32747ca9866755b8012b5f1d808eb1448ae9546ecb9f02f649744d0c9d11a101

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df90957ba6f50984691db34c361ed270.exe
Size

268KB
MD5

df90957ba6f50984691db34c361ed270
SHA1

321cdf217c65310da42ba359b69c74335b26c752
SHA256

32747ca9866755b8012b5f1d808eb1448ae9546ecb9f02f649744d0c9d11a101
SHA512

de44ebe4afd2a756053c29b02e570fd76daf8827ba8f8a2a64a0d5a135926e19a62fa595b1d4cc23e184acb7e4f805ff6d0c390b1bcf8ee17bbb5074b9e506d6
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuJOW:ZY7xh6SZI4z7FSVpuJh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkxut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcigdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wghyklx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjxefw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuxwic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnwuwylcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqinwur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wogig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wypwblhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	woquqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrqwrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjthx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wylnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpeck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcwfb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsmqxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsvsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wikwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkkub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wumbfqh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	weoj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuskgb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnmqpiw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwatbtis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wievtvls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgccku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wimrkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqnkx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwno.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	waadqbbnq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrftru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whdguev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgikos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqdvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wiohbs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wukeua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwxoxcun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqlb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wulrgxrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbvfqefyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkiqe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcfaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgtvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgoecvhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgttftwxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wciqc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdvitd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whcpbxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwasi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtkye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	df90957ba6f50984691db34c361ed270.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcpue.exe

