.exe
        
        "C:\Windows\system32\wiy.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\SysWOW64\wbfuwi.exe
        
        "C:\Windows\system32\wbfuwi.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\wta.exe
        
        "C:\Windows\system32\wta.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\wfc.exe
        
        "C:\Windows\system32\wfc.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\wjaxqbj.exe
        
        "C:\Windows\system32\wjaxqbj.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3056
        
        C:\Windows\SysWOW64\wcgklmmg.exe
        
        "C:\Windows\system32\wcgklmmg.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\SysWOW64\wbnpfeao.exe
        
        "C:\Windows\system32\wbnpfeao.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\wjtnr.exe
        
        "C:\Windows\system32\wjtnr.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2668
        
        C:\Windows\SysWOW64\wblkrtgi.exe
        
        "C:\Windows\system32\wblkrtgi.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1264
        
        C:\Windows\SysWOW64\wkbqkygfi.exe
        
        "C:\Windows\system32\wkbqkygfi.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\wrq.exe
        
        "C:\Windows\system32\wrq.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\wndpijqre.exe
        
        "C:\Windows\system32\wndpijqre.exe"
        16⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\wfyrw.exe
        
        "C:\Windows\system32\wfyrw.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\wryhn.exe
        
        "C:\Windows\system32\wryhn.exe"
        18⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\wao.exe
        
        "C:\Windows\system32\wao.exe"
        19⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\wuxwit.exe
        
        "C:\Windows\system32\wuxwit.exe"
        20⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\wej.exe
        
        "C:\Windows\system32\wej.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\wqr.exe
        
        "C:\Windows\system32\wqr.exe"
        22⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\whbixgpqm.exe
        
        "C:\Windows\system32\whbixgpqm.exe"
        23⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\wqgfk.exe
        
        "C:\Windows\system32\wqgfk.exe"
        24⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\wuwpmv.exe
        
        "C:\Windows\system32\wuwpmv.exe"
        25⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\wpihrdmw.exe
        
        "C:\Windows\system32\wpihrdmw.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\woawcxgn.exe
        
        "C:\Windows\system32\woawcxgn.exe"
        27⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\wsex.exe
        
        "C:\Windows\system32\wsex.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\wjprkyxjy.exe
        
        "C:\Windows\system32\wjprkyxjy.exe"
        29⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\wovuf.exe
        
        "C:\Windows\system32\wovuf.exe"
        30⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\wegosa.exe
        
        "C:\Windows\system32\wegosa.exe"
        31⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\wvgxbok.exe
        
        "C:\Windows\system32\wvgxbok.exe"
        32⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\winpfh.exe
        
        "C:\Windows\system32\winpfh.exe"
        33⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\wwxacxno.exe
        
        "C:\Windows\system32\wwxacxno.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\wbpkckmuk.exe
        
        "C:\Windows\system32\wbpkckmuk.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\wkf.exe
        
        "C:\Windows\system32\wkf.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\wcaiqwhim.exe
        
        "C:\Windows\system32\wcaiqwhim.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\wtatwjbws.exe
        
        "C:\Windows\system32\wtatwjbws.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\wtrjigvne.exe
        
        "C:\Windows\system32\wtrjigvne.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\wijt.exe
        
        "C:\Windows\system32\wijt.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\whlsjonq.exe
        
        "C:\Windows\system32\whlsjonq.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\wolbru.exe
        
        "C:\Windows\system32\wolbru.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wsjogghc.exe
        
        "C:\Windows\system32\wsjogghc.exe"
        43⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\wbkgfks.exe
        
        "C:\Windows\system32\wbkgfks.exe"
        44⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\wwroqnyye.exe
        
        "C:\Windows\system32\wwroqnyye.exe"
        45⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\wwfvi.exe
        
        "C:\Windows\system32\wwfvi.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\wtl.exe
        
        "C:\Windows\system32\wtl.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wkl.exe
        
        "C:\Windows\system32\wkl.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\wgqluxx.exe
        
