962732f246f5fe770084bb07359944f589764c1d98006d96a01fc0a775d5704d

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57efcc0242fee92bddbb8f9c25d23481.exe
Size

265KB
MD5

57efcc0242fee92bddbb8f9c25d23481
SHA1

118878852909d6cb317ee5c39113750bdd56dc4d
SHA256

962732f246f5fe770084bb07359944f589764c1d98006d96a01fc0a775d5704d
SHA512

f0cf55853941e2391a21561e7def1eaaa78b6f6f191a5c7138175064b864d6d2e62cb6001370493c1db16483f068480aef38de89e26fee1e8292f6c05ea47018
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuJOm:ZY7xh6SZI4z7FSVpuJb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wnkkqfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wrxns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wmvafu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wpma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wohlfiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wycvem.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wkpfnlag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wvdchcijh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wquqtcwuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wckgxosq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wgqdnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	whmty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	whpouv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wsgislxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wirjunq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	waksiro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wypyuwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	woqhplo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wjjj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wvlmxio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wktske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	womxhj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	whhmgplv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	whcygx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wchqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wehoki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wvmo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wcsfqumg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wmmyyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wresgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wwvtnjs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wahsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wausia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wlidu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wibgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wjsh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wlkhyywab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wjgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wlb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wwjyj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wiffcn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wcexqe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wktslw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wkkyle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wclsyesl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wngfcyqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	whwal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	weakl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wyqqqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wguvy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wfaq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wgdolk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wusyed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wlgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	57efcc0242fee92bddbb8f9c25d23481.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wurhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wjmgeir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wdaliliv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wxbqben.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wbfnixpoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wjplng.exe

