4dd34b527e763c4d064ba0e88eb1278ca524eac2358a7f083b6913815e96f9ac

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b6bf19114a7bba1048ebc21dd476b47.exe
Size

261KB
MD5

9b6bf19114a7bba1048ebc21dd476b47
SHA1

30025cb96c64532024da0057f9e03d8de76d8a7c
SHA256

4dd34b527e763c4d064ba0e88eb1278ca524eac2358a7f083b6913815e96f9ac
SHA512

5ab096e24edc9e7e8781382941de56ed548ed2f79f23b2a7b91d7b738f8976252bc448f18848fdc0a3b217f0e3357164dd736c77b8404ee4e0cd192c94c2d5ca
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpj7sF:ZY7xh6SZI4z7FSVpHsF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wofkfcgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wyljklqk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wafuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wdtntr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlvcq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wvlixj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wcl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wuhosj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wblhxtiq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wjnkurtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wph.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wykag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlkbsdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wjbqjrljj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wjtgds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wohsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wsuwpm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wmxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wouexyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wubgfam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wgcpsqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	whwmow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wvisbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wdlxbjii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wvdelh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wfaana.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlrbcqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wbdyeve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wnmqfavq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wvtyxg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	whcxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wthwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wjkcuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wxjkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wuim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wovg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wibsoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wvknnanx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wpagq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlwvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wgaosqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlugkod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wtkpuqc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wnkkqfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wybbwkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wtsvbkos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wqxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wckcilg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wsvvbad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wmyle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wfyro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wjdq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wtrxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wfoaykcme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wiqdvxw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	whx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wsdftsqd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wvwoy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wfdalwlo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	weqyumo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wacwe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	whmfwiloy.exe

