d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe
Size

356KB
MD5

c2df91f93f76c57a2010414220bd8a1f
SHA1

cfc327cdcb06812c20bfec96cd580258c90e346f
SHA256

d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a
SHA512

a74082056fc9e8815be35b109b830702af3cff752f19936ed0d173ddc7bb39fe04d4d23ae2db768c20160accf8b045774b507814f250de445d5548dbf3f111e2
SSDEEP

3072:+YUb5QoJ4g+CLi8HSpmWAVW9UNpZj6Iz1ZdW4SrO7FSVpEv4wD66ibA:+YwLTNV97h6SZI4z7FSVp84+28

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wrmtjif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	whyrd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wuxccaaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wpgp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wacnauh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wxolaswyw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wycfwopo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wvtcmwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wqgrrw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wusvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	woktndt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wpxfwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wpsddq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wjwvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wtxjs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wvjqwv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wdbtumk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wtaql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wopslpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wgsarhyh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wteikd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wvwfq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wqujr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wurakuc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wfnlrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wqolgia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wtyetjy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wjgacbyh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wprfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wqxan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmscglx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wrcaabc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	whhsp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wsixjnkg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wygo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wdbsbgpc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wyxr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmtqta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wiaadwbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wqbtq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	woas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wctgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wqjortx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	weoyflxwt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wjafirm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wirjunq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wojxcnwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wttqbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wtftxjjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wtexys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wfevwn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wfoeiuc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wpjmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wxbdsj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wnfyicmu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wfarxaqm.exe