Executes dropped EXE 64 IoCs

pid	Process
2448	wgdolk.exe
3096	wahsi.exe
916	wurhh.exe
3984	wvmo.exe
3552	womxhj.exe
3808	whhmgplv.exe
4672	woqhplo.exe
2464	wcsfqumg.exe
3892	wmvafu.exe
4300	wpma.exe
5028	whcygx.exe
2396	wjmgeir.exe
4356	wsgislxt.exe
2676	wiffcn.exe
3256	wusyed.exe
4416	wohlfiv.exe
1808	wgqdnr.exe
3808	wycvem.exe
528	wausia.exe
4912	wquqtcwuj.exe
4700	wlidu.exe
636	wclsyesl.exe
1052	wlgd.exe
4656	wkpfnlag.exe
664	wlb.exe
4208	wvdchcijh.exe
3808	wngfcyqq.exe
3096	wna.exe
848	wdaliliv.exe
232	wnkkqfk.exe
2448	wxbqben.exe
3100	wibgs.exe
3848	weakl.exe
1292	wrxns.exe
3408	wchqq.exe
4668	whwal.exe
1556	wehoki.exe
664	wyqqqi.exe
4056	wjsh.exe
4860	wmmyyo.exe
1484	wirjunq.exe
816	whmty.exe
2116	whpouv.exe
1980	wresgu.exe
2712	wjplng.exe
3328	wcexqe.exe
3508	wktske.exe
464	wktslw.exe
1984	wjjj.exe
4928	wwk.exe
4356	wlkhyywab.exe
3212	waksiro.exe
4368	wguvy.exe
4212	wypyuwj.exe
424	wwjyj.exe
3160	wbfnixpoc.exe
4068	wud.exe
4804	wwvtnjs.exe
4960	wfaq.exe
4328	wckgxosq.exe
2588	wkkyle.exe
4500	wrgjsl.exe
544	wvlmxio.exe
4828	wjgw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wiffcn.exe	wsgislxt.exe
File created	C:\Windows\SysWOW64\wausia.exe	wycvem.exe
File opened for modification	C:\Windows\SysWOW64\wrxns.exe	weakl.exe
File created	C:\Windows\SysWOW64\wvlmxio.exe	wrgjsl.exe
File opened for modification	C:\Windows\SysWOW64\wsgislxt.exe	wjmgeir.exe
File created	C:\Windows\SysWOW64\wclsyesl.exe	wlidu.exe
File opened for modification	C:\Windows\SysWOW64\wlb.exe	wkpfnlag.exe
File opened for modification	C:\Windows\SysWOW64\wvdchcijh.exe	wlb.exe
File opened for modification	C:\Windows\SysWOW64\wvlmxio.exe	wrgjsl.exe
File created	C:\Windows\SysWOW64\wmvafu.exe	wcsfqumg.exe
File created	C:\Windows\SysWOW64\wckgxosq.exe	wfaq.exe
File opened for modification	C:\Windows\SysWOW64\wibgs.exe	wxbqben.exe
File created	C:\Windows\SysWOW64\wmmyyo.exe	wjsh.exe
File opened for modification	C:\Windows\SysWOW64\wirjunq.exe	wmmyyo.exe
File created	C:\Windows\SysWOW64\whpouv.exe	whmty.exe
File opened for modification	C:\Windows\SysWOW64\wrgjsl.exe	wkkyle.exe
File created	C:\Windows\SysWOW64\wpma.exe	wmvafu.exe
File created	C:\Windows\SysWOW64\wchqq.exe	wrxns.exe
File opened for modification	C:\Windows\SysWOW64\wngfcyqq.exe	wvdchcijh.exe
File opened for modification	C:\Windows\SysWOW64\wmvafu.exe	wcsfqumg.exe
File created	C:\Windows\SysWOW64\wibgs.exe	wxbqben.exe
File created	C:\Windows\SysWOW64\wktslw.exe	wktske.exe
File created	C:\Windows\SysWOW64\wwk.exe	wjjj.exe
File opened for modification	C:\Windows\SysWOW64\wkkyle.exe	wckgxosq.exe
File opened for modification	C:\Windows\SysWOW64\whhmgplv.exe	womxhj.exe
File created	C:\Windows\SysWOW64\wirjunq.exe	wmmyyo.exe
File opened for modification	C:\Windows\SysWOW64\wktske.exe	wcexqe.exe
File created	C:\Windows\SysWOW64\wngfcyqq.exe	wvdchcijh.exe
File created	C:\Windows\SysWOW64\whcygx.exe	wpma.exe
File created	C:\Windows\SysWOW64\wohlfiv.exe	wusyed.exe
File opened for modification	C:\Windows\SysWOW64\wcexqe.exe	wjplng.exe
File created	C:\Windows\SysWOW64\wjjj.exe	wktslw.exe
File created	C:\Windows\SysWOW64\wypyuwj.exe	wguvy.exe
File opened for modification	C:\Windows\SysWOW64\wwjyj.exe	wypyuwj.exe
File opened for modification	C:\Windows\SysWOW64\wvmo.exe	wurhh.exe
File opened for modification	C:\Windows\SysWOW64\wpma.exe	wmvafu.exe
File created	C:\Windows\SysWOW64\wkpfnlag.exe	wlgd.exe
File created	C:\Windows\SysWOW64\whmty.exe	wirjunq.exe
File created	C:\Windows\SysWOW64\wktske.exe	wcexqe.exe
File created	C:\Windows\SysWOW64\whhmgplv.exe	womxhj.exe
File opened for modification	C:\Windows\SysWOW64\wnkkqfk.exe	wdaliliv.exe
File created	C:\Windows\SysWOW64\wdaliliv.exe	wna.exe
File opened for modification	C:\Windows\SysWOW64\wquqtcwuj.exe	wausia.exe
File opened for modification	C:\Windows\SysWOW64\wlidu.exe	wquqtcwuj.exe
File opened for modification	C:\Windows\SysWOW64\wlgd.exe	wclsyesl.exe
File opened for modification	C:\Windows\SysWOW64\wxghct.exe	wjgw.exe
File opened for modification	C:\Windows\SysWOW64\wusyed.exe	wiffcn.exe
File opened for modification	C:\Windows\SysWOW64\wycvem.exe	wgqdnr.exe
File opened for modification	C:\Windows\SysWOW64\wna.exe	wngfcyqq.exe
File opened for modification	C:\Windows\SysWOW64\weakl.exe	wibgs.exe
File opened for modification	C:\Windows\SysWOW64\wehoki.exe	whwal.exe
File opened for modification	C:\Windows\SysWOW64\wmmyyo.exe	wjsh.exe
File created	C:\Windows\SysWOW64\wrgjsl.exe	wkkyle.exe
File opened for modification	C:\Windows\SysWOW64\wjgw.exe	wvlmxio.exe
File opened for modification	C:\Windows\SysWOW64\wcsfqumg.exe	woqhplo.exe
File created	C:\Windows\SysWOW64\wusyed.exe	wiffcn.exe
File opened for modification	C:\Windows\SysWOW64\wyqqqi.exe	wehoki.exe
File opened for modification	C:\Windows\SysWOW64\wurhh.exe	wahsi.exe
File created	C:\Windows\SysWOW64\wnkkqfk.exe	wdaliliv.exe
File opened for modification	C:\Windows\SysWOW64\wktslw.exe	wktske.exe
File created	C:\Windows\SysWOW64\waksiro.exe	wlkhyywab.exe
File created	C:\Windows\SysWOW64\wsgislxt.exe	wjmgeir.exe
File opened for modification	C:\Windows\SysWOW64\wresgu.exe	whpouv.exe
File opened for modification	C:\Windows\SysWOW64\wjjj.exe	wktslw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
1508	2448	WerFault.exe	94
4676	4300	WerFault.exe	131
1776	1808	WerFault.exe	155
1556	3808	WerFault.exe	158
4200	1980	WerFault.exe	242
1032	1980	WerFault.exe	242
1056	3212	WerFault.exe	273
3508	3212	WerFault.exe	273
4500	3212	WerFault.exe	273
216	3212	WerFault.exe	273

