72216569506577835b62dccb15612f790480a1240cb792030a547b0661177a63

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
Size

259KB
MD5

acc8a201f1ef7b2dbef0a5d37c2df7a1
SHA1

28c6e2be97eec741c5cbd2bd4429afe083696dd0
SHA256

72216569506577835b62dccb15612f790480a1240cb792030a547b0661177a63
SHA512

b395628d17af41efa8119daab6c8d8cd87a441e163a3a6528395b4f25b8144054905e0066342a2c44a00494bdb5a58b2a2dee6fb698e3a9045389637b6819872
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuK:ZY7xh6SZI4z7FSVpuK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdmopq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrvsh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuiepsj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wovslmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmtdcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlqlsh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wevvun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfgjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnljqlshi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuyqyik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whrqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wvtdbhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdacpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wchhwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wubdvmlr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	warply.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxnopul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wblkcytfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjxcjeu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjefcil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wakv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxkdn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnwfyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdahd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjorhtrm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuuqhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjcbnpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnkm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxsri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtayj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqhjey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wvuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsjvo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgplee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wruxse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsowrgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbqhvaiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpbwmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdpwcgf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjulcpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjasahh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wboeiamx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wylcw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whroa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwbke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwudlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsusg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuhgbj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpxnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcbisb.exe

Executes dropped EXE 64 IoCs

pid	Process
4756	wuyqyik.exe
3188	wdiikgv.exe
4436	wqhjey.exe
2932	whrqs.exe
2940	wsowrgh.exe
4588	wuiepsj.exe
3692	wvrdmmwc.exe
2676	wnwfyq.exe
3992	wjcbnpj.exe
3288	wlyemfo.exe
1204	wpbwmp.exe
3688	wovslmv.exe
948	wvuw.exe
3428	wboeiamx.exe
2052	wgmnpfuh.exe
1608	wsjvo.exe
4952	wmf.exe
232	wpe.exe
2960	wnkm.exe
1940	wmifym.exe
548	wblkcytfd.exe
4556	wgplee.exe
3540	wxsri.exe
2824	wovwk.exe
3428	wylcw.exe
2992	wdacpj.exe
2100	whdt.exe
3412	wsusg.exe
456	wunpbsp.exe
3936	wjxcjeu.exe
4612	wpbp.exe
3424	wmtdcd.exe
2144	wtyq.exe
412	whroa.exe
4660	wwfe.exe
4364	wjefcil.exe
4004	wdmopq.exe
2172	wchhwg.exe
5012	wbqhvaiv.exe
4376	wwbke.exe
3168	wruxse.exe
4532	wdahd.exe
4912	wtc.exe
4692	wrllf.exe
4372	wjorhtrm.exe
2028	wit.exe
2124	whwjgkhc.exe
2676	wakv.exe
3400	wdpwcgf.exe
1968	wfgjg.exe
1372	wydg.exe
5008	wegwi.exe
1376	wuhgbj.exe
5032	wjulcpe.exe
3760	wpxnf.exe
1828	wpch.exe
2968	wcbisb.exe
412	wjasahh.exe
2328	wjj.exe
2764	wubdvmlr.exe
2824	wto.exe
3720	wlg.exe
1724	winb.exe
3168	wvtdbhy.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whroa.exe	wtyq.exe
File created	C:\Windows\SysWOW64\wwfe.exe	whroa.exe
File opened for modification	C:\Windows\SysWOW64\wdmopq.exe	wjefcil.exe
File opened for modification	C:\Windows\SysWOW64\wbqhvaiv.exe	wchhwg.exe
File created	C:\Windows\SysWOW64\wvves.exe	wkha.exe
File created	C:\Windows\SysWOW64\wpbp.exe	wjxcjeu.exe
File created	C:\Windows\SysWOW64\wjcbnpj.exe	wnwfyq.exe
File created	C:\Windows\SysWOW64\wboeiamx.exe	wvuw.exe
File opened for modification	C:\Windows\SysWOW64\wgplee.exe	wblkcytfd.exe
File opened for modification	C:\Windows\SysWOW64\wwbke.exe	wbqhvaiv.exe
File created	C:\Windows\SysWOW64\wruxse.exe	wwbke.exe
File opened for modification	C:\Windows\SysWOW64\whwjgkhc.exe	wit.exe
File created	C:\Windows\SysWOW64\wegwi.exe	wydg.exe
File created	C:\Windows\SysWOW64\wnwfyq.exe	wvrdmmwc.exe
File created	C:\Windows\SysWOW64\wvtdbhy.exe	winb.exe
File created	C:\Windows\SysWOW64\wxkdn.exe	wnxsb.exe
File opened for modification	C:\Windows\SysWOW64\wwpnbqq.exe	wxnopul.exe
File created	C:\Windows\SysWOW64\wdnxhxyt.exe	wwpnbqq.exe
File created	C:\Windows\SysWOW64\wpxnf.exe	wjulcpe.exe
File created	C:\Windows\SysWOW64\wsjvo.exe	wgmnpfuh.exe
File opened for modification	C:\Windows\SysWOW64\whdt.exe	wdacpj.exe
File opened for modification	C:\Windows\SysWOW64\wpbwmp.exe	wlyemfo.exe
File opened for modification	C:\Windows\SysWOW64\wovslmv.exe	wpbwmp.exe
File created	C:\Windows\SysWOW64\wunpbsp.exe	wsusg.exe
File opened for modification	C:\Windows\SysWOW64\wwfe.exe	whroa.exe
File created	C:\Windows\SysWOW64\wdahd.exe	wruxse.exe
File created	C:\Windows\SysWOW64\wakv.exe	whwjgkhc.exe
File created	C:\Windows\SysWOW64\wnxsb.exe	wrvsh.exe
File created	C:\Windows\SysWOW64\wuyqyik.exe	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
File opened for modification	C:\Windows\SysWOW64\whrqs.exe	wqhjey.exe
File opened for modification	C:\Windows\SysWOW64\wxsri.exe	wgplee.exe
File opened for modification	C:\Windows\SysWOW64\wpbp.exe	wjxcjeu.exe
File opened for modification	C:\Windows\SysWOW64\wjorhtrm.exe	wrllf.exe
File opened for modification	C:\Windows\SysWOW64\wpch.exe	wpxnf.exe
File created	C:\Windows\SysWOW64\wnljqlshi.exe	wjafgy.exe
File opened for modification	C:\Windows\SysWOW64\wvves.exe	wkha.exe
File opened for modification	C:\Windows\SysWOW64\wdiikgv.exe	wuyqyik.exe
File created	C:\Windows\SysWOW64\wlyemfo.exe	wjcbnpj.exe
File opened for modification	C:\Windows\SysWOW64\wunpbsp.exe	wsusg.exe
File created	C:\Windows\SysWOW64\wjj.exe	wjasahh.exe
File opened for modification	C:\Windows\SysWOW64\wlg.exe	wto.exe
File created	C:\Windows\SysWOW64\wwudlc.exe	wxkdn.exe
File created	C:\Windows\SysWOW64\wvbxr.exe	wdnxhxyt.exe
File opened for modification	C:\Windows\SysWOW64\wvrdmmwc.exe	wuiepsj.exe
File created	C:\Windows\SysWOW64\wsusg.exe	whdt.exe
File created	C:\Windows\SysWOW64\wmtdcd.exe	wpbp.exe
File created	C:\Windows\SysWOW64\wjasahh.exe	wcbisb.exe
File created	C:\Windows\SysWOW64\wrvsh.exe	wwle.exe
File opened for modification	C:\Windows\SysWOW64\wlqlsh.exe	wlsrtkfw.exe
File created	C:\Windows\SysWOW64\wpe.exe	wmf.exe
File created	C:\Windows\SysWOW64\wnkm.exe	wpe.exe
File created	C:\Windows\SysWOW64\wchhwg.exe	wdmopq.exe
File opened for modification	C:\Windows\SysWOW64\wchhwg.exe	wdmopq.exe
File created	C:\Windows\SysWOW64\wtc.exe	wdahd.exe
File created	C:\Windows\SysWOW64\wjorhtrm.exe	wrllf.exe
File opened for modification	C:\Windows\SysWOW64\wwle.exe	wuuqhe.exe
File opened for modification	C:\Windows\SysWOW64\wsowrgh.exe	whrqs.exe
File created	C:\Windows\SysWOW64\wjxcjeu.exe	wunpbsp.exe
File opened for modification	C:\Windows\SysWOW64\wakv.exe	whwjgkhc.exe
File opened for modification	C:\Windows\SysWOW64\wjulcpe.exe	wuhgbj.exe
File opened for modification	C:\Windows\SysWOW64\wjafgy.exe	wvtdbhy.exe
File created	C:\Windows\SysWOW64\wmifym.exe	wnkm.exe
File created	C:\Windows\SysWOW64\wpbwmp.exe	wlyemfo.exe
File opened for modification	C:\Windows\SysWOW64\wsjvo.exe	wgmnpfuh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4720	4756	WerFault.exe	99
2152	4952	WerFault.exe	153
440	3400	WerFault.exe	252
1280	3720	WerFault.exe	293
1536	3252	WerFault.exe	304
1984	3256	WerFault.exe	336

