93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe
Size

93KB
MD5

565f6ac5f84bc7f85552f9235e6f6c6d
SHA1

e36f88ed23ba029715f73743667db83cc56d3cc2
SHA256

93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a
SHA512

ac12e1eabdd017fc337cda3e33b3adb6a38bc768ee6238811b763d49ee2d3e36d9479f1be412944542d95c7406e194f0d4bc511c3a9fbe565a085363f29f3ad5
SSDEEP

1536:xch3vwSbax3rHV6+HwsWGhG5JiBzQmVvHz:BHTrhWiBzQK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjnpr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvvbhsufu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmmyyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgmrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwjyj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wpmaenqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wobtnk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wybhdlxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtoheayp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wohnua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wxeypbjnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtyvorma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcuoojeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wygc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wdsyqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwpaht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvdelh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmpudng.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmkejgfsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnkpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnyinq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvnopbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbbme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcvvcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqoqvxxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wehdrjs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wdhwsnpn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wyxcmn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whnbixc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wuiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcajyxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wrmlrnwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlgpcko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wunmcn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwxjyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	woqhplo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wuvm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wountd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wryrhmr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wahvha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whwefu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wxcll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wfbxnitym.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlqxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwrpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wisqocgpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wignq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whyqc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wakddxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnluh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwfpgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlbkeluc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	woocpb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wifsex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcvfu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbglx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wagfk.exe

Executes dropped EXE 64 IoCs

pid	Process
3324	wbnfkg.exe
4792	wqoqvxxp.exe
4100	wpckfun.exe
2192	wvdn.exe
2188	wurhh.exe
3960	wutpky.exe
1956	wagfk.exe
1820	wildv.exe
4944	wvfm.exe
4740	wbyeguq.exe
1920	wsrjthfds.exe
372	wsfccdt.exe
2100	wnbnai.exe
4912	wwxjyo.exe
4484	walxa.exe
3892	wnipoy.exe
1516	wavxxv.exe
3036	wjo.exe
3096	wjnpr.exe
3848	whavkse.exe
4156	wdsyqv.exe
3324	wahvha.exe
2796	wbjdjums.exe
2056	wehdrjs.exe
4424	woqhplo.exe
4852	wide.exe
5108	wigm.exe
2932	wakddxd.exe
1124	wvnopbg.exe
2256	wwpx.exe
3144	wwpaht.exe
4296	whwefu.exe
3516	wkucnk.exe
4396	wtveyobnb.exe
1224	wwue.exe
816	wpokrosrc.exe
2100	wlrve.exe
4628	wtosdx.exe
4360	wybhdlxk.exe
3128	wlgafh.exe
1352	wdyhs.exe
3232	wmlsjxeml.exe
1060	wqwhlky.exe
3956	wtvhryc.exe
3320	wuyquuj.exe
4520	wiqyq.exe
4312	wqovpuckc.exe
2616	wdmmer.exe
2008	wxo.exe
2800	whdlh.exe
848	wuadxxy.exe
1708	wvwgvnf.exe
2576	wvja.exe
764	wrmlrnwc.exe
1528	wifsex.exe
2072	wuouawhb.exe
2204	wdafscgk.exe
228	wvtmgn.exe
2600	warlmcypf.exe
4020	wvtyxg.exe
3748	wmq.exe
5036	wtoheayp.exe
2100	wqqt.exe
2944	wqemxy.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wigm.exe	wide.exe
File opened for modification	C:\Windows\SysWOW64\wkucnk.exe	whwefu.exe
File created	C:\Windows\SysWOW64\wtoheayp.exe	wmq.exe
File created	C:\Windows\SysWOW64\wucgur.exe	wmpudng.exe
File created	C:\Windows\SysWOW64\wgmufoxrm.exe	wountd.exe
File created	C:\Windows\SysWOW64\wqqt.exe	wtoheayp.exe
File created	C:\Windows\SysWOW64\whnbixc.exe	wpkkolde.exe
File created	C:\Windows\SysWOW64\wmfmqg.exe	wwjyj.exe
File opened for modification	C:\Windows\SysWOW64\whyqc.exe	wqdctu.exe
File opened for modification	C:\Windows\SysWOW64\welvcsw.exe	wwykkma.exe
File created	C:\Windows\SysWOW64\whey.exe	whrfwk.exe
File created	C:\Windows\SysWOW64\wikq.exe	wdvcthyt.exe
File created	C:\Windows\SysWOW64\wnrq.exe	wipljr.exe
File created	C:\Windows\SysWOW64\wjhy.exe	wtaaeaplg.exe
File opened for modification	C:\Windows\SysWOW64\wnbnai.exe	wsfccdt.exe
File created	C:\Windows\SysWOW64\wdyhs.exe	wlgafh.exe
File opened for modification	C:\Windows\SysWOW64\wtvhryc.exe	wqwhlky.exe
File created	C:\Windows\SysWOW64\wqemxy.exe	wqqt.exe
File opened for modification	C:\Windows\SysWOW64\wruo.exe	wuhrrmb.exe
File created	C:\Windows\SysWOW64\wtyvorma.exe	wcvfu.exe
File opened for modification	C:\Windows\SysWOW64\wryrhmr.exe	wwk.exe
File opened for modification	C:\Windows\SysWOW64\wutpky.exe	wurhh.exe
File opened for modification	C:\Windows\SysWOW64\walxa.exe	wwxjyo.exe
File opened for modification	C:\Windows\SysWOW64\wjgi.exe	wnqmiir.exe
File opened for modification	C:\Windows\SysWOW64\wvdelh.exe	wqqpksa.exe
File opened for modification	C:\Windows\SysWOW64\wnkpe.exe	wgmufoxrm.exe
File opened for modification	C:\Windows\SysWOW64\wpdcrg.exe	wobtnk.exe
File opened for modification	C:\Windows\SysWOW64\wwrpt.exe	wfxjfl.exe
File opened for modification	C:\Windows\SysWOW64\wagfk.exe	wutpky.exe
File opened for modification	C:\Windows\SysWOW64\wsfccdt.exe	wsrjthfds.exe
File created	C:\Windows\SysWOW64\walxa.exe	wwxjyo.exe
File opened for modification	C:\Windows\SysWOW64\wwpaht.exe	wwpx.exe
File opened for modification	C:\Windows\SysWOW64\wvfnnba.exe	wvdelh.exe
File opened for modification	C:\Windows\SysWOW64\wwltfv.exe	wnyinq.exe
File created	C:\Windows\SysWOW64\wsrjthfds.exe	wbyeguq.exe
File opened for modification	C:\Windows\SysWOW64\wtveyobnb.exe	wkucnk.exe
File created	C:\Windows\SysWOW64\wdmmer.exe	wqovpuckc.exe
File opened for modification	C:\Windows\SysWOW64\wtumlg.exe	wyqybdqdv.exe
File created	C:\Windows\SysWOW64\wisqocgpt.exe	whey.exe
File created	C:\Windows\SysWOW64\wmoquo.exe	wibbtbkf.exe
File opened for modification	C:\Windows\SysWOW64\whwefu.exe	wwpaht.exe
File created	C:\Windows\SysWOW64\wpokrosrc.exe	wwue.exe
File opened for modification	C:\Windows\SysWOW64\wnluh.exe	woxbajpx.exe
File created	C:\Windows\SysWOW64\wqjjq.exe	wyqdev.exe
File opened for modification	C:\Windows\SysWOW64\wipljr.exe	wmmyyo.exe
File created	C:\Windows\SysWOW64\wvfnnba.exe	wvdelh.exe
File created	C:\Windows\SysWOW64\wvfm.exe	wildv.exe
File opened for modification	C:\Windows\SysWOW64\woqhplo.exe	wehdrjs.exe
File created	C:\Windows\SysWOW64\wwue.exe	wtveyobnb.exe
File created	C:\Windows\SysWOW64\wqovpuckc.exe	wiqyq.exe
File opened for modification	C:\Windows\SysWOW64\wpkkolde.exe	wgmnpfuh.exe
File created	C:\Windows\SysWOW64\wiof.exe	whlvenc.exe
File opened for modification	C:\Windows\SysWOW64\wckqbay.exe	wghepww.exe
File opened for modification	C:\Windows\SysWOW64\wslpfw.exe	wcdqrhd.exe
File opened for modification	C:\Windows\SysWOW64\wbyeguq.exe	wvfm.exe
File created	C:\Windows\SysWOW64\wvnopbg.exe	wakddxd.exe
File created	C:\Windows\SysWOW64\wwpx.exe	wvnopbg.exe
File opened for modification	C:\Windows\SysWOW64\wondka.exe	wnluh.exe
File created	C:\Windows\SysWOW64\wxcll.exe	wfssem.exe
File opened for modification	C:\Windows\SysWOW64\wqqpksa.exe	wnrq.exe
File opened for modification	C:\Windows\SysWOW64\wygc.exe	wtumlg.exe
File opened for modification	C:\Windows\SysWOW64\wakddxd.exe	wigm.exe
File opened for modification	C:\Windows\SysWOW64\wrmlrnwc.exe	wvja.exe
File opened for modification	C:\Windows\SysWOW64\wqqt.exe	wtoheayp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

