695fe7f8c65ea7554d6eccb2087378f71eb6c7602ec69ba7ee4a89136aca7204

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe
Size

253KB
MD5

fa3849a16fc3484586da3923d6ad58ae
SHA1

0d6c5e8cedc7356fd4c9ce8d18dda16315dc76cf
SHA256

695fe7f8c65ea7554d6eccb2087378f71eb6c7602ec69ba7ee4a89136aca7204
SHA512

199c4b266b4cb6734e4070bcf8cb9d1c8516c21295935d2fa18771694244302c2f8452fee28900272617f27ab7137106d7ef62b99657cea9f0a447bd04f71bf7
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVp6:ZY7xh6SZI4z7FSVp6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wgnqb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wgttogsq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wsamw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	whweuil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wxbypmu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wyqybdqdv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wgxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	weccsttmy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wqxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wrhrhegia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wlgafh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wgaiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wctgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wosbafqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wuijxar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wggio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wvrtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wjlamw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	walipas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wjbgnl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wmnjxmoq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wybsyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wjxbytk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wblcdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wsfccdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wejab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	waex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wvjtuns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wjaci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	welp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wvodnx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wcxhn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wpvbivgjr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wwqppkyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wmuky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wcrsiwpi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wtgla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	weav.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wbmpvvxyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wueyrra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wubat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wnshf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wtbpa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wunj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wrqptm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wagioia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wmuxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wruxme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	weqps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wxwgifx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wvvojhtax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wvmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wiyxyqpp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wamx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wnpyw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wswubi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wtbqkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wwnyis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wldeeu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wqikn.exe