Executes dropped EXE 64 IoCs

pid	Process
3428	wievtvls.exe
4132	wtpgovdph.exe
1460	wuo.exe
3896	wgv.exe
2492	wkiqe.exe
3260	wpeck.exe
4328	wgccku.exe
3376	wacvmpv.exe
864	whf.exe
2484	wrce.exe
3700	wukeua.exe
4280	wrqwrq.exe
4428	whcpbxs.exe
2144	wgikos.exe
2120	wuxwic.exe
4480	wimrkr.exe
4312	wkxut.exe
1536	wvuerc.exe
944	wsvsc.exe
4924	wnwuwylcd.exe
2872	wulrgxrt.exe
3212	wqinwur.exe
1784	wogig.exe
2920	wbbdvp.exe
2904	wvhnj.exe
1344	wikwc.exe
4112	wqnkx.exe
4692	wgtvs.exe
3700	wypwblhy.exe
3668	wfni.exe
2884	wwxoxcun.exe
4312	wqlb.exe
1612	wgoecvhk.exe
4940	wjthx.exe
3224	wkkub.exe
4112	wuskgb.exe
4356	wfar.exe
3764	wcigdt.exe
4472	wjxpw.exe
2372	wcfaj.exe
3792	wnmqpiw.exe
4972	wuaoyf.exe
4408	wiohbs.exe
4900	wnpx.exe
4636	wbvfqefyb.exe
348	wdii.exe
2756	wrqt.exe
2900	wumbfqh.exe
4972	wff.exe
4576	wxl.exe
4276	wwasi.exe
5024	weudym.exe
3972	wbli.exe
4340	wcwfb.exe
4412	wylnu.exe
524	wghyklx.exe
2996	wsmqxd.exe
640	wgttftwxm.exe
2408	waadqbbnq.exe
1676	wtxyah.exe
1460	wwatbtis.exe
4424	wotkh.exe
3192	wrm.exe
640	wciqc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wimrkr.exe	wuxwic.exe
File created	C:\Windows\SysWOW64\wikwc.exe	wvhnj.exe
File created	C:\Windows\SysWOW64\wqnkx.exe	wikwc.exe
File created	C:\Windows\SysWOW64\wgoecvhk.exe	wqlb.exe
File created	C:\Windows\SysWOW64\wuskgb.exe	wkkub.exe
File created	C:\Windows\SysWOW64\wjxpw.exe	wcigdt.exe
File created	C:\Windows\SysWOW64\wkiqe.exe	wgv.exe
File created	C:\Windows\SysWOW64\wff.exe	wumbfqh.exe
File created	C:\Windows\SysWOW64\weudym.exe	wwasi.exe
File created	C:\Windows\SysWOW64\wylnu.exe	wcwfb.exe
File opened for modification	C:\Windows\SysWOW64\wcigdt.exe	wfar.exe
File created	C:\Windows\SysWOW64\wcfaj.exe	wjxpw.exe
File created	C:\Windows\SysWOW64\wdii.exe	wbvfqefyb.exe
File created	C:\Windows\SysWOW64\wtpgovdph.exe	wievtvls.exe
File opened for modification	C:\Windows\SysWOW64\wtpgovdph.exe	wievtvls.exe
File opened for modification	C:\Windows\SysWOW64\wuo.exe	wtpgovdph.exe
File created	C:\Windows\SysWOW64\wgccku.exe	wpeck.exe
File opened for modification	C:\Windows\SysWOW64\wrqwrq.exe	wukeua.exe
File created	C:\Windows\SysWOW64\wkxut.exe	wimrkr.exe
File created	C:\Windows\SysWOW64\wwxoxcun.exe	wfni.exe
File opened for modification	C:\Windows\SysWOW64\wqlb.exe	wwxoxcun.exe
File opened for modification	C:\Windows\SysWOW64\wuaoyf.exe	wnmqpiw.exe
File opened for modification	C:\Windows\SysWOW64\wqdvl.exe	whdguev.exe
File created	C:\Windows\SysWOW64\weoj.exe	wcpue.exe
File opened for modification	C:\Windows\SysWOW64\wnwuwylcd.exe	wsvsc.exe
File opened for modification	C:\Windows\SysWOW64\wkkub.exe	wjthx.exe
File created	C:\Windows\SysWOW64\wwatbtis.exe	wtxyah.exe
File opened for modification	C:\Windows\SysWOW64\wotkh.exe	wwatbtis.exe
File created	C:\Windows\SysWOW64\wdvitd.exe	weoj.exe
File created	C:\Windows\SysWOW64\wacvmpv.exe	wgccku.exe
File created	C:\Windows\SysWOW64\wrqwrq.exe	wukeua.exe
File opened for modification	C:\Windows\SysWOW64\wvhnj.exe	wbbdvp.exe
File created	C:\Windows\SysWOW64\wcigdt.exe	wfar.exe
File opened for modification	C:\Windows\SysWOW64\wgttftwxm.exe	wsmqxd.exe
File created	C:\Windows\SysWOW64\wwno.exe	wrftru.exe
File opened for modification	C:\Windows\SysWOW64\weoj.exe	wcpue.exe
File opened for modification	C:\Windows\SysWOW64\woquqo.exe	wtkye.exe
File created	C:\Windows\SysWOW64\wgtvs.exe	wqnkx.exe
File opened for modification	C:\Windows\SysWOW64\wfni.exe	wypwblhy.exe
File opened for modification	C:\Windows\SysWOW64\waadqbbnq.exe	wgttftwxm.exe
File created	C:\Windows\SysWOW64\wotkh.exe	wwatbtis.exe
File opened for modification	C:\Windows\SysWOW64\wulrgxrt.exe	wnwuwylcd.exe
File opened for modification	C:\Windows\SysWOW64\wrqt.exe	wdii.exe
File opened for modification	C:\Windows\SysWOW64\weudym.exe	wwasi.exe
File created	C:\Windows\SysWOW64\wbli.exe	weudym.exe
File opened for modification	C:\Windows\SysWOW64\wdvitd.exe	weoj.exe
File opened for modification	C:\Windows\SysWOW64\wgccku.exe	wpeck.exe
File created	C:\Windows\SysWOW64\wvuerc.exe	wkxut.exe
File created	C:\Windows\SysWOW64\wfni.exe	wypwblhy.exe
File created	C:\Windows\SysWOW64\wnmqpiw.exe	wcfaj.exe
File opened for modification	C:\Windows\SysWOW64\wumbfqh.exe	wrqt.exe
File created	C:\Windows\SysWOW64\wwasi.exe	wxl.exe
File opened for modification	C:\Windows\SysWOW64\wciqc.exe	wrm.exe
File created	C:\Windows\SysWOW64\wpeck.exe	wkiqe.exe
File created	C:\Windows\SysWOW64\wrce.exe	whf.exe
File created	C:\Windows\SysWOW64\wrqt.exe	wdii.exe
File opened for modification	C:\Windows\SysWOW64\wsmqxd.exe	wghyklx.exe
File opened for modification	C:\Windows\SysWOW64\whf.exe	wacvmpv.exe
File opened for modification	C:\Windows\SysWOW64\wbbdvp.exe	wogig.exe
File opened for modification	C:\Windows\SysWOW64\wiohbs.exe	wuaoyf.exe
File opened for modification	C:\Windows\SysWOW64\wwatbtis.exe	wtxyah.exe
File opened for modification	C:\Windows\SysWOW64\wievtvls.exe	df90957ba6f50984691db34c361ed270.exe
File opened for modification	C:\Windows\SysWOW64\wvuerc.exe	wkxut.exe
File created	C:\Windows\SysWOW64\wqlb.exe	wwxoxcun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1432	3428	WerFault.exe	97
3168	2904	WerFault.exe	185
2832	2372	WerFault.exe	233