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4756	552	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	99
PID 552 wrote to memory of 4756	552	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	99
PID 552 wrote to memory of 4756	552	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	99
PID 552 wrote to memory of 2052	552	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	101
PID 552 wrote to memory of 2052	552	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	101
PID 552 wrote to memory of 2052	552	acc8a201f1ef7b2dbef0a5d37c2df7a1.exe	101
PID 4756 wrote to memory of 3188	4756	wuyqyik.exe	102
PID 4756 wrote to memory of 3188	4756	wuyqyik.exe	102
PID 4756 wrote to memory of 3188	4756	wuyqyik.exe	102
PID 4756 wrote to memory of 1940	4756	wuyqyik.exe	103
PID 4756 wrote to memory of 1940	4756	wuyqyik.exe	103
PID 4756 wrote to memory of 1940	4756	wuyqyik.exe	103
PID 3188 wrote to memory of 4436	3188	wdiikgv.exe	107
PID 3188 wrote to memory of 4436	3188	wdiikgv.exe	107
PID 3188 wrote to memory of 4436	3188	wdiikgv.exe	107
PID 3188 wrote to memory of 2312	3188	wdiikgv.exe	108
PID 3188 wrote to memory of 2312	3188	wdiikgv.exe	108
PID 3188 wrote to memory of 2312	3188	wdiikgv.exe	108
PID 4436 wrote to memory of 2932	4436	wqhjey.exe	111
PID 4436 wrote to memory of 2932	4436	wqhjey.exe	111
PID 4436 wrote to memory of 2932	4436	wqhjey.exe	111
PID 4436 wrote to memory of 2980	4436	wqhjey.exe	112
PID 4436 wrote to memory of 2980	4436	wqhjey.exe	112
PID 4436 wrote to memory of 2980	4436	wqhjey.exe	112
PID 2932 wrote to memory of 2940	2932	whrqs.exe	114
PID 2932 wrote to memory of 2940	2932	whrqs.exe	114
PID 2932 wrote to memory of 2940	2932	whrqs.exe	114
PID 2932 wrote to memory of 4772	2932	whrqs.exe	116
PID 2932 wrote to memory of 4772	2932	whrqs.exe	116
PID 2932 wrote to memory of 4772	2932	whrqs.exe	116
PID 2940 wrote to memory of 4588	2940	wsowrgh.exe	117
PID 2940 wrote to memory of 4588	2940	wsowrgh.exe	117
PID 2940 wrote to memory of 4588	2940	wsowrgh.exe	117
PID 2940 wrote to memory of 2160	2940	wsowrgh.exe	118
PID 2940 wrote to memory of 2160	2940	wsowrgh.exe	118
PID 2940 wrote to memory of 2160	2940	wsowrgh.exe	118
PID 4588 wrote to memory of 3692	4588	wuiepsj.exe	120
PID 4588 wrote to memory of 3692	4588	wuiepsj.exe	120
PID 4588 wrote to memory of 3692	4588	wuiepsj.exe	120
PID 4588 wrote to memory of 4904	4588	wuiepsj.exe	121
PID 4588 wrote to memory of 4904	4588	wuiepsj.exe	121
PID 4588 wrote to memory of 4904	4588	wuiepsj.exe	121
PID 3692 wrote to memory of 2676	3692	wvrdmmwc.exe	123
PID 3692 wrote to memory of 2676	3692	wvrdmmwc.exe	123
PID 3692 wrote to memory of 2676	3692	wvrdmmwc.exe	123
PID 3692 wrote to memory of 4112	3692	wvrdmmwc.exe	124
PID 3692 wrote to memory of 4112	3692	wvrdmmwc.exe	124
PID 3692 wrote to memory of 4112	3692	wvrdmmwc.exe	124
PID 2676 wrote to memory of 3992	2676	wnwfyq.exe	126
PID 2676 wrote to memory of 3992	2676	wnwfyq.exe	126
PID 2676 wrote to memory of 3992	2676	wnwfyq.exe	126
PID 2676 wrote to memory of 4504	2676	wnwfyq.exe	127
PID 2676 wrote to memory of 4504	2676	wnwfyq.exe	127
PID 2676 wrote to memory of 4504	2676	wnwfyq.exe	127
PID 3992 wrote to memory of 3288	3992	wjcbnpj.exe	131
PID 3992 wrote to memory of 3288	3992	wjcbnpj.exe	131
PID 3992 wrote to memory of 3288	3992	wjcbnpj.exe	131
PID 3992 wrote to memory of 852	3992	wjcbnpj.exe	132
PID 3992 wrote to memory of 852	3992	wjcbnpj.exe	132
PID 3992 wrote to memory of 852	3992	wjcbnpj.exe	132
PID 3288 wrote to memory of 1204	3288	wlyemfo.exe	134
PID 3288 wrote to memory of 1204	3288	wlyemfo.exe	134
PID 3288 wrote to memory of 1204	3288	wlyemfo.exe	134
PID 3288 wrote to memory of 320	3288	wlyemfo.exe	135