pid	pid_target	Process	procid_target
1076	3324	WerFault.exe	86
4640	1820	WerFault.exe	118
816	848	WerFault.exe	254
1580	2072	WerFault.exe	271
448	1516	WerFault.exe	306
2852	3068	WerFault.exe	323
4228	3496	WerFault.exe	337
4040	116	WerFault.exe	361
4228	3692	WerFault.exe	364
1856	2724	WerFault.exe	395
1120	4020	WerFault.exe	398
4100	4020	WerFault.exe	398
2852	4128	WerFault.exe	410
716	1528	WerFault.exe	413
380	3840	WerFault.exe	429
2804	3840	WerFault.exe	429
880	3392	WerFault.exe	439
3840	2008	WerFault.exe	462
3440	972	WerFault.exe	500
5064	3392	WerFault.exe	537
516	2868	WerFault.exe	645
440	1120	WerFault.exe	654
3084	1540	WerFault.exe	677

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3324	5108	93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe	86
PID 5108 wrote to memory of 3324	5108	93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe	86
PID 5108 wrote to memory of 3324	5108	93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe	86
PID 5108 wrote to memory of 5024	5108	93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe	88
PID 5108 wrote to memory of 5024	5108	93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe	88
PID 5108 wrote to memory of 5024	5108	93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe	88
PID 3324 wrote to memory of 4792	3324	wbnfkg.exe	90
PID 3324 wrote to memory of 4792	3324	wbnfkg.exe	90
PID 3324 wrote to memory of 4792	3324	wbnfkg.exe	90
PID 3324 wrote to memory of 1592	3324	wbnfkg.exe	91
PID 3324 wrote to memory of 1592	3324	wbnfkg.exe	91
PID 3324 wrote to memory of 1592	3324	wbnfkg.exe	91
PID 4792 wrote to memory of 4100	4792	wqoqvxxp.exe	98
PID 4792 wrote to memory of 4100	4792	wqoqvxxp.exe	98
PID 4792 wrote to memory of 4100	4792	wqoqvxxp.exe	98
PID 4792 wrote to memory of 1464	4792	wqoqvxxp.exe	99
PID 4792 wrote to memory of 1464	4792	wqoqvxxp.exe	99
PID 4792 wrote to memory of 1464	4792	wqoqvxxp.exe	99
PID 4100 wrote to memory of 2192	4100	wpckfun.exe	101
PID 4100 wrote to memory of 2192	4100	wpckfun.exe	101
PID 4100 wrote to memory of 2192	4100	wpckfun.exe	101
PID 4100 wrote to memory of 4308	4100	wpckfun.exe	102
PID 4100 wrote to memory of 4308	4100	wpckfun.exe	102
PID 4100 wrote to memory of 4308	4100	wpckfun.exe	102
PID 2192 wrote to memory of 2188	2192	wvdn.exe	108
PID 2192 wrote to memory of 2188	2192	wvdn.exe	108
PID 2192 wrote to memory of 2188	2192	wvdn.exe	108
PID 2192 wrote to memory of 2132	2192	wvdn.exe	109
PID 2192 wrote to memory of 2132	2192	wvdn.exe	109
PID 2192 wrote to memory of 2132	2192	wvdn.exe	109
PID 2188 wrote to memory of 3960	2188	wurhh.exe	112
PID 2188 wrote to memory of 3960	2188	wurhh.exe	112
PID 2188 wrote to memory of 3960	2188	wurhh.exe	112
PID 2188 wrote to memory of 3376	2188	wurhh.exe	113
PID 2188 wrote to memory of 3376	2188	wurhh.exe	113
PID 2188 wrote to memory of 3376	2188	wurhh.exe	113
PID 3960 wrote to memory of 1956	3960	wutpky.exe	115
PID 3960 wrote to memory of 1956	3960	wutpky.exe	115
PID 3960 wrote to memory of 1956	3960	wutpky.exe	115
PID 3960 wrote to memory of 1636	3960	wutpky.exe	116
PID 3960 wrote to memory of 1636	3960	wutpky.exe	116
PID 3960 wrote to memory of 1636	3960	wutpky.exe	116
PID 1956 wrote to memory of 1820	1956	wagfk.exe	118
PID 1956 wrote to memory of 1820	1956	wagfk.exe	118
PID 1956 wrote to memory of 1820	1956	wagfk.exe	118
PID 1956 wrote to memory of 2804	1956	wagfk.exe	119
PID 1956 wrote to memory of 2804	1956	wagfk.exe	119
PID 1956 wrote to memory of 2804	1956	wagfk.exe	119
PID 1820 wrote to memory of 4944	1820	wildv.exe	122
PID 1820 wrote to memory of 4944	1820	wildv.exe	122
PID 1820 wrote to memory of 4944	1820	wildv.exe	122
PID 1820 wrote to memory of 2056	1820	wildv.exe	123
PID 1820 wrote to memory of 2056	1820	wildv.exe	123
PID 1820 wrote to memory of 2056	1820	wildv.exe	123
PID 4944 wrote to memory of 4740	4944	wvfm.exe	127
PID 4944 wrote to memory of 4740	4944	wvfm.exe	127
PID 4944 wrote to memory of 4740	4944	wvfm.exe	127
PID 4944 wrote to memory of 4100	4944	wvfm.exe	128
PID 4944 wrote to memory of 4100	4944	wvfm.exe	128
PID 4944 wrote to memory of 4100	4944	wvfm.exe	128
PID 4740 wrote to memory of 1920	4740	wbyeguq.exe	130
PID 4740 wrote to memory of 1920	4740	wbyeguq.exe	130
PID 4740 wrote to memory of 1920	4740	wbyeguq.exe	130
PID 4740 wrote to memory of 1520	4740	wbyeguq.exe	131

C:\Users\Admin\AppData\Local\Temp\93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe
"C:\Users\Admin\AppData\Local\Temp\93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\wbnfkg.exe
  "C:\Windows\system32\wbnfkg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\wqoqvxxp.exe
    "C:\Windows\system32\wqoqvxxp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\wpckfun.exe
      "C:\Windows\system32\wpckfun.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\wvdn.exe
        
        "C:\Windows\system32\wvdn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\wurhh.exe
        
        "C:\Windows\system32\wurhh.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\wutpky.exe
        
        "C:\Windows\system32\wutpky.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\wagfk.exe
        
        "C:\Windows\system32\wagfk.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\wildv.exe
        
        "C:\Windows\system32\wildv.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\wvfm.exe
        