Executes dropped EXE 64 IoCs

pid	Process
4296	wafuw.exe
1764	wlkbsdr.exe
4740	wjkcuw.exe
872	wibsoo.exe
2892	whmfwiloy.exe
3208	wjbqjrljj.exe
3324	wrckts.exe
1712	wvwoy.exe
3604	wbdyeve.exe
556	wjdq.exe
3352	wuj.exe
464	wdtntr.exe
4944	wjtgds.exe
4472	wvlixj.exe
364	wckcilg.exe
4932	wqfjnwwl.exe
1772	wlvcq.exe
3156	wsvvbad.exe
5024	wnmqfavq.exe
1144	wxjkv.exe
1136	wmxo.exe
2992	whcxl.exe
1440	wfdalwlo.exe
2520	wvtyxg.exe
2260	wmyle.exe
4084	wtkpuqc.exe
2860	wvknnanx.exe
3996	wpagq.exe
4724	wblhxtiq.exe
1692	whwmow.exe
4880	wouexyu.exe
4912	wvoutcb.exe
1592	wjnkurtc.exe
1776	wvisbg.exe
3152	wcl.exe
4772	wthwc.exe
4708	wph.exe
2868	wykag.exe
3996	wnkkqfk.exe
4972	weqyumo.exe
400	wlwvr.exe
372	wubgfam.exe
2884	wybbwkv.exe
2520	wtsvbkos.exe
4624	wtrxk.exe
4356	wvdelh.exe
2388	wtegma.exe
4956	wgaosqp.exe
4036	wdlxbjii.exe
428	wfaana.exe
1760	wuhosj.exe
2176	wohsc.exe
3460	wfyro.exe
1080	wqxh.exe
2732	wofkfcgm.exe
3948	wsuwpm.exe
5040	wiqdvxw.exe
2352	wntf.exe
4772	wvpqp.exe
3352	whaqxtcm.exe
1504	wuim.exe
1432	wryhag.exe
4040	wgcpsqa.exe
4292	wiu.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\whmfwiloy.exe	wibsoo.exe
File created	C:\Windows\SysWOW64\wybbwkv.exe	wubgfam.exe
File opened for modification	C:\Windows\SysWOW64\wvpqp.exe	wntf.exe
File opened for modification	C:\Windows\SysWOW64\whaqxtcm.exe	wvpqp.exe
File opened for modification	C:\Windows\SysWOW64\wrckts.exe	wjbqjrljj.exe
File created	C:\Windows\SysWOW64\whwmow.exe	wblhxtiq.exe
File created	C:\Windows\SysWOW64\wohsc.exe	wuhosj.exe
File opened for modification	C:\Windows\SysWOW64\wohsc.exe	wuhosj.exe
File opened for modification	C:\Windows\SysWOW64\wbdyeve.exe	wvwoy.exe
File opened for modification	C:\Windows\SysWOW64\wvtyxg.exe	wfdalwlo.exe
File created	C:\Windows\SysWOW64\wtegma.exe	wvdelh.exe
File opened for modification	C:\Windows\SysWOW64\wjtgds.exe	wdtntr.exe
File opened for modification	C:\Windows\SysWOW64\wckcilg.exe	wvlixj.exe
File created	C:\Windows\SysWOW64\wqfjnwwl.exe	wckcilg.exe
File created	C:\Windows\SysWOW64\wfoaykcme.exe	whx.exe
File created	C:\Windows\SysWOW64\wlkbsdr.exe	wafuw.exe
File opened for modification	C:\Windows\SysWOW64\wlkbsdr.exe	wafuw.exe
File created	C:\Windows\SysWOW64\wjnkurtc.exe	wvoutcb.exe
File created	C:\Windows\SysWOW64\wvisbg.exe	wjnkurtc.exe
File opened for modification	C:\Windows\SysWOW64\wuhosj.exe	wfaana.exe
File created	C:\Windows\SysWOW64\weqyumo.exe	wnkkqfk.exe
File created	C:\Windows\SysWOW64\wovg.exe	wyljklqk.exe
File opened for modification	C:\Windows\SysWOW64\wlrbcqs.exe	wfoaykcme.exe
File opened for modification	C:\Windows\SysWOW64\wvwoy.exe	wrckts.exe
File created	C:\Windows\SysWOW64\wlvcq.exe	wqfjnwwl.exe
File created	C:\Windows\SysWOW64\wvtyxg.exe	wfdalwlo.exe
File opened for modification	C:\Windows\SysWOW64\wtkpuqc.exe	wmyle.exe
File opened for modification	C:\Windows\SysWOW64\wblhxtiq.exe	wpagq.exe
File opened for modification	C:\Windows\SysWOW64\wqfjnwwl.exe	wckcilg.exe
File opened for modification	C:\Windows\SysWOW64\wnmqfavq.exe	wsvvbad.exe
File created	C:\Windows\SysWOW64\wuhosj.exe	wfaana.exe
File created	C:\Windows\SysWOW64\wofkfcgm.exe	wqxh.exe
File opened for modification	C:\Windows\SysWOW64\wiu.exe	wgcpsqa.exe
File opened for modification	C:\Windows\SysWOW64\wiqdvxw.exe	wsuwpm.exe
File opened for modification	C:\Windows\SysWOW64\wgcpsqa.exe	wryhag.exe
File created	C:\Windows\SysWOW64\whx.exe	wlugkod.exe
File opened for modification	C:\Windows\SysWOW64\wibsoo.exe	wjkcuw.exe
File opened for modification	C:\Windows\SysWOW64\wmxo.exe	wxjkv.exe
File opened for modification	C:\Windows\SysWOW64\wykag.exe	wph.exe
File created	C:\Windows\SysWOW64\wgaosqp.exe	wtegma.exe
File created	C:\Windows\SysWOW64\wfyro.exe	wohsc.exe
File opened for modification	C:\Windows\SysWOW64\wfaana.exe	wdlxbjii.exe
File created	C:\Windows\SysWOW64\wjdq.exe	wbdyeve.exe
File opened for modification	C:\Windows\SysWOW64\wjdq.exe	wbdyeve.exe
File created	C:\Windows\SysWOW64\wjtgds.exe	wdtntr.exe
File opened for modification	C:\Windows\SysWOW64\wubgfam.exe	wlwvr.exe
File opened for modification	C:\Windows\SysWOW64\wdlxbjii.exe	wgaosqp.exe
File opened for modification	C:\Windows\SysWOW64\wuim.exe	whaqxtcm.exe
File created	C:\Windows\SysWOW64\wyljklqk.exe	wiu.exe
File created	C:\Windows\SysWOW64\whmfwiloy.exe	wibsoo.exe
File opened for modification	C:\Windows\SysWOW64\wvlixj.exe	wjtgds.exe
File opened for modification	C:\Windows\SysWOW64\wouexyu.exe	whwmow.exe
File opened for modification	C:\Windows\SysWOW64\wtrxk.exe	wtsvbkos.exe
File opened for modification	C:\Windows\SysWOW64\wgaosqp.exe	wtegma.exe
File opened for modification	C:\Windows\SysWOW64\wfdalwlo.exe	whcxl.exe
File created	C:\Windows\SysWOW64\wlwvr.exe	weqyumo.exe
File created	C:\Windows\SysWOW64\wtrxk.exe	wtsvbkos.exe
File created	C:\Windows\SysWOW64\wthwc.exe	wcl.exe
File created	C:\Windows\SysWOW64\wykag.exe	wph.exe
File opened for modification	C:\Windows\SysWOW64\wtsvbkos.exe	wybbwkv.exe
File opened for modification	C:\Windows\SysWOW64\wlugkod.exe	wovg.exe
File created	C:\Windows\SysWOW64\wrckts.exe	wjbqjrljj.exe
File created	C:\Windows\SysWOW64\wbdyeve.exe	wvwoy.exe
File created	C:\Windows\SysWOW64\wvlixj.exe	wjtgds.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3028	872	WerFault.exe	98
924	3324	WerFault.exe	113
4048	364	WerFault.exe	140
1948	1144	WerFault.exe	157
4764	1136	WerFault.exe	160
1664	1440	WerFault.exe	170
1036	4724	WerFault.exe	190
4380	1700	WerFault.exe	306

