c11d9779a1a2a843f258178d6f8b57b739382db3486ab655e90a1a86f07ba4e3

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe
Size

316KB
MD5

06876b683169a8e631eafe49ad0ab020
SHA1

68b618e0bed354d693e20c0556f01dc651191b20
SHA256

c11d9779a1a2a843f258178d6f8b57b739382db3486ab655e90a1a86f07ba4e3
SHA512

d44f17b138e95faa7f7546e37f2b1d102e73681e21f4628f5e6f055b4a86511702a029cccafb002349f4fccdec4b00535f0b31f9aea2d2c4de448d0a266cefc9
SSDEEP

3072:mYUb5QoJ4g+LsP9iGqT8ZjKIz1ZdW4SrOLVSVpe1GhpSBfmz:mY699qT8hKSZI4zLVSVpe1GvOfM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2560 cmd.exe

pid	process
2560	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

wkgn.exewlbvr.exewkvsviim.exewtaqhl.exewgmofjagd.exewrct.exewfqxxbk.exewceu.exewdvlo.exewgam.exewpc.exewxrl.exewnrwi.exewfsgp.exewaqonxi.exewtbft.exewtlsqbe.exewswgnyp.exewjkfpm.exewikie.exewhfgihwx.exewasgi.exewtmlu.exewqahldj.exewhhfyr.exewgkqi.exewaofba.exewqve.exewgaxoglkx.exewoxtn.exewedloeqap.exewpvardyq.exewjds.exewjpnnkr.exewxjxhb.exewhhsfhm.exewwbbyvw.exewvoxqwlac.exewlvv.exewgnaq.exewvstrlyel.exewqkxds.exewfehw.exewwwpr.exewifrmx.exewghew.exewoqjc.exewlfftetex.exewdxnmtfi.exewtf.exeweywejnov.exewarcpp.exewsurhye.exewjtfgj.exewdm.exewpfwuq.exewjxcgx.exewycuhp.exewpksv.exewjninm.exeweg.exewax.exewoq.exewmlbymwbs.exe

pid	process
2924	wkgn.exe
2652	wlbvr.exe
820	wkvsviim.exe
684	wtaqhl.exe
2224	wgmofjagd.exe
1120	wrct.exe
1156	wfqxxbk.exe
1056	wceu.exe
1752	wdvlo.exe
2012	wgam.exe
2648	wpc.exe
3052	wxrl.exe
2232	wnrwi.exe
324	wfsgp.exe
2820	waqonxi.exe
2952	wtbft.exe
1636	wtlsqbe.exe
1164	wswgnyp.exe
2376	wjkfpm.exe
1748	wikie.exe
2556	whfgihwx.exe
1648	wasgi.exe
1800	wtmlu.exe
1828	wqahldj.exe
2980	whhfyr.exe
608	wgkqi.exe
2288	waofba.exe
2972	wqve.exe
2712	wgaxoglkx.exe
2868	woxtn.exe
1688	wedloeqap.exe
880	wpvardyq.exe
684	wjds.exe
1376	wjpnnkr.exe
1996	wxjxhb.exe
912	whhsfhm.exe
2864	wwbbyvw.exe
2660	wvoxqwlac.exe
292	wlvv.exe
2316	wgnaq.exe
784	wvstrlyel.exe
1696	wqkxds.exe
748	wfehw.exe
1560	wwwpr.exe
3032	wifrmx.exe
1824	wghew.exe
2964	woqjc.exe
2308	wlfftetex.exe
2364	wdxnmtfi.exe
2016	wtf.exe
1832	weywejnov.exe
2272	warcpp.exe
2816	wsurhye.exe
2116	wjtfgj.exe
1752	wdm.exe
2956	wpfwuq.exe
596	wjxcgx.exe
2896	wycuhp.exe
1116	wpksv.exe
1012	wjninm.exe
2232	weg.exe
1576	wax.exe
1056	woq.exe
3024	wmlbymwbs.exe

Loads dropped DLL 64 IoCs

Processes:

06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exewkgn.exewlbvr.exewkvsviim.exewtaqhl.exewgmofjagd.exewrct.exewfqxxbk.exewceu.exewdvlo.exewgam.exeWerFault.exewpc.exewxrl.exewnrwi.exewfsgp.exe

pid	process
2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe
2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe
2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe
2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe
2924	wkgn.exe
2924	wkgn.exe
2924	wkgn.exe
2924	wkgn.exe
2652	wlbvr.exe
2652	wlbvr.exe
2652	wlbvr.exe
2652	wlbvr.exe
820	wkvsviim.exe
820	wkvsviim.exe
820	wkvsviim.exe
820	wkvsviim.exe
684	wtaqhl.exe
684	wtaqhl.exe
684	wtaqhl.exe
684	wtaqhl.exe
2224	wgmofjagd.exe
2224	wgmofjagd.exe
2224	wgmofjagd.exe
2224	wgmofjagd.exe
1120	wrct.exe
1120	wrct.exe
1120	wrct.exe
1120	wrct.exe
1156	wfqxxbk.exe
1156	wfqxxbk.exe
1156	wfqxxbk.exe
1156	wfqxxbk.exe
1056	wceu.exe
1056	wceu.exe
1056	wceu.exe
1056	wceu.exe
1752	wdvlo.exe
1752	wdvlo.exe
1752	wdvlo.exe
1752	wdvlo.exe
2012	wgam.exe
2012	wgam.exe
2012	wgam.exe
2012	wgam.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2648	wpc.exe
2648	wpc.exe
2648	wpc.exe
2648	wpc.exe
3052	wxrl.exe
3052	wxrl.exe
3052	wxrl.exe
3052	wxrl.exe
2232	wnrwi.exe
2232	wnrwi.exe
2232	wnrwi.exe
2232	wnrwi.exe
324	wfsgp.exe
324	wfsgp.exe
324	wfsgp.exe
324	wfsgp.exe

Drops file in System32 directory 64 IoCs

Processes:

wikie.exewnclgpcxr.exewaqonxi.exewasgi.exewqnhnqpge.exewceu.exewcwgnb.exewpkjym.exeweywejnov.exewcfpvp.exewkhxiyjw.exewrub.exewgupsx.exewobmjlrm.exewjpnnkr.exewte.exewwtoptku.exewgwclcqvf.exewedloeqap.exewhfgihwx.exewhhsfhm.exewbgxsy.exewwfvi.exewgmofjagd.exewowe.exewdxnmtfi.exewbdney.exewoeupnegf.exewqqotwf.exewcsdig.exewwvwdx.exewgnaq.exewiraxv.exewknlelk.exewskuk.exewjkfpm.exewtbft.exewolpsou.exewltucg.exeweegqss.exewrfxyb.exewiwodppf.exewioexh.exewaykhuar.exewvgltaj.exewyahyiep.exewpc.exewfsgp.exewhhfyr.exewpvardyq.exewhwxt.exewrkcs.exewnrdbmpi.exewgam.exewdqhcovc.exewmftkxa.exewwwpr.exewifrmx.exewqkxds.exewjxcgx.exe