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3428	1292	df90957ba6f50984691db34c361ed270.exe	97
PID 1292 wrote to memory of 3428	1292	df90957ba6f50984691db34c361ed270.exe	97
PID 1292 wrote to memory of 3428	1292	df90957ba6f50984691db34c361ed270.exe	97
PID 1292 wrote to memory of 4544	1292	df90957ba6f50984691db34c361ed270.exe	99
PID 1292 wrote to memory of 4544	1292	df90957ba6f50984691db34c361ed270.exe	99
PID 1292 wrote to memory of 4544	1292	df90957ba6f50984691db34c361ed270.exe	99
PID 3428 wrote to memory of 4132	3428	wievtvls.exe	107
PID 3428 wrote to memory of 4132	3428	wievtvls.exe	107
PID 3428 wrote to memory of 4132	3428	wievtvls.exe	107
PID 3428 wrote to memory of 3792	3428	wievtvls.exe	108
PID 3428 wrote to memory of 3792	3428	wievtvls.exe	108
PID 3428 wrote to memory of 3792	3428	wievtvls.exe	108
PID 4132 wrote to memory of 1460	4132	wtpgovdph.exe	113
PID 4132 wrote to memory of 1460	4132	wtpgovdph.exe	113
PID 4132 wrote to memory of 1460	4132	wtpgovdph.exe	113
PID 4132 wrote to memory of 1252	4132	wtpgovdph.exe	114
PID 4132 wrote to memory of 1252	4132	wtpgovdph.exe	114
PID 4132 wrote to memory of 1252	4132	wtpgovdph.exe	114
PID 1460 wrote to memory of 3896	1460	wuo.exe	117
PID 1460 wrote to memory of 3896	1460	wuo.exe	117
PID 1460 wrote to memory of 3896	1460	wuo.exe	117
PID 1460 wrote to memory of 1928	1460	wuo.exe	118
PID 1460 wrote to memory of 1928	1460	wuo.exe	118
PID 1460 wrote to memory of 1928	1460	wuo.exe	118
PID 3896 wrote to memory of 2492	3896	wgv.exe	120
PID 3896 wrote to memory of 2492	3896	wgv.exe	120
PID 3896 wrote to memory of 2492	3896	wgv.exe	120
PID 3896 wrote to memory of 3376	3896	wgv.exe	122
PID 3896 wrote to memory of 3376	3896	wgv.exe	122
PID 3896 wrote to memory of 3376	3896	wgv.exe	122
PID 2492 wrote to memory of 3260	2492	wkiqe.exe	125
PID 2492 wrote to memory of 3260	2492	wkiqe.exe	125
PID 2492 wrote to memory of 3260	2492	wkiqe.exe	125
PID 2492 wrote to memory of 3888	2492	wkiqe.exe	126
PID 2492 wrote to memory of 3888	2492	wkiqe.exe	126
PID 2492 wrote to memory of 3888	2492	wkiqe.exe	126
PID 3260 wrote to memory of 4328	3260	wpeck.exe	128
PID 3260 wrote to memory of 4328	3260	wpeck.exe	128
PID 3260 wrote to memory of 4328	3260	wpeck.exe	128
PID 3260 wrote to memory of 2996	3260	wpeck.exe	129
PID 3260 wrote to memory of 2996	3260	wpeck.exe	129
PID 3260 wrote to memory of 2996	3260	wpeck.exe	129
PID 4328 wrote to memory of 3376	4328	wgccku.exe	131
PID 4328 wrote to memory of 3376	4328	wgccku.exe	131
PID 4328 wrote to memory of 3376	4328	wgccku.exe	131
PID 4328 wrote to memory of 2204	4328	wgccku.exe	132
PID 4328 wrote to memory of 2204	4328	wgccku.exe	132
PID 4328 wrote to memory of 2204	4328	wgccku.exe	132
PID 3376 wrote to memory of 864	3376	wacvmpv.exe	134
PID 3376 wrote to memory of 864	3376	wacvmpv.exe	134
PID 3376 wrote to memory of 864	3376	wacvmpv.exe	134
PID 3376 wrote to memory of 1656	3376	wacvmpv.exe	135
PID 3376 wrote to memory of 1656	3376	wacvmpv.exe	135
PID 3376 wrote to memory of 1656	3376	wacvmpv.exe	135
PID 864 wrote to memory of 2484	864	whf.exe	138
PID 864 wrote to memory of 2484	864	whf.exe	138
PID 864 wrote to memory of 2484	864	whf.exe	138
PID 864 wrote to memory of 3260	864	whf.exe	139
PID 864 wrote to memory of 3260	864	whf.exe	139
PID 864 wrote to memory of 3260	864	whf.exe	139
PID 2484 wrote to memory of 3700	2484	wrce.exe	141
PID 2484 wrote to memory of 3700	2484	wrce.exe	141
PID 2484 wrote to memory of 3700	2484	wrce.exe	141
PID 2484 wrote to memory of 3920	2484	wrce.exe	142

C:\Users\Admin\AppData\Local\Temp\df90957ba6f50984691db34c361ed270.exe
"C:\Users\Admin\AppData\Local\Temp\df90957ba6f50984691db34c361ed270.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\wievtvls.exe
  "C:\Windows\system32\wievtvls.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\SysWOW64\wtpgovdph.exe
    "C:\Windows\system32\wtpgovdph.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\wuo.exe
      "C:\Windows\system32\wuo.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\wgv.exe
        
        "C:\Windows\system32\wgv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\SysWOW64\wkiqe.exe
        
        "C:\Windows\system32\wkiqe.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\wpeck.exe
        
        "C:\Windows\system32\wpeck.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\wgccku.exe
        
        "C:\Windows\system32\wgccku.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\wacvmpv.exe
        
        "C:\Windows\system32\wacvmpv.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\whf.exe
        
        "C:\Windows\system32\whf.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\wrce.exe
        
        "C:\Windows\system32\wrce.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\wukeua.exe
        
        "C:\Windows\system32\wukeua.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\wrqwrq.exe
        
        "C:\Windows\system32\wrqwrq.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\whcpbxs.exe
        
        "C:\Windows\system32\whcpbxs.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\wgikos.exe
        
        "C:\Windows\system32\wgikos.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\wuxwic.exe
        
        "C:\Windows\system32\wuxwic.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\wimrkr.exe
        
        "C:\Windows\system32\wimrkr.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\wkxut.exe
        
        "C:\Windows\system32\wkxut.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\wvuerc.exe
        
        "C:\Windows\system32\wvuerc.exe"
        19⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\wsvsc.exe
        
        "C:\Windows\system32\wsvsc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\wnwuwylcd.exe
        
        "C:\Windows\system32\wnwuwylcd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\wulrgxrt.exe
        