Executes dropped EXE 64 IoCs

pid	Process
548	wwnyis.exe
3276	wxwgifx.exe
3344	wmeimuy.exe
1120	wmuky.exe
3512	wjbgnl.exe
1384	wyouwyldo.exe
3748	wmuxb.exe
4220	wosbafqt.exe
3396	wgxb.exe
2468	wsfccdt.exe
436	wjvnflj.exe
4244	wgnqb.exe
4528	wuijxar.exe
2260	wagioia.exe
4400	wvvojhtax.exe
3584	wvmp.exe
1748	wvjtuns.exe
4812	wkqwye.exe
4252	wkls.exe
4932	wiyxyqpp.exe
2960	wamx.exe
3128	wubat.exe
2628	wlgafh.exe
4256	wldeeu.exe
4088	wnpyw.exe
3044	wcrsiwpi.exe
4812	wlyyvw.exe
1904	wruxme.exe
4968	weccsttmy.exe
4476	wjaci.exe
2848	wnshf.exe
4400	wggio.exe
1436	wswubi.exe
2908	wlluko.exe
4780	welp.exe
1992	wheljct.exe
2016	wtl.exe
3836	wtbpa.exe
3052	wunj.exe
4996	wtbqkv.exe
3736	wqxy.exe
3848	wjlyb.exe
2632	woixr.exe
4172	wgaiu.exe
2836	wtgla.exe
3404	wmnjxmoq.exe
1992	wqikn.exe
736	weav.exe
4656	wahqmjpcn.exe
3160	wwx.exe
3636	wgttogsq.exe
4080	wgj.exe
5112	wkxut.exe
1872	wehoki.exe
3884	wejab.exe
4252	whjjm.exe
2176	waex.exe
2372	weqps.exe
1364	wybsyc.exe
4292	waqul.exe
4040	wjxbytk.exe
3160	wvrtx.exe
4596	weehfka.exe
2452	wtaaeaplg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\weav.exe	wqikn.exe
File opened for modification	C:\Windows\SysWOW64\wsfccdt.exe	wgxb.exe
File created	C:\Windows\SysWOW64\wnpyw.exe	wldeeu.exe
File created	C:\Windows\SysWOW64\wjlyb.exe	wqxy.exe
File opened for modification	C:\Windows\SysWOW64\wahqmjpcn.exe	weav.exe
File created	C:\Windows\SysWOW64\wgj.exe	wgttogsq.exe
File created	C:\Windows\SysWOW64\wejab.exe	wehoki.exe
File opened for modification	C:\Windows\SysWOW64\wagioia.exe	wuijxar.exe
File created	C:\Windows\SysWOW64\wvjtuns.exe	wvmp.exe
File opened for modification	C:\Windows\SysWOW64\wruxme.exe	wlyyvw.exe
File opened for modification	C:\Windows\SysWOW64\wjxbytk.exe	waqul.exe
File created	C:\Windows\SysWOW64\wsamw.exe	wtaaeaplg.exe
File created	C:\Windows\SysWOW64\wsfccdt.exe	wgxb.exe
File created	C:\Windows\SysWOW64\wubat.exe	wamx.exe
File created	C:\Windows\SysWOW64\wtgla.exe	wgaiu.exe
File opened for modification	C:\Windows\SysWOW64\weafrvqjs.exe	wrhrhegia.exe
File created	C:\Windows\SysWOW64\wxwgifx.exe	wwnyis.exe
File created	C:\Windows\SysWOW64\wlluko.exe	wswubi.exe
File opened for modification	C:\Windows\SysWOW64\wheljct.exe	welp.exe
File created	C:\Windows\SysWOW64\wunj.exe	wtbpa.exe
File created	C:\Windows\SysWOW64\whweuil.exe	wsamw.exe
File created	C:\Windows\SysWOW64\wvodnx.exe	wdbqms.exe
File created	C:\Windows\SysWOW64\wxbypmu.exe	wcxhn.exe
File opened for modification	C:\Windows\SysWOW64\wiyxyqpp.exe	wkls.exe
File created	C:\Windows\SysWOW64\wggio.exe	wnshf.exe
File created	C:\Windows\SysWOW64\wgaiu.exe	woixr.exe
File opened for modification	C:\Windows\SysWOW64\wtgla.exe	wgaiu.exe
File created	C:\Windows\SysWOW64\wrqptm.exe	wek.exe
File opened for modification	C:\Windows\SysWOW64\wrhrhegia.exe	wrqptm.exe
File created	C:\Windows\SysWOW64\wueyrra.exe	wjlamw.exe
File opened for modification	C:\Windows\SysWOW64\wldeeu.exe	wlgafh.exe
File opened for modification	C:\Windows\SysWOW64\wnpyw.exe	wldeeu.exe
File created	C:\Windows\SysWOW64\wtbqkv.exe	wunj.exe
File opened for modification	C:\Windows\SysWOW64\wdbqms.exe	weafrvqjs.exe
File created	C:\Windows\SysWOW64\wpvbivgjr.exe	wqgxvej.exe
File opened for modification	C:\Windows\SysWOW64\wjlamw.exe	wwqppkyq.exe
File opened for modification	C:\Windows\SysWOW64\wmuky.exe	wmeimuy.exe
File opened for modification	C:\Windows\SysWOW64\wlgafh.exe	wubat.exe
File opened for modification	C:\Windows\SysWOW64\woixr.exe	wjlyb.exe
File opened for modification	C:\Windows\SysWOW64\wwx.exe	wahqmjpcn.exe
File created	C:\Windows\SysWOW64\wrhrhegia.exe	wrqptm.exe
File opened for modification	C:\Windows\SysWOW64\walipas.exe	wueyrra.exe
File created	C:\Windows\SysWOW64\wmeimuy.exe	wxwgifx.exe
File created	C:\Windows\SysWOW64\wlyyvw.exe	wcrsiwpi.exe
File created	C:\Windows\SysWOW64\wjaci.exe	weccsttmy.exe
File opened for modification	C:\Windows\SysWOW64\wlluko.exe	wswubi.exe
File opened for modification	C:\Windows\SysWOW64\wrqptm.exe	wek.exe
File opened for modification	C:\Windows\SysWOW64\wblcdd.exe	wvodnx.exe
File created	C:\Windows\SysWOW64\wvvojhtax.exe	wagioia.exe
File created	C:\Windows\SysWOW64\wvmp.exe	wvvojhtax.exe
File opened for modification	C:\Windows\SysWOW64\wvmp.exe	wvvojhtax.exe
File opened for modification	C:\Windows\SysWOW64\wubat.exe	wamx.exe
File created	C:\Windows\SysWOW64\wswubi.exe	wggio.exe
File opened for modification	C:\Windows\SysWOW64\wunj.exe	wtbpa.exe
File opened for modification	C:\Windows\SysWOW64\wwnyis.exe	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wgxb.exe	wosbafqt.exe
File created	C:\Windows\SysWOW64\wctgg.exe	woynhnbo.exe
File created	C:\Windows\SysWOW64\wek.exe	wms.exe
File created	C:\Windows\SysWOW64\wwqppkyq.exe	wae.exe
File created	C:\Windows\SysWOW64\wmuxb.exe	wyouwyldo.exe
File created	C:\Windows\SysWOW64\wkls.exe	wkqwye.exe
File created	C:\Windows\SysWOW64\wiyxyqpp.exe	wkls.exe
File opened for modification	C:\Windows\SysWOW64\wnshf.exe	wjaci.exe
File opened for modification	C:\Windows\SysWOW64\wgj.exe	wgttogsq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2740	548	WerFault.exe	85
2296	3748	WerFault.exe	112
4152	4812	WerFault.exe	147
4644	4932	WerFault.exe	157
3044	4780	WerFault.exe	205
2640	4596	WerFault.exe	292
2848	3264	WerFault.exe	318
1712	3264	WerFault.exe	318
2256	4068	WerFault.exe	367