description	ioc	process
File created	C:\Windows\SysWOW64\whfgihwx.exe	wikie.exe
File created	C:\Windows\SysWOW64\wgupsx.exe	wnclgpcxr.exe
File opened for modification	C:\Windows\SysWOW64\wtbft.exe	waqonxi.exe
File created	C:\Windows\SysWOW64\wtmlu.exe	wasgi.exe
File opened for modification	C:\Windows\SysWOW64\wlemxy.exe	wqnhnqpge.exe
File created	C:\Windows\SysWOW64\wdvlo.exe	wceu.exe
File created	C:\Windows\SysWOW64\wsefasifx.exe	wcwgnb.exe
File created	C:\Windows\SysWOW64\wmfjsibl.exe	wpkjym.exe
File created	C:\Windows\SysWOW64\warcpp.exe	weywejnov.exe
File created	C:\Windows\SysWOW64\wjov.exe	wcfpvp.exe
File created	C:\Windows\SysWOW64\wubkkxr.exe	wkhxiyjw.exe
File created	C:\Windows\SysWOW64\wini.exe	wrub.exe
File opened for modification	C:\Windows\SysWOW64\wtocuvah.exe	wgupsx.exe
File created	C:\Windows\SysWOW64\wisqushgd.exe	wobmjlrm.exe
File created	C:\Windows\SysWOW64\wxjxhb.exe	wjpnnkr.exe
File opened for modification	C:\Windows\SysWOW64\wrspyc.exe	wte.exe
File opened for modification	C:\Windows\SysWOW64\wmnwkjv.exe	wwtoptku.exe
File created	C:\Windows\SysWOW64\wbogwk.exe	wgwclcqvf.exe
File opened for modification	C:\Windows\SysWOW64\wpvardyq.exe	wedloeqap.exe
File opened for modification	C:\Windows\SysWOW64\wasgi.exe	whfgihwx.exe
File opened for modification	C:\Windows\SysWOW64\wwbbyvw.exe	whhsfhm.exe
File created	C:\Windows\SysWOW64\wioexh.exe	wbgxsy.exe
File created	C:\Windows\SysWOW64\wlemxy.exe	wqnhnqpge.exe
File created	C:\Windows\SysWOW64\wowe.exe	wwfvi.exe
File opened for modification	C:\Windows\SysWOW64\wrct.exe	wgmofjagd.exe
File opened for modification	C:\Windows\SysWOW64\warqfv.exe	wowe.exe
File opened for modification	C:\Windows\SysWOW64\wtf.exe	wdxnmtfi.exe
File opened for modification	C:\Windows\SysWOW64\wrwuyp.exe	wbdney.exe
File created	C:\Windows\SysWOW64\wbm.exe	woeupnegf.exe
File created	C:\Windows\SysWOW64\wntaex.exe	wqqotwf.exe
File created	C:\Windows\SysWOW64\wrkmcwtrj.exe	wcsdig.exe
File created	C:\Windows\SysWOW64\woeupnegf.exe	wwvwdx.exe
File created	C:\Windows\SysWOW64\wvstrlyel.exe	wgnaq.exe
File created	C:\Windows\SysWOW64\whgvovhvq.exe	wiraxv.exe
File created	C:\Windows\SysWOW64\wskuk.exe	wknlelk.exe
File opened for modification	C:\Windows\SysWOW64\wjrsycv.exe	wskuk.exe
File created	C:\Windows\SysWOW64\wikie.exe	wjkfpm.exe
File opened for modification	C:\Windows\SysWOW64\wtlsqbe.exe	wtbft.exe
File created	C:\Windows\SysWOW64\wiftfwk.exe	wolpsou.exe
File created	C:\Windows\SysWOW64\wkvfl.exe	wltucg.exe
File created	C:\Windows\SysWOW64\wqnhnqpge.exe	weegqss.exe
File opened for modification	C:\Windows\SysWOW64\wcylc.exe	wrfxyb.exe
File opened for modification	C:\Windows\SysWOW64\wcosqwean.exe	wiwodppf.exe
File opened for modification	C:\Windows\SysWOW64\whroh.exe	wioexh.exe
File opened for modification	C:\Windows\SysWOW64\wmrxkuh.exe	waykhuar.exe
File created	C:\Windows\SysWOW64\wionp.exe	wvgltaj.exe
File created	C:\Windows\SysWOW64\wltucg.exe	wyahyiep.exe
File opened for modification	C:\Windows\SysWOW64\wxrl.exe	wpc.exe
File opened for modification	C:\Windows\SysWOW64\waqonxi.exe	wfsgp.exe
File opened for modification	C:\Windows\SysWOW64\wgkqi.exe	whhfyr.exe
File opened for modification	C:\Windows\SysWOW64\wjds.exe	wpvardyq.exe
File opened for modification	C:\Windows\SysWOW64\wwfvi.exe	whwxt.exe
File opened for modification	C:\Windows\SysWOW64\wiott.exe	wrkcs.exe
File created	C:\Windows\SysWOW64\wfkmvccn.exe	wnrdbmpi.exe
File opened for modification	C:\Windows\SysWOW64\wpc.exe	wgam.exe
File created	C:\Windows\SysWOW64\wsjqwehf.exe	wdqhcovc.exe
File created	C:\Windows\SysWOW64\wdxcf.exe	wmftkxa.exe
File opened for modification	C:\Windows\SysWOW64\wifrmx.exe	wwwpr.exe
File opened for modification	C:\Windows\SysWOW64\wghew.exe	wifrmx.exe
File created	C:\Windows\SysWOW64\wfehw.exe	wqkxds.exe
File opened for modification	C:\Windows\SysWOW64\wycuhp.exe	wjxcgx.exe
File created	C:\Windows\SysWOW64\wcosqwean.exe	wiwodppf.exe
File created	C:\Windows\SysWOW64\wxrl.exe	wpc.exe
File created	C:\Windows\SysWOW64\wtlsqbe.exe	wtbft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2888	2012	WerFault.exe	wgam.exe
2880	324	WerFault.exe	wfsgp.exe
2128	1832	WerFault.exe	weywejnov.exe
2088	1700	WerFault.exe	wkhxiyjw.exe
348	2728	WerFault.exe	wjrksjiw.exe
628	412	WerFault.exe	wkvfl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exewkgn.exewlbvr.exewkvsviim.exewtaqhl.exewgmofjagd.exewrct.exewfqxxbk.exe