Executes dropped EXE 64 IoCs

pid	Process
2116	wxbdsj.exe
4440	wopslpq.exe
4848	wmscglx.exe
1080	wqjortx.exe
3708	wuxccaaj.exe
3232	wkvmtku.exe
2388	wmtqta.exe
552	wvbwh.exe
4688	wfoeiuc.exe
1608	wpsddq.exe
1428	wgnt.exe
5072	wtyetjy.exe
3444	wycfwopo.exe
332	wnfyicmu.exe
3944	wgsarhyh.exe
4784	wrcaabc.exe
4296	wgm.exe
1928	wteikd.exe
4196	wvwfq.exe
4432	wtftxjjv.exe
212	wiaadwbc.exe
1084	wtexys.exe
908	weoyflxwt.exe
3180	wfarxaqm.exe
4380	wxyeo.exe
2248	wqbtq.exe
4892	wjafirm.exe
3432	whhsp.exe
5064	wjwvj.exe
5080	wpjmt.exe
4428	wedryb.exe
5116	wpgp.exe
3492	wvtcmwu.exe
2440	wiatbn.exe
2716	wjwwy.exe
3992	wre.exe
2764	wsixjnkg.exe
2920	wqgrrw.exe
592	wacnauh.exe
3488	wxolaswyw.exe
5080	wirjunq.exe
2480	wrmtjif.exe
1016	wqujr.exe
1888	woadmilv.exe
3380	wusvj.exe
3868	wjgacbyh.exe
2056	wurakuc.exe
3948	woas.exe
436	wxs.exe
1760	wfevwn.exe
2360	wprfy.exe
3988	whyrd.exe
2944	wvioc.exe
1776	woktndt.exe
5088	wygo.exe
384	wdbsbgpc.exe
3452	wfnlrt.exe
1684	wtaql.exe
1244	wtxjs.exe
2968	wdb.exe
3952	wqolgia.exe
3520	wqxan.exe
3780	wyp.exe
2988	wvjqwv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wjwwy.exe	wiatbn.exe
File opened for modification	C:\Windows\SysWOW64\woas.exe	wurakuc.exe
File created	C:\Windows\SysWOW64\wygo.exe	woktndt.exe
File opened for modification	C:\Windows\SysWOW64\wdbsbgpc.exe	wygo.exe
File opened for modification	C:\Windows\SysWOW64\wltnf.exe	wpxfwf.exe
File created	C:\Windows\SysWOW64\wgm.exe	wrcaabc.exe
File created	C:\Windows\SysWOW64\wteikd.exe	wgm.exe
File created	C:\Windows\SysWOW64\wre.exe	wjwwy.exe
File opened for modification	C:\Windows\SysWOW64\wgnt.exe	wpsddq.exe
File opened for modification	C:\Windows\SysWOW64\wvtcmwu.exe	wpgp.exe
File opened for modification	C:\Windows\SysWOW64\wfnlrt.exe	wdbsbgpc.exe
File opened for modification	C:\Windows\SysWOW64\wtyetjy.exe	wgnt.exe
File opened for modification	C:\Windows\SysWOW64\wtexys.exe	wiaadwbc.exe
File opened for modification	C:\Windows\SysWOW64\wxyeo.exe	wfarxaqm.exe
File opened for modification	C:\Windows\SysWOW64\wjgacbyh.exe	wusvj.exe
File opened for modification	C:\Windows\SysWOW64\wjwvj.exe	whhsp.exe
File opened for modification	C:\Windows\SysWOW64\wre.exe	wjwwy.exe
File created	C:\Windows\SysWOW64\wusvj.exe	woadmilv.exe
File created	C:\Windows\SysWOW64\wltnf.exe	wpxfwf.exe
File created	C:\Windows\SysWOW64\wtexys.exe	wiaadwbc.exe
File created	C:\Windows\SysWOW64\weoyflxwt.exe	wtexys.exe
File opened for modification	C:\Windows\SysWOW64\wqolgia.exe	wdb.exe
File created	C:\Windows\SysWOW64\wfevwn.exe	wxs.exe
File created	C:\Windows\SysWOW64\wfnlrt.exe	wdbsbgpc.exe
File opened for modification	C:\Windows\SysWOW64\wacnauh.exe	wqgrrw.exe
File opened for modification	C:\Windows\SysWOW64\wqujr.exe	wrmtjif.exe
File created	C:\Windows\SysWOW64\wdbsbgpc.exe	wygo.exe
File opened for modification	C:\Windows\SysWOW64\wqxan.exe	wqolgia.exe
File opened for modification	C:\Windows\SysWOW64\wnfyicmu.exe	wycfwopo.exe
File created	C:\Windows\SysWOW64\wvwfq.exe	wteikd.exe
File opened for modification	C:\Windows\SysWOW64\whhsp.exe	wjafirm.exe
File opened for modification	C:\Windows\SysWOW64\wxs.exe	woas.exe
File created	C:\Windows\SysWOW64\wvjqwv.exe	wyp.exe
File opened for modification	C:\Windows\SysWOW64\wvjqwv.exe	wyp.exe
File created	C:\Windows\SysWOW64\wpxfwf.exe	wyxr.exe
File opened for modification	C:\Windows\SysWOW64\wgsarhyh.exe	wnfyicmu.exe
File created	C:\Windows\SysWOW64\wrcaabc.exe	wgsarhyh.exe
File created	C:\Windows\SysWOW64\wyp.exe	wqxan.exe
File created	C:\Windows\SysWOW64\wojxcnwr.exe	wgxulkx.exe
File created	C:\Windows\SysWOW64\wfoeiuc.exe	wvbwh.exe
File opened for modification	C:\Windows\SysWOW64\wfevwn.exe	wxs.exe
File created	C:\Windows\SysWOW64\wpjmt.exe	wjwvj.exe
File opened for modification	C:\Windows\SysWOW64\wjwwy.exe	wiatbn.exe
File created	C:\Windows\SysWOW64\wsixjnkg.exe	wre.exe
File opened for modification	C:\Windows\SysWOW64\wdb.exe	wtxjs.exe
File opened for modification	C:\Windows\SysWOW64\wqjortx.exe	wmscglx.exe
File opened for modification	C:\Windows\SysWOW64\wvwfq.exe	wteikd.exe
File created	C:\Windows\SysWOW64\wirjunq.exe	wxolaswyw.exe
File opened for modification	C:\Windows\SysWOW64\wtxjs.exe	wtaql.exe
File created	C:\Windows\SysWOW64\wtyetjy.exe	wgnt.exe
File created	C:\Windows\SysWOW64\wacnauh.exe	wqgrrw.exe
File opened for modification	C:\Windows\SysWOW64\wedryb.exe	wpjmt.exe
File created	C:\Windows\SysWOW64\woktndt.exe	wvioc.exe
File created	C:\Windows\SysWOW64\wkvmtku.exe	wuxccaaj.exe
File created	C:\Windows\SysWOW64\wxyeo.exe	wfarxaqm.exe
File opened for modification	C:\Windows\SysWOW64\wiatbn.exe	wvtcmwu.exe
File opened for modification	C:\Windows\SysWOW64\wrmtjif.exe	wirjunq.exe
File created	C:\Windows\SysWOW64\woadmilv.exe	wqujr.exe
File opened for modification	C:\Windows\SysWOW64\wygo.exe	woktndt.exe
File created	C:\Windows\SysWOW64\wopslpq.exe	wxbdsj.exe
File opened for modification	C:\Windows\SysWOW64\wmtqta.exe	wkvmtku.exe
File created	C:\Windows\SysWOW64\wtxjs.exe	wtaql.exe
File opened for modification	C:\Windows\SysWOW64\wyxr.exe	wttqbp.exe
File created	C:\Windows\SysWOW64\woll.exe	wawh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
952	4440	WerFault.exe	97
5092	1928	WerFault.exe	149
3592	4432	WerFault.exe	157
1512	3492	WerFault.exe	199
2736	3488	WerFault.exe	222
4320	2480	WerFault.exe	230
1936	384	WerFault.exe	274
3992	2388	WerFault.exe	315