        "C:\Windows\system32\wvfm.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\wbyeguq.exe
        
        "C:\Windows\system32\wbyeguq.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\wsrjthfds.exe
        
        "C:\Windows\system32\wsrjthfds.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\wsfccdt.exe
        
        "C:\Windows\system32\wsfccdt.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\wnbnai.exe
        
        "C:\Windows\system32\wnbnai.exe"
        14⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\wwxjyo.exe
        
        "C:\Windows\system32\wwxjyo.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\walxa.exe
        
        "C:\Windows\system32\walxa.exe"
        16⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\wnipoy.exe
        
        "C:\Windows\system32\wnipoy.exe"
        17⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\wavxxv.exe
        
        "C:\Windows\system32\wavxxv.exe"
        18⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\wjo.exe
        
        "C:\Windows\system32\wjo.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\wjnpr.exe
        
        "C:\Windows\system32\wjnpr.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\whavkse.exe
        
        "C:\Windows\system32\whavkse.exe"
        21⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\wdsyqv.exe
        
        "C:\Windows\system32\wdsyqv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\wahvha.exe
        
        "C:\Windows\system32\wahvha.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\wbjdjums.exe
        
        "C:\Windows\system32\wbjdjums.exe"
        24⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\wehdrjs.exe
        
        "C:\Windows\system32\wehdrjs.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\woqhplo.exe
        
        "C:\Windows\system32\woqhplo.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\wide.exe
        
        "C:\Windows\system32\wide.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\wigm.exe
        
        "C:\Windows\system32\wigm.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\wakddxd.exe
        
        "C:\Windows\system32\wakddxd.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\wvnopbg.exe
        
        "C:\Windows\system32\wvnopbg.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\wwpx.exe
        
        "C:\Windows\system32\wwpx.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\wwpaht.exe
        
        "C:\Windows\system32\wwpaht.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\whwefu.exe
        
        "C:\Windows\system32\whwefu.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\wkucnk.exe
        
        "C:\Windows\system32\wkucnk.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\wtveyobnb.exe
        
        "C:\Windows\system32\wtveyobnb.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\wwue.exe
        
        "C:\Windows\system32\wwue.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\wpokrosrc.exe
        
        "C:\Windows\system32\wpokrosrc.exe"
        37⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\wlrve.exe
        
        "C:\Windows\system32\wlrve.exe"
        38⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\wtosdx.exe
        
        "C:\Windows\system32\wtosdx.exe"
        39⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\wybhdlxk.exe
        
        "C:\Windows\system32\wybhdlxk.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\wlgafh.exe
        
        "C:\Windows\system32\wlgafh.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\wdyhs.exe
        
        "C:\Windows\system32\wdyhs.exe"
        42⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\wmlsjxeml.exe
        
        "C:\Windows\system32\wmlsjxeml.exe"
        43⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\wqwhlky.exe
        
        "C:\Windows\system32\wqwhlky.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\wtvhryc.exe
        
        "C:\Windows\system32\wtvhryc.exe"
        45⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\wuyquuj.exe
        
        "C:\Windows\system32\wuyquuj.exe"
        46⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\wiqyq.exe
        
        "C:\Windows\system32\wiqyq.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\wqovpuckc.exe
        
        "C:\Windows\system32\wqovpuckc.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\wdmmer.exe
        
        "C:\Windows\system32\wdmmer.exe"
        49⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\wxo.exe
        
        "C:\Windows\system32\wxo.exe"
        50⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\whdlh.exe
        
        "C:\Windows\system32\whdlh.exe"
        51⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\wuadxxy.exe
        
        "C:\Windows\system32\wuadxxy.exe"
        52⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\wvwgvnf.exe
        
        "C:\Windows\system32\wvwgvnf.exe"
        53⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\wvja.exe
        
        "C:\Windows\system32\wvja.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\wrmlrnwc.exe
        
        "C:\Windows\system32\wrmlrnwc.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\wifsex.exe
        
        "C:\Windows\system32\wifsex.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\wuouawhb.exe
        
        "C:\Windows\system32\wuouawhb.exe"
        57⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\wdafscgk.exe
        
        "C:\Windows\system32\wdafscgk.exe"
        58⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\wvtmgn.exe
        
        "C:\Windows\system32\wvtmgn.exe"
        59⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\warlmcypf.exe
        
        "C:\Windows\system32\warlmcypf.exe"
        60⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\wvtyxg.exe
        
        "C:\Windows\system32\wvtyxg.exe"
        61⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\wmq.exe
        
        "C:\Windows\system32\wmq.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\wtoheayp.exe
        
        "C:\Windows\system32\wtoheayp.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\wqqt.exe
        
        "C:\Windows\system32\wqqt.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\wqemxy.exe
        
        "C:\Windows\system32\wqemxy.exe"
        65⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\wuhrrmb.exe
        
        "C:\Windows\system32\wuhrrmb.exe"
        66⤵
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\wruo.exe
        
        "C:\Windows\system32\wruo.exe"
        67⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\wdhwsnpn.exe
        
        "C:\Windows\system32\wdhwsnpn.exe"
        68⤵
        Checks computer location settings
        
        PID:1516
        
        C:\Windows\SysWOW64\whe.exe
        
        "C:\Windows\system32\whe.exe"
        69⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\SysWOW64\wyxcmn.exe
        
        "C:\Windows\system32\wyxcmn.exe"
        70⤵
        Checks computer location settings
        
        PID:3064
        
        C:\Windows\SysWOW64\wnqmiir.exe
        
        "C:\Windows\system32\wnqmiir.exe"
        71⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\wjgi.exe
        
        "C:\Windows\system32\wjgi.exe"
        72⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\wohnua.exe
        
        "C:\Windows\system32\wohnua.exe"
        73⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\SysWOW64\wmtgdvda.exe
        
        "C:\Windows\system32\wmtgdvda.exe"
        74⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\wriuej.exe
        
        "C:\Windows\system32\wriuej.exe"
        75⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\wruonenx.exe
        
        "C:\Windows\system32\wruonenx.exe"
        76⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\woxbajpx.exe
        
        "C:\Windows\system32\woxbajpx.exe"
        77⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\wnluh.exe
        
        "C:\Windows\system32\wnluh.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\wondka.exe
        
        "C:\Windows\system32\wondka.exe"
        79⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\wfssem.exe
        
        "C:\Windows\system32\wfssem.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\wxcll.exe
        
        "C:\Windows\system32\wxcll.exe"
        81⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\SysWOW64\wuvm.exe
        
        "C:\Windows\system32\wuvm.exe"
        82⤵
        Checks computer location settings
        
        PID:2808
        
        C:\Windows\SysWOW64\wcsjo.exe
        
        "C:\Windows\system32\wcsjo.exe"
        83⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\wsbhcur.exe
        
        "C:\Windows\system32\wsbhcur.exe"
        84⤵
        
        PID:116
        
        C:\Windows\SysWOW64\whnomstx.exe
        
        "C:\Windows\system32\whnomstx.exe"
        85⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\wbbme.exe
        
        "C:\Windows\system32\wbbme.exe"
        86⤵
        Checks computer location settings
        
        PID:2416
        
        C:\Windows\SysWOW64\wxeypbjnf.exe
        
        "C:\Windows\system32\wxeypbjnf.exe"
        87⤵
        Checks computer location settings
        
        PID:1076
        
        C:\Windows\SysWOW64\wtubsdab.exe
        
        "C:\Windows\system32\wtubsdab.exe"
        88⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\wqjwl.exe
        
        "C:\Windows\system32\wqjwl.exe"
        89⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\wcvfu.exe
        
        "C:\Windows\system32\wcvfu.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\wtyvorma.exe
        
        "C:\Windows\system32\wtyvorma.exe"
        91⤵
        Checks computer location settings
        