        "C:\Windows\system32\wgqluxx.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\whhaetr.exe
        
        "C:\Windows\system32\whhaetr.exe"
        50⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\wkxlgfrh.exe
        
        "C:\Windows\system32\wkxlgfrh.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\wxybvcg.exe
        
        "C:\Windows\system32\wxybvcg.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\wwfgyx.exe
        
        "C:\Windows\system32\wwfgyx.exe"
        53⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\wskionhu.exe
        
        "C:\Windows\system32\wskionhu.exe"
        54⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\wriou.exe
        
        "C:\Windows\system32\wriou.exe"
        55⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\wradfcdx.exe
        
        "C:\Windows\system32\wradfcdx.exe"
        56⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\whlysr.exe
        
        "C:\Windows\system32\whlysr.exe"
        57⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\wxkibg.exe
        
        "C:\Windows\system32\wxkibg.exe"
        58⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\wxjmqceh.exe
        
        "C:\Windows\system32\wxjmqceh.exe"
        59⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\wgfuwen.exe
        
        "C:\Windows\system32\wgfuwen.exe"
        60⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\wmwtfn.exe
        
        "C:\Windows\system32\wmwtfn.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\wdfiabp.exe
        
        "C:\Windows\system32\wdfiabp.exe"
        62⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\wusiany.exe
        
        "C:\Windows\system32\wusiany.exe"
        63⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\wmenfp.exe
        
        "C:\Windows\system32\wmenfp.exe"
        64⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\wagcw.exe
        
        "C:\Windows\system32\wagcw.exe"
        65⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\werfewxjg.exe
        
        "C:\Windows\system32\werfewxjg.exe"
        66⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\witamkh.exe
        
        "C:\Windows\system32\witamkh.exe"
        67⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\wfhklm.exe
        
        "C:\Windows\system32\wfhklm.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\wnwrdqxv.exe
        
        "C:\Windows\system32\wnwrdqxv.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\wvxldu.exe
        
        "C:\Windows\system32\wvxldu.exe"
        70⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wdc.exe
        
        "C:\Windows\system32\wdc.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\wlebne.exe
        
        "C:\Windows\system32\wlebne.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\wytfw.exe
        
        "C:\Windows\system32\wytfw.exe"
        73⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\wdnxr.exe
        
        "C:\Windows\system32\wdnxr.exe"
        74⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\wwxsn.exe
        
        "C:\Windows\system32\wwxsn.exe"
        75⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\weoagyf.exe
        
        "C:\Windows\system32\weoagyf.exe"
        76⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\wroowt.exe
        
        "C:\Windows\system32\wroowt.exe"
        77⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\weerfpbjk.exe
        
        "C:\Windows\system32\weerfpbjk.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\whfpoek.exe
        
        "C:\Windows\system32\whfpoek.exe"
        79⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\wdmxb.exe
        
        "C:\Windows\system32\wdmxb.exe"
        80⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\wtmhh.exe
        
        "C:\Windows\system32\wtmhh.exe"
        81⤵
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\wccpyak.exe
        
        "C:\Windows\system32\wccpyak.exe"
        82⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\wgrbcmjj.exe
        
        "C:\Windows\system32\wgrbcmjj.exe"
        83⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\wossarv.exe
        
        "C:\Windows\system32\wossarv.exe"
        84⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\wwjbsvyn.exe
        
        "C:\Windows\system32\wwjbsvyn.exe"
        85⤵
        
        PID:320
        
        C:\Windows\SysWOW64\wfyhk.exe
        
        "C:\Windows\system32\wfyhk.exe"
        86⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\wdtuxy.exe
        
        "C:\Windows\system32\wdtuxy.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\wlkcpey.exe
        
        "C:\Windows\system32\wlkcpey.exe"
        88⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\wxkrgao.exe
        
        "C:\Windows\system32\wxkrgao.exe"
        89⤵
        
        PID:764
        
        C:\Windows\SysWOW64\wauatod.exe
        
        "C:\Windows\system32\wauatod.exe"
        90⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\wvuhsvck.exe
        