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2116	5048	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe	91
PID 5048 wrote to memory of 2116	5048	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe	91
PID 5048 wrote to memory of 2116	5048	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe	91
PID 5048 wrote to memory of 3980	5048	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe	93
PID 5048 wrote to memory of 3980	5048	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe	93
PID 5048 wrote to memory of 3980	5048	d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe	93
PID 2116 wrote to memory of 4440	2116	wxbdsj.exe	97
PID 2116 wrote to memory of 4440	2116	wxbdsj.exe	97
PID 2116 wrote to memory of 4440	2116	wxbdsj.exe	97
PID 2116 wrote to memory of 1468	2116	wxbdsj.exe	98
PID 2116 wrote to memory of 1468	2116	wxbdsj.exe	98
PID 2116 wrote to memory of 1468	2116	wxbdsj.exe	98
PID 4440 wrote to memory of 4848	4440	wopslpq.exe	100
PID 4440 wrote to memory of 4848	4440	wopslpq.exe	100
PID 4440 wrote to memory of 4848	4440	wopslpq.exe	100
PID 4440 wrote to memory of 4920	4440	wopslpq.exe	101
PID 4440 wrote to memory of 4920	4440	wopslpq.exe	101
PID 4440 wrote to memory of 4920	4440	wopslpq.exe	101
PID 4848 wrote to memory of 1080	4848	wmscglx.exe	105
PID 4848 wrote to memory of 1080	4848	wmscglx.exe	105
PID 4848 wrote to memory of 1080	4848	wmscglx.exe	105
PID 4848 wrote to memory of 1152	4848	wmscglx.exe	106
PID 4848 wrote to memory of 1152	4848	wmscglx.exe	106
PID 4848 wrote to memory of 1152	4848	wmscglx.exe	106
PID 1080 wrote to memory of 3708	1080	wqjortx.exe	108
PID 1080 wrote to memory of 3708	1080	wqjortx.exe	108
PID 1080 wrote to memory of 3708	1080	wqjortx.exe	108
PID 1080 wrote to memory of 1960	1080	wqjortx.exe	109
PID 1080 wrote to memory of 1960	1080	wqjortx.exe	109
PID 1080 wrote to memory of 1960	1080	wqjortx.exe	109
PID 3708 wrote to memory of 3232	3708	wuxccaaj.exe	111
PID 3708 wrote to memory of 3232	3708	wuxccaaj.exe	111
PID 3708 wrote to memory of 3232	3708	wuxccaaj.exe	111
PID 3708 wrote to memory of 2868	3708	wuxccaaj.exe	112
PID 3708 wrote to memory of 2868	3708	wuxccaaj.exe	112
PID 3708 wrote to memory of 2868	3708	wuxccaaj.exe	112
PID 3232 wrote to memory of 2388	3232	wkvmtku.exe	114
PID 3232 wrote to memory of 2388	3232	wkvmtku.exe	114
PID 3232 wrote to memory of 2388	3232	wkvmtku.exe	114
PID 3232 wrote to memory of 3896	3232	wkvmtku.exe	115
PID 3232 wrote to memory of 3896	3232	wkvmtku.exe	115
PID 3232 wrote to memory of 3896	3232	wkvmtku.exe	115
PID 2388 wrote to memory of 552	2388	wmtqta.exe	117
PID 2388 wrote to memory of 552	2388	wmtqta.exe	117
PID 2388 wrote to memory of 552	2388	wmtqta.exe	117
PID 2388 wrote to memory of 2972	2388	wmtqta.exe	118
PID 2388 wrote to memory of 2972	2388	wmtqta.exe	118
PID 2388 wrote to memory of 2972	2388	wmtqta.exe	118
PID 552 wrote to memory of 4688	552	wvbwh.exe	120
PID 552 wrote to memory of 4688	552	wvbwh.exe	120
PID 552 wrote to memory of 4688	552	wvbwh.exe	120
PID 552 wrote to memory of 1452	552	wvbwh.exe	121
PID 552 wrote to memory of 1452	552	wvbwh.exe	121
PID 552 wrote to memory of 1452	552	wvbwh.exe	121
PID 4688 wrote to memory of 1608	4688	wfoeiuc.exe	123
PID 4688 wrote to memory of 1608	4688	wfoeiuc.exe	123
PID 4688 wrote to memory of 1608	4688	wfoeiuc.exe	123
PID 4688 wrote to memory of 2116	4688	wfoeiuc.exe	124
PID 4688 wrote to memory of 2116	4688	wfoeiuc.exe	124
PID 4688 wrote to memory of 2116	4688	wfoeiuc.exe	124
PID 1608 wrote to memory of 1428	1608	wpsddq.exe	126
PID 1608 wrote to memory of 1428	1608	wpsddq.exe	126
PID 1608 wrote to memory of 1428	1608	wpsddq.exe	126
PID 1608 wrote to memory of 4980	1608	wpsddq.exe	127

C:\Users\Admin\AppData\Local\Temp\d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe
"C:\Users\Admin\AppData\Local\Temp\d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\wxbdsj.exe
  "C:\Windows\system32\wxbdsj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\wopslpq.exe
    "C:\Windows\system32\wopslpq.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\wmscglx.exe
      "C:\Windows\system32\wmscglx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\SysWOW64\wqjortx.exe
        
        "C:\Windows\system32\wqjortx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\SysWOW64\wuxccaaj.exe
        
        "C:\Windows\system32\wuxccaaj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\wkvmtku.exe
        
        "C:\Windows\system32\wkvmtku.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\wmtqta.exe
        
        "C:\Windows\system32\wmtqta.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\wvbwh.exe
        
        "C:\Windows\system32\wvbwh.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\wfoeiuc.exe
        
        "C:\Windows\system32\wfoeiuc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\wpsddq.exe
        
        "C:\Windows\system32\wpsddq.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\wgnt.exe
        
        "C:\Windows\system32\wgnt.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wtyetjy.exe
        
        "C:\Windows\system32\wtyetjy.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\wycfwopo.exe
        
        "C:\Windows\system32\wycfwopo.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\wnfyicmu.exe
        
        "C:\Windows\system32\wnfyicmu.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\wgsarhyh.exe
        
        "C:\Windows\system32\wgsarhyh.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\wrcaabc.exe
        
        "C:\Windows\system32\wrcaabc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\wgm.exe
        
        "C:\Windows\system32\wgm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\wteikd.exe
        
        "C:\Windows\system32\wteikd.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\wvwfq.exe
        
        "C:\Windows\system32\wvwfq.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\wtftxjjv.exe
        
        "C:\Windows\system32\wtftxjjv.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\wiaadwbc.exe
        