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2448	1872	57efcc0242fee92bddbb8f9c25d23481.exe	94
PID 1872 wrote to memory of 2448	1872	57efcc0242fee92bddbb8f9c25d23481.exe	94
PID 1872 wrote to memory of 2448	1872	57efcc0242fee92bddbb8f9c25d23481.exe	94
PID 1872 wrote to memory of 1664	1872	57efcc0242fee92bddbb8f9c25d23481.exe	96
PID 1872 wrote to memory of 1664	1872	57efcc0242fee92bddbb8f9c25d23481.exe	96
PID 1872 wrote to memory of 1664	1872	57efcc0242fee92bddbb8f9c25d23481.exe	96
PID 2448 wrote to memory of 3096	2448	wgdolk.exe	100
PID 2448 wrote to memory of 3096	2448	wgdolk.exe	100
PID 2448 wrote to memory of 3096	2448	wgdolk.exe	100
PID 2448 wrote to memory of 3232	2448	wgdolk.exe	101
PID 2448 wrote to memory of 3232	2448	wgdolk.exe	101
PID 2448 wrote to memory of 3232	2448	wgdolk.exe	101
PID 3096 wrote to memory of 916	3096	wahsi.exe	108
PID 3096 wrote to memory of 916	3096	wahsi.exe	108
PID 3096 wrote to memory of 916	3096	wahsi.exe	108
PID 3096 wrote to memory of 4372	3096	wahsi.exe	109
PID 3096 wrote to memory of 4372	3096	wahsi.exe	109
PID 3096 wrote to memory of 4372	3096	wahsi.exe	109
PID 916 wrote to memory of 3984	916	wurhh.exe	111
PID 916 wrote to memory of 3984	916	wurhh.exe	111
PID 916 wrote to memory of 3984	916	wurhh.exe	111
PID 916 wrote to memory of 4812	916	wurhh.exe	112
PID 916 wrote to memory of 4812	916	wurhh.exe	112
PID 916 wrote to memory of 4812	916	wurhh.exe	112
PID 3984 wrote to memory of 3552	3984	wvmo.exe	114
PID 3984 wrote to memory of 3552	3984	wvmo.exe	114
PID 3984 wrote to memory of 3552	3984	wvmo.exe	114
PID 3984 wrote to memory of 2392	3984	wvmo.exe	116
PID 3984 wrote to memory of 2392	3984	wvmo.exe	116
PID 3984 wrote to memory of 2392	3984	wvmo.exe	116
PID 3552 wrote to memory of 3808	3552	womxhj.exe	117
PID 3552 wrote to memory of 3808	3552	womxhj.exe	117
PID 3552 wrote to memory of 3808	3552	womxhj.exe	117
PID 3552 wrote to memory of 2756	3552	womxhj.exe	118
PID 3552 wrote to memory of 2756	3552	womxhj.exe	118
PID 3552 wrote to memory of 2756	3552	womxhj.exe	118
PID 3808 wrote to memory of 4672	3808	whhmgplv.exe	120
PID 3808 wrote to memory of 4672	3808	whhmgplv.exe	120
PID 3808 wrote to memory of 4672	3808	whhmgplv.exe	120
PID 3808 wrote to memory of 2288	3808	whhmgplv.exe	121
PID 3808 wrote to memory of 2288	3808	whhmgplv.exe	121
PID 3808 wrote to memory of 2288	3808	whhmgplv.exe	121
PID 4672 wrote to memory of 2464	4672	woqhplo.exe	125
PID 4672 wrote to memory of 2464	4672	woqhplo.exe	125
PID 4672 wrote to memory of 2464	4672	woqhplo.exe	125
PID 4672 wrote to memory of 920	4672	woqhplo.exe	126
PID 4672 wrote to memory of 920	4672	woqhplo.exe	126
PID 4672 wrote to memory of 920	4672	woqhplo.exe	126
PID 2464 wrote to memory of 3892	2464	wcsfqumg.exe	128
PID 2464 wrote to memory of 3892	2464	wcsfqumg.exe	128
PID 2464 wrote to memory of 3892	2464	wcsfqumg.exe	128
PID 2464 wrote to memory of 2636	2464	wcsfqumg.exe	129
PID 2464 wrote to memory of 2636	2464	wcsfqumg.exe	129
PID 2464 wrote to memory of 2636	2464	wcsfqumg.exe	129
PID 3892 wrote to memory of 4300	3892	wmvafu.exe	131
PID 3892 wrote to memory of 4300	3892	wmvafu.exe	131
PID 3892 wrote to memory of 4300	3892	wmvafu.exe	131
PID 3892 wrote to memory of 2324	3892	wmvafu.exe	132
PID 3892 wrote to memory of 2324	3892	wmvafu.exe	132
PID 3892 wrote to memory of 2324	3892	wmvafu.exe	132
PID 4300 wrote to memory of 5028	4300	wpma.exe	134
PID 4300 wrote to memory of 5028	4300	wpma.exe	134
PID 4300 wrote to memory of 5028	4300	wpma.exe	134
PID 4300 wrote to memory of 1716	4300	wpma.exe	135

C:\Users\Admin\AppData\Local\Temp\57efcc0242fee92bddbb8f9c25d23481.exe
"C:\Users\Admin\AppData\Local\Temp\57efcc0242fee92bddbb8f9c25d23481.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\wgdolk.exe
  "C:\Windows\system32\wgdolk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\wahsi.exe
    "C:\Windows\system32\wahsi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\SysWOW64\wurhh.exe
      "C:\Windows\system32\wurhh.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\wvmo.exe
        
        "C:\Windows\system32\wvmo.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Windows\SysWOW64\womxhj.exe
        
        "C:\Windows\system32\womxhj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\whhmgplv.exe
        
        "C:\Windows\system32\whhmgplv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\woqhplo.exe
        
        "C:\Windows\system32\woqhplo.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\wcsfqumg.exe
        
        "C:\Windows\system32\wcsfqumg.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\wmvafu.exe
        
        "C:\Windows\system32\wmvafu.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\wpma.exe
        
        "C:\Windows\system32\wpma.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\whcygx.exe
        
        "C:\Windows\system32\whcygx.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\wjmgeir.exe
        
        "C:\Windows\system32\wjmgeir.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\wsgislxt.exe
        
        "C:\Windows\system32\wsgislxt.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\wiffcn.exe
        
        "C:\Windows\system32\wiffcn.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\wusyed.exe
        
        "C:\Windows\system32\wusyed.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\wohlfiv.exe
        
        "C:\Windows\system32\wohlfiv.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\wgqdnr.exe
        
        "C:\Windows\system32\wgqdnr.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\wycvem.exe
        
        "C:\Windows\system32\wycvem.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\wausia.exe
        