description	pid	process	target process
PID 2064 wrote to memory of 2924	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	wkgn.exe
PID 2064 wrote to memory of 2924	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	wkgn.exe
PID 2064 wrote to memory of 2924	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	wkgn.exe
PID 2064 wrote to memory of 2924	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	wkgn.exe
PID 2064 wrote to memory of 2560	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	cmd.exe
PID 2064 wrote to memory of 2560	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	cmd.exe
PID 2064 wrote to memory of 2560	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	cmd.exe
PID 2064 wrote to memory of 2560	2064	06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe	cmd.exe
PID 2924 wrote to memory of 2652	2924	wkgn.exe	wlbvr.exe
PID 2924 wrote to memory of 2652	2924	wkgn.exe	wlbvr.exe
PID 2924 wrote to memory of 2652	2924	wkgn.exe	wlbvr.exe
PID 2924 wrote to memory of 2652	2924	wkgn.exe	wlbvr.exe
PID 2924 wrote to memory of 2624	2924	wkgn.exe	cmd.exe
PID 2924 wrote to memory of 2624	2924	wkgn.exe	cmd.exe
PID 2924 wrote to memory of 2624	2924	wkgn.exe	cmd.exe
PID 2924 wrote to memory of 2624	2924	wkgn.exe	cmd.exe
PID 2652 wrote to memory of 820	2652	wlbvr.exe	wkvsviim.exe
PID 2652 wrote to memory of 820	2652	wlbvr.exe	wkvsviim.exe
PID 2652 wrote to memory of 820	2652	wlbvr.exe	wkvsviim.exe
PID 2652 wrote to memory of 820	2652	wlbvr.exe	wkvsviim.exe
PID 2652 wrote to memory of 2608	2652	wlbvr.exe	cmd.exe
PID 2652 wrote to memory of 2608	2652	wlbvr.exe	cmd.exe
PID 2652 wrote to memory of 2608	2652	wlbvr.exe	cmd.exe
PID 2652 wrote to memory of 2608	2652	wlbvr.exe	cmd.exe
PID 820 wrote to memory of 684	820	wkvsviim.exe	wtaqhl.exe
PID 820 wrote to memory of 684	820	wkvsviim.exe	wtaqhl.exe
PID 820 wrote to memory of 684	820	wkvsviim.exe	wtaqhl.exe
PID 820 wrote to memory of 684	820	wkvsviim.exe	wtaqhl.exe
PID 820 wrote to memory of 1260	820	wkvsviim.exe	cmd.exe
PID 820 wrote to memory of 1260	820	wkvsviim.exe	cmd.exe
PID 820 wrote to memory of 1260	820	wkvsviim.exe	cmd.exe
PID 820 wrote to memory of 1260	820	wkvsviim.exe	cmd.exe
PID 684 wrote to memory of 2224	684	wtaqhl.exe	wgmofjagd.exe
PID 684 wrote to memory of 2224	684	wtaqhl.exe	wgmofjagd.exe
PID 684 wrote to memory of 2224	684	wtaqhl.exe	wgmofjagd.exe
PID 684 wrote to memory of 2224	684	wtaqhl.exe	wgmofjagd.exe
PID 684 wrote to memory of 2856	684	wtaqhl.exe	cmd.exe
PID 684 wrote to memory of 2856	684	wtaqhl.exe	cmd.exe
PID 684 wrote to memory of 2856	684	wtaqhl.exe	cmd.exe
PID 684 wrote to memory of 2856	684	wtaqhl.exe	cmd.exe
PID 2224 wrote to memory of 1120	2224	wgmofjagd.exe	wrct.exe
PID 2224 wrote to memory of 1120	2224	wgmofjagd.exe	wrct.exe
PID 2224 wrote to memory of 1120	2224	wgmofjagd.exe	wrct.exe
PID 2224 wrote to memory of 1120	2224	wgmofjagd.exe	wrct.exe
PID 2224 wrote to memory of 2276	2224	wgmofjagd.exe	cmd.exe
PID 2224 wrote to memory of 2276	2224	wgmofjagd.exe	cmd.exe
PID 2224 wrote to memory of 2276	2224	wgmofjagd.exe	cmd.exe
PID 2224 wrote to memory of 2276	2224	wgmofjagd.exe	cmd.exe
PID 1120 wrote to memory of 1156	1120	wrct.exe	wfqxxbk.exe
PID 1120 wrote to memory of 1156	1120	wrct.exe	wfqxxbk.exe
PID 1120 wrote to memory of 1156	1120	wrct.exe	wfqxxbk.exe
PID 1120 wrote to memory of 1156	1120	wrct.exe	wfqxxbk.exe
PID 1120 wrote to memory of 1576	1120	wrct.exe	cmd.exe
PID 1120 wrote to memory of 1576	1120	wrct.exe	cmd.exe
PID 1120 wrote to memory of 1576	1120	wrct.exe	cmd.exe
PID 1120 wrote to memory of 1576	1120	wrct.exe	cmd.exe
PID 1156 wrote to memory of 1056	1156	wfqxxbk.exe	wceu.exe
PID 1156 wrote to memory of 1056	1156	wfqxxbk.exe	wceu.exe
PID 1156 wrote to memory of 1056	1156	wfqxxbk.exe	wceu.exe
PID 1156 wrote to memory of 1056	1156	wfqxxbk.exe	wceu.exe
PID 1156 wrote to memory of 1932	1156	wfqxxbk.exe	cmd.exe
PID 1156 wrote to memory of 1932	1156	wfqxxbk.exe	cmd.exe
PID 1156 wrote to memory of 1932	1156	wfqxxbk.exe	cmd.exe
PID 1156 wrote to memory of 1932	1156	wfqxxbk.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\wkgn.exe
  "C:\Windows\system32\wkgn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\wlbvr.exe
    "C:\Windows\system32\wlbvr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\wkvsviim.exe
      "C:\Windows\system32\wkvsviim.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\SysWOW64\wtaqhl.exe
        
        "C:\Windows\system32\wtaqhl.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\SysWOW64\wgmofjagd.exe
        
        "C:\Windows\system32\wgmofjagd.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\wrct.exe
        
        "C:\Windows\system32\wrct.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\wfqxxbk.exe
        
        "C:\Windows\system32\wfqxxbk.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\wceu.exe
        
        "C:\Windows\system32\wceu.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\wdvlo.exe
        
        "C:\Windows\system32\wdvlo.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1752
        
        C:\Windows\SysWOW64\wgam.exe
        
        "C:\Windows\system32\wgam.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\wpc.exe
        
        "C:\Windows\system32\wpc.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\wxrl.exe
        
        "C:\Windows\system32\wxrl.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3052
        
        C:\Windows\SysWOW64\wnrwi.exe
        
        "C:\Windows\system32\wnrwi.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2232
        
        C:\Windows\SysWOW64\wfsgp.exe
        
        "C:\Windows\system32\wfsgp.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\waqonxi.exe
        
        "C:\Windows\system32\waqonxi.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\wtbft.exe
        
        "C:\Windows\system32\wtbft.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\wtlsqbe.exe
        
        "C:\Windows\system32\wtlsqbe.exe"
        18⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\wswgnyp.exe
        
        "C:\Windows\system32\wswgnyp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\wjkfpm.exe
        
        "C:\Windows\system32\wjkfpm.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\wikie.exe
        
        "C:\Windows\system32\wikie.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\whfgihwx.exe
        
        "C:\Windows\system32\whfgihwx.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\wasgi.exe
        
        "C:\Windows\system32\wasgi.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\wtmlu.exe
        
        "C:\Windows\system32\wtmlu.exe"
        24⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\wqahldj.exe
        
        "C:\Windows\system32\wqahldj.exe"
        25⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\whhfyr.exe
        
        "C:\Windows\system32\whhfyr.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\wgkqi.exe
        
        "C:\Windows\system32\wgkqi.exe"
        27⤵
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\SysWOW64\waofba.exe
        
        "C:\Windows\system32\waofba.exe"
        28⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\wqve.exe
        
        "C:\Windows\system32\wqve.exe"
        29⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\wgaxoglkx.exe
        
        "C:\Windows\system32\wgaxoglkx.exe"
        30⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\woxtn.exe
        
        "C:\Windows\system32\woxtn.exe"
        31⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\wedloeqap.exe
        
        "C:\Windows\system32\wedloeqap.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wpvardyq.exe
        
        "C:\Windows\system32\wpvardyq.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\wjds.exe
        
        "C:\Windows\system32\wjds.exe"
        34⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\wjpnnkr.exe
        
        "C:\Windows\system32\wjpnnkr.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\wxjxhb.exe
        