        "C:\Windows\system32\wiaadwbc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\wtexys.exe
        
        "C:\Windows\system32\wtexys.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\weoyflxwt.exe
        
        "C:\Windows\system32\weoyflxwt.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\wfarxaqm.exe
        
        "C:\Windows\system32\wfarxaqm.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\wxyeo.exe
        
        "C:\Windows\system32\wxyeo.exe"
        26⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\wqbtq.exe
        
        "C:\Windows\system32\wqbtq.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\wjafirm.exe
        
        "C:\Windows\system32\wjafirm.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\whhsp.exe
        
        "C:\Windows\system32\whhsp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\wjwvj.exe
        
        "C:\Windows\system32\wjwvj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\wpjmt.exe
        
        "C:\Windows\system32\wpjmt.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\wedryb.exe
        
        "C:\Windows\system32\wedryb.exe"
        32⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\wpgp.exe
        
        "C:\Windows\system32\wpgp.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\wvtcmwu.exe
        
        "C:\Windows\system32\wvtcmwu.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\wiatbn.exe
        
        "C:\Windows\system32\wiatbn.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\wjwwy.exe
        
        "C:\Windows\system32\wjwwy.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\wre.exe
        
        "C:\Windows\system32\wre.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\wsixjnkg.exe
        
        "C:\Windows\system32\wsixjnkg.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\wqgrrw.exe
        
        "C:\Windows\system32\wqgrrw.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wacnauh.exe
        
        "C:\Windows\system32\wacnauh.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\wxolaswyw.exe
        
        "C:\Windows\system32\wxolaswyw.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\wirjunq.exe
        
        "C:\Windows\system32\wirjunq.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\wrmtjif.exe
        
        "C:\Windows\system32\wrmtjif.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\wqujr.exe
        
        "C:\Windows\system32\wqujr.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\woadmilv.exe
        
        "C:\Windows\system32\woadmilv.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\wusvj.exe
        
        "C:\Windows\system32\wusvj.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\wjgacbyh.exe
        
        "C:\Windows\system32\wjgacbyh.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\wurakuc.exe
        
        "C:\Windows\system32\wurakuc.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\woas.exe
        
        "C:\Windows\system32\woas.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\wxs.exe
        
        "C:\Windows\system32\wxs.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\wfevwn.exe
        
        "C:\Windows\system32\wfevwn.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\wprfy.exe
        
        "C:\Windows\system32\wprfy.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\whyrd.exe
        
        "C:\Windows\system32\whyrd.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\wvioc.exe
        
        "C:\Windows\system32\wvioc.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\woktndt.exe
        
        "C:\Windows\system32\woktndt.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\wygo.exe
        
        "C:\Windows\system32\wygo.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\wdbsbgpc.exe
        
        "C:\Windows\system32\wdbsbgpc.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\wfnlrt.exe
        
        "C:\Windows\system32\wfnlrt.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\wtaql.exe
        
        "C:\Windows\system32\wtaql.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\wtxjs.exe
        
        "C:\Windows\system32\wtxjs.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\wdb.exe
        
        "C:\Windows\system32\wdb.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wqolgia.exe
        
        "C:\Windows\system32\wqolgia.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\wqxan.exe
        
        "C:\Windows\system32\wqxan.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\wyp.exe
        
        "C:\Windows\system32\wyp.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\wvjqwv.exe
        
        "C:\Windows\system32\wvjqwv.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\wctgg.exe
        
        "C:\Windows\system32\wctgg.exe"
        66⤵
        Checks computer location settings
        
        PID:3988
        
        C:\Windows\SysWOW64\wdbtumk.exe
        
        "C:\Windows\system32\wdbtumk.exe"
        67⤵
        Checks computer location settings
        
        PID:484
        
        C:\Windows\SysWOW64\wps.exe
        
        "C:\Windows\system32\wps.exe"
        68⤵
        Checks computer location settings
        
        PID:5008
        
        C:\Windows\SysWOW64\wgxulkx.exe
        
        "C:\Windows\system32\wgxulkx.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\wojxcnwr.exe
        
        "C:\Windows\system32\wojxcnwr.exe"
        70⤵
        Checks computer location settings
        
        PID:2388
        
        C:\Windows\SysWOW64\wttqbp.exe
        
        "C:\Windows\system32\wttqbp.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\wyxr.exe
        
        "C:\Windows\system32\wyxr.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\wpxfwf.exe
        
        "C:\Windows\system32\wpxfwf.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\wltnf.exe
        
        "C:\Windows\system32\wltnf.exe"
        74⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\wawh.exe
        