C:\Users\Admin\AppData\Local\Temp\acc8a201f1ef7b2dbef0a5d37c2df7a1.exe
"C:\Users\Admin\AppData\Local\Temp\acc8a201f1ef7b2dbef0a5d37c2df7a1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\wuyqyik.exe
  "C:\Windows\system32\wuyqyik.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\wdiikgv.exe
    "C:\Windows\system32\wdiikgv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\wqhjey.exe
      "C:\Windows\system32\wqhjey.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\whrqs.exe
        
        "C:\Windows\system32\whrqs.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\wsowrgh.exe
        
        "C:\Windows\system32\wsowrgh.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\wuiepsj.exe
        
        "C:\Windows\system32\wuiepsj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\wvrdmmwc.exe
        
        "C:\Windows\system32\wvrdmmwc.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\wnwfyq.exe
        
        "C:\Windows\system32\wnwfyq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\wjcbnpj.exe
        
        "C:\Windows\system32\wjcbnpj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\wlyemfo.exe
        
        "C:\Windows\system32\wlyemfo.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\wpbwmp.exe
        
        "C:\Windows\system32\wpbwmp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\wovslmv.exe
        
        "C:\Windows\system32\wovslmv.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\wvuw.exe
        
        "C:\Windows\system32\wvuw.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\wboeiamx.exe
        
        "C:\Windows\system32\wboeiamx.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\wgmnpfuh.exe
        
        "C:\Windows\system32\wgmnpfuh.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\wsjvo.exe
        
        "C:\Windows\system32\wsjvo.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\wmf.exe
        
        "C:\Windows\system32\wmf.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\wpe.exe
        
        "C:\Windows\system32\wpe.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\wnkm.exe
        
        "C:\Windows\system32\wnkm.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wmifym.exe
        
        "C:\Windows\system32\wmifym.exe"
        21⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\wblkcytfd.exe
        
        "C:\Windows\system32\wblkcytfd.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\wgplee.exe
        
        "C:\Windows\system32\wgplee.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\wxsri.exe
        
        "C:\Windows\system32\wxsri.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\wovwk.exe
        
        "C:\Windows\system32\wovwk.exe"
        25⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\wylcw.exe
        
        "C:\Windows\system32\wylcw.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\wdacpj.exe
        
        "C:\Windows\system32\wdacpj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\whdt.exe
        
        "C:\Windows\system32\whdt.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\wsusg.exe
        