        "C:\Windows\system32\wxjxhb.exe"
        36⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\whhsfhm.exe
        
        "C:\Windows\system32\whhsfhm.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\wwbbyvw.exe
        
        "C:\Windows\system32\wwbbyvw.exe"
        38⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\wvoxqwlac.exe
        
        "C:\Windows\system32\wvoxqwlac.exe"
        39⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\wlvv.exe
        
        "C:\Windows\system32\wlvv.exe"
        40⤵
        Executes dropped EXE
        
        PID:292
        
        C:\Windows\SysWOW64\wgnaq.exe
        
        "C:\Windows\system32\wgnaq.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\wvstrlyel.exe
        
        "C:\Windows\system32\wvstrlyel.exe"
        42⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\wqkxds.exe
        
        "C:\Windows\system32\wqkxds.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\wfehw.exe
        
        "C:\Windows\system32\wfehw.exe"
        44⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\wwwpr.exe
        
        "C:\Windows\system32\wwwpr.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\wifrmx.exe
        
        "C:\Windows\system32\wifrmx.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\wghew.exe
        
        "C:\Windows\system32\wghew.exe"
        47⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\woqjc.exe
        
        "C:\Windows\system32\woqjc.exe"
        48⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\wlfftetex.exe
        
        "C:\Windows\system32\wlfftetex.exe"
        49⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\wdxnmtfi.exe
        
        "C:\Windows\system32\wdxnmtfi.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\wtf.exe
        
        "C:\Windows\system32\wtf.exe"
        51⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\weywejnov.exe
        
        "C:\Windows\system32\weywejnov.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\warcpp.exe
        
        "C:\Windows\system32\warcpp.exe"
        53⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\wsurhye.exe
        
        "C:\Windows\system32\wsurhye.exe"
        54⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\wjtfgj.exe
        
        "C:\Windows\system32\wjtfgj.exe"
        55⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\wdm.exe
        
        "C:\Windows\system32\wdm.exe"
        56⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\wpfwuq.exe
        
        "C:\Windows\system32\wpfwuq.exe"
        57⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\wjxcgx.exe
        
        "C:\Windows\system32\wjxcgx.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:596
        
        C:\Windows\SysWOW64\wycuhp.exe
        
        "C:\Windows\system32\wycuhp.exe"
        59⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\wpksv.exe
        
        "C:\Windows\system32\wpksv.exe"
        60⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\wjninm.exe
        
        "C:\Windows\system32\wjninm.exe"
        61⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\weg.exe
        
        "C:\Windows\system32\weg.exe"
        62⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\wax.exe
        
        "C:\Windows\system32\wax.exe"
        63⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\woq.exe
        
        "C:\Windows\system32\woq.exe"
        64⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\wmlbymwbs.exe
        
        "C:\Windows\system32\wmlbymwbs.exe"
        65⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\wlnnimax.exe
        
        "C:\Windows\system32\wlnnimax.exe"
        66⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\wswsmtuk.exe
        
        "C:\Windows\system32\wswsmtuk.exe"
        67⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\wbgxsy.exe
        
        "C:\Windows\system32\wbgxsy.exe"
        68⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\wioexh.exe
        
        "C:\Windows\system32\wioexh.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\whroh.exe
        
        "C:\Windows\system32\whroh.exe"
        70⤵
        
        PID:356
        
        C:\Windows\SysWOW64\wobun.exe
        
        "C:\Windows\system32\wobun.exe"
        71⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\wiraxv.exe
        
        "C:\Windows\system32\wiraxv.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\whgvovhvq.exe
        
        "C:\Windows\system32\whgvovhvq.exe"
        73⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\wxot.exe
        
        "C:\Windows\system32\wxot.exe"
        74⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\wnsmdcfh.exe
        
        "C:\Windows\system32\wnsmdcfh.exe"
        75⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\wha.exe
        
        "C:\Windows\system32\wha.exe"
        76⤵
        
        PID:800
        
        C:\Windows\SysWOW64\wys.exe
        
        "C:\Windows\system32\wys.exe"
        77⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\wvgltaj.exe
        
        "C:\Windows\system32\wvgltaj.exe"
        78⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\wionp.exe
        
        "C:\Windows\system32\wionp.exe"
        79⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\wcsdig.exe
        
        "C:\Windows\system32\wcsdig.exe"
        80⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\wrkmcwtrj.exe
        
        "C:\Windows\system32\wrkmcwtrj.exe"
        81⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\wneqne.exe
        
        "C:\Windows\system32\wneqne.exe"
        82⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\wpme.exe
        
        "C:\Windows\system32\wpme.exe"
        83⤵
        
        PID:788
        
        C:\Windows\SysWOW64\wcfpvp.exe
        
        "C:\Windows\system32\wcfpvp.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\wjov.exe
        
        "C:\Windows\system32\wjov.exe"
        85⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\whqhjveaq.exe
        
        "C:\Windows\system32\whqhjveaq.exe"
        86⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\wpa.exe
        
        "C:\Windows\system32\wpa.exe"
        87⤵
        
        PID:280
        
        C:\Windows\SysWOW64\weegqss.exe
        
        "C:\Windows\system32\weegqss.exe"
        88⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\wqnhnqpge.exe
        
        "C:\Windows\system32\wqnhnqpge.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wlemxy.exe
        
        "C:\Windows\system32\wlemxy.exe"
        90⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\wkhxiyjw.exe
        
        "C:\Windows\system32\wkhxiyjw.exe"
        91⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wubkkxr.exe
        
        "C:\Windows\system32\wubkkxr.exe"
        92⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\whjmiuoo.exe
        
        "C:\Windows\system32\whjmiuoo.exe"
        93⤵
        
        PID:560
        
        C:\Windows\SysWOW64\wcbrs.exe
        
        "C:\Windows\system32\wcbrs.exe"
        94⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\wrub.exe
        
        "C:\Windows\system32\wrub.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wini.exe
        
        "C:\Windows\system32\wini.exe"
        96⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\wxrcjbxj.exe
        
        "C:\Windows\system32\wxrcjbxj.exe"
        97⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\wskhuhndm.exe
        
        "C:\Windows\system32\wskhuhndm.exe"
        98⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\wnclgpcxr.exe
        
        "C:\Windows\system32\wnclgpcxr.exe"
        99⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\wgupsx.exe
        
        "C:\Windows\system32\wgupsx.exe"
        100⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\wtocuvah.exe
        
        "C:\Windows\system32\wtocuvah.exe"
        101⤵
        
        PID:696
        
        C:\Windows\SysWOW64\wjtuw.exe
        
        "C:\Windows\system32\wjtuw.exe"
        102⤵
        
        PID:952
        
        C:\Windows\SysWOW64\wfgfvokx.exe
        
        "C:\Windows\system32\wfgfvokx.exe"
        103⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\waykhuar.exe
        
        "C:\Windows\system32\waykhuar.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wmrxkuh.exe
        
        "C:\Windows\system32\wmrxkuh.exe"
        105⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\wbkgfks.exe
        
        "C:\Windows\system32\wbkgfks.exe"
        106⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\wvekqti.exe
        
        "C:\Windows\system32\wvekqti.exe"
        107⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\whwxt.exe
        
        "C:\Windows\system32\whwxt.exe"
        108⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\wwfvi.exe
        
        "C:\Windows\system32\wwfvi.exe"
        109⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\wowe.exe
        
        "C:\Windows\system32\wowe.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\warqfv.exe
        