        "C:\Windows\system32\wvuhsvck.exe"
        91⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\wiuvjqsk.exe
        
        "C:\Windows\system32\wiuvjqsk.exe"
        92⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\wlwq.exe
        
        "C:\Windows\system32\wlwq.exe"
        93⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\wcwcy.exe
        
        "C:\Windows\system32\wcwcy.exe"
        94⤵
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\wtsfne.exe
        
        "C:\Windows\system32\wtsfne.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\wlsous.exe
        
        "C:\Windows\system32\wlsous.exe"
        96⤵
        
        PID:896
        
        C:\Windows\SysWOW64\wstgt.exe
        
        "C:\Windows\system32\wstgt.exe"
        97⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\wwjsuk.exe
        
        "C:\Windows\system32\wwjsuk.exe"
        98⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\wtjyup.exe
        
        "C:\Windows\system32\wtjyup.exe"
        99⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\wnbrm.exe
        
        "C:\Windows\system32\wnbrm.exe"
        100⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\wchxmwpn.exe
        
        "C:\Windows\system32\wchxmwpn.exe"
        101⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\wgxkojnu.exe
        
        "C:\Windows\system32\wgxkojnu.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\wfbkeg.exe
        
        "C:\Windows\system32\wfbkeg.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\wofhqk.exe
        
        "C:\Windows\system32\wofhqk.exe"
        104⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\werdfyp.exe
        
        "C:\Windows\system32\werdfyp.exe"
        105⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\wrqpuu.exe
        
        "C:\Windows\system32\wrqpuu.exe"
        106⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\wcrsuq.exe
        
        "C:\Windows\system32\wcrsuq.exe"
        107⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wghgwes.exe
        
        "C:\Windows\system32\wghgwes.exe"
        108⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\wjjbe.exe
        
        "C:\Windows\system32\wjjbe.exe"
        109⤵
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\wpussyyd.exe
        
        "C:\Windows\system32\wpussyyd.exe"
        110⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\wuhvbjve.exe
        
        "C:\Windows\system32\wuhvbjve.exe"
        111⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\wedykx.exe
        
        "C:\Windows\system32\wedykx.exe"
        112⤵
        Drops file in System32 directory
        
        PID:268
        
        C:\Windows\SysWOW64\wwaof.exe
        
        "C:\Windows\system32\wwaof.exe"
        113⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\wrfxqjo.exe
        
        "C:\Windows\system32\wrfxqjo.exe"
        114⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\wmxqkm.exe
        
        "C:\Windows\system32\wmxqkm.exe"
        115⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\wewcra.exe
        
        "C:\Windows\system32\wewcra.exe"
        116⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\wnnijfba.exe
        
        "C:\Windows\system32\wnnijfba.exe"
        117⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\wuocjlm.exe
        
        "C:\Windows\system32\wuocjlm.exe"
        118⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\wmlexue.exe
        
        "C:\Windows\system32\wmlexue.exe"
        119⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\weqprggq.exe
        
        "C:\Windows\system32\weqprggq.exe"
        120⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\wqseievr.exe
        
        "C:\Windows\system32\wqseievr.exe"
        121⤵
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\wqyjlyg.exe
        
        "C:\Windows\system32\wqyjlyg.exe"
        122⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\wdywcu.exe
        
        "C:\Windows\system32\wdywcu.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\wxxebbu.exe
        
        "C:\Windows\system32\wxxebbu.exe"
        124⤵
        
        PID:928
        
        C:\Windows\SysWOW64\wiudn.exe
        
        "C:\Windows\system32\wiudn.exe"
        125⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\wujfxul.exe
        
        "C:\Windows\system32\wujfxul.exe"
        126⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\wymc.exe
        
        "C:\Windows\system32\wymc.exe"
        127⤵
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\wdxyq.exe
        
        "C:\Windows\system32\wdxyq.exe"
        128⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\wufklr.exe
        