        "C:\Windows\system32\wawh.exe"
        75⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltnf.exe"
        75⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxfwf.exe"
        74⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxr.exe"
        73⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttqbp.exe"
        72⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojxcnwr.exe"
        71⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1684
        71⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxulkx.exe"
        70⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wps.exe"
        69⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbtumk.exe"
        68⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctgg.exe"
        67⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjqwv.exe"
        66⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyp.exe"
        65⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxan.exe"
        64⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqolgia.exe"
        63⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdb.exe"
        62⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxjs.exe"
        61⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaql.exe"
        60⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnlrt.exe"
        59⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbsbgpc.exe"
        58⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1636
        58⤵
        Program crash
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygo.exe"
        57⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woktndt.exe"
        56⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvioc.exe"
        55⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whyrd.exe"
        54⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprfy.exe"
        53⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfevwn.exe"
        52⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxs.exe"
        51⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woas.exe"
        50⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurakuc.exe"
        49⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgacbyh.exe"
        48⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusvj.exe"
        47⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woadmilv.exe"
        46⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqujr.exe"
        45⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmtjif.exe"
        44⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1396
        44⤵
        Program crash
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirjunq.exe"
        43⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxolaswyw.exe"
        42⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1536
        42⤵
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacnauh.exe"
        41⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgrrw.exe"
        40⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsixjnkg.exe"
        39⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wre.exe"
        38⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwwy.exe"
        37⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiatbn.exe"
        36⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtcmwu.exe"
        35⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1680
        35⤵
        Program crash
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgp.exe"
        34⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedryb.exe"
        33⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjmt.exe"
        32⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwvj.exe"
        31⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhsp.exe"
        30⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjafirm.exe"
        29⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbtq.exe"
        28⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyeo.exe"
        27⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfarxaqm.exe"
        26⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoyflxwt.exe"
        25⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtexys.exe"
        24⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiaadwbc.exe"
        23⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtftxjjv.exe"
        22⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 116
        22⤵
        Program crash
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwfq.exe"
        21⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wteikd.exe"
        20⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1356
        20⤵
        Program crash
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgm.exe"
        19⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcaabc.exe"
        18⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsarhyh.exe"
        17⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfyicmu.exe"
        16⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycfwopo.exe"
        15⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyetjy.exe"
        14⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnt.exe"
        13⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpsddq.exe"
        12⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfoeiuc.exe"
        11⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbwh.exe"
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtqta.exe"
        9⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvmtku.exe"
        8⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxccaaj.exe"
        7⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjortx.exe"
        6⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmscglx.exe"
        5⤵
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopslpq.exe"
      4⤵
      PID:4920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1280
      4⤵
      Program crash
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbdsj.exe"
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d93462375781ed26ca9fef6fb1fc6a8f131df449be64e310399f41ca080d555a.exe"
  2⤵
  PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4440 -ip 4440
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1928 -ip 1928
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4432 -ip 4432
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3492 -ip 3492
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3488 -ip 3488
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2480 -ip 2480
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 384 -ip 384
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2388 -ip 2388
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wedryb.exe

Filesize
357KB

MD5
c7484a432d556e05343f5b91229ff85d

SHA1
6a0fe645a0375dd6f9307c47c507bcc2b86771f6

SHA256
e6c2caea490a759e485209fdd23ae8555f5731b63b1d4cfac84eaaf108c8ea13

SHA512
27538d23aef730bb6e22cd852e4aa474f16828b83eb7de4594678afe45387304eb276ee2a696297d139bd9e76e2d3d76defddc5f41b6724220a4554f03f55937

Download Submit
C:\Windows\SysWOW64\weoyflxwt.exe

Filesize
357KB

MD5
010d240d441a74663cb9034d4fca77f1

SHA1
3c6665a3b83720ae69a81146e3b309be7ec72dde

SHA256
4f7d4d6536879a4b1a82fc6fad8a160f96ead22115d90ce8f34b3076bade4e6c

SHA512
fa4fa2675ba032dd773247ea35fd5b91717e63235aa4e2f548182df11a94997c915a4537f6154632cdacee710e85b97742d9812a430dd6509993689731a12266

Download Submit
C:\Windows\SysWOW64\wfarxaqm.exe

Filesize
357KB

MD5
c92829b10e250d0fa91f06e16db2a140

SHA1
a8f2850ac97c77fd50cb3f36f0a5c3d37735ad8f

SHA256
49f71add2032bac156c2c2db4b0431faa2ec79ed7a988cc9af6e613b0d8f8b15

SHA512
4b358908f22a3bab2c69d501a6825a3503a0b9dfaca51d388817a5af017cdd6cf42aca4e9dfca4e5e0de3bb56ce00165f12f4a5e8b468400540bb5adf2ee96ca

Download Submit
C:\Windows\SysWOW64\wfoeiuc.exe

Filesize
357KB

MD5
c6a54e2c911ff7f1e49aaa2eb0cdfc05

SHA1
4d661bd98f591780f31093e0f98ba1d77ea62b61

SHA256
d91e1bd6d697b8d7ac445d940c3083772f4dd1fa2da5b4de161b6a56cebc6e1e

SHA512
ef1ee876d28b8213487cd3877563d21e3e017c1f5be1e93144c5a90c11671e1b2c0e38a088e4c9fc407678e52569f33194b9803d057e168485aba32aea52af62

Download Submit
C:\Windows\SysWOW64\wgm.exe

Filesize
357KB

MD5
73159cc2f8ee83cc774206693f1163df

SHA1
a2d210784b7522932219d42a125974cdf9dc0036

SHA256
89e0c0543a102378b97dff211fe13c08db3981e047b8ce0081421a88f4b8cbf1

SHA512
657e86bb866bf7362b35943070380a353997b8e4edf1ab17188f027cc094eb54379bd21c4dd99e7a85c57fc4b1a4a3755b9ddb04ae0be007121d68035082d0ee

Download Submit
C:\Windows\SysWOW64\wgnt.exe

Filesize
357KB

MD5
edcee3dd563688bafad7dbbc486406dd

SHA1
59016ec466d15b3f042925f2d95db4105b653baf

SHA256
57d1f5ef9db8b2a1c519290fc6de67010c5e9e75d9b1bf7a4360299e9d0809c5

SHA512
7d6721223e417803139120274a74ed5cc4accae1767a8dcb62466f82f75418afa5bb9d71329e2a9c429ece6a1dd8a836b83696920d10a1f8a77ff019d2c4602f