        PID:4424
        
        C:\Windows\SysWOW64\wyxuufr.exe
        
        "C:\Windows\system32\wyxuufr.exe"
        92⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\wubhhjt.exe
        
        "C:\Windows\system32\wubhhjt.exe"
        93⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\wgmnpfuh.exe
        
        "C:\Windows\system32\wgmnpfuh.exe"
        94⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\wpkkolde.exe
        
        "C:\Windows\system32\wpkkolde.exe"
        95⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\whnbixc.exe
        
        "C:\Windows\system32\whnbixc.exe"
        96⤵
        Checks computer location settings
        
        PID:4612
        
        C:\Windows\SysWOW64\wrrxdt.exe
        
        "C:\Windows\system32\wrrxdt.exe"
        97⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\wrermpn.exe
        
        "C:\Windows\system32\wrermpn.exe"
        98⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\wyqdev.exe
        
        "C:\Windows\system32\wyqdev.exe"
        99⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\wqjjq.exe
        
        "C:\Windows\system32\wqjjq.exe"
        100⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\wvhi.exe
        
        "C:\Windows\system32\wvhi.exe"
        101⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\wvvbhsufu.exe
        
        "C:\Windows\system32\wvvbhsufu.exe"
        102⤵
        Checks computer location settings
        
        PID:3840
        
        C:\Windows\SysWOW64\wwykkma.exe
        
        "C:\Windows\system32\wwykkma.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\welvcsw.exe
        
        "C:\Windows\system32\welvcsw.exe"
        104⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\wexo.exe
        
        "C:\Windows\system32\wexo.exe"
        105⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\wfbxnitym.exe
        
        "C:\Windows\system32\wfbxnitym.exe"
        106⤵
        Checks computer location settings
        
        PID:2720
        
        C:\Windows\SysWOW64\wuiv.exe
        
        "C:\Windows\system32\wuiv.exe"
        107⤵
        Checks computer location settings
        
        PID:1448
        
        C:\Windows\SysWOW64\wignq.exe
        
        "C:\Windows\system32\wignq.exe"
        108⤵
        Checks computer location settings
        
        PID:5008
        
        C:\Windows\SysWOW64\whivt.exe
        
        "C:\Windows\system32\whivt.exe"
        109⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\wqtil.exe
        
        "C:\Windows\system32\wqtil.exe"
        110⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\wnwuwylcd.exe
        
        "C:\Windows\system32\wnwuwylcd.exe"
        111⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\wifob.exe
        
        "C:\Windows\system32\wifob.exe"
        112⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\wvw.exe
        
        "C:\Windows\system32\wvw.exe"
        113⤵
        Checks computer location settings
        
        PID:852
        
        C:\Windows\SysWOW64\wmmyyo.exe
        
        "C:\Windows\system32\wmmyyo.exe"
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\wipljr.exe
        
        "C:\Windows\system32\wipljr.exe"
        115⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\wnrq.exe
        
        "C:\Windows\system32\wnrq.exe"
        116⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\wqqpksa.exe
        
        "C:\Windows\system32\wqqpksa.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\wvdelh.exe
        
        "C:\Windows\system32\wvdelh.exe"
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\wvfnnba.exe
        
        "C:\Windows\system32\wvfnnba.exe"
        119⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\wed.exe
        
        "C:\Windows\system32\wed.exe"
        120⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\wmpudng.exe
        
        "C:\Windows\system32\wmpudng.exe"
        121⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\wucgur.exe
        
        "C:\Windows\system32\wucgur.exe"
        122⤵
        
        PID:60
        
        C:\Windows\SysWOW64\wmkejgfsi.exe
        
        "C:\Windows\system32\wmkejgfsi.exe"
        123⤵
        Checks computer location settings
        
        PID:972
        
        C:\Windows\SysWOW64\wgmrt.exe
        
        "C:\Windows\system32\wgmrt.exe"
        124⤵
        Checks computer location settings
        
        PID:3016
        
        C:\Windows\SysWOW64\wqydm.exe
        
        "C:\Windows\system32\wqydm.exe"
        125⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\wcvvcm.exe
        
        "C:\Windows\system32\wcvvcm.exe"
        126⤵
        Checks computer location settings
        
        PID:1124
        
        C:\Windows\SysWOW64\wwfpgt.exe
        
        "C:\Windows\system32\wwfpgt.exe"
        127⤵
        Checks computer location settings
        
        PID:2236
        
        C:\Windows\SysWOW64\wtaaeaplg.exe
        
        "C:\Windows\system32\wtaaeaplg.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wjhy.exe
        
        "C:\Windows\system32\wjhy.exe"
        129⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\wountd.exe
        
        "C:\Windows\system32\wountd.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\wgmufoxrm.exe
        
        "C:\Windows\system32\wgmufoxrm.exe"
        131⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\wnkpe.exe
        
        "C:\Windows\system32\wnkpe.exe"
        132⤵
        Checks computer location settings
        
        PID:2804
        
        C:\Windows\SysWOW64\wnyinq.exe
        
        "C:\Windows\system32\wnyinq.exe"
        133⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\wwltfv.exe
        
        "C:\Windows\system32\wwltfv.exe"
        134⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\wjilush.exe
        
        "C:\Windows\system32\wjilush.exe"
        135⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\wwfe.exe
        
        "C:\Windows\system32\wwfe.exe"
        136⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\wrjqw.exe
        
        "C:\Windows\system32\wrjqw.exe"
        137⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\wwk.exe
        
        "C:\Windows\system32\wwk.exe"
        138⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\wryrhmr.exe
        
        "C:\Windows\system32\wryrhmr.exe"
        139⤵
        Checks computer location settings
        
        PID:3032
        
        C:\Windows\SysWOW64\wlqxu.exe
        
        "C:\Windows\system32\wlqxu.exe"
        140⤵
        Checks computer location settings
        
        PID:2192
        
        C:\Windows\SysWOW64\wcuoojeg.exe
        
        "C:\Windows\system32\wcuoojeg.exe"
        141⤵
        Checks computer location settings
        
        PID:1492
        
        C:\Windows\SysWOW64\wghepww.exe
        
        "C:\Windows\system32\wghepww.exe"
        142⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\wckqbay.exe
        
        "C:\Windows\system32\wckqbay.exe"
        143⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\wvylsgmq.exe
        
        "C:\Windows\system32\wvylsgmq.exe"
        144⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\wxlgc.exe
        
        "C:\Windows\system32\wxlgc.exe"
        145⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\whmhm.exe
        
        "C:\Windows\system32\whmhm.exe"
        146⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\wbglx.exe
        
        "C:\Windows\system32\wbglx.exe"
        147⤵
        Checks computer location settings
        
        PID:1396
        
        C:\Windows\SysWOW64\wwjyj.exe
        
        "C:\Windows\system32\wwjyj.exe"
        148⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\wmfmqg.exe
        
        "C:\Windows\system32\wmfmqg.exe"
        149⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\whlvenc.exe
        
        "C:\Windows\system32\whlvenc.exe"
        150⤵
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\wiof.exe
        
        "C:\Windows\system32\wiof.exe"
        151⤵
        
        PID:772
        
        C:\Windows\SysWOW64\wpmaenqp.exe
        
        "C:\Windows\system32\wpmaenqp.exe"
        152⤵
        Checks computer location settings
        
        PID:4028
        
        C:\Windows\SysWOW64\wobtnk.exe
        
        "C:\Windows\system32\wobtnk.exe"
        153⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\wpdcrg.exe
        
        "C:\Windows\system32\wpdcrg.exe"
        154⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\wlgpcko.exe
        
        "C:\Windows\system32\wlgpcko.exe"
        155⤵
        Checks computer location settings
        
        PID:2280
        
        C:\Windows\SysWOW64\wtsato.exe
        
        "C:\Windows\system32\wtsato.exe"
        156⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\wyqybdqdv.exe
        