        "C:\Windows\system32\wulrgxrt.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\wqinwur.exe
        
        "C:\Windows\system32\wqinwur.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\wogig.exe
        
        "C:\Windows\system32\wogig.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\wbbdvp.exe
        
        "C:\Windows\system32\wbbdvp.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wvhnj.exe
        
        "C:\Windows\system32\wvhnj.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wikwc.exe
        
        "C:\Windows\system32\wikwc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\wqnkx.exe
        
        "C:\Windows\system32\wqnkx.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\wgtvs.exe
        
        "C:\Windows\system32\wgtvs.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\wypwblhy.exe
        
        "C:\Windows\system32\wypwblhy.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\wfni.exe
        
        "C:\Windows\system32\wfni.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\wwxoxcun.exe
        
        "C:\Windows\system32\wwxoxcun.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\wqlb.exe
        
        "C:\Windows\system32\wqlb.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\wgoecvhk.exe
        
        "C:\Windows\system32\wgoecvhk.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\wjthx.exe
        
        "C:\Windows\system32\wjthx.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\wkkub.exe
        
        "C:\Windows\system32\wkkub.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\wuskgb.exe
        
        "C:\Windows\system32\wuskgb.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\wfar.exe
        
        "C:\Windows\system32\wfar.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\wcigdt.exe
        
        "C:\Windows\system32\wcigdt.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\wjxpw.exe
        
        "C:\Windows\system32\wjxpw.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\wcfaj.exe
        
        "C:\Windows\system32\wcfaj.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\wnmqpiw.exe
        
        "C:\Windows\system32\wnmqpiw.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\wuaoyf.exe
        
        "C:\Windows\system32\wuaoyf.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\wiohbs.exe
        
        "C:\Windows\system32\wiohbs.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\wnpx.exe
        
        "C:\Windows\system32\wnpx.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\wbvfqefyb.exe
        
        "C:\Windows\system32\wbvfqefyb.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\wdii.exe
        
        "C:\Windows\system32\wdii.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:348
        
        C:\Windows\SysWOW64\wrqt.exe
        
        "C:\Windows\system32\wrqt.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\wumbfqh.exe
        
        "C:\Windows\system32\wumbfqh.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\wff.exe
        
        "C:\Windows\system32\wff.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\wxl.exe
        
        "C:\Windows\system32\wxl.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\wwasi.exe
        
        "C:\Windows\system32\wwasi.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\weudym.exe
        
        "C:\Windows\system32\weudym.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\wbli.exe
        
        "C:\Windows\system32\wbli.exe"
        54⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\wcwfb.exe
        
        "C:\Windows\system32\wcwfb.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\wylnu.exe
        
        "C:\Windows\system32\wylnu.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\wghyklx.exe
        
        "C:\Windows\system32\wghyklx.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\wsmqxd.exe
        
        "C:\Windows\system32\wsmqxd.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\wgttftwxm.exe
        
        "C:\Windows\system32\wgttftwxm.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\waadqbbnq.exe
        
        "C:\Windows\system32\waadqbbnq.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\wtxyah.exe
        
        "C:\Windows\system32\wtxyah.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\wwatbtis.exe
        
        "C:\Windows\system32\wwatbtis.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\wotkh.exe
        
        "C:\Windows\system32\wotkh.exe"
        63⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\wrm.exe
        
        "C:\Windows\system32\wrm.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\wciqc.exe
        
        "C:\Windows\system32\wciqc.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\wrftru.exe
        
        "C:\Windows\system32\wrftru.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\wwno.exe
        
        "C:\Windows\system32\wwno.exe"
        67⤵
        Checks computer location settings
        
        PID:4340
        
        C:\Windows\SysWOW64\whcu.exe
        
        "C:\Windows\system32\whcu.exe"
        68⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Windows\SysWOW64\wpj.exe
        
        "C:\Windows\system32\wpj.exe"
        69⤵
        Checks computer location settings
        
        PID:2168
        
        C:\Windows\SysWOW64\whdguev.exe
        
        "C:\Windows\system32\whdguev.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\wqdvl.exe
        
        "C:\Windows\system32\wqdvl.exe"
        71⤵
        Checks computer location settings
        
        PID:2364
        
        C:\Windows\SysWOW64\wcpue.exe
        
        "C:\Windows\system32\wcpue.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\weoj.exe
        
        "C:\Windows\system32\weoj.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:184
        
        C:\Windows\SysWOW64\wdvitd.exe
        
        "C:\Windows\system32\wdvitd.exe"
        74⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Windows\SysWOW64\wtkye.exe
        
        "C:\Windows\system32\wtkye.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\woquqo.exe
        
        "C:\Windows\system32\woquqo.exe"
        76⤵
        Checks computer location settings
        
        PID:2632
        
        C:\Windows\SysWOW64\wjxefw.exe
        
        "C:\Windows\system32\wjxefw.exe"
        77⤵
        Checks computer location settings
        