        "C:\Windows\system32\wausia.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\wquqtcwuj.exe
        
        "C:\Windows\system32\wquqtcwuj.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\wlidu.exe
        
        "C:\Windows\system32\wlidu.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\wclsyesl.exe
        
        "C:\Windows\system32\wclsyesl.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\wlgd.exe
        
        "C:\Windows\system32\wlgd.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\wkpfnlag.exe
        
        "C:\Windows\system32\wkpfnlag.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wlb.exe
        
        "C:\Windows\system32\wlb.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\wvdchcijh.exe
        
        "C:\Windows\system32\wvdchcijh.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\wngfcyqq.exe
        
        "C:\Windows\system32\wngfcyqq.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\wna.exe
        
        "C:\Windows\system32\wna.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\wdaliliv.exe
        
        "C:\Windows\system32\wdaliliv.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\wnkkqfk.exe
        
        "C:\Windows\system32\wnkkqfk.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\wxbqben.exe
        
        "C:\Windows\system32\wxbqben.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\wibgs.exe
        
        "C:\Windows\system32\wibgs.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\weakl.exe
        
        "C:\Windows\system32\weakl.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\wrxns.exe
        
        "C:\Windows\system32\wrxns.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\wchqq.exe
        
        "C:\Windows\system32\wchqq.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\whwal.exe
        
        "C:\Windows\system32\whwal.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\wehoki.exe
        
        "C:\Windows\system32\wehoki.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wyqqqi.exe
        
        "C:\Windows\system32\wyqqqi.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\wjsh.exe
        
        "C:\Windows\system32\wjsh.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\wmmyyo.exe
        
        "C:\Windows\system32\wmmyyo.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\wirjunq.exe
        
        "C:\Windows\system32\wirjunq.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\whmty.exe
        
        "C:\Windows\system32\whmty.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\whpouv.exe
        
        "C:\Windows\system32\whpouv.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\wresgu.exe
        
        "C:\Windows\system32\wresgu.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\wjplng.exe
        
        "C:\Windows\system32\wjplng.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\wcexqe.exe
        
        "C:\Windows\system32\wcexqe.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\wktske.exe
        
        "C:\Windows\system32\wktske.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\wktslw.exe
        
        "C:\Windows\system32\wktslw.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\wjjj.exe
        
        "C:\Windows\system32\wjjj.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\wwk.exe
        
        "C:\Windows\system32\wwk.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\wlkhyywab.exe
        
        "C:\Windows\system32\wlkhyywab.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\waksiro.exe
        
        "C:\Windows\system32\waksiro.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1680
        54⤵
        Program crash
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waksiro.exe"
        54⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\wguvy.exe
        
        "C:\Windows\system32\wguvy.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\wypyuwj.exe
        
        "C:\Windows\system32\wypyuwj.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypyuwj.exe"
        56⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\wwjyj.exe
        
        "C:\Windows\system32\wwjyj.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjyj.exe"
        57⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\wbfnixpoc.exe
        
        "C:\Windows\system32\wbfnixpoc.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfnixpoc.exe"
        58⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\wud.exe
        
        "C:\Windows\system32\wud.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wud.exe"
        59⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\wwvtnjs.exe
        
        "C:\Windows\system32\wwvtnjs.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\wfaq.exe
        
        "C:\Windows\system32\wfaq.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaq.exe"
        61⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\wckgxosq.exe
        
        "C:\Windows\system32\wckgxosq.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckgxosq.exe"
        62⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\wkkyle.exe
        
        "C:\Windows\system32\wkkyle.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkyle.exe"
        63⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\wrgjsl.exe
        
        "C:\Windows\system32\wrgjsl.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgjsl.exe"
        64⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\wvlmxio.exe
        
        "C:\Windows\system32\wvlmxio.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\wjgw.exe
        
        "C:\Windows\system32\wjgw.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgw.exe"
        66⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\wxghct.exe
        
        "C:\Windows\system32\wxghct.exe"
        66⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxghct.exe"
        67⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\wdoojfire.exe
        
        "C:\Windows\system32\wdoojfire.exe"
        67⤵
        
        PID:840
        
        C:\Windows\SysWOW64\wtdo.exe
        
        "C:\Windows\system32\wtdo.exe"
        68⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\wmv.exe
        
        "C:\Windows\system32\wmv.exe"
        69⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmv.exe"
        70⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\wwdndcbct.exe
        
        "C:\Windows\system32\wwdndcbct.exe"
        70⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdndcbct.exe"
        71⤵
        
        PID:552
        
        C:\Windows\SysWOW64\wglpbdwg.exe
        
        "C:\Windows\system32\wglpbdwg.exe"
        71⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtdo.exe"
        69⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoojfire.exe"
        68⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvlmxio.exe"
        65⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvtnjs.exe"
        60⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguvy.exe"
        55⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1684
        54⤵
        Program crash
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 660
        54⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 668
        54⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkhyywab.exe"
        53⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwk.exe"
        52⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjj.exe"
        51⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktslw.exe"
        50⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktske.exe"
        49⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcexqe.exe"
        48⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjplng.exe"
        47⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wresgu.exe"
        46⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1080
        46⤵
        Program crash
        