        "C:\Windows\system32\wufklr.exe"
        129⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\wykmfe.exe
        
        "C:\Windows\system32\wykmfe.exe"
        130⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\wqqxbpr.exe
        
        "C:\Windows\system32\wqqxbpr.exe"
        131⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\wdrmqmh.exe
        
        "C:\Windows\system32\wdrmqmh.exe"
        132⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\wkhvjqky.exe
        
        "C:\Windows\system32\wkhvjqky.exe"
        133⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\wwhiamyx.exe
        
        "C:\Windows\system32\wwhiamyx.exe"
        134⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\wwyxjit.exe
        
        "C:\Windows\system32\wwyxjit.exe"
        135⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\wwfence.exe
        
        "C:\Windows\system32\wwfence.exe"
        136⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\wfhvm.exe
        
        "C:\Windows\system32\wfhvm.exe"
        137⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfence.exe"
        137⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyxjit.exe"
        136⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhiamyx.exe"
        135⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhvjqky.exe"
        134⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrmqmh.exe"
        133⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqxbpr.exe"
        132⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykmfe.exe"
        131⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wufklr.exe"
        130⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxyq.exe"
        129⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymc.exe"
        128⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujfxul.exe"
        127⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiudn.exe"
        126⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxebbu.exe"
        125⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdywcu.exe"
        124⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqyjlyg.exe"
        123⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqseievr.exe"
        122⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqprggq.exe"
        121⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmlexue.exe"
        120⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuocjlm.exe"
        119⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnnijfba.exe"
        118⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewcra.exe"
        117⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxqkm.exe"
        116⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfxqjo.exe"
        115⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwaof.exe"
        114⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedykx.exe"
        113⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhvbjve.exe"
        112⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpussyyd.exe"
        111⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjbe.exe"
        110⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghgwes.exe"
        109⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrsuq.exe"
        108⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqpuu.exe"
        107⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werdfyp.exe"
        106⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofhqk.exe"
        105⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbkeg.exe"
        104⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxkojnu.exe"
        103⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchxmwpn.exe"
        102⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbrm.exe"
        101⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjyup.exe"
        100⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjsuk.exe"
        99⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstgt.exe"
        98⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsous.exe"
        97⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsfne.exe"
        96⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwcy.exe"
        95⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwq.exe"
        94⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuvjqsk.exe"
        93⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuhsvck.exe"
        92⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wauatod.exe"
        91⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxkrgao.exe"
        90⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkcpey.exe"
        89⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtuxy.exe"
        88⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyhk.exe"
        87⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjbsvyn.exe"
        86⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wossarv.exe"
        85⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrbcmjj.exe"
        84⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccpyak.exe"
        83⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmhh.exe"
        82⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmxb.exe"
        81⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfpoek.exe"
        80⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weerfpbjk.exe"
        79⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroowt.exe"
        78⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoagyf.exe"
        77⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxsn.exe"
        76⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnxr.exe"
        75⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wytfw.exe"
        74⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlebne.exe"
        73⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdc.exe"
        72⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxldu.exe"
        71⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwrdqxv.exe"
        70⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhklm.exe"
        69⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\witamkh.exe"
        68⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werfewxjg.exe"
        67⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagcw.exe"
        66⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmenfp.exe"
        65⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusiany.exe"
        64⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfiabp.exe"
        63⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwtfn.exe"
        62⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfuwen.exe"
        61⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjmqceh.exe"
        60⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxkibg.exe"
        59⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlysr.exe"
        58⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wradfcdx.exe"
        57⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriou.exe"
        56⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskionhu.exe"
        55⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfgyx.exe"
        54⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxybvcg.exe"
        53⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxlgfrh.exe"
        52⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhaetr.exe"
        51⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqluxx.exe"
        50⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkl.exe"
        49⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtl.exe"
        48⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfvi.exe"
        47⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwroqnyye.exe"
        46⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkgfks.exe"
        45⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjogghc.exe"
        44⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolbru.exe"
        43⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlsjonq.exe"
        42⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijt.exe"
        41⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrjigvne.exe"
        40⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtatwjbws.exe"
        39⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcaiqwhim.exe"
        38⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkf.exe"
        37⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpkckmuk.exe"
        36⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxacxno.exe"
        35⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winpfh.exe"
        34⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgxbok.exe"
        33⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegosa.exe"
        32⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovuf.exe"
        31⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjprkyxjy.exe"
        30⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsex.exe"
        29⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woawcxgn.exe"
        28⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpihrdmw.exe"
        27⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwpmv.exe"
        26⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgfk.exe"
        25⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbixgpqm.exe"
        24⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqr.exe"
        23⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wej.exe"
        22⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxwit.exe"
        21⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wao.exe"
        20⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryhn.exe"
        19⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyrw.exe"
        18⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndpijqre.exe"
        17⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrq.exe"
        16⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbqkygfi.exe"
        15⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblkrtgi.exe"
        14⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtnr.exe"
        13⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnpfeao.exe"
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgklmmg.exe"
        11⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaxqbj.exe"
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfc.exe"
        9⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wta.exe"
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfuwi.exe"
        7⤵
        