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4296	3796	9b6bf19114a7bba1048ebc21dd476b47.exe	84
PID 3796 wrote to memory of 4296	3796	9b6bf19114a7bba1048ebc21dd476b47.exe	84
PID 3796 wrote to memory of 4296	3796	9b6bf19114a7bba1048ebc21dd476b47.exe	84
PID 3796 wrote to memory of 4412	3796	9b6bf19114a7bba1048ebc21dd476b47.exe	86
PID 3796 wrote to memory of 4412	3796	9b6bf19114a7bba1048ebc21dd476b47.exe	86
PID 3796 wrote to memory of 4412	3796	9b6bf19114a7bba1048ebc21dd476b47.exe	86
PID 4296 wrote to memory of 1764	4296	wafuw.exe	88
PID 4296 wrote to memory of 1764	4296	wafuw.exe	88
PID 4296 wrote to memory of 1764	4296	wafuw.exe	88
PID 4296 wrote to memory of 1776	4296	wafuw.exe	89
PID 4296 wrote to memory of 1776	4296	wafuw.exe	89
PID 4296 wrote to memory of 1776	4296	wafuw.exe	89
PID 1764 wrote to memory of 4740	1764	wlkbsdr.exe	95
PID 1764 wrote to memory of 4740	1764	wlkbsdr.exe	95
PID 1764 wrote to memory of 4740	1764	wlkbsdr.exe	95
PID 1764 wrote to memory of 4424	1764	wlkbsdr.exe	96
PID 1764 wrote to memory of 4424	1764	wlkbsdr.exe	96
PID 1764 wrote to memory of 4424	1764	wlkbsdr.exe	96
PID 4740 wrote to memory of 872	4740	wjkcuw.exe	98
PID 4740 wrote to memory of 872	4740	wjkcuw.exe	98
PID 4740 wrote to memory of 872	4740	wjkcuw.exe	98
PID 4740 wrote to memory of 3564	4740	wjkcuw.exe	100
PID 4740 wrote to memory of 3564	4740	wjkcuw.exe	100
PID 4740 wrote to memory of 3564	4740	wjkcuw.exe	100
PID 872 wrote to memory of 2892	872	wibsoo.exe	102
PID 872 wrote to memory of 2892	872	wibsoo.exe	102
PID 872 wrote to memory of 2892	872	wibsoo.exe	102
PID 872 wrote to memory of 1760	872	wibsoo.exe	103
PID 872 wrote to memory of 1760	872	wibsoo.exe	103
PID 872 wrote to memory of 1760	872	wibsoo.exe	103
PID 2892 wrote to memory of 3208	2892	whmfwiloy.exe	110
PID 2892 wrote to memory of 3208	2892	whmfwiloy.exe	110
PID 2892 wrote to memory of 3208	2892	whmfwiloy.exe	110
PID 2892 wrote to memory of 2408	2892	whmfwiloy.exe	111
PID 2892 wrote to memory of 2408	2892	whmfwiloy.exe	111
PID 2892 wrote to memory of 2408	2892	whmfwiloy.exe	111
PID 3208 wrote to memory of 3324	3208	wjbqjrljj.exe	113
PID 3208 wrote to memory of 3324	3208	wjbqjrljj.exe	113
PID 3208 wrote to memory of 3324	3208	wjbqjrljj.exe	113
PID 3208 wrote to memory of 336	3208	wjbqjrljj.exe	114
PID 3208 wrote to memory of 336	3208	wjbqjrljj.exe	114
PID 3208 wrote to memory of 336	3208	wjbqjrljj.exe	114
PID 3324 wrote to memory of 1712	3324	wrckts.exe	116
PID 3324 wrote to memory of 1712	3324	wrckts.exe	116
PID 3324 wrote to memory of 1712	3324	wrckts.exe	116
PID 3324 wrote to memory of 2952	3324	wrckts.exe	119
PID 3324 wrote to memory of 2952	3324	wrckts.exe	119
PID 3324 wrote to memory of 2952	3324	wrckts.exe	119
PID 1712 wrote to memory of 3604	1712	wvwoy.exe	121
PID 1712 wrote to memory of 3604	1712	wvwoy.exe	121
PID 1712 wrote to memory of 3604	1712	wvwoy.exe	121
PID 1712 wrote to memory of 624	1712	wvwoy.exe	122
PID 1712 wrote to memory of 624	1712	wvwoy.exe	122
PID 1712 wrote to memory of 624	1712	wvwoy.exe	122
PID 3604 wrote to memory of 556	3604	wbdyeve.exe	124
PID 3604 wrote to memory of 556	3604	wbdyeve.exe	124
PID 3604 wrote to memory of 556	3604	wbdyeve.exe	124
PID 3604 wrote to memory of 4852	3604	wbdyeve.exe	125
PID 3604 wrote to memory of 4852	3604	wbdyeve.exe	125
PID 3604 wrote to memory of 4852	3604	wbdyeve.exe	125
PID 556 wrote to memory of 3352	556	wjdq.exe	127
PID 556 wrote to memory of 3352	556	wjdq.exe	127
PID 556 wrote to memory of 3352	556	wjdq.exe	127
PID 556 wrote to memory of 2876	556	wjdq.exe	128

C:\Users\Admin\AppData\Local\Temp\9b6bf19114a7bba1048ebc21dd476b47.exe
"C:\Users\Admin\AppData\Local\Temp\9b6bf19114a7bba1048ebc21dd476b47.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\wafuw.exe
  "C:\Windows\system32\wafuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\wlkbsdr.exe
    "C:\Windows\system32\wlkbsdr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\wjkcuw.exe
      "C:\Windows\system32\wjkcuw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\wibsoo.exe
        
        "C:\Windows\system32\wibsoo.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\SysWOW64\whmfwiloy.exe
        
        "C:\Windows\system32\whmfwiloy.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\wjbqjrljj.exe
        
        "C:\Windows\system32\wjbqjrljj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\wrckts.exe
        
        "C:\Windows\system32\wrckts.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\wvwoy.exe
        
        "C:\Windows\system32\wvwoy.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\wbdyeve.exe
        
        "C:\Windows\system32\wbdyeve.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\wjdq.exe
        
        "C:\Windows\system32\wjdq.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\wuj.exe
        
        "C:\Windows\system32\wuj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\wdtntr.exe
        
        "C:\Windows\system32\wdtntr.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\wjtgds.exe
        
        "C:\Windows\system32\wjtgds.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\wvlixj.exe
        