        "C:\Windows\system32\warqfv.exe"
        111⤵
        
        PID:628
        
        C:\Windows\SysWOW64\wtiu.exe
        
        "C:\Windows\system32\wtiu.exe"
        112⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\wkooqtv.exe
        
        "C:\Windows\system32\wkooqtv.exe"
        113⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\wyhwmki.exe
        
        "C:\Windows\system32\wyhwmki.exe"
        114⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\wpnuaa.exe
        
        "C:\Windows\system32\wpnuaa.exe"
        115⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\wjrksjiw.exe
        
        "C:\Windows\system32\wjrksjiw.exe"
        116⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\wekpdqxq.exe
        
        "C:\Windows\system32\wekpdqxq.exe"
        117⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\wqsrbn.exe
        
        "C:\Windows\system32\wqsrbn.exe"
        118⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\whvlbf.exe
        
        "C:\Windows\system32\whvlbf.exe"
        119⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\wbopmn.exe
        
        "C:\Windows\system32\wbopmn.exe"
        120⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\wvgtxtw.exe
        
        "C:\Windows\system32\wvgtxtw.exe"
        121⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\wqqotwf.exe
        
        "C:\Windows\system32\wqqotwf.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\wntaex.exe
        
        "C:\Windows\system32\wntaex.exe"
        123⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\wivpvgk.exe
        
        "C:\Windows\system32\wivpvgk.exe"
        124⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\wqfubmc.exe
        
        "C:\Windows\system32\wqfubmc.exe"
        125⤵
        
        PID:820
        
        C:\Windows\SysWOW64\wte.exe
        
        "C:\Windows\system32\wte.exe"
        126⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\wrspyc.exe
        
        "C:\Windows\system32\wrspyc.exe"
        127⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\whlysr.exe
        
        "C:\Windows\system32\whlysr.exe"
        128⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\wcddfy.exe
        
        "C:\Windows\system32\wcddfy.exe"
        129⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\wrkcs.exe
        
        "C:\Windows\system32\wrkcs.exe"
        130⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\wiott.exe
        
        "C:\Windows\system32\wiott.exe"
        131⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\wchyfn.exe
        
        "C:\Windows\system32\wchyfn.exe"
        132⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\wobmjlrm.exe
        
        "C:\Windows\system32\wobmjlrm.exe"
        133⤵
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\wisqushgd.exe
        
        "C:\Windows\system32\wisqushgd.exe"
        134⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\wcwgnb.exe
        
        "C:\Windows\system32\wcwgnb.exe"
        135⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\wsefasifx.exe
        
        "C:\Windows\system32\wsefasifx.exe"
        136⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\wnwkmy.exe
        
        "C:\Windows\system32\wnwkmy.exe"
        137⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\wecbnq.exe
        
        "C:\Windows\system32\wecbnq.exe"
        138⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\wtuli.exe
        
        "C:\Windows\system32\wtuli.exe"
        139⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\wolpsou.exe
        
        "C:\Windows\system32\wolpsou.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\wiftfwk.exe
        
        "C:\Windows\system32\wiftfwk.exe"
        141⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\wcvapdy.exe
        
        "C:\Windows\system32\wcvapdy.exe"
        142⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\wfcghql.exe
        
        "C:\Windows\system32\wfcghql.exe"
        143⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\waicmx.exe
        
        "C:\Windows\system32\waicmx.exe"
        144⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\wwvwdx.exe
        
        "C:\Windows\system32\wwvwdx.exe"
        145⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\woeupnegf.exe
        
        "C:\Windows\system32\woeupnegf.exe"
        146⤵
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\wbm.exe
        
        "C:\Windows\system32\wbm.exe"
        147⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\wpfghc.exe
        
        "C:\Windows\system32\wpfghc.exe"
        148⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\wkitylp.exe
        
        "C:\Windows\system32\wkitylp.exe"
        149⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\wwrxvj.exe
        
        "C:\Windows\system32\wwrxvj.exe"
        150⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\wquloql.exe
        
        "C:\Windows\system32\wquloql.exe"
        151⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\wdnxr.exe
        
        "C:\Windows\system32\wdnxr.exe"
        152⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\wowbooq.exe
        
        "C:\Windows\system32\wowbooq.exe"
        153⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\wdojie.exe
        
        "C:\Windows\system32\wdojie.exe"
        154⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\wpivmd.exe
        
        "C:\Windows\system32\wpivmd.exe"
        155⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\wknlelk.exe
        
        "C:\Windows\system32\wknlelk.exe"
        156⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\wskuk.exe
        
        "C:\Windows\system32\wskuk.exe"
        157⤵
        Drops file in System32 directory
        
        PID:576
        
        C:\Windows\SysWOW64\wjrsycv.exe
        
        "C:\Windows\system32\wjrsycv.exe"
        158⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\weuhql.exe
        
        "C:\Windows\system32\weuhql.exe"
        159⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\wxxwisv.exe
        
        "C:\Windows\system32\wxxwisv.exe"
        160⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\wmqfck.exe
        
        "C:\Windows\system32\wmqfck.exe"
        161⤵
        
        PID:280
        
        C:\Windows\SysWOW64\wyahyiep.exe
        
        "C:\Windows\system32\wyahyiep.exe"
        162⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\wltucg.exe
        
        "C:\Windows\system32\wltucg.exe"
        163⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\wkvfl.exe
        
        "C:\Windows\system32\wkvfl.exe"
        164⤵
        
        PID:412
        
        C:\Windows\SysWOW64\wrelqn.exe
        
        "C:\Windows\system32\wrelqn.exe"
        165⤵
        
        PID:928
        
        C:\Windows\SysWOW64\winkecke.exe
        
        "C:\Windows\system32\winkecke.exe"
        166⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\whovndm.exe
        
        "C:\Windows\system32\whovndm.exe"
        167⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\wwtoptku.exe
        
        "C:\Windows\system32\wwtoptku.exe"
        168⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\wmnwkjv.exe
        
        "C:\Windows\system32\wmnwkjv.exe"
        169⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\wgfburk.exe
        
        "C:\Windows\system32\wgfburk.exe"
        170⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\wsmerphui.exe
        
        "C:\Windows\system32\wsmerphui.exe"
        171⤵
        
        PID:380
        
        C:\Windows\SysWOW64\wjfmlfsaw.exe
        
        "C:\Windows\system32\wjfmlfsaw.exe"
        172⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\wyyuhvfem.exe
        
        "C:\Windows\system32\wyyuhvfem.exe"
        173⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\wnrdbmpi.exe
        
        "C:\Windows\system32\wnrdbmpi.exe"
        174⤵
        Drops file in System32 directory
        
        PID:240
        
        C:\Windows\SysWOW64\wfkmvccn.exe
        
        "C:\Windows\system32\wfkmvccn.exe"
        175⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\wrfxyb.exe
        
        "C:\Windows\system32\wrfxyb.exe"
        176⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\wcylc.exe
        
        "C:\Windows\system32\wcylc.exe"
        177⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\wsfjpps.exe
        
        "C:\Windows\system32\wsfjpps.exe"
        178⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\wikbqgpd.exe
        
        "C:\Windows\system32\wikbqgpd.exe"
        179⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\wyqaeup.exe
        
        "C:\Windows\system32\wyqaeup.exe"
        180⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\wpkjym.exe
        