        PID:568
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiy.exe"
        6⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmki.exe"
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjt.exe"
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbb.exe"
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\a789d85112422769a4e5bfd578aeb490_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PSWP3PAR.txt

Filesize
99B

MD5
bc81e3fdc0142496ec8a50ae2cbf85fb

SHA1
42c9859b3b83c8949d187c1906591c0b0f4ddacb

SHA256
bda1682bd9f104844e9d3ee0456bfe1f432179259c31c647edcd52e11441bfa7

SHA512
fe5943c5cb0ce65d4df4a49d6430a8111e4b693d7e56e5bbc0f323b7438630cb452f3d354387d3b847f04720451bfad07eb929c5cfe2615490df24544f733e63

Download Submit
\Windows\SysWOW64\wbb.exe

Filesize
82KB

MD5
cb0313d0faec3afd3220cea2900fa46c

SHA1
cbcc0fcee0e1676ea09c1d9dc1de1cee220066e4

SHA256
1164dee995d06b4198808680307551ef2af8a85b86753f81efa9d58b517f4efc

SHA512
955d5c2867391fe48db3d161c5f4511d978973930122f29e3916240cc8daa6bf21ac4d5deedafd12c94704e0f19beed3cee1ed9d4f5e040b27b8e13046105330

Download Submit
\Windows\SysWOW64\wbfuwi.exe

Filesize
82KB

MD5
2e06ada388688e4926211908d15b44d5

SHA1
1cd4660fdb706042f376adff2118f000e72f057e

SHA256
6350ce86c73f8a8b9a434d1a3ed084d782dcbca210ae94a79891b838ef4f0a4f

SHA512
87451376f92acf489d21f6be9e02c2b525fa5c557421d58bfaf100cb804fe35c3a20a8b035ac86ee26762d060fb579b1972a4f4706afaf7736fc53a7e7e08a31

Download Submit
\Windows\SysWOW64\wbnpfeao.exe

Filesize
82KB

MD5
6374c5883ba394cf3156c8ea1e0d2e34

SHA1
0b35cc676677d0fbb331a22fae2a64167fdca55d

SHA256
67b71a2ba7bcc957daad6f862feb999d1742121bcad8804d742d17095da2b049

SHA512
779abc4763e2236e07f9394b768ef948397e416e4a70b33e019975186895c6964092d5802dcf46b687117b196244cdd792ec032f5f6c624a2060a26382c42aad

Download Submit
\Windows\SysWOW64\wcgklmmg.exe

Filesize
82KB

MD5
68f2c452da4f5905195bed88606d0049

SHA1
411f966b4e4882959445d0a29a62ee02ddaa9257

SHA256
95ee4f1b6a4b1b054db9d05b2812a2824f393e83290302827f8cf91d2098faf4

SHA512
150b34244f80fa048bd37a415f98b4fbf88e4e1ca883749af3eb3b2652b16ecaae7480645e0a4d73ab8ed6411a6ec957622e6132d86a337205022719a56a0e71