        PID:4200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1672
        46⤵
        Program crash
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpouv.exe"
        45⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmty.exe"
        44⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirjunq.exe"
        43⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmyyo.exe"
        42⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjsh.exe"
        41⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqqqi.exe"
        40⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehoki.exe"
        39⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwal.exe"
        38⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchqq.exe"
        37⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxns.exe"
        36⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weakl.exe"
        35⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibgs.exe"
        34⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbqben.exe"
        33⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkkqfk.exe"
        32⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdaliliv.exe"
        31⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wna.exe"
        30⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngfcyqq.exe"
        29⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdchcijh.exe"
        28⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlb.exe"
        27⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpfnlag.exe"
        26⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgd.exe"
        25⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclsyesl.exe"
        24⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlidu.exe"
        23⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquqtcwuj.exe"
        22⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wausia.exe"
        21⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycvem.exe"
        20⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 116
        20⤵
        Program crash
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqdnr.exe"
        19⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1620
        19⤵
        Program crash
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohlfiv.exe"
        18⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusyed.exe"
        17⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiffcn.exe"
        16⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgislxt.exe"
        15⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmgeir.exe"
        14⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcygx.exe"
        13⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpma.exe"
        12⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1656
        12⤵
        Program crash
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvafu.exe"
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsfqumg.exe"
        10⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqhplo.exe"
        9⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhmgplv.exe"
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womxhj.exe"
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmo.exe"
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurhh.exe"
        5⤵
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahsi.exe"
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdolk.exe"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1476
    3⤵
    - Program crash
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\57efcc0242fee92bddbb8f9c25d23481.exe"
  2⤵
  PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2448 -ip 2448
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4300 -ip 4300
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1808 -ip 1808
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3808 -ip 3808
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1980 -ip 1980
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1980 -ip 1980
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3212 -ip 3212
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3212 -ip 3212
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3212 -ip 3212
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3212 -ip 3212
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wahsi.exe

Filesize
265KB

MD5
b4f9fcf5f85046b5d2153efcb2a26927

SHA1
e2e32a79399c0c04e994911832d1dc0a55ed4c05

SHA256
b990777115d305686b345392a31003626e4f9ba2eac6564924d0ad72650eb98a

SHA512
2838c55466bf800546e057309bd08577801be074c49deeb436e0e45626cb520091aec7c6c95bfb21568e7e12b0b1a85315110cd8f7ac727e61c042dd53d8c87c

Download Submit
C:\Windows\SysWOW64\wausia.exe

Filesize
265KB

MD5
078c8cc9512799630f3edcc49832ca0d

SHA1
080ad957a700a7d620c3956ea228a98760638858

SHA256
741709cc3911193123dcf1092a243c976ab12f2132581928f0a7a7693f77b9e5

SHA512
033c133325b1546c5df8bfcbea655f3634ba549529fb8570a4e22a8b98d49a04796407c92e6528ad569ef0d5000ebfd67100d5bdb22d6fe50aa27032eff28a48

Download Submit
C:\Windows\SysWOW64\wclsyesl.exe

Filesize
265KB

MD5
7302acb5f4335b2914289eb46d27fc34

SHA1
993da5f0ff65e95810e7345c83b60ff8d4eb7982

SHA256
a773cb56d2d85c0338c0ede9843936403315b97930a693ba6afdaed2116f594d

SHA512
ac3667684b5517e67606ef04c6f7ae06d949351bcbb5d1e190f16e88a0c5a7dc5f87e73e2713e6f3da0ca4219a2f1eaca6634fcaec9fe42bf67fbe12301dbffc

Download Submit
C:\Windows\SysWOW64\wcsfqumg.exe

Filesize
265KB

MD5
bf24c35898ae79a5e79ca229c90e3615

SHA1
0c731db47710910417d41bb85f2ad24d4e9bc1bb

SHA256
7af83fbc9accb88d8ddf0187d740500fa4473d8fd1579e846e4815945470c867

SHA512
038e0ce085cf74aaa89d9049d7cf122fd4a2c5204c8d2686b2e9bb46d873a94e194076e854eaa0678402dba9e8c6e6c28d4a46772292d9c905099679476ef027

Download Submit
C:\Windows\SysWOW64\wdaliliv.exe

Filesize
265KB

MD5
0082d168fb6743d8a481c6b2bf7b28a2

SHA1
817a4c6082851699924c36a0a5e693281f82a751

SHA256
f3352acf121ac6f9d515cc132d908bd230504b2ee066003359270f007dcf0c2b

SHA512
72d4c1bc6f53ba9ed7c47f18aacfb9a06a0675f50380563c28bd422c6b4b3f14ba86183f746e27ead4f76e8eefeaa7422f60a2a0ff602ba1ce4409024210677e

Download Submit
C:\Windows\SysWOW64\wgdolk.exe

Filesize
265KB

MD5
a9ee5339cff42ef02f58b4f2ae7b4425

SHA1
694f4bec65c622bf5a3b063b6b5f3a4bfde2c65c

SHA256
cdeea467b96bb8d6e1bc4e45b94b3792278fd5526af099206fe8f48647bc8fe5

SHA512
bf99caba918a191c5ca26e75b49c5de19e17eb1fdba2a782c1f3f1dfd90b9ee57cc70a01a401f68b8be347e5fd880892dfa3057dcabf46d9c28edd60947ed671

Download Submit
C:\Windows\SysWOW64\wgdolk.exe

Filesize
116KB

MD5
bb4531d86fecfe3789e623deb2109386

SHA1
9e7f40a540b4045a887a4ffc46c096c9300f1b33

SHA256
ef596277c3fa6d368ef25ec781b36217266d7a25b7a7cc4f013a4c1c0c1d1d0d

SHA512
7cdcbafd15f24040da530ee1b0e6ec176bf9abddea396cae89e8361994a60eb07eff65bf58ca8f27b5c0e687bafa433584255bc1fb11466fd43556c791ae0851