        "C:\Windows\system32\wsusg.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\wunpbsp.exe
        
        "C:\Windows\system32\wunpbsp.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\wjxcjeu.exe
        
        "C:\Windows\system32\wjxcjeu.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\wpbp.exe
        
        "C:\Windows\system32\wpbp.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\wmtdcd.exe
        
        "C:\Windows\system32\wmtdcd.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\wtyq.exe
        
        "C:\Windows\system32\wtyq.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\whroa.exe
        
        "C:\Windows\system32\whroa.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\wwfe.exe
        
        "C:\Windows\system32\wwfe.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\wjefcil.exe
        
        "C:\Windows\system32\wjefcil.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\wdmopq.exe
        
        "C:\Windows\system32\wdmopq.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\wchhwg.exe
        
        "C:\Windows\system32\wchhwg.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\wbqhvaiv.exe
        
        "C:\Windows\system32\wbqhvaiv.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\wwbke.exe
        
        "C:\Windows\system32\wwbke.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\wruxse.exe
        
        "C:\Windows\system32\wruxse.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\wdahd.exe
        
        "C:\Windows\system32\wdahd.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\wtc.exe
        
        "C:\Windows\system32\wtc.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\wrllf.exe
        
        "C:\Windows\system32\wrllf.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\wjorhtrm.exe
        
        "C:\Windows\system32\wjorhtrm.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\wit.exe
        
        "C:\Windows\system32\wit.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\whwjgkhc.exe
        
        "C:\Windows\system32\whwjgkhc.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\wakv.exe
        
        "C:\Windows\system32\wakv.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\wdpwcgf.exe
        
        "C:\Windows\system32\wdpwcgf.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\wfgjg.exe
        
        "C:\Windows\system32\wfgjg.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\wydg.exe
        
        "C:\Windows\system32\wydg.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\wegwi.exe
        
        "C:\Windows\system32\wegwi.exe"
        53⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\wuhgbj.exe
        
        "C:\Windows\system32\wuhgbj.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\wjulcpe.exe
        
        "C:\Windows\system32\wjulcpe.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\wpxnf.exe
        
        "C:\Windows\system32\wpxnf.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\wpch.exe
        
        "C:\Windows\system32\wpch.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\wcbisb.exe
        
        "C:\Windows\system32\wcbisb.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wjasahh.exe
        
        "C:\Windows\system32\wjasahh.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\wjj.exe
        
        "C:\Windows\system32\wjj.exe"
        60⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\wubdvmlr.exe
        
        "C:\Windows\system32\wubdvmlr.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\wto.exe
        
        "C:\Windows\system32\wto.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\wlg.exe
        
        "C:\Windows\system32\wlg.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\winb.exe
        
        "C:\Windows\system32\winb.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\wvtdbhy.exe
        
        "C:\Windows\system32\wvtdbhy.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\wjafgy.exe
        
        "C:\Windows\system32\wjafgy.exe"
        66⤵
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\wnljqlshi.exe
        
        "C:\Windows\system32\wnljqlshi.exe"
        67⤵
        Checks computer location settings
        
        PID:4696
        
        C:\Windows\SysWOW64\warply.exe
        
        "C:\Windows\system32\warply.exe"
        68⤵
        Checks computer location settings
        
        PID:4500
        
        C:\Windows\SysWOW64\wuuqhe.exe
        
        "C:\Windows\system32\wuuqhe.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\wwle.exe
        
        "C:\Windows\system32\wwle.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\wrvsh.exe
        
        "C:\Windows\system32\wrvsh.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\wnxsb.exe
        
        "C:\Windows\system32\wnxsb.exe"
        72⤵
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\wxkdn.exe
        
        "C:\Windows\system32\wxkdn.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\wwudlc.exe
        
        "C:\Windows\system32\wwudlc.exe"
        74⤵
        Checks computer location settings
        
        PID:1652
        
        C:\Windows\SysWOW64\whus.exe
        
        "C:\Windows\system32\whus.exe"
        75⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\wlsrtkfw.exe
        
        "C:\Windows\system32\wlsrtkfw.exe"
        76⤵
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\wlqlsh.exe
        
        "C:\Windows\system32\wlqlsh.exe"
        77⤵
        Checks computer location settings
        
        PID:5084
        
        C:\Windows\SysWOW64\wtayj.exe
        
        "C:\Windows\system32\wtayj.exe"
        78⤵
        Checks computer location settings
        
        PID:3944
        
        C:\Windows\SysWOW64\wxdqvg.exe
        
        "C:\Windows\system32\wxdqvg.exe"
        79⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\wkha.exe
        
        "C:\Windows\system32\wkha.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\wvves.exe
        
        "C:\Windows\system32\wvves.exe"
        81⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\wrtlbyy.exe
        
        "C:\Windows\system32\wrtlbyy.exe"
        82⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\wevvun.exe
        
        "C:\Windows\system32\wevvun.exe"
        83⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Windows\SysWOW64\wxnopul.exe
        
        "C:\Windows\system32\wxnopul.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\wwpnbqq.exe
        
        "C:\Windows\system32\wwpnbqq.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\wdnxhxyt.exe
        