Download Submit
\Windows\SysWOW64\wfc.exe

Filesize
82KB

MD5
bc94198e978dac95830e48c8aac1bf25

SHA1
cb3ba8d63da575850113669309a3cb37638fd580

SHA256
24c2a37f85cb05163dd4199c2cdf7f59847a815ecece0b4ea45c7c86dec7aaf7

SHA512
31ab5da0e4c92c44abc7146af6cbad6035849429323545cfa43a6bab9bbf3fbdc1cd4e63818fe7dce367e1d9928812131e45a48909105dffaf47154876727a3d

Download Submit
\Windows\SysWOW64\wiy.exe

Filesize
82KB

MD5
f2c91879a09335a75328a7a28a97a1bd

SHA1
97dd8889f5bc7caeb9397a8206f8bfb7f3d920d4

SHA256
b010374a4bc76a9f20e9870c26756f00eef6b95fc64f4eb2760ed9bdd7fa138a

SHA512
a2a947ca85367991b8147de8372952b07ef802526ea793817f11a5bae322a4458365d336ee86a89096f67c753aca80e66af058d0bdd6c65dcf37d1415feb48c0

Download Submit
\Windows\SysWOW64\wjaxqbj.exe

Filesize
82KB

MD5
aea71b1de716e7b1356bf3ff08000dc8

SHA1
38109cec5b09c7c86fbaaf14e0d8dcd269d948ef

SHA256
4e94d27fad1eecbef607036df90a674be618846117007a34d8431ddfe02294c1

SHA512
371c792056d2bbfbfe81aa81c1c96cbd034fc44a4667712b15b03eb77210d445712618d4e5955a353bfa67a9165bcd63fa2e20d6580f71e4430f78d7452d034b

Download Submit
\Windows\SysWOW64\wjt.exe

Filesize
82KB

MD5
68a5ca556bed40650a7f8aaa6d8ea488

SHA1
583c8d33a0a17043dae535973eebf9eb8abc2611

SHA256
8b10f565eb859a98537e013fb602c232b8cddadba7ab286bb3469148a83321f2

SHA512
02a3bc5bf99b95163de6a47e38632e47af015dd0487b623fe7a5c0d87d23d11bd8e93b498f5d56e46691a919612790c3ba21d5f5fac63df93965fcddb95b47e7

Download Submit
\Windows\SysWOW64\wmki.exe

Filesize
82KB

MD5
b9b1be40169d0f88d69aff1786267152

SHA1
8af3edacfbb146437214e62002903506ec67bc07

SHA256
f082eb29f31bf541947f4981f96bb5e8b34e723e9b29221eddaada47a8a1bee0

SHA512
5fdeda0e2a8c9c0b20c615e24ceb65a5c3554651c06b1f3dd96aea8cf1916c28b9fd2bc423fd6f70ac2f0223734c565f9561e79d8adec690c98f29ff567be8be

Download Submit
\Windows\SysWOW64\wta.exe

Filesize
82KB

MD5
269deee6226800c6b200a6c134e59510

SHA1
1beb1e6fb8b7e980baf145adfa8d6c47eb391ba3

SHA256
a96f21fc6392f3aea6dcbba14465ab590b6d8431a2c0f370f2a2718effa65c2a

SHA512
aaf396d4bd42fc77901f7ffeb6100e701eaaa24583c6e7fb7bcb1b85e1bbdc87310614b7a78273f2cfcd36e3a52f17ca7655a2aefbb15b73030c4c1cf937933d

Download Submit
memory/592-301-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/592-294-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/592-295-0x0000000003BB0000-0x0000000003BC7000-memory.dmp

Filesize
92KB

Download
memory/592-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/592-300-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1168-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1168-333-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1168-347-0x0000000002F60000-0x0000000002F77000-memory.dmp