        "C:\Windows\system32\wvlixj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\wckcilg.exe
        
        "C:\Windows\system32\wckcilg.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\wqfjnwwl.exe
        
        "C:\Windows\system32\wqfjnwwl.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\wlvcq.exe
        
        "C:\Windows\system32\wlvcq.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\wsvvbad.exe
        
        "C:\Windows\system32\wsvvbad.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\wnmqfavq.exe
        
        "C:\Windows\system32\wnmqfavq.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\wxjkv.exe
        
        "C:\Windows\system32\wxjkv.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\wmxo.exe
        
        "C:\Windows\system32\wmxo.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\whcxl.exe
        
        "C:\Windows\system32\whcxl.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\wfdalwlo.exe
        
        "C:\Windows\system32\wfdalwlo.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\wvtyxg.exe
        
        "C:\Windows\system32\wvtyxg.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\wmyle.exe
        
        "C:\Windows\system32\wmyle.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\wtkpuqc.exe
        
        "C:\Windows\system32\wtkpuqc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\wvknnanx.exe
        
        "C:\Windows\system32\wvknnanx.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\wpagq.exe
        
        "C:\Windows\system32\wpagq.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\wblhxtiq.exe
        
        "C:\Windows\system32\wblhxtiq.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\whwmow.exe
        
        "C:\Windows\system32\whwmow.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\wouexyu.exe
        
        "C:\Windows\system32\wouexyu.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\wvoutcb.exe
        
        "C:\Windows\system32\wvoutcb.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\wjnkurtc.exe
        
        "C:\Windows\system32\wjnkurtc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\wvisbg.exe
        
        "C:\Windows\system32\wvisbg.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\wcl.exe
        
        "C:\Windows\system32\wcl.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\wthwc.exe
        
        "C:\Windows\system32\wthwc.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\wph.exe
        
        "C:\Windows\system32\wph.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\wykag.exe
        
        "C:\Windows\system32\wykag.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\wnkkqfk.exe
        
        "C:\Windows\system32\wnkkqfk.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\weqyumo.exe
        
        "C:\Windows\system32\weqyumo.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\wlwvr.exe
        
        "C:\Windows\system32\wlwvr.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\wubgfam.exe
        
        "C:\Windows\system32\wubgfam.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\wybbwkv.exe
        
        "C:\Windows\system32\wybbwkv.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\wtsvbkos.exe
        
        "C:\Windows\system32\wtsvbkos.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\wtrxk.exe
        
        "C:\Windows\system32\wtrxk.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\wvdelh.exe
        
        "C:\Windows\system32\wvdelh.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\wtegma.exe
        
        "C:\Windows\system32\wtegma.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\wgaosqp.exe
        
        "C:\Windows\system32\wgaosqp.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\wdlxbjii.exe
        
        "C:\Windows\system32\wdlxbjii.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\wfaana.exe
        
        "C:\Windows\system32\wfaana.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\wuhosj.exe
        
        "C:\Windows\system32\wuhosj.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\wohsc.exe
        
        "C:\Windows\system32\wohsc.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\wfyro.exe
        
        "C:\Windows\system32\wfyro.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\wqxh.exe
        
        "C:\Windows\system32\wqxh.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\wofkfcgm.exe
        
        "C:\Windows\system32\wofkfcgm.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\wsuwpm.exe
        
        "C:\Windows\system32\wsuwpm.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\wiqdvxw.exe
        
        "C:\Windows\system32\wiqdvxw.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\wntf.exe
        
        "C:\Windows\system32\wntf.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\wvpqp.exe
        
        "C:\Windows\system32\wvpqp.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\whaqxtcm.exe
        
        "C:\Windows\system32\whaqxtcm.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\wuim.exe
        
        "C:\Windows\system32\wuim.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\wryhag.exe
        
        "C:\Windows\system32\wryhag.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wgcpsqa.exe
        
        "C:\Windows\system32\wgcpsqa.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\wiu.exe
        
        "C:\Windows\system32\wiu.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\wyljklqk.exe
        
        "C:\Windows\system32\wyljklqk.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\wovg.exe
        
        "C:\Windows\system32\wovg.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\wlugkod.exe
        
        "C:\Windows\system32\wlugkod.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\whx.exe
        
        "C:\Windows\system32\whx.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\wfoaykcme.exe
        
        "C:\Windows\system32\wfoaykcme.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\wlrbcqs.exe
        
        "C:\Windows\system32\wlrbcqs.exe"
        71⤵
        Checks computer location settings
        
        PID:4004
        
        C:\Windows\SysWOW64\wsdftsqd.exe
        
        "C:\Windows\system32\wsdftsqd.exe"
        72⤵
        Checks computer location settings
        
        PID:548
        
        C:\Windows\SysWOW64\wacwe.exe
        
        "C:\Windows\system32\wacwe.exe"
        73⤵
        Checks computer location settings
        
        PID:3244
        
        C:\Windows\SysWOW64\wydyemmvl.exe
        
        "C:\Windows\system32\wydyemmvl.exe"
        74⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacwe.exe"
        74⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdftsqd.exe"
        73⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrbcqs.exe"
        72⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfoaykcme.exe"
        71⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whx.exe"
        70⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlugkod.exe"
        69⤵
        