        "C:\Windows\system32\wdnxhxyt.exe"
        86⤵
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpnbqq.exe"
        86⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnopul.exe"
        85⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevvun.exe"
        84⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtlbyy.exe"
        83⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvves.exe"
        82⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkha.exe"
        81⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdqvg.exe"
        80⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtayj.exe"
        79⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqlsh.exe"
        78⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsrtkfw.exe"
        77⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1240
        77⤵
        Program crash
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whus.exe"
        76⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwudlc.exe"
        75⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxkdn.exe"
        74⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxsb.exe"
        73⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvsh.exe"
        72⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwle.exe"
        71⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuuqhe.exe"
        70⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warply.exe"
        69⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnljqlshi.exe"
        68⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjafgy.exe"
        67⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1280
        67⤵
        Program crash
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtdbhy.exe"
        66⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winb.exe"
        65⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlg.exe"
        64⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1280
        64⤵
        Program crash
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
        63⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubdvmlr.exe"
        62⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjj.exe"
        61⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjasahh.exe"
        60⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbisb.exe"
        59⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpch.exe"
        58⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxnf.exe"
        57⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjulcpe.exe"
        56⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhgbj.exe"
        55⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegwi.exe"
        54⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydg.exe"
        53⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgjg.exe"
        52⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpwcgf.exe"
        51⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1088
        51⤵
        Program crash
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakv.exe"
        50⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwjgkhc.exe"
        49⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wit.exe"
        48⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjorhtrm.exe"
        47⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrllf.exe"
        46⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtc.exe"
        45⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdahd.exe"
        44⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruxse.exe"
        43⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbke.exe"
        42⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqhvaiv.exe"
        41⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchhwg.exe"
        40⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmopq.exe"
        39⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjefcil.exe"
        38⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfe.exe"
        37⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whroa.exe"
        36⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyq.exe"
        35⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtdcd.exe"
        34⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbp.exe"
        33⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxcjeu.exe"
        32⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunpbsp.exe"
        31⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsusg.exe"
        30⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdt.exe"
        29⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdacpj.exe"
        28⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylcw.exe"
        27⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovwk.exe"
        26⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsri.exe"
        25⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgplee.exe"
        24⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblkcytfd.exe"
        23⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmifym.exe"
        22⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkm.exe"
        21⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpe.exe"
        20⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmf.exe"
        19⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1388
        19⤵
        Program crash
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjvo.exe"
        18⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmnpfuh.exe"
        17⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wboeiamx.exe"
        16⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuw.exe"
        15⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovslmv.exe"
        14⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbwmp.exe"
        13⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyemfo.exe"
        12⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcbnpj.exe"
        11⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwfyq.exe"
        10⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrdmmwc.exe"
        9⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiepsj.exe"
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsowrgh.exe"
        7⤵
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrqs.exe"
        6⤵
        
        PID:4772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhjey.exe"
        5⤵
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdiikgv.exe"
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuyqyik.exe"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1448
    3⤵
    - Program crash
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\acc8a201f1ef7b2dbef0a5d37c2df7a1.exe"
  2⤵
  PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4952 -ip 4952
1⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3400 -ip 3400
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3720 -ip 3720
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3252 -ip 3252
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3256 -ip 3256
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wblkcytfd.exe

Filesize
260KB

MD5
d59f3ddcd93618b6bd4e64412fc07ae0

SHA1
cad6d0dc6b41df56574fb0e33cec1ce7a5e62081

SHA256
03dd1b0d35b50eb07802b1c6f7b402326ae3472886fd09be057f13cd15b4461c

SHA512
7eee42de3b7fb6a6b25675b5bfb70ddc54b81fcdbdb501dc1d342952d5ef4a5a374b5ef4f8794d5bafa85edb65c58a97b577cd196d05c726e35ae60aa8cba29a

Download Submit
C:\Windows\SysWOW64\wboeiamx.exe

Filesize
260KB

MD5
d49203f02ba86247c1a91ce55a120bf0

SHA1
676183975c6b86ab39643bb9a0d29dd4ce1ff243

SHA256
1f9a14cd42b48db2c92837843d58a2c38741aa151a553964efed3934f1294aee

SHA512
ddf4056fd37e393e7310589fc651c7b5fa262bd0d02ee91a153e9db1643610bac2fdb101381629347a094523a4f8be2a4d016187834b0db614b6765ee36efb69

Download Submit
C:\Windows\SysWOW64\wdacpj.exe

Filesize
260KB

MD5
769eddf9593570ba2a56f6cb1434bdce

SHA1
90d8ee863f15235fd082d04d47a4b015d0efa00a

SHA256
0fec3d503da2f9b32e2e71cd44fbb6fcded585d400ac5605793233a24fdf7d2d

SHA512
eb8cc3a655eddf121b410ee332ffd8364456df97eaaef7d6322c6552ef1f7070833f0e612bb6cb7dcebfb2869c5fb7a9f41daacc989fc1dee318a2358804b0ea

Download Submit
C:\Windows\SysWOW64\wdiikgv.exe

Filesize
259KB

MD5
692b86b04b57c524195ca0cd4b13e993

SHA1
8cb911c4bfb6ed09f2d79f6569830835e79ae343

SHA256
98349b78ebfee00b10161da378003196bded37f476f99ea3dc5c1e79ee1e30d0

SHA512
f9ff0c49068ce916d4267c490de4ea49c810d461cbe02250a0ddaab614deb7d681b625e34679f8ed46f2b9a2c6ae387c30fe50f9731abdb82dce7e67bbdc8fc9

Download Submit
C:\Windows\SysWOW64\wgmnpfuh.exe

Filesize
260KB

MD5
4a49cba55f5200e3339a50508fd1fa1d

SHA1
839fdbf69ed7c935b4740637d3bdd99fa2e6b4ee

SHA256
5626f41620c87e0b474fa58deb50aa663436b626b3b3b5ca9addbf13b79bf1fc

SHA512
8a6676bc43fb03df79949be84f726cbac440498c219b67f4098c7ea75d498f68d0fc437193e46034b68396c352bf27696ddff6f50786203bea9bce4bb14d4d0f