Filesize
92KB

Download
memory/1168-348-0x0000000003040000-0x0000000003057000-memory.dmp

Filesize
92KB

Download
memory/1168-349-0x0000000003040000-0x0000000003057000-memory.dmp

Filesize
92KB

Download
memory/1168-350-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/1264-269-0x0000000003DC0000-0x0000000003DD7000-memory.dmp

Filesize
92KB

Download
memory/1264-266-0x0000000003DC0000-0x0000000003DD7000-memory.dmp

Filesize
92KB

Download
memory/1264-270-0x0000000003B90000-0x0000000003BA0000-memory.dmp

Filesize
64KB

Download
memory/1264-268-0x0000000003DC0000-0x0000000003DD7000-memory.dmp

Filesize
92KB

Download
memory/1264-263-0x0000000003DC0000-0x0000000003DD7000-memory.dmp

Filesize
92KB

Download
memory/1264-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1612-360-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/1612-365-0x0000000003C30000-0x0000000003C40000-memory.dmp

Filesize
64KB

Download
memory/1612-366-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1724-109-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/1724-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1724-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1724-110-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/1724-108-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/1724-113-0x0000000003B30000-0x0000000003B40000-memory.dmp

Filesize
64KB

Download
memory/1780-133-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/1780-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-125-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/1780-132-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/1856-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1856-167-0x0000000003810000-0x0000000003827000-memory.dmp

Filesize
92KB

Download
memory/1856-180-0x0000000003820000-0x0000000003837000-memory.dmp

Filesize
92KB

Download
memory/1856-179-0x0000000003820000-0x0000000003837000-memory.dmp

Filesize
92KB

Download
memory/1856-178-0x0000000003810000-0x0000000003827000-memory.dmp

Filesize
92KB

Download
memory/1856-184-0x0000000003820000-0x0000000003830000-memory.dmp

Filesize
64KB

Download
memory/1920-332-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/1920-334-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/1920-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-330-0x0000000003470000-0x0000000003487000-memory.dmp

Filesize
92KB

Download
memory/1920-331-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/2208-284-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/2208-285-0x0000000003A60000-0x0000000003A70000-memory.dmp

Filesize
64KB

Download
memory/2208-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2208-283-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/2236-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2236-17-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/2236-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2236-19-0x0000000003C30000-0x0000000003C40000-memory.dmp

Filesize
64KB

Download
memory/2240-207-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-224-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2452-311-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2452-318-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2452-316-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2452-317-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/2452-310-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2496-84-0x00000000037A0000-0x00000000037B7000-memory.dmp

Filesize
92KB

Download
memory/2496-86-0x0000000003C90000-0x0000000003CA7000-memory.dmp

Filesize
92KB

Download
memory/2496-85-0x0000000003C90000-0x0000000003CA7000-memory.dmp

Filesize
92KB

Download
memory/2496-90-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2496-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2532-223-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2532-237-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2532-236-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2532-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-379-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2588-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-374-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2588-380-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2668-251-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2668-250-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2668-252-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2668-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2668-253-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/2700-156-0x0000000003370000-0x0000000003387000-memory.dmp

Filesize
92KB

Download
memory/2700-155-0x0000000003370000-0x0000000003387000-memory.dmp

Filesize
92KB

Download
memory/2700-154-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/2700-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2700-159-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/2700-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-38-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2816-43-0x0000000003B30000-0x0000000003B40000-memory.dmp

Filesize
64KB

Download
memory/2816-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-39-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2936-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2936-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2936-51-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/2936-62-0x0000000003AC0000-0x0000000003AD7000-memory.dmp

Filesize
92KB

Download
memory/2936-63-0x0000000003AC0000-0x0000000003AD7000-memory.dmp

Filesize
92KB

Download
memory/2936-66-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

Filesize
64KB

Download
memory/3056-183-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3056-202-0x0000000003D80000-0x0000000003D97000-memory.dmp

Filesize
92KB

Download
memory/3056-201-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/3056-208-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

Filesize
64KB

Download
memory/3056-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download