        PID:64
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1280
        69⤵
        Program crash
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovg.exe"
        68⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyljklqk.exe"
        67⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiu.exe"
        66⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcpsqa.exe"
        65⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryhag.exe"
        64⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuim.exe"
        63⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whaqxtcm.exe"
        62⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpqp.exe"
        61⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntf.exe"
        60⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqdvxw.exe"
        59⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuwpm.exe"
        58⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofkfcgm.exe"
        57⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxh.exe"
        56⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyro.exe"
        55⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohsc.exe"
        54⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhosj.exe"
        53⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaana.exe"
        52⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdlxbjii.exe"
        51⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgaosqp.exe"
        50⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtegma.exe"
        49⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdelh.exe"
        48⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrxk.exe"
        47⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsvbkos.exe"
        46⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybbwkv.exe"
        45⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubgfam.exe"
        44⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwvr.exe"
        43⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqyumo.exe"
        42⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkkqfk.exe"
        41⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykag.exe"
        40⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wph.exe"
        39⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wthwc.exe"
        38⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcl.exe"
        37⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvisbg.exe"
        36⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnkurtc.exe"
        35⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoutcb.exe"
        34⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wouexyu.exe"
        33⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwmow.exe"
        32⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblhxtiq.exe"
        31⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1700
        31⤵
        Program crash
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpagq.exe"
        30⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvknnanx.exe"
        29⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkpuqc.exe"
        28⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyle.exe"
        27⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtyxg.exe"
        26⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdalwlo.exe"
        25⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1668
        25⤵
        Program crash
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcxl.exe"
        24⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxo.exe"
        23⤵
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1708
        23⤵
        Program crash
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjkv.exe"
        22⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1236
        22⤵
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmqfavq.exe"
        21⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvvbad.exe"
        20⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvcq.exe"
        19⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfjnwwl.exe"
        18⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckcilg.exe"
        17⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1416
        17⤵
        Program crash
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvlixj.exe"
        16⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtgds.exe"
        15⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtntr.exe"
        14⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuj.exe"
        13⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdq.exe"
        12⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdyeve.exe"
        11⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwoy.exe"
        10⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrckts.exe"
        9⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1396
        9⤵
        Program crash
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbqjrljj.exe"
        8⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmfwiloy.exe"
        7⤵
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibsoo.exe"
        6⤵
        
        PID:1760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1672
        6⤵
        Program crash
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkcuw.exe"
        5⤵
        
        PID:3564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkbsdr.exe"
      4⤵
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafuw.exe"
    3⤵
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\9b6bf19114a7bba1048ebc21dd476b47.exe"
  2⤵
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 872 -ip 872
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3324 -ip 3324
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 364 -ip 364
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1144 -ip 1144
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1136 -ip 1136
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1440 -ip 1440
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4724 -ip 4724
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1700 -ip 1700
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wafuw.exe

Filesize
261KB

MD5
859ea6685900f43af8bd064553cc5ae0

SHA1
980c6045a0e418350db1e3120d20fef26a8bd636

SHA256
c425afcc3452a7ecb5baafc33f2e71423c0d5ff76b98dc66ffa5650cfc7feaf6

SHA512
7bdabef1108f2243d67cd5eda430d9054a781870f5b76a15d2e25a14c67cf05ad7fa910ee654ec06b90fb95ebb05efd12c377dd8d206f586b8c1f263a50c50f1

Download Submit
C:\Windows\SysWOW64\wbdyeve.exe

Filesize
261KB

MD5
27f02c44d1572190d6397adffe6f7e02

SHA1
8862b9d118bec210338283564bf05da95c87002f

SHA256
f6172c3fc7afd4a9d04ed48f5399a3716c9b02614287de10e91586e0a5dd32f4

SHA512
797cd7d7b64143da16fc4f1a628668a59709e58f2803ad9da79397186baadab00f3fb749efc37ae7a8073862b1afcce85308b15f48d9377990c1770991c3ccea

Download Submit
C:\Windows\SysWOW64\wblhxtiq.exe

Filesize
262KB

MD5
24d3512f5810dce5f3162e8337f463da

SHA1
a6aa1501bbb2192de61550bfbc10208c0d6165a2

SHA256
eedc96ae15ba1800a0523381dcecc63bcc90d0a26dc84fd71d827cbc156e69ac

SHA512
2657d092f34e7551f7ea239bbcd4d0ee742410113ae563607dcadcb1c98a681b58f0d4b510316730e21f22b72ee67cbe94808b5d1c290c3e19b7c1521d998a1d

Download Submit
C:\Windows\SysWOW64\wckcilg.exe

Filesize
261KB

MD5
3256a0d3194007ff47ff4e3d49123f4c

SHA1
97a8cac7acc1120ff16639d0177dff77bc81a1e9

SHA256
d8f16339a67ff9897e04626d28adeaee75c5555637ba28a5971f4d049e5e6c8f

SHA512
add349ee432791ccdfb2700a5dfcd0c5d70db59e116cab706e55c57942a0111bf791f9952324df9443ca6b74e7ff97615f00e8c30d93753218d7b703d6f2cb9f

Download Submit
C:\Windows\SysWOW64\wdtntr.exe

Filesize
261KB

MD5
f5d822f29d11f0874d5f52c8164868ce

SHA1
e0430fd941c5250222ededb3e890d6c6a49c2b35

SHA256
fd8b5cb90be259e89d52a4a0ae2d066ea0c80e36c0dbfdbd31c48dc0b7f01f95

SHA512
21dff15922b25ba58a800e6e82f66ff6af8951f818e7fa76acab58e23e51d3393de6460752b35823f056708755dbefe9348aa021643a30f2cec5b0ff64275d00