        "C:\Windows\system32\wpkjym.exe"
        181⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\wmfjsibl.exe
        
        "C:\Windows\system32\wmfjsibl.exe"
        182⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\wiwodppf.exe
        
        "C:\Windows\system32\wiwodppf.exe"
        183⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wcosqwean.exe
        
        "C:\Windows\system32\wcosqwean.exe"
        184⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wrtmrn.exe
        
        "C:\Windows\system32\wrtmrn.exe"
        185⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\wiblfccjr.exe
        
        "C:\Windows\system32\wiblfccjr.exe"
        186⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\wxfdg.exe
        
        "C:\Windows\system32\wxfdg.exe"
        187⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\wwipotc.exe
        
        "C:\Windows\system32\wwipotc.exe"
        188⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\wqasacqt.exe
        
        "C:\Windows\system32\wqasacqt.exe"
        189⤵
        
        PID:852
        
        C:\Windows\SysWOW64\wdivw.exe
        
        "C:\Windows\system32\wdivw.exe"
        190⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\waligasr.exe
        
        "C:\Windows\system32\waligasr.exe"
        191⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\wmftkxa.exe
        
        "C:\Windows\system32\wmftkxa.exe"
        192⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\wdxcf.exe
        
        "C:\Windows\system32\wdxcf.exe"
        193⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\wgwclcqvf.exe
        
        "C:\Windows\system32\wgwclcqvf.exe"
        194⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wbogwk.exe
        
        "C:\Windows\system32\wbogwk.exe"
        195⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\wqhnraqtb.exe
        
        "C:\Windows\system32\wqhnraqtb.exe"
        196⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\wlkeki.exe
        
        "C:\Windows\system32\wlkeki.exe"
        197⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\wbdney.exe
        
        "C:\Windows\system32\wbdney.exe"
        198⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\wrwuyp.exe
        
        "C:\Windows\system32\wrwuyp.exe"
        199⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\wdqhcovc.exe
        
        "C:\Windows\system32\wdqhcovc.exe"
        200⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwuyp.exe"
        200⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdney.exe"
        199⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkeki.exe"
        198⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhnraqtb.exe"
        197⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbogwk.exe"
        196⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwclcqvf.exe"
        195⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxcf.exe"
        194⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmftkxa.exe"
        193⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waligasr.exe"
        192⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdivw.exe"
        191⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqasacqt.exe"
        190⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwipotc.exe"
        189⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfdg.exe"
        188⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiblfccjr.exe"
        187⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtmrn.exe"
        186⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcosqwean.exe"
        185⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwodppf.exe"
        184⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfjsibl.exe"
        183⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkjym.exe"
        182⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqaeup.exe"
        181⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikbqgpd.exe"
        180⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsfjpps.exe"
        179⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcylc.exe"
        178⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfxyb.exe"
        177⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkmvccn.exe"
        176⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrdbmpi.exe"
        175⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyyuhvfem.exe"
        174⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfmlfsaw.exe"
        173⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmerphui.exe"
        172⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfburk.exe"
        171⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnwkjv.exe"
        170⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtoptku.exe"
        169⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whovndm.exe"
        168⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winkecke.exe"
        167⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrelqn.exe"
        166⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfl.exe"
        165⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 756
        165⤵
        Program crash
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltucg.exe"
        164⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyahyiep.exe"
        163⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqfck.exe"
        162⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxwisv.exe"
        161⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuhql.exe"
        160⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrsycv.exe"
        159⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskuk.exe"
        158⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknlelk.exe"
        157⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpivmd.exe"
        156⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdojie.exe"
        155⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowbooq.exe"
        154⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnxr.exe"
        153⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquloql.exe"
        152⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrxvj.exe"
        151⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkitylp.exe"
        150⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfghc.exe"
        149⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbm.exe"
        148⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woeupnegf.exe"
        147⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvwdx.exe"
        146⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waicmx.exe"
        145⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfcghql.exe"
        144⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvapdy.exe"
        143⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiftfwk.exe"
        142⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolpsou.exe"
        141⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtuli.exe"
        140⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecbnq.exe"
        139⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwkmy.exe"
        138⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsefasifx.exe"
        137⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwgnb.exe"
        136⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisqushgd.exe"
        135⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobmjlrm.exe"
        134⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchyfn.exe"
        133⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiott.exe"
        132⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkcs.exe"
        131⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcddfy.exe"
        130⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlysr.exe"
        129⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrspyc.exe"
        128⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wte.exe"
        127⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfubmc.exe"
        126⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivpvgk.exe"
        125⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntaex.exe"
        124⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqotwf.exe"
        123⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgtxtw.exe"
        122⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbopmn.exe"
        121⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvlbf.exe"
        120⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqsrbn.exe"
        119⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekpdqxq.exe"
        118⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrksjiw.exe"
        117⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 596
        117⤵
        Program crash
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnuaa.exe"
        116⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhwmki.exe"
        115⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkooqtv.exe"
        114⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtiu.exe"
        113⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warqfv.exe"
        112⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowe.exe"
        111⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfvi.exe"
        110⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwxt.exe"
        109⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvekqti.exe"
        108⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkgfks.exe"
        107⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrxkuh.exe"
        106⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waykhuar.exe"
        105⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgfvokx.exe"
        104⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtuw.exe"
        103⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtocuvah.exe"
        102⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgupsx.exe"
        101⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnclgpcxr.exe"
        100⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskhuhndm.exe"
        99⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrcjbxj.exe"
        98⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wini.exe"
        97⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrub.exe"
        96⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbrs.exe"
        95⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjmiuoo.exe"
        94⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubkkxr.exe"
        93⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhxiyjw.exe"
        92⤵
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 604
        92⤵
        Program crash
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlemxy.exe"
        91⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqnhnqpge.exe"
        90⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weegqss.exe"
        89⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpa.exe"
        88⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqhjveaq.exe"
        87⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjov.exe"
        86⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcfpvp.exe"
        85⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpme.exe"
        84⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wneqne.exe"
        83⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkmcwtrj.exe"
        82⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsdig.exe"
        81⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wionp.exe"
        80⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgltaj.exe"
        79⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wys.exe"
        78⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wha.exe"
        77⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsmdcfh.exe"
        76⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxot.exe"
        75⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgvovhvq.exe"
        74⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiraxv.exe"
        73⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobun.exe"
        72⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whroh.exe"
        71⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioexh.exe"
        70⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgxsy.exe"
        69⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswsmtuk.exe"
        68⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnnimax.exe"
        67⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmlbymwbs.exe"
        66⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woq.exe"
        65⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wax.exe"
        64⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weg.exe"
        63⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjninm.exe"
        62⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpksv.exe"
        61⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycuhp.exe"
        60⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxcgx.exe"
        59⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfwuq.exe"
        58⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdm.exe"
        57⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtfgj.exe"
        56⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsurhye.exe"
        55⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warcpp.exe"
        54⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weywejnov.exe"
        53⤵
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 588
        53⤵
        Program crash
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtf.exe"
        52⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxnmtfi.exe"
        51⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfftetex.exe"
        50⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqjc.exe"
        49⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghew.exe"
        48⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifrmx.exe"
        47⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwpr.exe"
        46⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfehw.exe"
        45⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkxds.exe"
        44⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvstrlyel.exe"
        43⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnaq.exe"
        42⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvv.exe"
        41⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoxqwlac.exe"
        40⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbbyvw.exe"
        39⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhsfhm.exe"
        38⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjxhb.exe"
        37⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpnnkr.exe"
        36⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjds.exe"
        35⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvardyq.exe"
        34⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedloeqap.exe"
        33⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxtn.exe"
        32⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgaxoglkx.exe"
        31⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqve.exe"
        30⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waofba.exe"
        29⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkqi.exe"
        28⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhfyr.exe"
        27⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqahldj.exe"
        26⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmlu.exe"
        25⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasgi.exe"
        24⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfgihwx.exe"
        23⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikie.exe"
        22⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkfpm.exe"
        21⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswgnyp.exe"
        20⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlsqbe.exe"
        19⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbft.exe"
        18⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqonxi.exe"
        17⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsgp.exe"
        16⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 852
        16⤵
        Program crash
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrwi.exe"
        15⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrl.exe"
        14⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpc.exe"
        13⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgam.exe"
        12⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 800
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvlo.exe"
        11⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wceu.exe"
        10⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqxxbk.exe"
        9⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrct.exe"
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmofjagd.exe"
        7⤵
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaqhl.exe"
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvsviim.exe"
        5⤵
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbvr.exe"
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgn.exe"
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\06876b683169a8e631eafe49ad0ab020_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WP6437GO.txt