        PID:4796
        
        C:\Windows\SysWOW64\wwp.exe
        
        "C:\Windows\system32\wwp.exe"
        78⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxefw.exe"
        78⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woquqo.exe"
        77⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkye.exe"
        76⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvitd.exe"
        75⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoj.exe"
        74⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpue.exe"
        73⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdvl.exe"
        72⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdguev.exe"
        71⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpj.exe"
        70⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcu.exe"
        69⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwno.exe"
        68⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrftru.exe"
        67⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wciqc.exe"
        66⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrm.exe"
        65⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotkh.exe"
        64⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwatbtis.exe"
        63⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxyah.exe"
        62⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waadqbbnq.exe"
        61⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgttftwxm.exe"
        60⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmqxd.exe"
        59⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghyklx.exe"
        58⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylnu.exe"
        57⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwfb.exe"
        56⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbli.exe"
        55⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weudym.exe"
        54⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwasi.exe"
        53⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxl.exe"
        52⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wff.exe"
        51⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumbfqh.exe"
        50⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqt.exe"
        49⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdii.exe"
        48⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvfqefyb.exe"
        47⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpx.exe"
        46⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiohbs.exe"
        45⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuaoyf.exe"
        44⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmqpiw.exe"
        43⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcfaj.exe"
        42⤵
        
        PID:324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1520
        42⤵
        Program crash
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxpw.exe"
        41⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcigdt.exe"
        40⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfar.exe"
        39⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuskgb.exe"
        38⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkub.exe"
        37⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjthx.exe"
        36⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgoecvhk.exe"
        35⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlb.exe"
        34⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxoxcun.exe"
        33⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfni.exe"
        32⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypwblhy.exe"
        31⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtvs.exe"
        30⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqnkx.exe"
        29⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikwc.exe"
        28⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhnj.exe"
        27⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1464
        27⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbdvp.exe"
        26⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wogig.exe"
        25⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqinwur.exe"
        24⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulrgxrt.exe"
        23⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwuwylcd.exe"
        22⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvsc.exe"
        21⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuerc.exe"
        20⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxut.exe"
        19⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimrkr.exe"
        18⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxwic.exe"
        17⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgikos.exe"
        16⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcpbxs.exe"
        15⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqwrq.exe"
        14⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukeua.exe"
        13⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrce.exe"
        12⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whf.exe"
        11⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacvmpv.exe"
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgccku.exe"
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpeck.exe"
        8⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkiqe.exe"
        7⤵
        
        PID:3888
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgv.exe"
        6⤵
        
        PID:3376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuo.exe"
        5⤵
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpgovdph.exe"
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wievtvls.exe"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1468
    3⤵
    - Program crash
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\df90957ba6f50984691db34c361ed270.exe"
  2⤵
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3428 -ip 3428
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3428 -ip 3428
1⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2904 -ip 2904
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2372 -ip 2372
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wacvmpv.exe

Filesize
268KB

MD5
e8c19ff124063024ee2a401a730075af

SHA1
7bcc2498766d28d781047a3ec13e77d890cefa0b

SHA256
833622569caee91e6c461e1489451426795b7a61353aa78b172f3caa67d05c73

SHA512
4cb3f63eb0eb838111d660bddb335ea57cd0994b4824b15c259a9b4ada237b350091e2e34c81c05a9aae95e40c5b604339b32a9fc994b1792a09fd5b2e222d4a

Download Submit
C:\Windows\SysWOW64\wbbdvp.exe

Filesize
269KB

MD5
9ca565d07fd37da9c3c7f6e64331b50c

SHA1
236741a07f5f87e3e85970b78d59ca3a8a6b328d

SHA256
15e5a63e15197bf1309363a0864594a5c57306d4b460dbef3c4422174f901e63

SHA512
aa763679313a68b43747bec47278051502eb8205cca75fbd824aa5723746bc6eea4f830534f4f5149b8375fb484ba1514306f419392cebbc892151f5fc8fdfb1

Download Submit
C:\Windows\SysWOW64\wfni.exe

Filesize
269KB

MD5
e6175453758cfdc63152759763717144

SHA1
67f189717c5d27766cde4c66a1efb41917ceda6c

SHA256
cc76c9100c2d6a4023efa20f8d0facbaf31f8ca8ffde8e6e891b0fd4c2509889

SHA512
76bfd95c3ff23f4019f5d801c54ae1b68a09926f02e7360ce8baf2b072188668129bb10f507da101e67f2b4904117da8e7d36068a33db0f50ea86bdb13c61bba

Download Submit
C:\Windows\SysWOW64\wgccku.exe

Filesize
268KB

MD5
106120d101f723f35b4ec3cbb9c244cb

SHA1
62c0c6b7df8d567a3f6348f95b958beea980135c

SHA256
84b3c5de6edc1d401498d44eacae1d63c8ca1dda3519deb178d469692395d2d7

SHA512
9d153d3895254a87f6152b15af89993229fb2e4a72364a4b0924d040618c07e51edd289e74e187aa54c5f3e04c4d3f0b30308177e549d3b7c27e729c8644c7a5

Download Submit
C:\Windows\SysWOW64\wgikos.exe

Filesize
269KB

MD5
78824a3747c966c31ac8f8a7dd18b341

SHA1
c50f7f6b018134830cf64e5ee994c41a9417e37b

SHA256
19026ae9bbe474afd08c9790ff2c8aff6544f8036a6f7352731539a75855bf96

SHA512
9801a64abc7a73b9761ec32af20d5316b1b297538d023adeba92db58ac064bd984ea1383394c8f1799203d2dbea6b61462ad770183c8333a2331dc7a39b68425