Download Submit
C:\Windows\SysWOW64\wgqdnr.exe

Filesize
265KB

MD5
efec6c2228f21fdf50b6a210761c7e27

SHA1
ba05e7a83fe4f8e3eb44a56646302c614de660da

SHA256
cb2a255fa84c048420a16b1e84a3dea09b4891f4aafc4f3232f43de04d7abe9f

SHA512
9a1bc4f3d07d190b968c67909a0152e34baf1c90b6135c545b49e825291ed1f9f5e7b0c9da35b3b037a46d942623a7da85109b59594ed6ef536650a96cdc5895

Download Submit
C:\Windows\SysWOW64\whcygx.exe

Filesize
265KB

MD5
c3eec8a6b4a2238db9207b7eda125ab4

SHA1
84aac7e53217cf77a4b40c51b654d952012775f8

SHA256
7ce8cc7f027d9150a9c53c1bac946e5d0384c406190910f62d8dd8347692e5a5

SHA512
7c006f12ed98ea3f1f6228b45f3e6fc9aa4d7a46537824da98b21e0519c04aff5fa5f7081be1cc19ac1fe4cb944d74ee23a83346d1077e4184a394364be1fdf0

Download Submit
C:\Windows\SysWOW64\whhmgplv.exe

Filesize
265KB

MD5
eaa1c2ba5f16fd4828d2ad786714a8c9

SHA1
2534dd66cc771a15b03438556528a05d6d6f8330

SHA256
abf1885e10f1a1e1b6a51a7589731387e944b69e03b828511e32b364ce942152

SHA512
cd4796a46060e9ee24f724eefa1fa677cf3e4291c338cdec6a1c9ba63f2b3a267331680381b28f09537a32e68bebe16aba32af4d7cf7c6c58235de9506741a75

Download Submit
C:\Windows\SysWOW64\wibgs.exe

Filesize
236KB

MD5
1afd529e1ea30fba129658eff62da7e0

SHA1
a5615bc07d22c9e25718da7cc5c02db7507ccaf4

SHA256
b30c8f6cb2d68797cf7b2d571ce0f72b975ee77cf9ae68c84fdcb5e1ce5b4e93

SHA512
0a69004855978e5fece8ff71d71e9791ddd02ca6a5ce7bcd2c31fc0881a674a2af8380e76a87705ae5240fc902d9188659da022a48bd6dd59e8ac87dc52a9f4b

Download Submit
C:\Windows\SysWOW64\wibgs.exe

Filesize
265KB

MD5
3e9852c900bbb2448c0c693433588a50

SHA1
39d9a4ab1d9e1c1dfb9e75f935fa825cb7567919

SHA256
fd72a15013fc42f484ac49b20f77b1b582bdd1a29df32e327247b84631bc7cd9

SHA512
1d5a94d60873e2cd85a5ea553eb3297b94b1d6482d42c3e5273672f94c0e4f392807eb08e6ad2218735242712075fa5b4354f78cb5d231a1a5be2b1dfcf1f2a3

Download Submit
C:\Windows\SysWOW64\wiffcn.exe

Filesize
265KB

MD5
9d3bcd9bf3d6b6d650e976a209483a77

SHA1
7984f43bbb35d4424470773e44738ffa6eeb1b8a

SHA256
3c076fef54bc89ece4aa9744a39758fc366a3d377222d180afd7bc33ee4f1c1f

SHA512
d9c9fa30b12c5a58a03e5659c6d0e6a49be03dc7a60710b64e4090acd77ceff196282cb821defec6650624e1ee238ee94a4b4572d49985e576a3d1c77b62cfc8

Download Submit
C:\Windows\SysWOW64\wjmgeir.exe

Filesize
265KB

MD5
77533bd7167d28db7ad12f96c8f10f13

SHA1
18ccdfe30ea521362676aaaed42584e55518a759

SHA256
9d57584f2a99b36e7c1918f7b40a2b98de99df428d5d0a337bfb58954ec5fbf5

SHA512
f3017947ef809c2f8e0af889ad4c2bf0a4509980107bc20965ea11de064b75dcd6b16c2a6dad0ae8d13ea2a4b9ba6d1574fa298934cb62f59d981b2664302248

Download Submit
C:\Windows\SysWOW64\wkpfnlag.exe

Filesize
265KB

MD5
cb0b88463db5a73d4936244c408d672f

SHA1
6935afc474c69bebeec0406d70f4d640ef7defec

SHA256
810feeea64a87b57c8173591f56248641d4083403528128d6e466ec14c2743ac

SHA512
54b071775878d170a622ba8392bde560eb1db277098c62debffe9c9b113800ab977bd5aad04166262d10a6b4c0b120f78f8d62d2283fe3e57ba6aa728d0e8a44

Download Submit
C:\Windows\SysWOW64\wlb.exe

Filesize
265KB

MD5
85859c0fc6a9b7517df8c62357b6d581

SHA1
f972012684c15d2036e981f8a4fd3b694b9c13fc

SHA256
06752d3cfbedd6c6897dd3bedaa4d05a71a8aabcffded581353b5fb37861dcec

SHA512
a8273b293ed3871a89227775c4b538002a49b2f8d5f8d117bded800630cbecb0c46f2bb7451c6c2111d69f8b48ad973f91249ba5a01abb9c9f7424c0b35d1cb4