Download Submit
C:\Windows\SysWOW64\wgplee.exe

Filesize
260KB

MD5
8835f9253edf255d5c996d03b1f8ea41

SHA1
55014e8485b128393548a7e04ff7ba2980ec474d

SHA256
3ead9d05b21c9a893785d4e82537a9311a8ffcd0cc43b7e8d7980a609fdca942

SHA512
dbc0d9d938d98bacd63a2dd0cd93306c21f2bf33ff3d3f5cf240cb378b799736ca9a7b9c558ba978b3ee22f0e9be631c8c1cac4b3ebf6e2d2b8456d55b650a08

Download Submit
C:\Windows\SysWOW64\whdt.exe

Filesize
260KB

MD5
a8036284f6b30a1a1b0622ca10b6cc56

SHA1
05f5110d4e223cc545fdef7834da2a003582c033

SHA256
a33b94bc047f0840b740ddb2fe939ceaab3001474884a3fa744d1c95c1de07c6

SHA512
3da6750abff113b92a0e34476e26c9e94fd28618eaace25e12d7deb508c34f4f6d500eb69480977c7e035cb013da74ec51e9ad36033b70a3ee54a07d3add1a25

Download Submit
C:\Windows\SysWOW64\whrqs.exe

Filesize
259KB

MD5
b7b10386b27bd6a916e4389413d59d49

SHA1
d999861d546849194ec8764af312d57f4858452c

SHA256
b65b8cc6dc3a33c923a84367b3f1041a758926641d0c38752fc19cf40c3cebf2

SHA512
01a402356e278b37067ad52d72a3f31bae8df20b63313a4ad48ed4a38e2612f3aad29c634fa7a822be30db26e5f0ca0a46f82cea7f5bd5564203d62484e1e98c

Download Submit
C:\Windows\SysWOW64\wjcbnpj.exe

Filesize
260KB

MD5
5d3d9ea74111d487d7103f8dcecede0d

SHA1
10b19466a5c507c424eaf8a2f8a93e993962ef82

SHA256
3612e322e37772e91e76defe9c9a8d864173618fa427ba566894670ccf300936

SHA512
e528b3c234a875f8f3dc5c657030172a0445372beec0eb7bd32d25557c393fe9419cac33e43ba707bdaa88edec1dcac6eebb488a3ab68a9b5be2819ee07c8fa1

Download Submit
C:\Windows\SysWOW64\wjxcjeu.exe

Filesize
260KB

MD5
929a52ffdf9745878dc6f9f28da3971f

SHA1
a89d8d38058c256c7fe30ce346ee25caa6ddff8a

SHA256
e90e9c97e3f79d815d795dbb4d353c23126062b13927ed5c4f063dd51586e57c

SHA512
978e2eacaed814e74a9f05fe546f0be17b8ef8d3db1c649ec028d1351d795176a0027c6d153e985d0d53937c490996dc68c838c6fad1a72e13e32e275e982797

Download Submit
C:\Windows\SysWOW64\wlyemfo.exe

Filesize
260KB

MD5
3e9cacb59815ba811e3c88e96df3360a

SHA1
4fd9705703beb3dc37de8533fb8f34fa1804a189

SHA256
6c4897ccee59a59d4717f0ef23fb14abfb731c319df07d2183b282fd48d93053

SHA512
acea0db128e12dcf9a02e0cd24d450f6f44eae85923135e94a7c3ea6dc367660b978d1fd00918b6eb751f670636281a3c8b85fbaa8dc83bd5a3305a5bc3ec73c

Download Submit
C:\Windows\SysWOW64\wmf.exe

Filesize
260KB

MD5
db0bfdf9bb79ba3cc75edfe798e3a3a1

SHA1
b9cf09384cc127a1bd1a0952dbcd8081b2460ef8

SHA256
df8eb57fd1fee52f191e76fdbb1cc7521cda44bc9efc1cc42de6101cc0994b2b

SHA512
83bb005c1ec2844fe4a74c8e07bf5397e459b00e54fac0ac29f84b4a2e25857476f9921f12686ef3f878fed88c0c05a04a497f8bfb48e8df2191d8f66b6cf5ac

Download Submit
C:\Windows\SysWOW64\wmifym.exe

Filesize
260KB

MD5
4ab4ed2761ef54322f173551bd6cfa17

SHA1
d687d9059b2b4947b4a506aa5c36e9246267accc

SHA256
b7c73852219eec3f226507ea0c9b6fbd03fa7b4bc29af8df991f04fe4edca808

SHA512
1be1af8f691570fd4a390ee85fc64775fb7585e5d062ed86c2efe91f883b7b4705de076b53273e8138d8f2cd5cbdd2c5971b9a2d33ba53c135bd3c39d272a207

Download Submit
C:\Windows\SysWOW64\wmtdcd.exe

Filesize
260KB

MD5
0667e94b329243e70560d2117cf2fd56

SHA1
976a744ebfcd09080f3b67c68a0aaed60b03472f

SHA256
d0f6e8910ae167f7f8b9c1e977010fdc206cfe897d4b6bade98ef33b81771394

SHA512
f521c37a96d505105833880505cdd67cdf0fa69a29e747c0b0a4a8b7ab99a41e4be8fba7debc1d79b9bde7011192302eca9447f5cf001530106d1e0b12d12c33