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 548	3736	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe	85
PID 3736 wrote to memory of 548	3736	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe	85
PID 3736 wrote to memory of 548	3736	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe	85
PID 3736 wrote to memory of 2068	3736	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe	87
PID 3736 wrote to memory of 2068	3736	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe	87
PID 3736 wrote to memory of 2068	3736	fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe	87
PID 548 wrote to memory of 3276	548	wwnyis.exe	89
PID 548 wrote to memory of 3276	548	wwnyis.exe	89
PID 548 wrote to memory of 3276	548	wwnyis.exe	89
PID 548 wrote to memory of 4504	548	wwnyis.exe	90
PID 548 wrote to memory of 4504	548	wwnyis.exe	90
PID 548 wrote to memory of 4504	548	wwnyis.exe	90
PID 3276 wrote to memory of 3344	3276	wxwgifx.exe	99
PID 3276 wrote to memory of 3344	3276	wxwgifx.exe	99
PID 3276 wrote to memory of 3344	3276	wxwgifx.exe	99
PID 3276 wrote to memory of 4160	3276	wxwgifx.exe	100
PID 3276 wrote to memory of 4160	3276	wxwgifx.exe	100
PID 3276 wrote to memory of 4160	3276	wxwgifx.exe	100
PID 3344 wrote to memory of 1120	3344	wmeimuy.exe	102
PID 3344 wrote to memory of 1120	3344	wmeimuy.exe	102
PID 3344 wrote to memory of 1120	3344	wmeimuy.exe	102
PID 3344 wrote to memory of 4592	3344	wmeimuy.exe	103
PID 3344 wrote to memory of 4592	3344	wmeimuy.exe	103
PID 3344 wrote to memory of 4592	3344	wmeimuy.exe	103
PID 1120 wrote to memory of 3512	1120	wmuky.exe	106
PID 1120 wrote to memory of 3512	1120	wmuky.exe	106
PID 1120 wrote to memory of 3512	1120	wmuky.exe	106
PID 1120 wrote to memory of 2372	1120	wmuky.exe	107
PID 1120 wrote to memory of 2372	1120	wmuky.exe	107
PID 1120 wrote to memory of 2372	1120	wmuky.exe	107
PID 3512 wrote to memory of 1384	3512	wjbgnl.exe	109
PID 3512 wrote to memory of 1384	3512	wjbgnl.exe	109
PID 3512 wrote to memory of 1384	3512	wjbgnl.exe	109
PID 3512 wrote to memory of 5008	3512	wjbgnl.exe	110
PID 3512 wrote to memory of 5008	3512	wjbgnl.exe	110
PID 3512 wrote to memory of 5008	3512	wjbgnl.exe	110
PID 1384 wrote to memory of 3748	1384	wyouwyldo.exe	112
PID 1384 wrote to memory of 3748	1384	wyouwyldo.exe	112
PID 1384 wrote to memory of 3748	1384	wyouwyldo.exe	112
PID 1384 wrote to memory of 1180	1384	wyouwyldo.exe	113
PID 1384 wrote to memory of 1180	1384	wyouwyldo.exe	113
PID 1384 wrote to memory of 1180	1384	wyouwyldo.exe	113
PID 3748 wrote to memory of 4220	3748	wmuxb.exe	115
PID 3748 wrote to memory of 4220	3748	wmuxb.exe	115
PID 3748 wrote to memory of 4220	3748	wmuxb.exe	115
PID 3748 wrote to memory of 2068	3748	wmuxb.exe	116
PID 3748 wrote to memory of 2068	3748	wmuxb.exe	116
PID 3748 wrote to memory of 2068	3748	wmuxb.exe	116
PID 4220 wrote to memory of 3396	4220	wosbafqt.exe	120
PID 4220 wrote to memory of 3396	4220	wosbafqt.exe	120
PID 4220 wrote to memory of 3396	4220	wosbafqt.exe	120
PID 4220 wrote to memory of 3848	4220	wosbafqt.exe	121
PID 4220 wrote to memory of 3848	4220	wosbafqt.exe	121
PID 4220 wrote to memory of 3848	4220	wosbafqt.exe	121
PID 3396 wrote to memory of 2468	3396	wgxb.exe	123
PID 3396 wrote to memory of 2468	3396	wgxb.exe	123
PID 3396 wrote to memory of 2468	3396	wgxb.exe	123
PID 3396 wrote to memory of 4436	3396	wgxb.exe	124
PID 3396 wrote to memory of 4436	3396	wgxb.exe	124
PID 3396 wrote to memory of 4436	3396	wgxb.exe	124
PID 2468 wrote to memory of 436	2468	wsfccdt.exe	126
PID 2468 wrote to memory of 436	2468	wsfccdt.exe	126
PID 2468 wrote to memory of 436	2468	wsfccdt.exe	126
PID 2468 wrote to memory of 1976	2468	wsfccdt.exe	127

C:\Users\Admin\AppData\Local\Temp\fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\wwnyis.exe
  "C:\Windows\system32\wwnyis.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\wxwgifx.exe
    "C:\Windows\system32\wxwgifx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\SysWOW64\wmeimuy.exe
      "C:\Windows\system32\wmeimuy.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3344
    - - C:\Windows\SysWOW64\wmuky.exe
        
        "C:\Windows\system32\wmuky.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\SysWOW64\wjbgnl.exe
        
        "C:\Windows\system32\wjbgnl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\wyouwyldo.exe
        
        "C:\Windows\system32\wyouwyldo.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\wmuxb.exe
        
        "C:\Windows\system32\wmuxb.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\wosbafqt.exe
        
        "C:\Windows\system32\wosbafqt.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\wgxb.exe
        
        "C:\Windows\system32\wgxb.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\wsfccdt.exe
        
        "C:\Windows\system32\wsfccdt.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\wjvnflj.exe
        
        "C:\Windows\system32\wjvnflj.exe"
        12⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\wgnqb.exe
        
        "C:\Windows\system32\wgnqb.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\wuijxar.exe
        
        "C:\Windows\system32\wuijxar.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wagioia.exe
        
        "C:\Windows\system32\wagioia.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\wvvojhtax.exe
        
        "C:\Windows\system32\wvvojhtax.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\wvmp.exe
        
        "C:\Windows\system32\wvmp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\wvjtuns.exe
        
        "C:\Windows\system32\wvjtuns.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\wkqwye.exe
        
        "C:\Windows\system32\wkqwye.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wkls.exe
        
        "C:\Windows\system32\wkls.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\wiyxyqpp.exe
        