        "C:\Windows\system32\wyqybdqdv.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wtumlg.exe
        
        "C:\Windows\system32\wtumlg.exe"
        158⤵
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\wygc.exe
        
        "C:\Windows\system32\wygc.exe"
        159⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\SysWOW64\wduqnih.exe
        
        "C:\Windows\system32\wduqnih.exe"
        160⤵
        
        PID:516
        
        C:\Windows\SysWOW64\wdhj.exe
        
        "C:\Windows\system32\wdhj.exe"
        161⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\wyal.exe
        
        "C:\Windows\system32\wyal.exe"
        162⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\wqdctu.exe
        
        "C:\Windows\system32\wqdctu.exe"
        163⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\whyqc.exe
        
        "C:\Windows\system32\whyqc.exe"
        164⤵
        Checks computer location settings
        
        PID:3744
        
        C:\Windows\SysWOW64\wfddm.exe
        
        "C:\Windows\system32\wfddm.exe"
        165⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\wibbtbkf.exe
        
        "C:\Windows\system32\wibbtbkf.exe"
        166⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\wmoquo.exe
        
        "C:\Windows\system32\wmoquo.exe"
        167⤵
        
        PID:644
        
        C:\Windows\SysWOW64\wlbkeluc.exe
        
        "C:\Windows\system32\wlbkeluc.exe"
        168⤵
        Checks computer location settings
        
        PID:4376
        
        C:\Windows\SysWOW64\wynr.exe
        
        "C:\Windows\system32\wynr.exe"
        169⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\wpl.exe
        
        "C:\Windows\system32\wpl.exe"
        170⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\wocgw.exe
        
        "C:\Windows\system32\wocgw.exe"
        171⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\wweiiys.exe
        
        "C:\Windows\system32\wweiiys.exe"
        172⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\wcbion.exe
        
        "C:\Windows\system32\wcbion.exe"
        173⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\wcdqrhd.exe
        
        "C:\Windows\system32\wcdqrhd.exe"
        174⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\wslpfw.exe
        
        "C:\Windows\system32\wslpfw.exe"
        175⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\woocpb.exe
        
        "C:\Windows\system32\woocpb.exe"
        176⤵
        Checks computer location settings
        
        PID:1624
        
        C:\Windows\SysWOW64\wcajyxh.exe
        
        "C:\Windows\system32\wcajyxh.exe"
        177⤵
        Checks computer location settings
        
        PID:2808
        
        C:\Windows\SysWOW64\wfxjfl.exe
        
        "C:\Windows\system32\wfxjfl.exe"
        178⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\wwrpt.exe
        
        "C:\Windows\system32\wwrpt.exe"
        179⤵
        Checks computer location settings
        
        PID:4396
        
        C:\Windows\SysWOW64\wtub.exe
        
        "C:\Windows\system32\wtub.exe"
        180⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\wxiqepv.exe
        
        "C:\Windows\system32\wxiqepv.exe"
        181⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\wplhac.exe
        
        "C:\Windows\system32\wplhac.exe"
        182⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\wpyajxk.exe
        
        "C:\Windows\system32\wpyajxk.exe"
        183⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\whrfwk.exe
        
        "C:\Windows\system32\whrfwk.exe"
        184⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\whey.exe
        
        "C:\Windows\system32\whey.exe"
        185⤵
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\wisqocgpt.exe
        
        "C:\Windows\system32\wisqocgpt.exe"
        186⤵
        Checks computer location settings
        
        PID:1764
        
        C:\Windows\SysWOW64\wuwlrwb.exe
        
        "C:\Windows\system32\wuwlrwb.exe"
        187⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\wvyt.exe
        
        "C:\Windows\system32\wvyt.exe"
        188⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\wunmcn.exe
        
        "C:\Windows\system32\wunmcn.exe"
        189⤵
        Checks computer location settings
        
        PID:3600
        
        C:\Windows\SysWOW64\wmrdw.exe
        
        "C:\Windows\system32\wmrdw.exe"
        190⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\wjjf.exe
        
        "C:\Windows\system32\wjjf.exe"
        191⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\wdvcthyt.exe
        
        "C:\Windows\system32\wdvcthyt.exe"
        192⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjf.exe"
        192⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrdw.exe"
        191⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunmcn.exe"
        190⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyt.exe"
        189⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwlrwb.exe"
        188⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisqocgpt.exe"
        187⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whey.exe"
        186⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrfwk.exe"
        185⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyajxk.exe"
        184⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplhac.exe"
        183⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiqepv.exe"
        182⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtub.exe"
        181⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrpt.exe"
        180⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxjfl.exe"
        179⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1076
        179⤵
        Program crash
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcajyxh.exe"
        178⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woocpb.exe"
        177⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslpfw.exe"
        176⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcdqrhd.exe"
        175⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbion.exe"
        174⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wweiiys.exe"
        173⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocgw.exe"
        172⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1208
        172⤵
        Program crash
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpl.exe"
        171⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynr.exe"
        170⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1352
        170⤵
        Program crash
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbkeluc.exe"
        169⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoquo.exe"
        168⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibbtbkf.exe"
        167⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfddm.exe"
        166⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whyqc.exe"
        165⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdctu.exe"
        164⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyal.exe"
        163⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdhj.exe"
        162⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wduqnih.exe"
        161⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygc.exe"
        160⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtumlg.exe"
        159⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqybdqdv.exe"
        158⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsato.exe"
        157⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgpcko.exe"
        156⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdcrg.exe"
        155⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobtnk.exe"
        154⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmaenqp.exe"
        153⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiof.exe"
        152⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlvenc.exe"
        151⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfmqg.exe"
        150⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjyj.exe"
        149⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbglx.exe"
        148⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmhm.exe"
        147⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlgc.exe"
        146⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvylsgmq.exe"
        145⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckqbay.exe"
        144⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghepww.exe"
        143⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcuoojeg.exe"
        142⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqxu.exe"
        141⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryrhmr.exe"
        140⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwk.exe"
        139⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqw.exe"
        138⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfe.exe"
        137⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjilush.exe"
        136⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwltfv.exe"
        135⤵
        