Filesize
99B

MD5
9291096bfa90a85776662f5d4152253b

SHA1
6264f2d23cbae92eae2abe744d226abf6dfac750

SHA256
cabbb533f62860e86af52b9ae003f5d87ef28b416f6dd0cf46c533ac8c2ada69

SHA512
cab8375db88b7b4aaeaf6b5087365752e18bed71929b9094e42f0497d3c8c817c3563b6f997981302371a87bc213720f9b9ef5fb526dd652d08883f47dfddf37

Download Submit
\Windows\SysWOW64\wceu.exe

Filesize
316KB

MD5
411571535d1c8f48db59efe5ab6db606

SHA1
9c70ca390efa1de842df93838ad5390fc208918f

SHA256
fa7ca79b7612481ea62e51e268e9e3b4636bd0d88fcc9b43370c1cdaecaf7758

SHA512
c07af66e9b554361806b281e7e8cacef2f7fd744f6f10cd7773aa390e9cb8e2db5d5c55d2530dce9d1526fb1c9f414b575bfd27aa174ac82bc177ccc2e550fac

Download Submit
\Windows\SysWOW64\wdvlo.exe

Filesize
316KB

MD5
4c7983a8401c07fc55b406727b679f1f

SHA1
5343717e1e4f7c16563f56647b24b1e1131b5be1

SHA256
9ce8e1f5cd8b1e2cb9008c027b4a10374a5272936decbde2f151cdd10aa57188

SHA512
36a0f664c7159d203854576925cea9f9d92b4bca75971f98f8175363634158730c570a3cc518a46868804105f09b13a37ae13094b4233632e161e07fac2d3e58

Download Submit
\Windows\SysWOW64\wfqxxbk.exe

Filesize
316KB

MD5
6a6f2dcde623b4229ae5ac587cb5f5eb

SHA1
64ee0538775677338a891fa65af3619094f6db0c

SHA256
6f3747ef4de50496ed9b047d148c3a8e60d99cd53b53956a05923fd6f0202d2a

SHA512
a6a1e28851ba702c07cdabac65a8d6166c4fcffdb5ddd71ed44c43737c9fde35769a9b492516c8688c3e657b699013c8c6705df0b0b786f3b92107e0c9b9e483

Download Submit
\Windows\SysWOW64\wgam.exe

Filesize
316KB

MD5
8026838bbdc70eafed83cd37f883d7c5

SHA1
aba60c2f9e5f73504b5c065aef3a3b314619814b

SHA256
c055cf96e0d0677722b17a6c9f63f62e53ed4557134d8af2d37494f494df022e

SHA512
87885ffce640b1dbe5393e26f8303db5d8f48cb2ed18aec0acfd8923fcb1bdbbaead49c5db2a7ca49cba614ce4e534cf193179c5121efcacc0d7f9f98279efd5

Download Submit
\Windows\SysWOW64\wgmofjagd.exe

Filesize
316KB

MD5
f76764bb8dda5608547c849cc93b3e09

SHA1
c5e75fb34f4d782df17109052e3094c43639b22f

SHA256
2d51bd8b6c31fdd6e507ac457fc9998ab023c579a4ec8af9d98d3fc89d8c9bd2

SHA512
efee922ff2fd6f19b3478418f15dc0f777d3e070b6a27b4de710d4b77bf933ebb71162cc3912a775c4822b2c037e2136d004dcbe6c02b4b43fd62bbc47eee5e1

Download Submit
\Windows\SysWOW64\wkgn.exe

Filesize
316KB

MD5
d1dbfc17b959516495a7a94ace045a5c

SHA1
8c54e83b4aa8be692eabef947a55c8d7572c666f

SHA256
2fde31de6d3f556724ce2f5912a3a3bcb7d1c57d6e10a6be555c34186cff9ce0

SHA512
dc05c0f313d1178e1459174a12d02df218aeb655978c5e0e56b33f0ab4f0778ef102d5c9adeba3f9da3842b6a5465d87e6c8d6b5abb791621d44d12bb9275bf3

Download Submit
\Windows\SysWOW64\wkvsviim.exe

Filesize
316KB

MD5
0312a00ff4348230cbd9539e016ba54a

SHA1
5e6e10603b487f729e895d392455bb0e1ed974c7

SHA256
06e26435e01fd2652f6f1863e16c552ee19412aa64ff942f210ad24b236b25b1

SHA512
267aea89a2a146e129edbe1e1692814f52057594e36c28d4cd2c4b996097c00b785c214607dd0548f4a4593249b407bb21941e128041266a1cc6fbd7ee5e990d

Download Submit
\Windows\SysWOW64\wlbvr.exe

Filesize
316KB

MD5
0b965feded931a194c47f73d8f5eea1c

SHA1
131aa55cae5f2f12b47c28b46f97d12aad3f24be

SHA256
3d972e996c7ba56e842ce5ec89e69e1e92d70d8c43fd822b7132f12c2e5f7886

SHA512
36fff757c34eef98689b0bda34d7ce43f04997b84ed9f96ad10f37af6d2ac573d2aa7b581935b67235badb91028a73d5f69e983463e5f7225841c427908983e1

Download Submit
\Windows\SysWOW64\wpc.exe

Filesize
316KB

MD5
7ef969a52d42542bc9b94c1d3303db93

SHA1
157661d82934e799d5e169560992e9c009513d9f

SHA256
ab39cd0fc64682a41069e37e4549ff7c2ac0ae09511db5bcde8a16482baaa674

SHA512
eebf871b5fb30d775f16a894161d574bd9a0f620db95e31d5c6df6c6bc56b2d902b940560ee4a2cca96e4edff437d3c8d3a1f65c0644629dcb365be06f57e103

Download Submit
\Windows\SysWOW64\wrct.exe

Filesize
316KB

MD5
dff4bad27668bc7e7a7d94cc45dcbc24

SHA1
3333202a882d2431b2d7742b4a48776526638818

SHA256
175244497ce09ffe6b5a9f5e8e45797b859d9553e066fd247f0fa13f1e89918c

SHA512
cb24be09700e53e65b3b46d0246455774d107c19c797b120da2b051232ba9f18526b72a5dc0a08aa82fa37ca30be8832076dd32ed943b6145337c0e50c9fca70