        "C:\Windows\system32\wiyxyqpp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\wamx.exe
        
        "C:\Windows\system32\wamx.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\wubat.exe
        
        "C:\Windows\system32\wubat.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\wlgafh.exe
        
        "C:\Windows\system32\wlgafh.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\wldeeu.exe
        
        "C:\Windows\system32\wldeeu.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\wnpyw.exe
        
        "C:\Windows\system32\wnpyw.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\wcrsiwpi.exe
        
        "C:\Windows\system32\wcrsiwpi.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wlyyvw.exe
        
        "C:\Windows\system32\wlyyvw.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wruxme.exe
        
        "C:\Windows\system32\wruxme.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\weccsttmy.exe
        
        "C:\Windows\system32\weccsttmy.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\wjaci.exe
        
        "C:\Windows\system32\wjaci.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\wnshf.exe
        
        "C:\Windows\system32\wnshf.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\wggio.exe
        
        "C:\Windows\system32\wggio.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\wswubi.exe
        
        "C:\Windows\system32\wswubi.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\wlluko.exe
        
        "C:\Windows\system32\wlluko.exe"
        35⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\welp.exe
        
        "C:\Windows\system32\welp.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\wheljct.exe
        
        "C:\Windows\system32\wheljct.exe"
        37⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\wtl.exe
        
        "C:\Windows\system32\wtl.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\wtbpa.exe
        
        "C:\Windows\system32\wtbpa.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\wunj.exe
        
        "C:\Windows\system32\wunj.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\wtbqkv.exe
        
        "C:\Windows\system32\wtbqkv.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\wqxy.exe
        
        "C:\Windows\system32\wqxy.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\wjlyb.exe
        
        "C:\Windows\system32\wjlyb.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\woixr.exe
        
        "C:\Windows\system32\woixr.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\wgaiu.exe
        
        "C:\Windows\system32\wgaiu.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\wtgla.exe
        
        "C:\Windows\system32\wtgla.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\wmnjxmoq.exe
        
        "C:\Windows\system32\wmnjxmoq.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\wqikn.exe
        
        "C:\Windows\system32\wqikn.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\weav.exe
        
        "C:\Windows\system32\weav.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\wahqmjpcn.exe
        
        "C:\Windows\system32\wahqmjpcn.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wwx.exe
        
        "C:\Windows\system32\wwx.exe"
        51⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\wgttogsq.exe
        
        "C:\Windows\system32\wgttogsq.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\wgj.exe
        
        "C:\Windows\system32\wgj.exe"
        53⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\wkxut.exe
        
        "C:\Windows\system32\wkxut.exe"
        54⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\wehoki.exe
        
        "C:\Windows\system32\wehoki.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\wejab.exe
        
        "C:\Windows\system32\wejab.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\whjjm.exe
        
        "C:\Windows\system32\whjjm.exe"
        57⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\waex.exe
        
        "C:\Windows\system32\waex.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\weqps.exe
        
        "C:\Windows\system32\weqps.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\wybsyc.exe
        
        "C:\Windows\system32\wybsyc.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\waqul.exe
        
        "C:\Windows\system32\waqul.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\wjxbytk.exe
        
        "C:\Windows\system32\wjxbytk.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\wvrtx.exe
        
        "C:\Windows\system32\wvrtx.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\weehfka.exe
        
        "C:\Windows\system32\weehfka.exe"
        64⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\wtaaeaplg.exe
        
        "C:\Windows\system32\wtaaeaplg.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\wsamw.exe
        
        "C:\Windows\system32\wsamw.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\whweuil.exe
        
        "C:\Windows\system32\whweuil.exe"
        67⤵
        Checks computer location settings
        
        PID:2900
        
        C:\Windows\SysWOW64\wms.exe
        
        "C:\Windows\system32\wms.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\wek.exe
        
        "C:\Windows\system32\wek.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\wrqptm.exe
        
        "C:\Windows\system32\wrqptm.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\wrhrhegia.exe
        
        "C:\Windows\system32\wrhrhegia.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\weafrvqjs.exe
        
        "C:\Windows\system32\weafrvqjs.exe"
        72⤵
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\wdbqms.exe
        
        "C:\Windows\system32\wdbqms.exe"
        73⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\wvodnx.exe
        
        "C:\Windows\system32\wvodnx.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\wblcdd.exe
        
        "C:\Windows\system32\wblcdd.exe"
        75⤵
        Checks computer location settings
        
        PID:660
        
        C:\Windows\SysWOW64\wbmpvvxyu.exe
        
        "C:\Windows\system32\wbmpvvxyu.exe"
        76⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Windows\SysWOW64\wcxhn.exe
        
        "C:\Windows\system32\wcxhn.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\wxbypmu.exe
        
        "C:\Windows\system32\wxbypmu.exe"
        78⤵
        Checks computer location settings
        
        PID:2108
        
        C:\Windows\SysWOW64\wyqybdqdv.exe
        
        "C:\Windows\system32\wyqybdqdv.exe"
        79⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Windows\SysWOW64\wqgxvej.exe
        
        "C:\Windows\system32\wqgxvej.exe"
        80⤵
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\wpvbivgjr.exe
        
        "C:\Windows\system32\wpvbivgjr.exe"
        81⤵
        Checks computer location settings
        
        PID:4544
        
        C:\Windows\SysWOW64\wenmtmpkk.exe
        
        "C:\Windows\system32\wenmtmpkk.exe"
        82⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\wae.exe
        