Download Submit
C:\Windows\SysWOW64\wgsarhyh.exe

Filesize
357KB

MD5
fd94cd7574e2b17b15a748ce7975c131

SHA1
dd9e6024112f01f9f6027a0ef56229f0a18e8edf

SHA256
3b9b20e6188aabb67bac2e6e3e54ecce819dd86b2ad4f40c937f2b96634bdd62

SHA512
f7e62e0c55e472026ebd3d9deba5b3f56932b155065d9f2c1f40c9cc67cf7347c34d113d28197ffc4f02052d9d31f5190f5d9294047cc82cbd93d35b44cfbbf4

Download Submit
C:\Windows\SysWOW64\whhsp.exe

Filesize
357KB

MD5
ef0d423e27547f795b616e0e77db87f5

SHA1
d468e1ba78d7591f522bf2ff57a0c0a472d87b70

SHA256
eea2fa8ed0ef501ea9ab81096d24e17c1d547b8c3726f3195e75dc31f97f3239

SHA512
11d1b932d79d1ebc6b7837239389f0ca08a3e363715e673fd5fa4b3dfbdf42008568cde9f8561dbf0ed08548ce9f8af9303b84bec2287ef55bb6a7736f2fb686

Download Submit
C:\Windows\SysWOW64\wiaadwbc.exe

Filesize
357KB

MD5
6332451b560efdd365d776bd652de3af

SHA1
5f5079e0179831b2117659261c5eee8fb9f318d2

SHA256
2e7820a9c7d0f8bc20ca8cc38882f873ceb0c39d6b7a717d7703850beceeaeec

SHA512
536d3cb6053dedd44584a385dfd1fba072192246df1bda25102c343571ca5964d59c397111317f0ea1e945218c0fc8c313f099ef00ccf0aa275c9b8b23f28860

Download Submit
C:\Windows\SysWOW64\wjafirm.exe

Filesize
357KB

MD5
3a5241e538bd3e853650ec71dc0fb3f3

SHA1
0869a121849fed207e02956b229ddf62571cb7bc

SHA256
11473011ccb960e24ee0dda62468f1f8bd5c8b485197c65d92107d4a19c9fc98

SHA512
8bb2204dc88a4929e4147ef8fbf7d5a204d89763a5d48fc7f0e765acae07e5f1036e315e57b0d09f03bd7094cb489100d609e00b6883dfd0a853d2d279d0c859

Download Submit
C:\Windows\SysWOW64\wjwvj.exe

Filesize
357KB

MD5
c4ec5711b60096042adc8fb4280cd8ec

SHA1
22e280a37461632cec8db4329fb9b7f5fde7d1ea

SHA256
c1f781503b3b6af876f1076e812aa85465623474790f5605f56362bbc1d90ce2

SHA512
4a6bfb522b328aaa61896dfdf8bc77d909662b399e3ec96624321e8a84acd32c2ae73d1cc25ada0a875b145a9cd007a4a86fa53ecbf685292a3d21978139680e

Download Submit
C:\Windows\SysWOW64\wkvmtku.exe

Filesize
357KB

MD5
83a645fa9ae4493fbebe30d2369c1ce3

SHA1
60dcd774b616c0bf2074a8f13043146c42219edf

SHA256
72099e31406e7bddf5b5e352f72cff83b0dd27e9b3ea0f633a045facc722352c

SHA512
72db046a569c88676426c0c9a187ab491c8abcd7785f80408f388710c4ddf7b5406947cf915ee64693755515d5959bdb7f15f5c59b4ef3b947971165d40b0491

Download Submit
C:\Windows\SysWOW64\wmscglx.exe

Filesize
357KB

MD5
00b22feaf903effc93cb7e1bf17c5159

SHA1
407cecb80f3c8659e896aa278b2be6d5eed9afc1

SHA256
e8c4673706cfcc187208333a20458383263fa10a4fda16bc19e831f60f655e11

SHA512
b55fc5937db94af51895994be6deb7c179d97f01c73c2959ae8e3030b85cd4239ddeeb9116d99587eab9eecbc0130ab040b64004ac8a9638097b206eab2689ad

Download Submit
C:\Windows\SysWOW64\wmtqta.exe

Filesize
357KB

MD5
a3ddf0a500339ac66603da717a431961

SHA1
5f2680826e0d15d62bf4ebc4a4fffd560654cc3e

SHA256
f23c180063a97b45669d980b3736fcb4776b9789172f8dee53af3490c3e8bea2

SHA512
e3a7d22478a34744fd4002133b0deb75e27c64e56fa2f81b91a1850458d696a333453732c7c736f169c1f382f3269f449e75c8b5990fed15a2a9012bc09fc8de

Download Submit
C:\Windows\SysWOW64\wnfyicmu.exe

Filesize
357KB

MD5
4b6e3ed4d6a2463351296f26da40d99f

SHA1
f0f6916b4dad4bad1d73b1ab73ab0589ecd1f777

SHA256
b70b6302a70e697f4b2f5f3a39959aee81dc0319bdca081289f7e98b02cfa7b9

SHA512
7ab13617832629bdc5edf3eb35db2dfeae65dcbf912831d4d3470a0fea344323bc40175d4fd5128d31c2ab583de8d4d08be6303267ea9cea7df51751237aa8d9