Download Submit
C:\Windows\SysWOW64\wnkm.exe

Filesize
260KB

MD5
1f481bb2fa69fdf818a6260c3f0f23b6

SHA1
2f581b9c02003145c2058cb380342249e4ca432f

SHA256
35f1d16e99b321859a51d97a13b2511a322124ed5adf1b09632f4b41bac9aff6

SHA512
c2be5de32ca6b862a2ad868360919b52a098183319983396432f7f5638727b5c172e043d98dcbc46248a941656665c689e7fd68fa968205b64a14661884962c5

Download Submit
C:\Windows\SysWOW64\wnwfyq.exe

Filesize
260KB

MD5
1da6100af2d99e2e3dc19fe271c527f6

SHA1
9824a0e6043c5cb2582f6b60f2b2d8178aa2adc1

SHA256
8c4cc499e0a8c6beab8f517df08d07421db55eac551d02dff0d255fdaa23d665

SHA512
f8de87dd5267bb5982696b9974adfcf90edc7b5216414881206d48c774fc2b99c75a45cccecf65ca58226fbc63bc189a08206180d351be54625945110fc0cb42

Download Submit
C:\Windows\SysWOW64\wovslmv.exe

Filesize
260KB

MD5
056f3b87926db3229ddcd800ef8b83a9

SHA1
3d2497cf294f1d46d98521f7fdf89252fa25b09c

SHA256
49721dfc3052da070770bd0a9c4cf4c846549295f30aca051b494821a9797bb5

SHA512
ae09fcd2a130950a001d559d3b758638b363d92db85882c7bb22706426dc0d423991a55ad22225ab9f1fcca2da9adc4bbbd1cd5647f5cef99d82c4b58bc28a49

Download Submit
C:\Windows\SysWOW64\wovwk.exe

Filesize
260KB

MD5
0db4ca5b40652686f0c5ac24187c2435

SHA1
d79d2a28af9a0af20e66ce0ac59c38ca427a80df

SHA256
1fc78c8d594c500c3a75dee0118ecdc0ece8508d29235c471484c5bae73a5752

SHA512
a21b25b6e36366ce8405561cc0f2ea1e13304bf16a3b9d0cb2263728ff8c525bec42b87b99d32d786b74f869735133b14d7354e781e07d44f140f02cfa2d6cdd

Download Submit
C:\Windows\SysWOW64\wpbp.exe

Filesize
260KB

MD5
b71ed45f13b6810036eaf8d2df5957e9

SHA1
b9b53cdd47a85029675c16defa135be634c0b64e

SHA256
e13571a173b7fa408f9bacc93e5d0c53f8e5e83822bb0ae4b79a204fbf7be4aa

SHA512
e774a9ab3e38b47b362133c1483f8d0732132a2bc364ee198ffbca8556c7707ec471350bb11912a9339000b89b5cff9a72a2bdef9e5b15c9f33f4271146a3dc3

Download Submit
C:\Windows\SysWOW64\wpbwmp.exe

Filesize
260KB

MD5
b15a24512909c0227b45e1edd60c02cf

SHA1
53b74245d1cb6362897fc40b4bc3fe41b1bc3e6e

SHA256
4d286c850f8003c40e01f0f4daebce23a8f84bd617ff9eab0042a32c39d09b74

SHA512
00a85ef7d48753105944e7f30b28c46015309d624bf2faab30f5417c6aee8e66f03cfa0a5c9483f6221ba06b7f9c5a6ac1c86654ae43d6ad1b40427f46eb6676

Download Submit
C:\Windows\SysWOW64\wpe.exe

Filesize
260KB

MD5
47f796b7063593ee63a7bf4c6a84600e

SHA1
3c94591676b52469627715a2c213faecded94ddd

SHA256
bb7c7513fd9c03a275965cfbbe1de5ddf775aa0549b17ec6f7496573b79a3ea4

SHA512
3abd9778be34f8ea675975c52687418f3e7acafa6e3649f2e68eb9a6547e5f294ee745d01a540f4224141c8d78c72c40964cb76fb7c3cad0b2e69c73951a6bf9

Download Submit
C:\Windows\SysWOW64\wqhjey.exe

Filesize
259KB

MD5
1ad10f48f16df72a81da3aad220a219c

SHA1
2fc1c376a31b61d2d42b4931338160c35996f6fc

SHA256
a7a8b20d7f5078f557825d38d240cabe2934ca6201c59847b531af517bd17d57

SHA512
947e852832acb364298dd6cbfa930fa1b335263f0c830ad502d18c9068a0cb106f0ab678c5612592524b5676142be46b433cf6064ee409d07fd00e6aaa7ff4e8

Download Submit
C:\Windows\SysWOW64\wsjvo.exe

Filesize
260KB

MD5
56f0e1153e0037044bd65855c08e815c

SHA1
c8a00b756e0c04dc9f497c331729981fee74e01e

SHA256
39566b12f83b8023f85d0992fae841132d98525b260bd23dc130e64b1f11df49

SHA512
decc1ff797dd1c9315be13dd578135486435925aad138d9aaf8db421b22005aec8c2bc86ab8984a4e078b4a439cc06f3e8b7a0cc707826fb0016b5ebb1956fd8

Download Submit
C:\Windows\SysWOW64\wsowrgh.exe

Filesize
259KB

MD5
b330dcf763195c234cbce1af48cdda49

SHA1
c0b5d45b6e9fc5f17162613b99c03273d9985732

SHA256
70838e62adb4ab79871e211059993a2563b5f3618a2f437e6eda5568eeff7f44

SHA512
a1c41424a2a67786d3aa9871b8b7efa0461e8114dba03f5d6141b617c9416c1d7aa9c2a4f40082afc6c36b70fd98364b5dd527970f1a1146971eed2fc50350d3