        "C:\Windows\system32\wae.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\wwqppkyq.exe
        
        "C:\Windows\system32\wwqppkyq.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\wjlamw.exe
        
        "C:\Windows\system32\wjlamw.exe"
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wueyrra.exe
        
        "C:\Windows\system32\wueyrra.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\walipas.exe
        
        "C:\Windows\system32\walipas.exe"
        87⤵
        Checks computer location settings
        
        PID:4068
        
        C:\Windows\SysWOW64\woynhnbo.exe
        
        "C:\Windows\system32\woynhnbo.exe"
        88⤵
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\wctgg.exe
        
        "C:\Windows\system32\wctgg.exe"
        89⤵
        Checks computer location settings
        
        PID:644
        
        C:\Windows\SysWOW64\wkcmtcmj.exe
        
        "C:\Windows\system32\wkcmtcmj.exe"
        90⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctgg.exe"
        90⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woynhnbo.exe"
        89⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\walipas.exe"
        88⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1420
        88⤵
        Program crash
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wueyrra.exe"
        87⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlamw.exe"
        86⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqppkyq.exe"
        85⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wae.exe"
        84⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenmtmpkk.exe"
        83⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvbivgjr.exe"
        82⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgxvej.exe"
        81⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqybdqdv.exe"
        80⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbypmu.exe"
        79⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxhn.exe"
        78⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmpvvxyu.exe"
        77⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblcdd.exe"
        76⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvodnx.exe"
        75⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbqms.exe"
        74⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weafrvqjs.exe"
        73⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 116
        73⤵
        Program crash
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1344
        73⤵
        Program crash
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhrhegia.exe"
        72⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqptm.exe"
        71⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wek.exe"
        70⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wms.exe"
        69⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whweuil.exe"
        68⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsamw.exe"
        67⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaaeaplg.exe"
        66⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weehfka.exe"
        65⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1536
        65⤵
        Program crash
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrtx.exe"
        64⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxbytk.exe"
        63⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqul.exe"
        62⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybsyc.exe"
        61⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqps.exe"
        60⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waex.exe"
        59⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjjm.exe"
        58⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejab.exe"
        57⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehoki.exe"
        56⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxut.exe"
        55⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgj.exe"
        54⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgttogsq.exe"
        53⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwx.exe"
        52⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahqmjpcn.exe"
        51⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weav.exe"
        50⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqikn.exe"
        49⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnjxmoq.exe"
        48⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgla.exe"
        47⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgaiu.exe"
        46⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woixr.exe"
        45⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlyb.exe"
        44⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxy.exe"
        43⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbqkv.exe"
        42⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunj.exe"
        41⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbpa.exe"
        40⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtl.exe"
        39⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wheljct.exe"
        38⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welp.exe"
        37⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1716
        37⤵
        Program crash
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlluko.exe"
        36⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswubi.exe"
        35⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggio.exe"
        34⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnshf.exe"
        33⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaci.exe"
        32⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weccsttmy.exe"
        31⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruxme.exe"
        30⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyyvw.exe"
        29⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrsiwpi.exe"
        28⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpyw.exe"
        27⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldeeu.exe"
        26⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgafh.exe"
        25⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubat.exe"
        24⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamx.exe"
        23⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyxyqpp.exe"
        22⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1448
        22⤵
        Program crash
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkls.exe"
        21⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqwye.exe"
        20⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1280
        20⤵
        Program crash
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjtuns.exe"
        19⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmp.exe"
        18⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvojhtax.exe"
        17⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagioia.exe"
        16⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuijxar.exe"
        15⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnqb.exe"
        14⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvnflj.exe"
        13⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsfccdt.exe"
        12⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxb.exe"
        11⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosbafqt.exe"
        10⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuxb.exe"
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1352
        9⤵
        Program crash
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyouwyldo.exe"
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbgnl.exe"
        7⤵
        
        PID:5008
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuky.exe"
        6⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmeimuy.exe"
        5⤵
        
        PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwgifx.exe"
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnyis.exe"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1280
    3⤵
    - Program crash
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\fa3849a16fc3484586da3923d6ad58ae_JaffaCakes118.exe"
  2⤵
  PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3748 -ip 3748
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4812 -ip 4812
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4932 -ip 4932
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4780 -ip 4780
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4596 -ip 4596
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3264 -ip 3264
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3264 -ip 3264
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4068 -ip 4068
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6O2ZN5Q\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wagioia.exe

Filesize
254KB

MD5
b06439564e2a57781c99d807c6a99dff

SHA1
439757469df84128122221e511918a83e9bd2d28

SHA256
87a3e7bf291143f16013a0ae35a0e81b176935695671ff0990ae38727cd7d9d8

SHA512
385b19576ea4d9d189c84d1ccd4b28e060c38de5b7bfc545f1f90690475815a28dadaf2f8e521031ea21e6107b75c0afa9028f576888b0acb7d855b996c75bc1

Download Submit
C:\Windows\SysWOW64\wamx.exe

Filesize
254KB

MD5
51cfcf7cf0ace865598382c9df9931e3

SHA1
aeefaac9074a7e118b3d51348ca6dbdc4e9f2db7

SHA256
8b233277c371bae89d76c9d8c6addd3e5a4cd2b0ccd1428f3a4359ff6e1b8d31

SHA512
bded25e63ecad6034cc38a7fcdbc0d0b3c799d644a4a204c0b11974d1d7d8b1d4dd5feff055ee558633346ad7b8583e73a58fe321c8fc51195c4b33840c54fa5