Download Submit
C:\Windows\SysWOW64\wfdalwlo.exe

Filesize
262KB

MD5
8cca031c5e9f46d8bbd001cf439b820d

SHA1
c2eaa3f28101c3f58800f0ed92eb6907acd5167c

SHA256
10e8332a1734daa29ae13b9961023308c315d7a04d60a1f391da526b6756b9f3

SHA512
885af9c7b1471454ca46e30baeee7ece78790c035a43d144bcdbd4b8c8dcf183bbcc1d6509c5f2f5a50010fb435b7e7db9aa1e0c7a016fe9170232b7079301b4

Download Submit
C:\Windows\SysWOW64\whcxl.exe

Filesize
262KB

MD5
eb18f4e503df1349689af37760fba5bb

SHA1
6bd39013f925342d43e4f632e321fac71b482fbf

SHA256
69dc2b3392fd26c7b2fd3d088052429dfb2d0140d4ee33d33a6d110ca138ea38

SHA512
069eb218906086d794b21458c6b81352d6717d36515a62f9f8f3fc1fd4597659943d394ff166b80a2faec61a1e2ac5286b6c2766248a697cb6cc32cf15e8bb31

Download Submit
C:\Windows\SysWOW64\whmfwiloy.exe

Filesize
261KB

MD5
376885616b8980025371c2519a0aa847

SHA1
aaa7175bb69239672638af3881894724814271cf

SHA256
85ffcefde38f418529d307adc037e7d984e7537c657c605ca567916e79ce72e7

SHA512
9bf92370637dbae1279f3c007986b718fc84e93dc232136ceefd3c84dc79c4d53e41e53ec334def4fa1b1e0567c239c8fb35baa0eb0bebb5ec8c0e2061956e51

Download Submit
C:\Windows\SysWOW64\whwmow.exe

Filesize
262KB

MD5
c116b7052f1a95163ba195663aa96a4e

SHA1
0bb980b2a47a574e8466496a76ff68f7abb53845

SHA256
1f685977dc7e876ff5168f04a4bf51c6940bcca5ea2811f9b1eb89a9c6792b5c

SHA512
8b23acf2954a34f71f7af734eac70786c8513a4875874cc5c2e0c9aa31ad3063abe175a2bd34e0eaa131a56dee75baff7349f364034951d229ccbdecbe5ea335

Download Submit
C:\Windows\SysWOW64\wibsoo.exe

Filesize
261KB

MD5
11794f8984f0e63e28017c80b6e06f46

SHA1
bf17a130e2b032eb182688cf98b491b304563c7b

SHA256
23052af414f6faa79c1613a0bf9795b071545a67cccfaf4e25eb2f4af7e96f2c

SHA512
4f138cd1a0fddaab4f5c50eaa2fd9f7ff28cfbfc3dd84f793b9fe7972fc656e86995c22903eb052e7f42451300fd40bae7ab96ad1b7fa3948da5711b2fd6f954

Download Submit
C:\Windows\SysWOW64\wjbqjrljj.exe

Filesize
261KB

MD5
34a0c136b13cde75968ddbc82ec35863

SHA1
c3c6142ee3e1ce53b5c7dadfb56ff865ff00509e

SHA256
0dc03560ad336820d5be1a6dce782c766e98654e3f126f383e0f871a195842a1

SHA512
1a256af2789b695a9cecb1c3f1f8f3ae9118619c4751689bac33f1ca734625ac75c081d321a55b057ce06d574962bbb9e339afbf8c40f5d3f2fcca51f0825d2b

Download Submit
C:\Windows\SysWOW64\wjdq.exe

Filesize
261KB

MD5
bb985e4ee7a0834d4583b220bc60b20d

SHA1
7c2d71d06563f418dd9b3f0aa9e46330fba1d539

SHA256
9f2670d4235069d023f02dcc72b614ed88ca624eb454421d303b109246699a04

SHA512
26d08b8bb806d2c7be3c8096142b327f07d8ece77ea50c2baf626722366dced46d5750b534724ff2078fc1f499e5433d705675b05d9793425f1381543dc40816

Download Submit
C:\Windows\SysWOW64\wjkcuw.exe

Filesize
261KB

MD5
2a2923a80e47b48e639b7178b70cfd07

SHA1
4505726b3bd09b304a0ca7831705420593e62ea7

SHA256
a2965e5da35148127c2f095820b16a8eb671bbc3cd172b4c1624477383708c18

SHA512
e7ba1dc3ff7acdd92baeab3f84239d1ba6382454b98c3ed01628993a9bc6048bb6d81ec65c4e65e59b987a47c05f2ff4d9f7f926fcfae35653fc320d2516fd86

Download Submit
C:\Windows\SysWOW64\wjtgds.exe

Filesize
261KB

MD5
a6b630354e6537e52fa200ce218ba1e4

SHA1
66c57ea1a0c93c0dc461a45d50254e1d1ce19bd5

SHA256
c0c6da0ebc60c117160b76cea2cc6e0b8a3f2c0835dd81e612c8eac082ce799c

SHA512
9dfac248f9ceedb5124835c0fea96b160b2f12f9f949dd7ea1bfb54ff4a6dcc4c8bcd660b4efbcbcf2292897087e1a5ac24c8e3266d1136706db5e6c2a544f7c