Download Submit
C:\Windows\SysWOW64\wsusg.exe

Filesize
260KB

MD5
40828f26442bc695c87dc848078814fc

SHA1
ab5c466711674f7ca62124c2f7044d7500b5a852

SHA256
2bc1d09357628552180668504949c4b4b7249917cf4406091b786c7b2665f58b

SHA512
63b9ab3471438d61c193eeb4cbb03404707b0272b0fe53b3935577592dd775a7932edc5befa9af9883afe9fcfe8779a4c4db2f86b8e399a3efc6d1237f44b9ba

Download Submit
C:\Windows\SysWOW64\wuiepsj.exe

Filesize
260KB

MD5
0a4e42f3bd15e868d3b3f0426e68c5a7

SHA1
f3b336a127930acd994ccdf4a4533e47af2ce536

SHA256
6a7a3965e4fa5cc6557593a80b9eec98001816427a1ba68d8f5473d5bd5d0f4a

SHA512
84837c5b35edb8029675cf6923d7ab596e8a648723550297400e2e295bcbc5ebec723f7b6d6a5eb1f75c6b0762a19266c2aba7087cc11d74bdeba830cf70c008

Download Submit
C:\Windows\SysWOW64\wunpbsp.exe

Filesize
260KB

MD5
7cf2c87606f95036cbece57b68bcff31

SHA1
adfddead4af83ff406e9ace4fd61228cd3a1c482

SHA256
8297acf58507ea6932926d3bfa6748bd137a6cfce327226a86adee3bcbac96ea

SHA512
2efef5ba87c5ba03a49e2781dc27615ecedec7d09b8d390d59ee3f389db1525548017af019930a00ef3aaf13e398ed5b8dba70264cc94938cc9d6bd3d2f9976f

Download Submit
C:\Windows\SysWOW64\wuyqyik.exe

Filesize
259KB

MD5
be6025f4889cb1a897c4b3bd908387b6

SHA1
7834f452eff8abcc08c73ccfb8271ff2cd31d8b5

SHA256
ba9c9cdd5bcaf41b8f0cb3e5b83198a5dbb9d3650c2f6184dbb2378797ec357c

SHA512
1c1aaa2b8cf7eaace5c6f4246067994557984205404dabb402c6858a8c2e4b60ae80427ad5092b7f59a06cc6d0e4d3fc7b8d73317120f8dba9d7bf360cd31002

Download Submit
C:\Windows\SysWOW64\wvrdmmwc.exe

Filesize
260KB

MD5
8cd9738bf6c489c7f77e3c4ac1461ab9

SHA1
a40c66866d9cf75803fb1cb3e79012edb201874c

SHA256
ec41c8d2a4639c41e354b6cf2734ed1e8630632303aeada28d73940db7bd102c

SHA512
610378c75316ad9f500e2c38ac32043f6a6bc773b053e554246b8dd4d9194b0b75a82ec1cdd5809b1a94c30bd29469f056ed0afa7fb849c7f621b98c757b7267

Download Submit
C:\Windows\SysWOW64\wvuw.exe

Filesize
260KB

MD5
2f7ef598fded6bdefe4a207313188113

SHA1
5ddaa18371e3b25cfaed5ff44a1a6076da896eeb

SHA256
3e126c211099a805bb16284f37714c3b40c8a1c945e6669f50e1d61325caff5b

SHA512
70434d2641b25d363e36443c9660602cf9e410605794c7556a2f8072b2ccaf5584624e0c4588ac973aa251a1f068b2e5b545e7981fbd8162cfc7cbd7c639b571

Download Submit
C:\Windows\SysWOW64\wxsri.exe

Filesize
260KB

MD5
3999734fd2b2873f3442f7bf36ddac6b

SHA1
a4f68c4e45713c677f5ce6ae6d32b46f785278ba

SHA256
67e7da0823fa1c9ca80193b0be4f289a18384e59b8e6dc7eb817e7a8f94aaf8c

SHA512
59c57745159d1edb36703bef5e858e5432dc1be7c1bf0af3d959e43ff6ba2daea1eda4d2ee67b0f81bc08c6ad107bba6a0e14259d42b450ed9d942ca413b80bc

Download Submit
C:\Windows\SysWOW64\wylcw.exe

Filesize
260KB

MD5
cc5da6e69ba9c12ed090acd05ae3b949

SHA1
54647b6bf6662dfdd32ab98c4f4e5362147f44c2

SHA256
25fe67e918ee4fe7af0feea449a13080de036a1b13c59b272549ed32cbe49e2b

SHA512
9b7528f6df76d3ac3dd5165d5a4b25dc93595b98a4748cb3286d0554afcfb50ae35b7d08bb6ab1d89cce38857bc0660e2b9ce2ba0550ae84cf32acc4a6b13d1f

Download Submit
memory/232-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/412-349-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/412-542-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/456-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/548-224-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/552-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/552-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/948-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-123-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1372-485-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1376-502-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1608-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-526-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1940-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1968-477-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2028-445-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-285-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2124-453-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2144-341-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2676-461-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2676-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-244-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2940-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2940-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2960-203-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2968-534-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-275-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3168-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3188-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3288-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3400-469-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3412-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3424-333-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3428-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3428-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3540-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3688-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3692-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3760-518-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3936-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3992-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4004-373-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4364-365-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4372-437-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4436-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4436-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4532-413-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4556-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4588-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4588-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4612-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4660-357-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4756-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-421-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4952-189-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5008-493-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5012-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5032-510-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download