Download Submit
C:\Windows\SysWOW64\wcrsiwpi.exe

Filesize
254KB

MD5
bfea74c4a1e9db6fa3b67498751ce2fe

SHA1
05a4b45b498db3a52cd63b1500e058030d36e540

SHA256
4a533f3d1f0f5cfbfde8c1904c0adc7091f76aa12181ca171206fbf92becba2e

SHA512
be2e341c390eed583dc7c86ec1bd307d052e82977fb6818b3c3dc5fb704618e62106187591dc257e7b701f7aabe6e64f5a67ab63c8574a69ae23a939a8029c40

Download Submit
C:\Windows\SysWOW64\weccsttmy.exe

Filesize
254KB

MD5
8961bc15e3e33b14a23003bad9be6c70

SHA1
169cc8179b66c311cca8145e40a13a186e378f80

SHA256
a6e74466b0ee76aeaa8cb8f941ba0328bc9e65570976971fc72c3198b8dfdea3

SHA512
dbab0b90c3fcdc28b10b528eb8e45dc9686dd256a79916030552e06dd954363df020457480c795d25585ec8ff5e55031516e302dd5db66cc4421744bb5aa392c

Download Submit
C:\Windows\SysWOW64\wggio.exe

Filesize
254KB

MD5
1c023e02ef31f4e947cc33dbc644cc0d

SHA1
94ae36e40046efb9ddb9ca10d8128ea32eba718d

SHA256
f6b54076c449d14a6d9b4791bc01f2a760380ae011bf3502e7fcccdfb596e108

SHA512
ba6a813d2fd28073b87a403747ae4122319d1c47890a98c86c85d93a854e5344734376462dbc3b084b7b53b67ea0baa7ce5eccee9a6fad7483862153fcedcc02

Download Submit
C:\Windows\SysWOW64\wgnqb.exe

Filesize
254KB

MD5
ad0da8a1e1e324554ed4102ab9b7355f

SHA1
62dcd253427deac20850b9aa937ea90dd67f80cd

SHA256
6983543549547d63022714c5f5eea34bf74eaed2ea1394567607c8bc311836e4

SHA512
ff6cb043cbc204c809d2ba31c0302de56514c78750e8b00fc9a7aca389649c0c1985367674b811aac4640b84cdb7edb952f8b5a98b0e33a17e223f69040b8275

Download Submit
C:\Windows\SysWOW64\wgxb.exe

Filesize
254KB

MD5
ddb3dc5f0625916cdcde3d7a752391d6

SHA1
5292e05f967889393d876a66d10edb1daf32fe90

SHA256
b7f8e3b38be6610a732d7b3976a91a6e495475b4b66f483c8d6ab13d89add2dc

SHA512
51ea84511ceeec3a1733c7b4e247e073942459f3c95ceee67335fa023d7d2761e8244f4e71258b73bc3b418ba51e0e60f45874e631d92543d33ae422cf0f8e17

Download Submit
C:\Windows\SysWOW64\wiyxyqpp.exe

Filesize
254KB

MD5
464088afb189decd949f4a92202910de

SHA1
e1705508727786c50b242fb5a78413ba75bb73de

SHA256
5350f97bba8434c8e4da1d8eb43bf4e787d29ed9703f573021a57b9db42a88ba

SHA512
a648b762ae35d8103c405bbbcd04984b1990257031bdc79a3fef4ca73a18723e4af0d289f02860764d3b6ade8d6c571ccd59e26e78ce16b687710f3d8d2247dd

Download Submit
C:\Windows\SysWOW64\wjaci.exe

Filesize
254KB

MD5
b68f931f4988915c218c262ffef5bf89

SHA1
5b6efca4c338c66e40ab41f63cd25311d5af0fdb

SHA256
5c5724b8201516e231ae3371a0ee409e83c9ee5a013f6fda9159d5a1e5b0da54

SHA512
a8cf351f5a44ae33353007e8698223e55b2af89dbdfa03abb33e22b94a55e00dd3b31263a703d540ca790f211ffad5aeb566d3eea6367daaaa534e0f8a4f38b6

Download Submit
C:\Windows\SysWOW64\wjbgnl.exe

Filesize
254KB

MD5
37403ed4a4530648833e2000329b4169

SHA1
d3765d301a410d5171cb1f4c4cdd95eab7faf4a0

SHA256
bf1c1025b180779def57e962744e5cab7df18beea689632b5bb5fec8b2f6c4ae

SHA512
478fd543309506bb3a72aca5681006c711c67def3109f20ef01898d5ffeaedda386a316ca3b73f260543f90d923bb0dbd82961072fb0a17f7e739c7565f12647

Download Submit
C:\Windows\SysWOW64\wjvnflj.exe

Filesize
254KB

MD5
0bdf157293ab8c4919b5ebe7d088a361

SHA1
567893a7670c0e6ac19814418b98ef6066909e35

SHA256
dcd0a89ab9f8549d7251dcfb65ebd83b5baff5a71ffacc1c17adf4c6b7897e44

SHA512
4627d7719cfe2bb137c34dc736a4b856415c8fd6edfa339735d0b7f3a110991113d303f366bf9f36157a7b9c55692f50376d586d43b0ad5a9b6277da06f37657