Download Submit
C:\Windows\SysWOW64\wlkbsdr.exe

Filesize
261KB

MD5
7371992ee608955dd6f4ebb1dba4f6c8

SHA1
d45023b975ae1de886e112a1735dda129253b0aa

SHA256
bdda6d9e37d7f34b93380e05266f445cd32115e2e711f41a3d2c12f7711a8993

SHA512
4b599c5a300dc59cb34cd01e9f76fac433efdc4eff7193f15e8b02609b5e16c8ae355f48b4da14bd1c11c4d83e1f58253477f417f1553d7156cbc76eaca29a7d

Download Submit
C:\Windows\SysWOW64\wlvcq.exe

Filesize
261KB

MD5
8afa6dad741bbe9a7ae2871ce5bc1c43

SHA1
9809162f2656d2784ab8ba844bf9530c90b12d93

SHA256
98d674f92c4999df16f6ab53469e23ae0c23b4b9a4e712aa90f396143a7428f5

SHA512
2fd1496f5bd0a7b2e40611e66e4e58e439988f7cd3ce24e13ad77f808bbc1974d6768dfbe24ef209dbccc01cc0002d2f2985fa71f30bf93f055664702ae5a0dc

Download Submit
C:\Windows\SysWOW64\wmxo.exe

Filesize
262KB

MD5
a668405f04ca476ce2980a7cd019b0c9

SHA1
41f14610dd0e0d98487095671e4c38355a2f2029

SHA256
2ad0af683eb6823142b4b72853228fc3b000d8c5e33ef9d108eecaf4af17fa89

SHA512
02fbb6117a20f86e8049295b1e2da33e07dfa93ed80a6f172e2e9d6d448fc77a0e16325447cc804f0c4731d11aa1571073ca6e10f3ade23f4bf8f14c00eb695d

Download Submit
C:\Windows\SysWOW64\wmyle.exe

Filesize
262KB

MD5
68a8083f1bc9276cb50dfa6d05f914c3

SHA1
ef9b94d6a8132d026c2027ab6341b897bd68becd

SHA256
a04318cd8efbef7d1e14128d76b43021ce731aa25691963108f4288fe924b03a

SHA512
f7025337cdcbcea256f1fc1b4c5ff7a0ab31c0c11e585906e92e2f78fa87c2d475818a84a9614dc4440f94defb221fbdc12c9a6ccc302961fcf9fa7c85c589ae

Download Submit
C:\Windows\SysWOW64\wnmqfavq.exe

Filesize
261KB

MD5
3d186024901148386bab37cab1131fb1

SHA1
dcb18bc74895fb192ec117bc3ee51a995ab0c564

SHA256
4900ca4a79802a364b1aac7f03741161fd0931c2379c421c3923d3cfe1b160a1

SHA512
b2acc860b3427f88f1315d2f73d76de56672cfa72377492f57ec2546b9d0f1e0f4bc74d47c603df90e61f1443f71560d62089498c9470a467893b44f05ec109e

Download Submit
C:\Windows\SysWOW64\wouexyu.exe

Filesize
262KB

MD5
f67c4986b20e3869757618d1dcbd4653

SHA1
57e34646f5102627033ec2b3b615e8cc1ccc3de3

SHA256
5f0b389c6b69c1c8413f2da5637e833e248dbb0b66a1dc16dfd31ab591eea3ed

SHA512
cdb041984624b91d686c82e0b25211fa952a721279f47f0c67e287e82847bbd25a82a037ca81a192025d768f3ad51a701dfd377136da78506779b41a64c7e534

Download Submit
C:\Windows\SysWOW64\wpagq.exe

Filesize
262KB

MD5
9b1c4c6d118d277b12f193d623dfe7b6

SHA1
82526a5ad39494979845b32335425d40d8f0d6c9

SHA256
0a646f702209944224ad5bb42e9c5ae7820d738fd5a3b9b7082ab1759a9b9a59

SHA512
64f334b4d51523c530e3d0fdcd0243f7a1558ba489945ba0b2297c577616b13325e8c7e3a6ab59ed21a7887585aa2efd536b5aeb4b7b15b5179ff53a4a60caaa

Download Submit
C:\Windows\SysWOW64\wqfjnwwl.exe

Filesize
261KB

MD5
1349b90162ae5ddc641c1f44d6bdcef3

SHA1
98c74b9d8bdc36d1effa94718ed1f1b0e400da25

SHA256
ecf3541bec1f5851024a9f8b4364628e002d84d23c1f071699f81f2bd79664ff

SHA512
d59cc7d040e5bd61f45c460cfad6eddaf058c8328b178b7868cb4f0f2228c9f6d8ea4a1016fc00293684ba221f33a6a626a5e7a614a85d07a553fac916897d2d

Download Submit
C:\Windows\SysWOW64\wrckts.exe

Filesize
261KB

MD5
cfd901096c0b13482705588398ddb449

SHA1
6e561a3abc7b4d6365b95fd5f7a774fcd74697d7

SHA256
2b97a849ac7d06c76d8a60c8f66a8738dea2589ca23e1e8730b702c3c528ebc9

SHA512
1f414053c02983f519c873b6336524bbc4531e9dcd6716f71c9cb16ff0a3e30678f4cd67ed1afe924767a1f3373f39b30801bcfe01fd027aa6185c9cf5746276

Download Submit
C:\Windows\SysWOW64\wsvvbad.exe

Filesize
261KB

MD5
224c83f733d17310d60354a0e62a133d

SHA1
7070fb9d2f05606edb1182062f639d1a2c9138e9

SHA256
16fba6ff8702f91dd76c455233a2ea96de1179abd3e6ac6a9112a91b7c488fbf

SHA512
0c0cd2d506daba261ce7acd51ccb8a9098dcb1e538c1b2cf049aba07369de1ff26d9658163757c2973294753d6082d3149169b4b9e58a14c331e629b672256fd