Download Submit
\Windows\SysWOW64\wtaqhl.exe

Filesize
316KB

MD5
98d0b7239510569f7c89c278b57d7bfb

SHA1
c57fd350b2f41172a65b21f4e07f723e7e3be6eb

SHA256
281b2dcb14ddb01d4551e3aced380ce85ff9ee5e2c8ad6e4ca76da1e5d8c66b7

SHA512
72c27128b4174fe2c0107ac5e9f550578659e46b6083078d28e72c98bb42723164a7f7982359ed2a1f9eaaacbc736c4e5f29470ecd32396c351cee04cdb4aed1

Download Submit
memory/324-286-0x0000000003EC0000-0x0000000003EDE000-memory.dmp

Filesize
120KB

Download
memory/324-287-0x0000000003EC0000-0x0000000003EDE000-memory.dmp

Filesize
120KB

Download
memory/684-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/684-98-0x0000000003540000-0x000000000355E000-memory.dmp

Filesize
120KB

Download
memory/684-105-0x00000000035A0000-0x00000000035BE000-memory.dmp

Filesize
120KB

Download
memory/684-99-0x0000000003540000-0x000000000355E000-memory.dmp

Filesize
120KB

Download
memory/684-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-83-0x0000000003340000-0x000000000335E000-memory.dmp

Filesize
120KB

Download
memory/820-84-0x0000000003350000-0x000000000336E000-memory.dmp

Filesize
120KB

Download
memory/820-82-0x0000000003340000-0x000000000335E000-memory.dmp

Filesize
120KB

Download
memory/820-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1056-183-0x0000000003E90000-0x0000000003EAE000-memory.dmp

Filesize
120KB

Download
memory/1056-184-0x0000000003E90000-0x0000000003EAE000-memory.dmp

Filesize
120KB

Download
memory/1056-173-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1056-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1120-149-0x0000000004280000-0x000000000429E000-memory.dmp

Filesize
120KB

Download
memory/1120-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1120-142-0x0000000004180000-0x000000000419E000-memory.dmp

Filesize
120KB

Download
memory/1120-141-0x0000000004180000-0x000000000419E000-memory.dmp

Filesize
120KB

Download
memory/1120-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-163-0x00000000035F0000-0x000000000360E000-memory.dmp

Filesize
120KB

Download
memory/1156-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-157-0x00000000035F0000-0x000000000360E000-memory.dmp

Filesize
120KB

Download
memory/1156-169-0x00000000035F0000-0x000000000360E000-memory.dmp

Filesize
120KB

Download
memory/1156-170-0x00000000035F0000-0x000000000360E000-memory.dmp

Filesize
120KB

Download
memory/1164-343-0x0000000004020000-0x000000000403E000-memory.dmp

Filesize
120KB

Download
memory/1164-345-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1164-328-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1164-341-0x0000000004010000-0x000000000402E000-memory.dmp

Filesize
120KB

Download
memory/1164-342-0x0000000004010000-0x000000000402E000-memory.dmp

Filesize
120KB

Download
memory/1164-344-0x0000000004020000-0x000000000403E000-memory.dmp

Filesize
120KB

Download
memory/1208-2342-0x0000000077240000-0x000000007735F000-memory.dmp

Filesize
1.1MB

Download
memory/1208-2343-0x0000000077140000-0x000000007723A000-memory.dmp

Filesize
1000KB

Download
memory/1636-326-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/1636-329-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1636-325-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/1636-327-0x0000000003410000-0x000000000342E000-memory.dmp

Filesize
120KB

Download
memory/1648-404-0x0000000003730000-0x000000000374E000-memory.dmp

Filesize
120KB

Download
memory/1648-401-0x0000000003730000-0x000000000374E000-memory.dmp

Filesize
120KB

Download
memory/1648-402-0x0000000003730000-0x000000000374E000-memory.dmp

Filesize
120KB

Download
memory/1648-403-0x0000000003730000-0x000000000374E000-memory.dmp

Filesize
120KB

Download
memory/1648-406-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1748-359-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1748-372-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1752-193-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1752-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1752-213-0x0000000003EE0000-0x0000000003EFE000-memory.dmp

Filesize
120KB

Download
memory/1752-206-0x0000000003ED0000-0x0000000003EEE000-memory.dmp

Filesize
120KB

Download
memory/1800-419-0x0000000002490000-0x00000000024AE000-memory.dmp

Filesize
120KB

Download
memory/1800-405-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1800-418-0x0000000002490000-0x00000000024AE000-memory.dmp

Filesize
120KB

Download
memory/1800-420-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1828-435-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1828-433-0x00000000036D0000-0x00000000036EE000-memory.dmp

Filesize
120KB

Download
memory/1828-432-0x00000000036D0000-0x00000000036EE000-memory.dmp

Filesize
120KB

Download
memory/1828-434-0x0000000003C20000-0x0000000003C3E000-memory.dmp

Filesize
120KB

Download
memory/2012-232-0x0000000003520000-0x000000000353E000-memory.dmp

Filesize
120KB

Download
memory/2012-214-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-225-0x0000000003510000-0x000000000352E000-memory.dmp

Filesize
120KB

Download
memory/2064-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2064-11-0x00000000034A0000-0x00000000034BE000-memory.dmp

Filesize
120KB

Download
memory/2064-19-0x00000000034A0000-0x00000000034BE000-memory.dmp

Filesize
120KB

Download
memory/2064-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2064-12-0x00000000034A0000-0x00000000034BE000-memory.dmp

Filesize
120KB

Download
memory/2224-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2224-120-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2224-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-273-0x0000000003650000-0x000000000366E000-memory.dmp

Filesize
120KB

Download
memory/2376-358-0x00000000034D0000-0x00000000034EE000-memory.dmp

Filesize
120KB

Download
memory/2376-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2376-360-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2556-387-0x0000000003530000-0x000000000354E000-memory.dmp

Filesize
120KB

Download
memory/2556-389-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2556-373-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2556-386-0x0000000003520000-0x000000000353E000-memory.dmp

Filesize
120KB

Download
memory/2556-385-0x0000000003520000-0x000000000353E000-memory.dmp

Filesize
120KB

Download
memory/2556-388-0x0000000003530000-0x000000000354E000-memory.dmp

Filesize
120KB

Download
memory/2648-244-0x0000000003610000-0x000000000362E000-memory.dmp

Filesize
120KB

Download
memory/2648-245-0x0000000003610000-0x000000000362E000-memory.dmp

Filesize
120KB

Download
memory/2648-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2652-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2652-51-0x0000000004020000-0x000000000403E000-memory.dmp

Filesize
120KB

Download
memory/2652-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2820-300-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2820-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-45-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-42-0x0000000004010000-0x000000000402E000-memory.dmp

Filesize
120KB

Download
memory/2924-41-0x0000000004010000-0x000000000402E000-memory.dmp

Filesize
120KB

Download
memory/2924-43-0x0000000004120000-0x000000000413E000-memory.dmp

Filesize
120KB

Download
memory/2952-313-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2952-301-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2980-436-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3052-259-0x0000000003590000-0x00000000035AE000-memory.dmp

Filesize
120KB

Download
memory/3052-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3052-261-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3052-258-0x0000000003590000-0x00000000035AE000-memory.dmp

Filesize
120KB

Download