Download Submit
C:\Windows\SysWOW64\wkls.exe

Filesize
254KB

MD5
3cba662b867f509db4d91492cbf80f52

SHA1
dc9b0e0dd1210c7d8a7e0ce5861980eede95db37

SHA256
dc6f54cc2428589f618cf186c4e66646209c7f51dfdb3d215e7755b8628624b6

SHA512
0cf03b7c50850cf9aefae9f13279ef5c82eb3afad459ebe95d1853285880f28ba4086ccbaa0078993a3a3a40fe1647a5510af4db193f5e461546cb71595ba2c5

Download Submit
C:\Windows\SysWOW64\wkqwye.exe

Filesize
254KB

MD5
d2f6f9a0815e942be9dc5bee7b56a443

SHA1
8722fb63698223161359a08af42ad4494b2293a6

SHA256
24ab470b945d7a8cb7691483c2b33ccaa3310bb1039f45a5e07035b00d34c652

SHA512
c1ffa46842777501a15b5f791c48195d3dc3483b70f66b5ed7bd176ea63efc72dbc0ee19c292f1383a465b3d1bd9b39435c997b445d7f7b9e0a19fae62e9d530

Download Submit
C:\Windows\SysWOW64\wldeeu.exe

Filesize
254KB

MD5
eca66caa56ee64ba2a999f8f43e3c81a

SHA1
11f0f387d7615a188d46cc9f3ea1934263093d0e

SHA256
0abec494bdef80811ea25209f9c7589ffa9732ec7631913d8c09fbd264208716

SHA512
f65b8cc7f741fccd18fa14015687db1fa09c2cb1f3c90b31162a78b0708a43b1dae8f85966191b7fd9d42964005e1d757e7d2ad2c9aba861ae2d5a7547df4aa0

Download Submit
C:\Windows\SysWOW64\wlgafh.exe

Filesize
254KB

MD5
6fee65563cc192dc957388afa6e365da

SHA1
a08f3ee28dfa0d96af7078f7ee8f5d84615c118e

SHA256
163026c335ebc6019d990c3b0e97f4eb2c7c199264ac41f96f58283f6f86f879

SHA512
8c23baff686a32b0ba3cc71ef0b9700b2f74d242a5e2826b2448907f987ff8cf3bb3cee1ef4a3378d1d81f40fcaee6a3391511b0d3eadb8bbf5e3f898733c661

Download Submit
C:\Windows\SysWOW64\wlyyvw.exe

Filesize
254KB

MD5
b391d3ec03fa4e105d44ac39542ce2d9

SHA1
184f2ca83e612f828b2571f272717ee5f1866563

SHA256
3664c9d679f5eee2399e4144bc7a8c546091654c87513af904133ff3199bc438

SHA512
c77c9868bbee3017328bd8a84b23f7c941d47148db1e43f1e51723762634e4757284a38915b503f405df7266efb45e8df7c71527a59acac9bf4eacd80c78709f

Download Submit
C:\Windows\SysWOW64\wmeimuy.exe

Filesize
254KB

MD5
6ba3b7f6f2c8da07bbd3194a781b466f

SHA1
3f010017b65720aad75e724dc70e307ad04a266f

SHA256
e94d3ce1e4e15719c940b542c3f16d0993647e88774b0b9d717dc66b7deb2f4d

SHA512
0030d125f77b29168d7aea31283553b70f0e367f2ee070c092220b531dc2b1b84d930a7c13f178f79322b4e10bcd824604adbe5d48e75a1b70249e35c316c33a

Download Submit
C:\Windows\SysWOW64\wmuky.exe

Filesize
254KB

MD5
6b852b72f977767a71f555128fd4b348

SHA1
207e1c9233bae2e1450e66de1ecb34804e6d7884

SHA256
eaf478f033c798aa657e02bb6eec2b729f1d84d45dcf27ff17dea57cf6456652

SHA512
2913751b5c9b6175e54ae1702074cc29077653787e575ef29a8d26381ffa6b1c7b141e57a4c19d352fe2ec405a1bb9cd50095f9ac42897db97a6c54322eb0b86

Download Submit
C:\Windows\SysWOW64\wmuxb.exe

Filesize
254KB

MD5
04b7d0813beda41f38ff37068e9ff507

SHA1
27a7d57133d645bcbd40ccbd81836d088feadf89

SHA256
ef252f8d277aa2ace1a44c28d9bc588e8c0e0bf90583db904f44b6dae2b711ea

SHA512
b4154f274b8b4cd8a0d053022ccc068c6d5215e0b2153e314e27a9cc1695d9119e31aee59a0623c5cb2dfd9a746ee84b0358f4205ea08f0136578501dc73d7df

Download Submit
C:\Windows\SysWOW64\wnpyw.exe

Filesize
254KB

MD5
152491a510ef3dd749285dd89ee859db

SHA1
2c1db8d9140ca78b2c429debab270438fe95e418

SHA256
74c75dc5f1c27de51cfcf153f700fbdb4d2971bcfc512631aa58e254b58b6f8a

SHA512
e3e6a90608d0e3a94c02cffd7ecf0e1f254ed043eb56daea1f00ac9aaea0cc14b6948be4f999c69da2e9aabe8ab1b721e4273fa01cbcb17ee706a553886875ed