Download Submit
C:\Windows\SysWOW64\wopslpq.exe

Filesize
356KB

MD5
a39d657738a87a1924abc35c759d2d9b

SHA1
79c1290adbc7622fc09354838e3ff19121a6e190

SHA256
99136eaac5c5997d39a2d09061f47c8e8659943b3950ce08cafa889b51837d8e

SHA512
b97e26d2343e7dbf757af80f0d9b73c580c7cd35e21c3c73e5bd60c34f9fcacbd285b2edb5b9d19235ad3090678660a74da77cac718f09b359f7352b0d763026

Download Submit
C:\Windows\SysWOW64\wpgp.exe

Filesize
357KB

MD5
e9633c8c43c73e1b745a14ce5c34d261

SHA1
e476f0947f8a1abc81f4e23ef68c5e716d939144

SHA256
5c1832fde3cb8b436ff3b3e03b25fcae81c4b3ddee3bb5844878b33817bbe7d9

SHA512
d9c378390571d2855f57924b5cb9a0a10eaf2f1b638b1b57ff8bae4c8cf6f1078c4199bd34a7c81bd5a092cd7c865e566af2ef66177e74cf82707a337c855b8a

Download Submit
C:\Windows\SysWOW64\wpjmt.exe

Filesize
357KB

MD5
2891c2262f1c448d057a3ead69cf7c99

SHA1
a2d54e0a3f69f065af6299ad52ac02e9019460ca

SHA256
a9ab182e63c98153be8b16395ded18fb4363de542163a933a33677eee381dbde

SHA512
7ecaa06102ed731e38517b24f4d8478e55e4e9636ee31b5afc62baa52ca875a02fcefe74a5b50e443899157a45da2b5a9a0cf7874d4031f6d2fb3e1dbacaf580

Download Submit
C:\Windows\SysWOW64\wpsddq.exe

Filesize
357KB

MD5
26204f17771b22d960354f2bd8c28d6f

SHA1
ee20beac481e283e79bb8ec7495a61e2451a5fae

SHA256
2c38ddbcc31b32c854e31b1daa4df3bd8c19c627f4f67caa118af79e0c7d79df

SHA512
875eadcd595e0208ef9b41acf5a336b9c270aeffc6f087074ee5a2cf810224be1a3df911e3ac2cc555aad95fde9a0cf20dfc920a5d6140a289ff7b93ab8caf5d

Download Submit
C:\Windows\SysWOW64\wqbtq.exe

Filesize
357KB

MD5
9e7ff5ed624b0e16873f5ec090b3d2a8

SHA1
ab30a7c4e62d5c28b465e2da0b4ae810a220eb76

SHA256
b347af40ce5f820644ea02868208fdc4b4836bfb6596690506dd515b74189667

SHA512
6cf22140040c52624da1f0fcf28581dca99c7ef1047fc16022356d0b329726779e6697e94ecaae266a924bb957353c6db25dd298170eee4502d9152dbe928e84

Download Submit
C:\Windows\SysWOW64\wqjortx.exe

Filesize
357KB

MD5
488b44629f8e9a0f2480ca4cec5e67da

SHA1
0c2a8304f139528e09392bc1fabe3a450d31d934

SHA256
efb7f98aa8d05c1a033c092922d91b0973a58e80f8650036e0ad22e6e5685a60

SHA512
0fd96e19caa0e2b5e77e56dc7a7b1e4e36abc48e32ffa21553189694f38b1f133f8999f350a086116cab14d9660a0b5f5be1c9da8ebcae8c5c0773a7e6462af4

Download Submit
C:\Windows\SysWOW64\wrcaabc.exe

Filesize
357KB

MD5
af40e9abba1dcb845952b3ac92a3a4ec

SHA1
d418323cd8d384a4d1d14fe211b8c5922622986f

SHA256
b6bae4f170d81f4c66adaebfc449b45732e62fc786af718bb313559ba4f0bde1

SHA512
58eb95ddaaf32f5bf889b5628c90a553df919564c4d8175837f4bbb54e724442ad15e4aa75cf21d66f3bda69b07225696f49cb607d94a16ff0bd64c3e0680f26

Download Submit
C:\Windows\SysWOW64\wteikd.exe

Filesize
357KB

MD5
77761514803553af8ba2295f214b9f1d

SHA1
66ed8ee1e0d5a1ee1ae3ed3666898d1280a9411e

SHA256
a2d06ab8bcdfe77b17a689a795ed2d8fe5751b791a055224dab03319fb3f0118

SHA512
08d8cf66e42ec78af1ba39ae52f6b2c48e23b6cbe78f643464eebafa329a183564252b754a6018c77ab8a0d2588bb3b6978dc3100fd65ce66f50d6f883715751

Download Submit
C:\Windows\SysWOW64\wtexys.exe

Filesize
357KB

MD5
bd81cf6db1d63372871f094a07faf4c6

SHA1
4a3f77372e254a66b8fdcff858985665420722e3

SHA256
6067f6ae3051ca49e6ff7b497068cce43975777d68f382242f16f2a1d33e7254

SHA512
eb6aec1396f91d986d17cd3b29c1e632dbf0a3b2b887b086e38f86ce9988cf16482a7873b6c1c7f9ab9ec98b5ccc4b1ecf357ad24e8c9f3e688a6d4409c6cb70