        PID:348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1608
        135⤵
        Program crash
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyinq.exe"
        134⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkpe.exe"
        133⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmufoxrm.exe"
        132⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wountd.exe"
        131⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhy.exe"
        130⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaaeaplg.exe"
        129⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfpgt.exe"
        128⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvvcm.exe"
        127⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqydm.exe"
        126⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmrt.exe"
        125⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkejgfsi.exe"
        124⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1556
        124⤵
        Program crash
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucgur.exe"
        123⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpudng.exe"
        122⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wed.exe"
        121⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfnnba.exe"
        120⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdelh.exe"
        119⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqpksa.exe"
        118⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrq.exe"
        117⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipljr.exe"
        116⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmyyo.exe"
        115⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvw.exe"
        114⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifob.exe"
        113⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwuwylcd.exe"
        112⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1416
        112⤵
        Program crash
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtil.exe"
        111⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whivt.exe"
        110⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wignq.exe"
        109⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiv.exe"
        108⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbxnitym.exe"
        107⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexo.exe"
        106⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welvcsw.exe"
        105⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1328
        105⤵
        Program crash
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwykkma.exe"
        104⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvbhsufu.exe"
        103⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 116
        103⤵
        Program crash
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1536
        103⤵
        Program crash
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhi.exe"
        102⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjjq.exe"
        101⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqdev.exe"
        100⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrermpn.exe"
        99⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1420
        99⤵
        Program crash
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrxdt.exe"
        98⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 116
        98⤵
        Program crash
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnbixc.exe"
        97⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkkolde.exe"
        96⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 116
        96⤵
        Program crash
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1536
        96⤵
        Program crash
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmnpfuh.exe"
        95⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1664
        95⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubhhjt.exe"
        94⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxuufr.exe"
        93⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyvorma.exe"
        92⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvfu.exe"
        91⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjwl.exe"
        90⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtubsdab.exe"
        89⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeypbjnf.exe"
        88⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbme.exe"
        87⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnomstx.exe"
        86⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1536
        86⤵
        Program crash
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbhcur.exe"
        85⤵
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1372
        85⤵
        Program crash
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsjo.exe"
        84⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvm.exe"
        83⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcll.exe"
        82⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfssem.exe"
        81⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wondka.exe"
        80⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnluh.exe"
        79⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxbajpx.exe"
        78⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1444
        78⤵
        Program crash
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruonenx.exe"
        77⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriuej.exe"
        76⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtgdvda.exe"
        75⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohnua.exe"
        74⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1444
        74⤵
        Program crash
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgi.exe"
        73⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqmiir.exe"
        72⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxcmn.exe"
        71⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whe.exe"
        70⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdhwsnpn.exe"
        69⤵
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 748
        69⤵
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruo.exe"
        68⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhrrmb.exe"
        67⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqemxy.exe"
        66⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqt.exe"
        65⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtoheayp.exe"
        64⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmq.exe"
        63⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtyxg.exe"
        62⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warlmcypf.exe"
        61⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtmgn.exe"
        60⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdafscgk.exe"
        59⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuouawhb.exe"
        58⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1484
        58⤵
        Program crash
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifsex.exe"
        57⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmlrnwc.exe"
        56⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvja.exe"
        55⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwgvnf.exe"
        54⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuadxxy.exe"
        53⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1440
        53⤵
        Program crash
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdlh.exe"
        52⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxo.exe"
        51⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmmer.exe"
        50⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqovpuckc.exe"
        49⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqyq.exe"
        48⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuyquuj.exe"
        47⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvhryc.exe"
        46⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwhlky.exe"
        45⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmlsjxeml.exe"
        44⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyhs.exe"
        43⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgafh.exe"
        42⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybhdlxk.exe"
        41⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtosdx.exe"
        40⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrve.exe"
        39⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpokrosrc.exe"
        38⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwue.exe"
        37⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtveyobnb.exe"
        36⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkucnk.exe"
        35⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwefu.exe"
        34⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpaht.exe"
        33⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpx.exe"
        32⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnopbg.exe"
        31⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakddxd.exe"
        30⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigm.exe"
        29⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wide.exe"
        28⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqhplo.exe"
        27⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehdrjs.exe"
        26⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjdjums.exe"
        25⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahvha.exe"
        24⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsyqv.exe"
        23⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whavkse.exe"
        22⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnpr.exe"
        21⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjo.exe"
        20⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavxxv.exe"
        19⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnipoy.exe"
        18⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\walxa.exe"
        17⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxjyo.exe"
        16⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbnai.exe"
        15⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsfccdt.exe"
        14⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrjthfds.exe"
        13⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbyeguq.exe"
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfm.exe"
        11⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wildv.exe"
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1416
        10⤵
        Program crash
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagfk.exe"
        9⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutpky.exe"
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurhh.exe"
        7⤵
        
        PID:3376
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdn.exe"
        6⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpckfun.exe"
        5⤵
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqoqvxxp.exe"
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnfkg.exe"
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1340
    3⤵
    - Program crash
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\93ea3caa5e2b6ed8f1da347829664d1e4ec7ad2def94791b2ffdac2c526df48a.exe"
  2⤵
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1820 -ip 1820
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 848 -ip 848
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2072 -ip 2072
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1516 -ip 1516
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3068 -ip 3068
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3496 -ip 3496
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 116 -ip 116
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3692 -ip 3692
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2724 -ip 2724
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4020 -ip 4020
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4020 -ip 4020
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4128 -ip 4128
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1528 -ip 1528
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3840 -ip 3840
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3840 -ip 3840
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3392 -ip 3392
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2008 -ip 2008
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 972 -ip 972
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3392 -ip 3392
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2868 -ip 2868
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1120 -ip 1120
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1540 -ip 1540
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wagfk.exe

Filesize
93KB

MD5
a401c52bd3a303eabde35fffb4f8eddf

SHA1
fd5855b6be087535bd39e7cb5944c81ff9dcf011

SHA256
9f4ec5300d7329f735c91260be3e0d141802f2fdd518fc049464a2825259b68e

SHA512
13778a274a3d1fbc1647ad7896e407193f0cbdd84d11a1206f6fb7f06dddaba63792f6fc6c8a2af75b3b2deabd834db6fc7ddc78187b8578ec15f8c847ff237e

Download Submit
C:\Windows\SysWOW64\wahvha.exe

Filesize
93KB

MD5
5b584ab75624a879108477cd18fd2088

SHA1
b7394f9c8b7bfd47e3e550c73c15a68f27960bd3

SHA256
25e72be79bf2b2324afc2277b217ce4519c10854e55a12c441277b8b7c784964

SHA512
9b4750f24d047ff47278ec71b477def3f945718bba917d7fe9c04e74820b7021304bac3d3a294c00315e659561d7bf6fdd037c07ddd8d7a97579370732ad4baf

Download Submit
C:\Windows\SysWOW64\wakddxd.exe

Filesize
94KB

MD5
a134ad9727cd50856941932c005b95fb

SHA1
c6065dbea65025d62a9d09cc13ec8f23a9d03feb

SHA256
4aebac918034d2aa49a0d478197c5ae6d9f711da6ae365c1a3f5feef7dd17ec7

SHA512
2b1a36c6b32ca4e69746417f3211099e70828319bd7907ff2d61ced5e169dd13bd2c0ef87347293366215e1b2a5e3181756cc4610ca9e7b350ae79ee402f3e58

Download Submit
C:\Windows\SysWOW64\walxa.exe

Filesize
93KB

MD5
96c19ee6856274f50543d385ff918037

SHA1
f94484a425400a66ff93733aaf76e1f0455c5b6e

SHA256
05e791bece478d580cae08a8b334dbf2ade0b79553e6a1916f06732ead3eef9c

SHA512
9273119b83d3a56d77c69722f341d909aef0ba6ff99411b25f47731480e587f1305a766a4127c2dc706d9915b1ce5694ddf17c3048db0fa3416e42425e4ddc45

Download Submit
C:\Windows\SysWOW64\wavxxv.exe

Filesize
93KB

MD5
5cc48d01b63d211e4c8efa674d5e8e1e

SHA1
47edc3c7a2de37db82d9909ca9838872fdc1f742

SHA256
b8a1e660a8f0a07d9cbfaa65152ccb4dcd99368e8b864c78ec06c2c16417779f

SHA512
af9a2ae7671aae93cc9aebcb85aaa6979539f60bfc3964be0ee5b870cd4c0336d65f8bc416439c86dcb2b473ff67c435829f71d68f7ff46b0c9b450da2373f1d

Download Submit
C:\Windows\SysWOW64\wbjdjums.exe

Filesize
93KB

MD5
e79606465f6783120750ba73f6d546e0

SHA1
69468a55e827c0435a3a43c6ec63d4846e624dc4

SHA256
353c91a8128815bdb287655a8a2d319f73f6739b56d62f4dd5a5f6294ca5cb90

SHA512
f560cd88b019fc29ce72dd5c4eaf6683f56677ec050eecb154294870022eab93870f7f1affbbfd5df75609ce07cdd83ebea23195f820eff2d63ad808d5e045e8

Download Submit
C:\Windows\SysWOW64\wbnfkg.exe

Filesize
93KB

MD5
4049549e335a3a32c6ee6a7a13529a93

SHA1
6bb90b7755d37c3d8eaa48e93d543b16f46d3359

SHA256
dd5ca2090bb8905019562b488be6f32e9c805590e9b0cd3267cf9230901c0e34

SHA512
de2686272256924fd10ec6a5edea0614efe4134eb0adf64d35b770fb2a21bec471eeb263da51c6b0778932fb1e4f49dd336a34585dcd7ef6b3074016499d3779