Download Submit
C:\Windows\SysWOW64\wlgd.exe

Filesize
265KB

MD5
14bdca37a68e377ae3f34e3b0d3781e4

SHA1
4775032f8c730478a9c6bf9efaac28c7fa612746

SHA256
5a7c82b125a65711b555aec230b355f5c1d20fcbd6bf587e85b1b17185b46fad

SHA512
605e4c80e3263e78e084a25bd674ef8537f4f7e07666ab4f42f3a158da5afcf1bab46cc240bc7040eae9580d9a0b7650a77214c4b82c094c7d124f8708b84324

Download Submit
C:\Windows\SysWOW64\wlidu.exe

Filesize
265KB

MD5
872370634c0618624c70dd4e246cc85c

SHA1
81e6279de1ad184aff9a0b3cf4ed554ddeb2fdab

SHA256
f3ee92ae18885b8d112d6e2d361de5a237299b6f974468eb8297feeeab247e9d

SHA512
376886f36c1f62c62529a4513865d0ed8ae2597c7e28717dee8f1d3f23311fa2fc0da0cf8f0371f203a4d51091f79ae0529866971ee44d11335ee5505f626c67

Download Submit
C:\Windows\SysWOW64\wmvafu.exe

Filesize
265KB

MD5
6ebbed1250f8d1aea5819d91f4906afd

SHA1
2b5318ab4a3203a62c2b9bb1bdd062cd5b17a3d7

SHA256
7cc9389c8f8c1c7d54a03f2ba498a41ed9205049edcf767c2ded6a8ebb99dffd

SHA512
57e7f708ddec13e49bda20c802ee2b8a1a819acfc505ff91a4fab2a70d01641cf6f239e2028ab07edf888e414ca4e50043a389c96a7481874733ba0ed896bd58

Download Submit
C:\Windows\SysWOW64\wna.exe

Filesize
265KB

MD5
4ba487522b2cbab8e5f358d3486db4f0

SHA1
4d9818b07ef59d085aa1db05bfa4a1524d9b1e5d

SHA256
202da796ab679a775c0123b322b9f3b29f27c2ec0da35d0124bede8b618b0933

SHA512
bb5161353ca7ada6a8ea746c2c5f9ac1e2c7cc92b13b0fff903f294f9a9bdaeb162925b2b5916797c57a4e0b835b0dd03e1e4c8f3bcd620e95b88661a6baeba0

Download Submit
C:\Windows\SysWOW64\wngfcyqq.exe

Filesize
265KB

MD5
195df4f61faa8cdb2270d1bbee809a26

SHA1
2791fa748058ff165175d5ad4118a09b7b30ce6a

SHA256
12593b9a19e317a81d19426c7f7b514e52c07a815910414dcfd4490bc2e7d309

SHA512
90b679c7574182c18eb8e3ff9ee23b1d65e4404e75d9e195736d388ea053e5d48ab4b17ad4677f9c46a0e2ae6ebd57061a68827c6588301344e27dbda4155446

Download Submit
C:\Windows\SysWOW64\wnkkqfk.exe

Filesize
265KB

MD5
199d75335f4f859e7c4d02cb26112413

SHA1
56674366d965d8e92bccbb5ddea9bf47f1c95200

SHA256
a512f89fc9965a9bc830c2e7acd6fb7c37005903a74218fed34cfed175410283

SHA512
4a0fb39c9936de1b87956bd4dea7d25118313d3b7d92b4c5d20736880d45863d4b70fc7e8d2000915e65496d4b89c195917d92096158a042c83f6a48075d4546

Download Submit
C:\Windows\SysWOW64\wohlfiv.exe

Filesize
265KB

MD5
83785b24352679b09d9a4029b21a4f2f

SHA1
dfc253d880ce338f68b3525a6dd914841b5dee12

SHA256
6d21e1d6b192418587dd683dc673ceeb5e98c2bfbfbb7cbc287ac4fe48430d05

SHA512
dc58a9c5421e08fad07397f74dd0c5b2b83a73366361954afec268345bb4d7ed2dee45bfd1849fe8e988b15a0da473e39ad90664c4c89e2108bde2d8a6bc1fd6

Download Submit
C:\Windows\SysWOW64\womxhj.exe

Filesize
265KB

MD5
148d12e1afe70f34022d4a6fa9098b1b

SHA1
f2c7da20e198b75b008ba5a234f769cd996ea6e3

SHA256
ef95675102e4f8805e74866781e424389d2857ee366a89fc69abd564d69f4a30

SHA512
b64199527d045d249a12cd477fbe974c97d592056a1971d87447aed971392467097f18bb31a5180514970cd7eb98b4ec5fb8eb3c3becf14ca1faa6072b380f5f

Download Submit
C:\Windows\SysWOW64\woqhplo.exe

Filesize
265KB

MD5
3853113dbcd9e6262789afd764d99721

SHA1
1f6768d5939963dcd0976e2ac3f9b6d2ddf77483

SHA256
6a71e2c451654c036bde6a0d47eb992283c9858a8cda2f5faafd5c26dec091f0

SHA512
d4c6a711e7ff41a48d742f73f00e632a90b27c02098ec215483705553ad63713b60c68e7a3da281b93a14f6991adb65d44c65f4c115879df8569320f74eec8d7

Download Submit
C:\Windows\SysWOW64\wpma.exe

Filesize
265KB

MD5
3705d9ecd44d7bb44c8f6aeb574e8adb

SHA1
451a9b78b2212d8725e173e684bca346e3c711f0

SHA256
b00c32f122165886dbed5b7924a95c12c194f1223a15d9fbe724d0af3a89b0de

SHA512
9a3d29182a86c7a8901b9cb886802d50c75da1dfad15a1c4fc422f4454d8fce04da44fcdee56427f0a9eefc533fd801e9ca5a144b307bc3faf1ee49ce3381635