Download Submit
C:\Windows\SysWOW64\wtftxjjv.exe

Filesize
357KB

MD5
75efa2f6a2160c9642fac158c0aeb64b

SHA1
84e48d8ac25f5ebce69fac217a81a559dddd6475

SHA256
00bbac568f1e66aa7f22854c4bcc1df5e8c41f65a77ffde03bb35b5389ed9236

SHA512
45eb44a20918c2539e7f61f616da8cdcbf5dc6aa467b6e79c5e4187219c87ee8eccfba238d187d163a9b1331c6d428cfe792c2a8f610b0405202f4c48cbd5aae

Download Submit
C:\Windows\SysWOW64\wtyetjy.exe

Filesize
357KB

MD5
823385cedc4604412778826f9dbed714

SHA1
bc6f5f6ab22528b87d08ce675cc2197d6e71b022

SHA256
a49ef77ade966d27033d1613ebc761ee7f218ffa7660ee450efa6fbc821b5938

SHA512
c5adbae394de8ca86ae589f4ae48cedfff176053edb2b193013170621ef4c1e4741c725361524ca19b438ea64b72586b362c1b232ba2a9f3713ec3e79eb17878

Download Submit
C:\Windows\SysWOW64\wuxccaaj.exe

Filesize
357KB

MD5
66b889662bb43f2270941106da5782f7

SHA1
98cc78f75200dc872f8c31c0ae472ba023ee9962

SHA256
cc79b3ceffdc111bf3dd2d35c2d729b30944c6cf6a99e332a9e732bf67ca3a38

SHA512
4f1289e1939ce7950204c948c7e8ba6c8030c1a028de7e6be41a832cdc99291489c8dd18e08fc96f880800b9e98c089a0781d0430086b758423c308c429f300e

Download Submit
C:\Windows\SysWOW64\wvbwh.exe

Filesize
357KB

MD5
f57458bc7b4b0dbb5fc237c2b8d5bfa3

SHA1
4e828eab136a4f721b212be3a731dfcd146d7eb9

SHA256
fecb5b85dfe9d2cd1eb2590dbe4ca393d04bfdb0d904d2bec9c70622640b3ee7

SHA512
19bcab964685421c20e6956f4be5f9eeefe5ef0292e8c43145f40ca5f0b516c82bea25893caf4d1e3d7e88fe8549e3b3395267b28ccd904f8e5a949b710b0f00

Download Submit
C:\Windows\SysWOW64\wvwfq.exe

Filesize
357KB

MD5
73571396c1cad19446fcb47e1c817544

SHA1
83dbf25057ceb043b4f59e18fdb652540892c838

SHA256
30d1f75402f5714e4ecd86aded499b7c111a9e2b55361ef14d33ec61fa253daf

SHA512
281d11316bfd2b12f3bc58219017961e8fc5e4a4eb6d61ff10d2457ec5e6f3d58e3c5392b82f3cca9455e95249e41e8fb64ff854fa898c2ac4b07f32849ffd0b

Download Submit
C:\Windows\SysWOW64\wxbdsj.exe

Filesize
356KB

MD5
ea65c065414442e80586445db3950b0e

SHA1
7138928387ce8d3a3b5f75e88811fe340eb564df

SHA256
c08bc12d72581c0561d7a15f6279a522f07f66443ff14fcf50124812fe2bd38b

SHA512
80390a2096c728bc429c87b8ae2491ce96905d14c73a73d425cd60e302c8c21704d30aaf06861f5aad92f4f18f42a97cfa2446c0be9268b14464e0c228a678f7

Download Submit
C:\Windows\SysWOW64\wxyeo.exe

Filesize
357KB

MD5
81dfc8200ca9050806852ebd7cd217e3

SHA1
e0848d4f4ec6479b6332f051b9bd5b5947505592

SHA256
986c4b80de9a2c1630fa173247a3ccbedf4e26f53264ab4e0aed145ae4abda61

SHA512
a5fbcdfa43c1e670e08630fd21ef6d6fb54cbf6d4f894d281c3622ff28013946a587922cfbf6dd9b8155f61807410d3c94ee0de6f3d0a028b71f768053220d05

Download Submit
C:\Windows\SysWOW64\wycfwopo.exe

Filesize
357KB

MD5
2c89bc37cb31ba67c925cdfd124ef51e

SHA1
1ff45d3c4d1d575e5cf0adb9f41d7f287dc1599f

SHA256
099658e0687e51d1c2071f3536bad62cceeacf1298f28c118a67c507a265222f

SHA512
ac8bfd62a4d0543f5fd97b8cea0f82ce98eb5e2b2d7bcc088268fb2a757dad6bf6824dc54e2f099d8b66595b99f9692b7149061d4730861d49bac05e7ff13645

Download Submit
memory/212-235-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/332-160-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/332-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/552-95-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/552-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/592-406-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-257-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-245-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1080-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-246-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1428-116-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1428-128-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1608-117-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1928-192-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-288-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-366-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-357-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2480-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2716-374-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-390-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-398-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3180-256-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3180-267-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3232-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3232-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3432-309-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3444-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3488-416-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3488-407-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3492-358-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3492-348-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3708-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3708-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3944-159-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3944-171-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3992-382-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4196-214-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4296-181-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4296-193-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4380-278-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4428-340-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4432-213-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4432-225-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4688-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4784-170-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4784-182-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4848-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4848-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4892-298-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5048-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5048-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5064-320-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5064-308-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5080-319-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5080-330-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5080-415-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5080-424-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5116-349-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download