Download Submit
C:\Windows\SysWOW64\wgtvs.exe

Filesize
269KB

MD5
24c68490674d42a998e274ebadcb3287

SHA1
17bc7b57ee46348f0972d4dab50474c3a786c2dd

SHA256
74505733ac8b716c793b1c8cac854071e182c26a9ce7b06571177fecc839576b

SHA512
999d25062eeb4043512fc2e877cfea430d48b123fc663b464d59152e0dea7e9051e4495cbabc5cbc2e21fd17e0caac7a7dd75f9659e990fa101cb26ae3038de0

Download Submit
C:\Windows\SysWOW64\wgv.exe

Filesize
268KB

MD5
5aa26f523adfb0d7f57b7ab230ed1800

SHA1
9b64ff39fff50ff0a73e5c27a6652031d2861759

SHA256
e7e8b8021a2ed6d24327a2619e42df91b7c13d78ab6e667a747ba4144114b1a5

SHA512
cff5efb34d31322768b065842e9e6c03b4ad3925b8d645c489dde81134184b9701d6789a551b319b9af721618321958bff5089fe653fd782848fb090299de304

Download Submit
C:\Windows\SysWOW64\whcpbxs.exe

Filesize
269KB

MD5
0db8bb0e40f6798dc346006bb15bd330

SHA1
f8e69682dc8bad75ba8346fdcd5e15c7d34733e4

SHA256
1c5970d45d099488a89319f7b4a061bda6f242dea0b750a3b04be2f2e598d5e9

SHA512
07ecfb3f9f3b06ea7e262ffa1d8b131aefcfe73d32666dee03d72407c673d4808fbe41216ebc03d5e15f223af281eadabd7e9013c62b493b58e6437ade46026e

Download Submit
C:\Windows\SysWOW64\whf.exe

Filesize
268KB

MD5
7cef6935ce08bef3d07d181ebbab63d7

SHA1
0f4fb12d5c6a6a638dcedcc826da1ad4a5bd6598

SHA256
e5b47a824f7aea8add39f7ad6530743d532505b39cdce70f83035dcb60a7ebf8

SHA512
a6a4e96337a0613ffedf6b6cf1b38da57bb5288d5f3880c8456a86538da5f1b6980053b6a47295d4481e620b9e5ae3d3fc42e80c81565567038013481b514540

Download Submit
C:\Windows\SysWOW64\wievtvls.exe

Filesize
268KB

MD5
f6f1f0ea8662dc970a3b83beb2db99f3

SHA1
192369d008a9d4e5298afa6884667fc8008d1e3b

SHA256
0cc72ab0c07051716c30625fb22deaa4c4bdee8e1c32654920a394c1dd4829a6

SHA512
af304cacacb61f7274758eb048a0f8f98b02d8918de3a0496d984fd402500ccc7642101a2d3885bf1617cf68afd3482b567f9819166fc6475b131b0601f61a0e

Download Submit
C:\Windows\SysWOW64\wikwc.exe

Filesize
269KB

MD5
31c072b217abdff1a8e2774c4308f087

SHA1
e4ba1a667e9c1376a114dc74b5f2a89c4d4b0dcd

SHA256
0d3bf6e47357cd7ad6c23a766a844188c8ea0967e5c02f1a4b463bffbeccf82f

SHA512
5fed4c9bfb726210c45866defea9926f4f84b342b46301be61cf9ae6b5077fbcbe8b7a7a4274c96f7bbdd0594e343f950b03113c5dae18ac39688d400459ee30

Download Submit
C:\Windows\SysWOW64\wimrkr.exe

Filesize
269KB

MD5
1f74465698f409b2539fe98059a73264

SHA1
515b8afe6298664fe566497e1853b70efe95bfec

SHA256
d24b8b6786a20e53735c13967d41cb140ceec3a86035fae0c2f70a72a44b0ff9

SHA512
49c67b93795b9297b4b3d36b849dade63e47562ca4d2798d21c5ac583aca550b6909f898552cd22c18bde2c9c9175dbc8441b558046ae232721c7f3a571b2d92

Download Submit
C:\Windows\SysWOW64\wkiqe.exe

Filesize
268KB

MD5
a59b3e9f0ebb80879b07683a7632691b

SHA1
60db6e15e171cdb76ed88259384c5bfdb5661b11

SHA256
892304e7b2c8af2631d794a6f2686c696f9248c64a9ed52656817e983a9e1003

SHA512
e5b21faed123f6e85abeea2b0087eefe26f575fea7968d3baecd31121205c68390b9593a3c1f919486d9b7c75b943575ac8b3309874d16f4946b57910da26c5b

Download Submit
C:\Windows\SysWOW64\wkxut.exe

Filesize
269KB

MD5
b62d5496a475861ff9a93b74d7f79c46

SHA1
4d9d6dc7fffb50d54c5b9167daedf8d620fa42af

SHA256
94e68983dd3c7780d4330f594f2252e27f42640cb7d3b5d0079f8dc13203ee74

SHA512
73bf6dd393282c95ddc0d6bd423cd0857032a8396e6081bb69d637db1814dd99c5b0024afb25de9950ccdc6c4bc868be11f72c24bdcbd973bdea1297ebc0888a

Download Submit
C:\Windows\SysWOW64\wnwuwylcd.exe

Filesize
269KB

MD5
d19279863ea08760c79a618819834ba3

SHA1
64d8b40f96a666daca09462be706894c1eb85094

SHA256
49f9bf0ab4acc437d7c09a6ec02519745508cbeb9ff0404e4440df1736c4e153

SHA512
2c1a923f485e7de9b1ca2c7d420aec88d531f588de05c3d2c0dd850b0955b60bf504be71a8f48815582b41050fe891f6bc7ebd5cd6cfc2478c5a29f06bae43dd