Download Submit
C:\Windows\SysWOW64\wbyeguq.exe

Filesize
93KB

MD5
c6db4dd0adb93b2f9750d81cd34f328c

SHA1
97976f952f76dcca8a2383eb4e777c8d361d9eb5

SHA256
ede4d379da6a0f7cfa6fe48dce759a8237fe68024158223640971ae9eabb34ce

SHA512
180bef5ca230a828baf981d37fc2ae13cedcd674804946c1efdea1e14afbecc8159741f48d8daebdff03209504f9819c9f65c320c9b7b2f8bf6cbf14392f9663

Download Submit
C:\Windows\SysWOW64\wdsyqv.exe

Filesize
93KB

MD5
5bcab79f512f2bfc023d648134ea130a

SHA1
77107635bf6e674ac93a6c22bc3b9aeaf406bc8f

SHA256
2999077c3eaa26151dd49d0129896295443d8ba8eba51d7b6d2b972532354006

SHA512
b3b915d729411cadff9867a3b88aa23b2110685650502ccba29ac6fa8616324ce526dec2ad66997f82ade7ffdc8e782940bd855376e80bf90617c7addde316c8

Download Submit
C:\Windows\SysWOW64\wehdrjs.exe

Filesize
93KB

MD5
1e70d81d4bdc305246bbd834d500d4b6

SHA1
8555bc531db83be952ab6a6210e06e5d5ce410d2

SHA256
e8a3eb0951f0c9beb99698331189797d8285606f6cb7d1e6128a13869b9691f8

SHA512
23dc0cbc4b24764c7eb5f48ef92044b095cd32a9f00f0a5efb67bb85211628db8df3291e7f3ac53fc1e6947dbd0db19b51b6b055535f4229b6e7a86968ffe701

Download Submit
C:\Windows\SysWOW64\whavkse.exe

Filesize
93KB

MD5
6fe6e580b9d7dfb5e592df05a73570b2

SHA1
9715ab2f26a649c3109775677fed56cc2412ae75

SHA256
19e3bda2a19984ed6f76224b3ce3649a2a0df1748d8c87e719f166c718b99f6d

SHA512
905433949546c95ce2e9885b330ce70b2f47208e442edce2457532fbe3ef6d0bbbc1fd3e7b6d4173a11ec91ad4830727d17896b0995bf5d3b8a383a8e6a40a67

Download Submit
C:\Windows\SysWOW64\whwefu.exe

Filesize
94KB

MD5
86a4068835a16aa9e76dde30e6ab633f

SHA1
0fc29671ad6eb5451d8f970fcffb136e97cdde90

SHA256
32e330c309dfbabdc05168f72e34acdce66e65ee5ff9bfb02ad15d5f124c9960

SHA512
41cf6898f3803c521cf31c4e37c275525be6906973bc0b683f5cd6b7e85e6aa966f7e317208af7bbee32589af302fb7944f66faba3afd960b3458e5198716172

Download Submit
C:\Windows\SysWOW64\wide.exe

Filesize
94KB

MD5
b9e027b1c6a25b55c162e3452e5dfdf6

SHA1
61e77c4eeb544ca2690f24099c5596f101145e4d

SHA256
2f82f7b4d53bfc7494d2bad0db726803e6b859437f1549254f59adbb35fc3177

SHA512
f3e79087557ecb20d480046b876c24518cafaaa38875e561b3ad4d2419acc9b1bf273516c1eb1a72f9a224c4035429d4b608d8e34c66645d81aa1d40fb4ac1cb

Download Submit
C:\Windows\SysWOW64\wigm.exe

Filesize
94KB

MD5
501fbb75d480a5c32b25c3ae24efc86c

SHA1
0d3c93859be6bfd349e80ebc2b677344350d7e67

SHA256
713831291307b47459889d50fae3c09ba599bdf69740cad64e932434a73ab796

SHA512
bafbcb3436c99f569fb46f2a7694c312e65f2995864495032f51d2afd13c425176e22ec8a05a94104257a3a0504bc3375de47ced1642b101c2c7c762e3a29961

Download Submit
C:\Windows\SysWOW64\wildv.exe

Filesize
93KB

MD5
517f0565c9b7e2ca725998d65c908cc3

SHA1
936429e6c291836b1ab2d56b0c6d8ab47da8c478

SHA256
5703bb39780ba12757dd2871bd7ec7e7d0230ca0117e45f228acb5daf5ba924a

SHA512
3ff9c8254b23ae7b78a1e659e175f2017dd598a476c4d07051a28c4b4b7dbc0e474ce9d4d84842189328d95834976c1a84a2210476350bec8b43e4fb5af77ee5

Download Submit
C:\Windows\SysWOW64\wjnpr.exe

Filesize
93KB

MD5
ee9aaf63f367b9cbb39a5342f2fb0452

SHA1
eea599f2c915b0f10e54bf6de7f132f10fdba35c

SHA256
b97159fe4969cddde35ca0f454ce4f812a5679dd92db7e1525851044c7be6e09

SHA512
10a9d626134de54f6fdc70063bbb152f32213d2532c58e0f683bc4a34ea19682a93ffadc0e628743803a66f339e2eddd41cc67e22d18b4fdd531a090d4bf6826

Download Submit
C:\Windows\SysWOW64\wjo.exe

Filesize
93KB

MD5
3cb9ed45a4af2e9943c58d37c30ef213

SHA1
c406818466aac216a1d71e0f36b93b7080a1fe9d

SHA256
8ca2ff6f22b5ecd2fd8c9b4b9213ef77a2dda7064e94b14931ad31a952be3db7

SHA512
c11687504cd0ce899525ef03e1bcfde508b3f15eedae7990d1b4750b1410de834196f95f0990d1b33434e9b99ecadc6f6e3143a31d30b74928307c355bafd0f1

Download Submit
C:\Windows\SysWOW64\wnbnai.exe

Filesize
93KB

MD5
0ed0ef54cf7d23e8f8ae098808dee3de

SHA1
cf3323cee9be9113b87c1d8d0e3e684ae92a6be3

SHA256
f1783672e3c6c25b7cb96cfb0a4be33f7cfc5c86dd9e04ddaf71ee10c9e390e0

SHA512
25e2a54bfefeec6ebe71a533b96e82f6b9c9446b0705523e5e34bd9f6008b6df39371b89245529ccf2a7784e933fea241ea5db7480e10c687a528b0511b0e1f9

Download Submit
C:\Windows\SysWOW64\wnipoy.exe

Filesize
93KB

MD5
17086fd5fe8414f11cc71f5f876fdb47

SHA1
275f097e0fa199b4947cf56595eeec7cd4425d45

SHA256
5737c072ce7689b1cbabf7a0dc6c575ff6e3182da3a4f45390270096affc07d2

SHA512
3e7cb14d2c5f818d86427ff5d8c4414de42fc444dbd1f5a7965f09438e43759f079d9510a70a4c034bc36681cad12df3d8faf2182d360ec8891c171eb4f9a656

Download Submit
C:\Windows\SysWOW64\woqhplo.exe

Filesize
94KB

MD5
af213789fa8a0bee75457b8699edc8ce

SHA1
71d97775ee55d8a3ddb67806bbfc026da210142b

SHA256
58d290d113d7e91ba54e61c8244918a52f34b19da436f0944b5f135708f8bf47

SHA512
63bc72373a6e1193ae6952d7a56476755d2adab357baed148bd871bb29bda1245c925827b6b54e814ec1580f4e8a3fe855cbebeeef1cc7cbd31c28a90d662f68