Download Submit
C:\Windows\SysWOW64\wquqtcwuj.exe

Filesize
265KB

MD5
95da371e41012d5f19d770a5b211fa6b

SHA1
c0c046731edfffb591717cdd2e6e95cace4d580a

SHA256
c1048659266a95845df3440730c8fa5ab1ab94d64f7ad860117885be56505941

SHA512
703ac19b9181d7deec29377e8e927f4a829dbbda4b809b6ddb75f936f30c96324eb2d7da7a1f46e8ed7cad14c17971cf381330400829cdd4a5d70d38053cea32

Download Submit
C:\Windows\SysWOW64\wsgislxt.exe

Filesize
265KB

MD5
8eba0d4f36443410b7f110d68aae3f69

SHA1
679b1f4db3d50ffbf3f74975c0999d9b36ab9082

SHA256
38b776076df0cc01c8c43c779d0f42d25c5162b8341b329f591e3ffe2a5a8d12

SHA512
6d6c1c00cfbbd58d469542af07611280f6a5d11cd01a91674a648c88f31ca2ce93348bd53397d13957ec9737ef56ccff2822414422c850e539bfafbf61c8637b

Download Submit
C:\Windows\SysWOW64\wurhh.exe

Filesize
265KB

MD5
88608ec72ed5ac9b1b41307080a89ce8

SHA1
fbea7b4d95a67dc020a685ca79f154af33b68b0a

SHA256
b6d76b2b7d631db5c8cca31803450bceb569d19779b96877981aa5d8c712a7e2

SHA512
0b07bf3dfb2775ca1566e802eedbc1c772608faf606c4537e281cf0edf02f8aaa82b4cd17242c54fb66f49a3b000b0f74e05d5722aced8b5eaf7499191ba32c8

Download Submit
C:\Windows\SysWOW64\wusyed.exe

Filesize
265KB

MD5
ff8a5c9f8822e7c4434fde54b47f0126

SHA1
8b7bc8b25cea2449f1a4e204f9114ab04c41ac71

SHA256
274ddeab3d3b4128f9c80bb6eadd1b6f464ec4272b621ce4cb8e03063bfef1fa

SHA512
679164b67730020b947bb44f28efe0eeec7540d58475cb2907d0bbec4b55699a79bd1984e80cbd09193f1577e24631fd3cc4e863a5677e34d8b0256e88bc9828

Download Submit
C:\Windows\SysWOW64\wvdchcijh.exe

Filesize
265KB

MD5
a73b227f74a7e625f3517c248c32c232

SHA1
6ce82da9a9757ce17e110f3f7df5e287055826e1

SHA256
ddc4ccaa8d91688800deb46fa89d3c9b0a028c7088ea2bbeded82fd3299e7393

SHA512
5de8d9f03d2fa2b037e2d1e37b94da45e8a3ee427a6eb86a6f001b0f4ef1c9dc8d85917fdd9966dc2e1e3e06d44842c575b3947bbc56f9908b9a34f7b0de3a22

Download Submit
C:\Windows\SysWOW64\wvmo.exe

Filesize
265KB

MD5
9f7aac2992ea4ada03b9ec4d836e20e1

SHA1
439774f95ce27992918b86530f61505a352e45c2

SHA256
1c062ef98ec7a9fbe24bfccca211884c28fc1bb2dd132d6b0f307686f7369776

SHA512
da0235c30ba39eed977f9878117633255ea9573e78b685d9c6b0793ad5d4285bef772b302a58443b1ef83ff5879e23eef8dbf8df3dee73218ca8259e776a40fc

Download Submit
C:\Windows\SysWOW64\wxbqben.exe

Filesize
265KB

MD5
b4701563bdecaf0b79f3e4b5b714b4b3

SHA1
99c884e164546c91e8d9500a3423b8f8a28df5f0

SHA256
9ef7a79ae11b63e900608b7e814436703dae733b0a2778e15973a5a9d6261469

SHA512
0456b85bf00d8f9c3f190cc5a232945795d9238ad9c03cedf892df1247792dc6900fb819dd810ab7ed9ded2e18e7199217b1e3d808200349a2580ff60fa457a9

Download Submit
C:\Windows\SysWOW64\wycvem.exe

Filesize
265KB

MD5
c0d632d60f60cc548d2f188894f48b52

SHA1
2c26018503d826c9cc568c17e0ba8e5651f58dfc

SHA256
41d6e89520b76f225ddaf633c885887a74b9769b67cb6f443bd0b809258e6000

SHA512
4112bbc7980a444fb54ecfb2e9a5a6b43c93eda7cf81590fe9b9393e5baa8e2f3a99dea6aaec95c09e5ab6a1958a3857db6684d5a80c86f3998da40572254ec7

Download Submit
memory/232-328-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/528-212-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/528-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-244-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-233-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/664-264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/664-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/664-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/664-398-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/848-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/916-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1052-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-355-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1484-416-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1484-425-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1556-390-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1556-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-189-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1872-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1872-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2396-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2448-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2448-338-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2448-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2676-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2676-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-307-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-346-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3256-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3408-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3552-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3552-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-201-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3848-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3848-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3892-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3984-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3984-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4056-406-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4208-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4208-275-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4300-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4300-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4356-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4416-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4416-178-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4656-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4668-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4700-222-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4700-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4860-415-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-223-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5028-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download