Download Submit
C:\Windows\SysWOW64\wogig.exe

Filesize
269KB

MD5
3b4eff6c4475a69af91b4f3a3a9e0ca4

SHA1
6d68362107544e235979a7de4a99279822513e02

SHA256
0c631f225369b74d879b488a9ecab90fede5db09290e1771982de845f38fad01

SHA512
a62b3d5bc5e1224ec83c0883cd7189f64e443c28f0e6c39b4ad6aea302ec33bfd41694928c3f1ee39069b82c14d3dc8131b60f67193e069061a4c251d3221bc9

Download Submit
C:\Windows\SysWOW64\wpeck.exe

Filesize
268KB

MD5
5b0fa500f4db0ac4db62875646e80876

SHA1
db39a3c2037a2c3f547ef7a465c0cf57bef69fec

SHA256
4864a598c9c7a48eff14df3fbfdaa06c53768ed3a044bc12d265b8ff98519d30

SHA512
96ebfc1b435120178cbf94779af7c5635e608faa8aeff9afb10a6a8790d4aea9307445f97b2fd87068560b0b47318a7456135858a46e67d342368ec273854166

Download Submit
C:\Windows\SysWOW64\wqinwur.exe

Filesize
269KB

MD5
e83ced9c22523fff3b57c215400d83d8

SHA1
2302aceb98e8aa3721cbede6baa95d3e4b46b68f

SHA256
df0cff566dc45ea3fc6fca632684e7a2dd241262b4844bd7a1deca600189524c

SHA512
fdf730bb6b4a5ea844503032723899cd62cf921c7c4a219ce5c57347a7542d8ae9fd3922630d4582436c7554bef2574c9f1aa6b79a6892554cda9ffe10f16980

Download Submit
C:\Windows\SysWOW64\wqlb.exe

Filesize
269KB

MD5
6462620bf6f65b3cd5674e4d4ee26694

SHA1
2f0ae27cb4e970a9f99fa020fcf74555da20e0da

SHA256
dbbdf55c5b30064a5a2739810547066b9da1c1f53e31de2634ebccad8d604b58

SHA512
93030543c8773543e618808bb11f7dc0ae13254eb05a25cd5a95d287ca6d1211cf573d44b8b396414fffc1181feb6c9fe2994e134c0d0cf445818e6b363ae66a

Download Submit
C:\Windows\SysWOW64\wqnkx.exe

Filesize
269KB

MD5
a54e847b873d38c608ae79494d85f1cb

SHA1
8d351c069e626507aa915e650b2c461023f102fd

SHA256
8f0c42a76ecadf739bb9f855d093067b89aab6ccade5049a5bb6c72517180088

SHA512
17653f84f374581591f7dac27bdce351cbd4857c7e57ad38aa80c5a2511c0e8f339452eb54f4ffde1cfa4e77f688646490a92bbf29d0b41f28fb3a0c579d0693

Download Submit
C:\Windows\SysWOW64\wrce.exe

Filesize
268KB

MD5
79270b65420a9b8230a2f6008725327e

SHA1
c65a7604ae5381b0c09e9b0d2e84bee60d39e162

SHA256
246fd74dc0d02ca8721119091a98fd22e7a09f4864d772902286542099a3d5bb

SHA512
31514c389e6b6c303228eaeafb2580424d54d3e23c4563a2151f48b2a2dc44465036c56ad300653df06472bdac588d9d1b1eb17dda7fec5245947a6e4d76779c

Download Submit
C:\Windows\SysWOW64\wrqwrq.exe

Filesize
268KB

MD5
f67438bb029bb56626f41b36676fd3ba

SHA1
d3d9a1a6ecb8fa2aed4c73f21e8168b4b1f0be3d

SHA256
74e7e0cbbe71627db4489237b0d9e08337b680e9f1864c961f8522a2b4dff130

SHA512
13fe0788b7e1e496e1250e4febbf30071537180295692b56de12e0202f72f65050ad835f66ea21088ba347624834db6b578104cde1d4b2cb618cfca7af6a7b5f

Download Submit
C:\Windows\SysWOW64\wsvsc.exe

Filesize
269KB

MD5
67b358c3a90ef966d68732c7e6052c56

SHA1
450f97a6b13234fdd22ae9719365afa1ad44bd13

SHA256
8afa282de985683a31da134e02a863d2017075a2b45a678e1a880ae626fa98d7

SHA512
3034d0697104101037732163f5c30db2a1e98109337c7f26be5bf9b1c97bcc7f689e64ec52863e00603f3576db09d5c0981e81e5240784f6b3c2af7111e0bf2c

Download Submit
C:\Windows\SysWOW64\wtpgovdph.exe

Filesize
268KB

MD5
fa6a45f1732b4f037a82bf59c0eff793

SHA1
53485226d9e94dcda3b0c625548bf1371e2868ff

SHA256
62513cfe2a0e0d35c1a1f43ecb7ab3519e90355f46cfa3acfb57d2b8d724008c

SHA512
d5050c958c831c5faa7a8a120fe2aa8fb871f963baeb3d333a3df8f11cfe578ab6966ec432f9e76b0076d8d6a4f379e76219b6897b6d7653a745b9513fbeddea