Download Submit
C:\Windows\SysWOW64\wpckfun.exe

Filesize
93KB

MD5
e0d079af03af0abe9847c9c0f370e076

SHA1
c0920c114fb8f622a21de2a46a2ba4074a73f51f

SHA256
0e4dbcc10e5fc120553d616e889c222aa2aa591f35bca01920da00f52a548f08

SHA512
a2d811d7b4e70ba00baa60cdf65810792fa014ea0ab42dd089369cf22a25bf660c160eb0ff099c7276371bf2507e297417a7e484006fc047332f0702082de421

Download Submit
C:\Windows\SysWOW64\wqoqvxxp.exe

Filesize
93KB

MD5
d917de6b7268c71958d5dfbdd3674f4e

SHA1
cca2e9721a0663e68b0ef61920fef3b67e03271f

SHA256
6fbfbc40b2d740b19f72097ef3c7366c1b97bf1b7baa305f742a6926cd62e69f

SHA512
87960757d9e0049bc121464c7a92237d981a2988f6635e88c27f10dfa2eca65763a3c2bd368e1707526ec70b2922bf6613b863e612dc2abc55ac49ba84914b05

Download Submit
C:\Windows\SysWOW64\wsfccdt.exe

Filesize
93KB

MD5
60b5f5e052dd1c898b0295e82f9b6b9f

SHA1
0946295ebb1994a0347a8445ea27566c91d8e322

SHA256
3f31fae970e1777c12cb9b5f663a9c43173f8a24b10cdbd4a6690344b5dff114

SHA512
6a77bc6839a11ca1ff12b71afbc531e2189bcfbf1dad18568c2e9f9a0ce69c504d5c7a85bc973f6e01cab48118e4ff08c1d4e613cb451bfd31a97b01c94de38a

Download Submit
C:\Windows\SysWOW64\wsrjthfds.exe

Filesize
93KB

MD5
1f04372fd682b9a173a4614ab9eb46ea

SHA1
cba44a05c58297c4f87217c781de88bca543940d

SHA256
947b109ffae981e7165a081415294f67688d818f9aa98620744291ec4a25a419

SHA512
6d70908b3acbc3733f887ecc4f0d3c73974487757c4c5d3aba47d10fe73847bed60a9c3fe8a0d6c1051a7c5925d6a2eb0a06d0bbc2dafaf4650e2d04d72494f8

Download Submit
C:\Windows\SysWOW64\wurhh.exe

Filesize
93KB

MD5
5aa0539e171fb9a45c7aef2a47b18852

SHA1
2ad15c459dc0ccba03a048579787fe3de2486e22

SHA256
c4a282d3994c55601afde5be5cdfe4e8cada2271d9c05368aa7c49719016cec2

SHA512
d343716d8aaa3b192349abdd3a0bcad46a1736ac3c46aa50922c0f68613698e87267120c3b4bc7e2a34bbcd5765d29c8f320bcd896ac9a1bc0b84a1efd2a8188

Download Submit
C:\Windows\SysWOW64\wutpky.exe

Filesize
93KB

MD5
24e669f5b3929d5e3e17fb51daac1eca

SHA1
665ccff4b1c3483e8d639db93531799fa0ca33a8

SHA256
867d30b6fa6b7d7a6b4081bf1cdc821c3f0062f8e20ff0d0427db4e2c5bc2d38

SHA512
6ee92f0f38eb632661032857d16ab6be6101df070a7c624d4ec4097f097e3de4797421a1e47396649b16d2cd6aace838cb92f314434c3cf28afb4bbe7b867b45

Download Submit
C:\Windows\SysWOW64\wvdn.exe

Filesize
93KB

MD5
7f765318b2f05d7235a79f86ba67589b

SHA1
a4c907139f0c9ea5f6ecf62d8b5bcba9d4ec89d5

SHA256
072703d4e28c5a54d4c46ec77f25b1b089fceb0ff4fa96da26d93c4dcfd1fbce

SHA512
4c6443df51f37cc4ce6db46c8e84454a54005e1baa58d1d30160ba2f75a6763265b0d368eef01e159338e46f6233d527e7c96a18c93fe0f4ec57abe2ac9fdc0b

Download Submit
C:\Windows\SysWOW64\wvfm.exe

Filesize
93KB

MD5
0cc45332174760fbe87b48a3a3cffa59

SHA1
f5cfc570d158853e8dc2a15c2cdc9c7220850fcf

SHA256
a85823fe8a9e9f3358ea47bcfeedbb7c523d3baed414d4aabcfc421f95a4e4e8

SHA512
1c0ebaace2fb647a1eb1fc5d6be80dddf2d9e0d250f714a38ab34a0a86094ab8bcf9a2327f6aed1d6094cd619a69b72be25807e7eab4909d66145ae9bc6c47af

Download Submit
C:\Windows\SysWOW64\wvnopbg.exe

Filesize
94KB

MD5
2a3d1232a815f69f0b870dc440ac6f58

SHA1
cad61840c974debf8675608d4eb9d2bbe265a482

SHA256
0efbb65616f0bec76e2fb358579af42833c971f464d3a352a068af3b72b009ac

SHA512
a3069e76725b1fe4596a1391d599e1a1123dab51c44812c2acd55d6fd2cd45db9af357bcefabe98661ca8f2edaf15dabee55e92bf92d55ff239fb4f806b3220c

Download Submit
C:\Windows\SysWOW64\wwpaht.exe

Filesize
94KB

MD5
8946af25509b1b9f0fb6e6b886fdc380

SHA1
f541fad47f00d6c3d9bf2feb3e9755712dc5dbca

SHA256
1604f4d0d432e5a5e421d3e2b73a480bbfab9042947adb1bb49a4b6973a346a3

SHA512
56e20eed1444fcfec42073001a7debd2a70af93d9d141af4519c7d4bbc97c59f7a32b1fc69720202bd3448a23149cf9d6ca1d05d7388fb3ca9ada88bc46a7bb0

Download Submit
C:\Windows\SysWOW64\wwpx.exe

Filesize
94KB

MD5
538750e4556ec5abfc9ac11b4631c13f

SHA1
acadc0d0b22ba028c90cf907db1b70a479994cf6

SHA256
bfa6e62dc89aed2ca7101af9a7c5236ac18dbaf14c504a7f93c3eefcce366933

SHA512
1b25d29385a183d5d04084835c853c68638e2cbccbbd1a5a121052b033e367d5850f072ba5c761282e36b0d6b05ea9b64fe1b55a9d25bc7b0090657a94a54496

Download Submit
C:\Windows\SysWOW64\wwxjyo.exe

Filesize
93KB

MD5
695a0a79632bc72da012837445c58a86

SHA1
437aaf0f9867dcfb2114a475ee6ff896212b44f0

SHA256
8635ca51f09a16bc40171cd145c226befe5be0a1384f2c0557a5bfa0ceb14fed

SHA512
4d986958ba39d0b88aeacf2d7bc54787cfb7b84de5983dcf43d265db3bc488b3e85f7854c05f193c6c3b7e6e574a49943e0a4f9fe050169f66c448d25a9949fb

Download Submit
memory/228-548-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/228-558-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/372-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/764-523-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/816-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/848-499-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1060-421-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1060-430-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1124-312-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1124-301-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1224-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-413-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-633-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-624-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-531-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-507-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-498-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-123-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2008-482-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-261-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2072-540-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-598-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2188-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2188-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2192-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2192-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-549-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-539-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2256-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2576-515-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-566-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-557-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-464-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-473-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-614-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-623-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2796-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2796-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2800-490-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2800-481-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2944-606-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3064-649-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3128-396-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3128-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3144-332-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3232-422-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3320-447-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3320-438-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3324-229-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3324-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3324-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3456-615-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3516-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3748-582-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3848-219-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3892-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3956-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3960-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4020-574-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4100-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4156-218-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4156-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4296-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4312-455-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4312-465-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4360-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4424-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4484-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4484-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4520-456-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4628-388-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4740-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4792-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4792-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-632-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-641-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4944-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-590-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-291-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download