Download Submit
C:\Windows\SysWOW64\wtkpuqc.exe

Filesize
262KB

MD5
2e801ee6e5ff584171cd5878eed44c6d

SHA1
2f39e9bde3c36c64caab4fcb2927de518e7166af

SHA256
07598f48bfa88a7866a63a8faf846ba01e6fa3106666dd6b279bf7ffb81a2426

SHA512
080fb107c027eaa5aedb73e0d2923416eecdccd12152220ff7e2e9119cc3f162519eaec34d17ecb5698217b10928c5a0f18d282f34c6552f648444e073b824ba

Download Submit
C:\Windows\SysWOW64\wuj.exe

Filesize
261KB

MD5
415adaef50d156452a9eb7aaaf8e5b21

SHA1
4b5d1ca3d4cec0ebc7120bc7dd9e0c6c5d9357bf

SHA256
06aea476aee904e3acb773461409f77da4a48791fd1c085f0d34ac2a80ef3658

SHA512
5af53672c35893e1c22e29e7c5957ac36dda1c6155c0fee8eced53b74e1b738af0d2cc1e694aff05136f589b8c769fdbaafc2cbd0f94880cf7258080556d7f2c

Download Submit
C:\Windows\SysWOW64\wvknnanx.exe

Filesize
262KB

MD5
ed222bb86c42008bea609e8e4bcda2cd

SHA1
174effb618df968c0d3654b9a05b84581acc5055

SHA256
917adaf4b2f57c2be6f48b494d6021a08a58fdb1a5055f7c2ffc5fd6118475b5

SHA512
138bed8a1f4f70deed4421e1a918ce9ec12ebcfe60d186bc7b1d38aecaecae965469988dd156be42655d99853bdd8c6ecc35d5d6925bf5fcff2ea6df722be060

Download Submit
C:\Windows\SysWOW64\wvlixj.exe

Filesize
261KB

MD5
2ae42c851f6302d8a5babf773aac05eb

SHA1
477e1e4284632a4767c70a5dfdec3f1c3260bb9e

SHA256
334516681c897d1e395d826507918d67d3b242523155dde33b42765440082e5f

SHA512
1f9931b90055f81e1a7c045914fd6b35424740803f96b462ca0439b78c657536d6e866740094af6df3036c8ffdc733a3cc1adb2205e14ae8fd98f6e3ae70ca46

Download Submit
C:\Windows\SysWOW64\wvoutcb.exe

Filesize
262KB

MD5
566e870284ff12a409d34f4b67c41542

SHA1
3b33d63c33bf45a30f6e52e6a269a841af46649a

SHA256
718c1432ce58833b3a0797976e6abbf31771b0af18b842c3a416d1cbaf8667dc

SHA512
a834a1cda86bed23ae2f83663982858258ec64380f838da8c124ceb25547ec5a03ad426cdacd6c3266140ffe2f8e0887d8a27f47852e21a31e5f73d63291829c

Download Submit
C:\Windows\SysWOW64\wvtyxg.exe

Filesize
262KB

MD5
363058cc48c436a0a64ab9d2ba68daae

SHA1
b88dfcca4a2bc215819fe24df74e180cbaed23cb

SHA256
cc2b8133a74687b9b5873503764cd3fc15f281b4b5695af9859110ab64f6f634

SHA512
1025d88e19a009b3da77afa48e5b044022fe55fe86e320cbd254a86ea3ba4e991e573e461a73b3da00cbe1e2faba117e32b5abadd9ea54471b6f47b3f7e2c3ed

Download Submit
C:\Windows\SysWOW64\wvwoy.exe

Filesize
261KB

MD5
955080233de7b544d435684a24f8802a

SHA1
a10367f39bd71a3c838e14516a09f640b3903249

SHA256
f230c747a64ed20cc1ef2f0caedca148bd02f90fcbb7f9fafbc9ef735ee99afc

SHA512
a68f4bd8b0289cb7b334567e98fa03c6f549247beee9fb7e0dc5076684f955753b2acc5615fd821b43271d9b78cebc30a5413d18e1f105e3b2d317ba849d473d

Download Submit
C:\Windows\SysWOW64\wxjkv.exe

Filesize
262KB

MD5
9ee7263c4ea414432f32bc5eb25a396c

SHA1
263845fbd763d852891dedee83c6a09d5cf4e37f

SHA256
d17a5cf78523123e2eb30dc5ce3812e94fa0ddaf77f32cf69608ea1aeb2907d9

SHA512
752b4a42a048693558b6db56ac2c6c7be55f6961ba791d188dae6c2088db68f23bb62c17f3ca115e0c1a73cf17a8c18cb970a9c01a7c84b4686069c654edc7aa

Download Submit
memory/364-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/372-430-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/400-412-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/400-421-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/464-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/872-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1136-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1136-218-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1144-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1440-253-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1592-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1592-353-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1692-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1712-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1712-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1764-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1772-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1776-361-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2860-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-395-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2884-438-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2884-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3152-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3156-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3324-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3352-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3604-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3604-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3796-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3796-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3996-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3996-404-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4084-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4296-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4472-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4708-387-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4708-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4724-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4740-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-378-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4880-336-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-345-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4932-178-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4932-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4944-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4944-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4972-413-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4972-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5024-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download