Download Submit
C:\Windows\SysWOW64\wukeua.exe

Filesize
268KB

MD5
828062bf6581add1d65737e88c84a215

SHA1
5a6c1b5ac99634e45067a37a9d005fe8db6d12f4

SHA256
93b699e13d1c480ff1b37f82febbf397e8ccf48d5ca7925159dfea6060ba9b18

SHA512
b9dc27d903699bd579a9ba3741826248b54f31d461d5c74495525eab78c7c831f475f22a6c353acbf2d51edcc07071b9df0fa5bb168fca46ad27df1a6ebf194a

Download Submit
C:\Windows\SysWOW64\wulrgxrt.exe

Filesize
269KB

MD5
19f5b77322fb3487d813275fcd5c7505

SHA1
0073f45876d97bfb517e0d72dbbcd090d92b1f67

SHA256
7dbdfc13395296f6aa945ff3bf02aa08e7938ca272cdeb81f3f77c18841db6bc

SHA512
74b09f55d6a3329ea7d2d24e795ec842be53571ad79048b9a91b6744bb1b8f6e15fb4cb1d72ac6d6bcab5807fb992a63abb56a904468f916b6bac78c688dbcd0

Download Submit
C:\Windows\SysWOW64\wuo.exe

Filesize
268KB

MD5
be2186735a2a7ab7dff42d6707539852

SHA1
3243aa2b7357c20fa47281857f233086a329281d

SHA256
94f129cb90473c75f66b51fcbda67423fa2660804d55ea5d3d1f27070c813ca0

SHA512
7191028d046c2651ef0f019c12a65e14c71752faefe244fe2137be80b56192b7650724848d5afde0457719e3c267a2dac7838b1683228d02c00de6df33b090ec

Download Submit
C:\Windows\SysWOW64\wuxwic.exe

Filesize
269KB

MD5
acbc856fc4ff3d457f525fa04adfc2af

SHA1
66e8478f702c35c4e1d76812f5656f0d8598b191

SHA256
28bf3904b350793fd4fa309a4d99091ee469bcaf11494c31bc31792ada5a8dbd

SHA512
2e75c6f2cba1ec582ca1ec41173dcbc93c4f16d7a6715a5d8dae8325b5f2d68c1071555b114cb7093078d2a5018f2b74ce1036e72147f0de9d04565f017a3248

Download Submit
C:\Windows\SysWOW64\wvhnj.exe

Filesize
269KB

MD5
66810be953515ed1db8cb2fb709961ed

SHA1
ee1310586e72f09694db9290538c296f846a2003

SHA256
7d79646c4d2775b52c449fa211e4944b2376a5e7615db35e91a35d831a72f72a

SHA512
7b74ff559558aa523673416b1407b14709958d6087f07b557f348a865450e6605c81ebb377903ee93e89957854a89d52d67b2b6296cc8077d4699ddd68ac45a9

Download Submit
C:\Windows\SysWOW64\wvuerc.exe

Filesize
269KB

MD5
c7eb38c7ef44806aee566fd89ef7e116

SHA1
dd06f11011909d4853ba30eb523a424c2ca87dc1

SHA256
83d3c24234e5ee412836f57c627e02255957cc5f95119d317ccabf62338d7c3f

SHA512
2c1c24a901debb9f57aee518d6748f28da2694a3b1bd6cf1c7949672ea11d7c512f973bdf742be6c3a2ab4595b97a3f78bd8fab50571ce3f01acb801720292ba

Download Submit
C:\Windows\SysWOW64\wwxoxcun.exe

Filesize
269KB

MD5
2d8447bce989af796b1387f07abb357f

SHA1
8da4d196f4b57fd3d82dd3e704920279d05d752d

SHA256
d7be875638a4aa3a5b6d84d1ae932adac608423ead157e2ad16dcc55d17f8eb5

SHA512
2bb0c2b74e5d853f6f8aca3424a632891c2b6b93957131bd3409f8c7db57fb673a351d382446f9f961fe1d6958bfd6b78b574c56eb53530b424719ea6dc635fa

Download Submit
C:\Windows\SysWOW64\wypwblhy.exe

Filesize
269KB

MD5
d20698ee10871ca123929d8d58f26c57

SHA1
cf6d85f4a79d2b29aa9b1cd42c1b707a0f8ae6fb

SHA256
7a9dd7798743053aa690351db5bcebf3fd1051a2111ed58a9eb5a4b2118b3e05

SHA512
f9c343f20121298528c0da9636666e1e10ae4992699ce61e325ca72bd482801b41e31ab3b0ea0386707de9046a7e7e51cb736a54579531a42a33e2b36cde452f

Download Submit
memory/348-447-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/524-527-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/864-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/944-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1460-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1536-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1612-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1784-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2120-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2120-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2144-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2372-399-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2756-455-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2872-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2884-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2884-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2900-463-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2904-268-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2920-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2996-535-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3212-236-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-359-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3260-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3376-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3428-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3668-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3700-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3700-306-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3700-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3764-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3896-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3896-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3972-503-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4112-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4112-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4132-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4276-487-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4280-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4312-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4312-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4328-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4340-511-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4356-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4408-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4428-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4472-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4480-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4576-479-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4636-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-431-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4924-216-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4940-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4972-471-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4972-415-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5024-495-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download