Download Submit
C:\Windows\SysWOW64\wnshf.exe

Filesize
254KB

MD5
0dfc9606b9e660c1d0a53e36842791d7

SHA1
f3094b6c27919f550f3e4c2e74209de51b42d01f

SHA256
18b9833c578d6e96c51d55064a19c38e07e9f7a7a066d599f55f51bb654ffb83

SHA512
759d60f3404e734f0f04d71450d248ef5f25d808817ef31d99696aadb7778c3dcd6cbc482d22ad3535235579d2e6f2539b7b71dcde9833dd45c1aca93c491d0d

Download Submit
C:\Windows\SysWOW64\wosbafqt.exe

Filesize
254KB

MD5
978bc5f0629d24fa9e30a9c0465536b3

SHA1
357384816a670a991749d302aa114e8cacdbc85e

SHA256
dccc74c2ae5c4f3f965ea3bf32989bf1ec2d9ba3c68fd9d467388691b9c079df

SHA512
5a91aa3a21370f10ba22c09af810df6b3ef62c99117c93928a585e3f7c70d3869a8a562f153c031c6d1e70a72811c79c021b134166e81644c6bc75ff086fa8e7

Download Submit
C:\Windows\SysWOW64\wruxme.exe

Filesize
254KB

MD5
db01f1ca0f202ce985a410106e8307e2

SHA1
94bcb39653c7383be6589487d3aa5cc1b07c4e6b

SHA256
61c25ca480014bf121fa06c766575f41a69ecf0042d0888e7f3734f4b450cdb6

SHA512
c2ddb88c1e633f199d783822c016cb29c5cf9d66622c68897cc99a5beb359c0c53128d6fee53195c198c65c8b0846f0b4aeea0f47eb4214572e9e0165070fe36

Download Submit
C:\Windows\SysWOW64\wsfccdt.exe

Filesize
254KB

MD5
d852ab798e5ade1e85a110b8f84694e6

SHA1
543143964d785481615382222dbf2f9aded18a8b

SHA256
3485ef6354239ee8f94a498a22db187b7db5382acae2b84567dc7d5ef44d25b3

SHA512
3131099c01dd6dd2b8e3f0fb1c45baf7fea36b33a558ef3d79db4738d19c3aed11ff162ae6bd53e07eedf12c39b3a7240601a4dfc8c959f70abca8f3e9b4bf76

Download Submit
C:\Windows\SysWOW64\wubat.exe

Filesize
254KB

MD5
12b0f6016ba81f02276851bc67f69fd2

SHA1
b55a0ee5d1736b77ae37fd06f9d560844b27987b

SHA256
7f192b15c940a989df7be308ba98e027796af625310cd30f5f50127b5bac059e

SHA512
220d772ab9aaa6d421e7b6b1c7cd44c0bdaed9f99c89c6e3f50d28494964a4cd0179a096a83aeba2ba4ab786aee65d983204b6a8f5e3bc39dbeef7536754f713

Download Submit
C:\Windows\SysWOW64\wuijxar.exe

Filesize
254KB

MD5
f424d4a6bb925deea54ac32b04b55871

SHA1
2cc512e820b35c2487c34b8be2a964044b7c79bc

SHA256
46758ce0ac0cbd15157e1b7f715a026eb754f9ab06f3abbf5e1bd2c2445020b7

SHA512
3445ba52878c4424049f33dadbb4f2967faf93e53170638c823be3a2ca30bfd9665ce9acc2eaad55391edf2607782ad0351c61667a74af39e0883b59bee00f08

Download Submit
C:\Windows\SysWOW64\wvjtuns.exe

Filesize
254KB

MD5
dbcf1a68854d5837e0f0d24930547c95

SHA1
aa35a365c69e9198dcdb856e580142666ff249f1

SHA256
cd8123164fabb4524436077588366ed1ee3f9aa7fd48076ee67d64ab5ba20d19

SHA512
7317786aed14339a479b6e0aa050d372608f655c19d41df9051fc08bc9f5e3213cc85649c86efb7c3d3e6700a3c153987cdeea806f60c439a223cdb9630e530d

Download Submit
C:\Windows\SysWOW64\wvmp.exe

Filesize
254KB

MD5
57fe20098d086f04a36cbba5ee907dd7

SHA1
7856b167f9d892a1b6810ae04b720a75bbf026c6

SHA256
90ced160c7a2236500a3502cbf4982188544098cc1349715d311af444d28a1f2

SHA512
ca61f08ef291722c92d3024f6265bd2bcaf476df9cc22b63a01fa0f68e1d8e06104eda3386fd3d27e838c99df0e6940e9adeb6108e8e95a8ed717c1c8c182acc

Download Submit
C:\Windows\SysWOW64\wvvojhtax.exe

Filesize
254KB

MD5
636242d07b17d4d95da7ccd900c5d1fd

SHA1
ad12a9f941343796374fe75b4f8704ed96cb5275

SHA256
53221f337d9a11004a3381950f782b55839a831c0059e18feeb442d8ee9a2550

SHA512
a316c21cc58d8414c3ab0eaa300927253f2b605518f3c136ba908b9d8bfd833d3b6f014b836105f17c31c8bd19d3238298f652be1d4ba88aa296268ae3497fe2

Download Submit
C:\Windows\SysWOW64\wwnyis.exe

Filesize
253KB

MD5
92e6e28c4a6db034dccf2e348c6c7960

SHA1
cb6b842dda9af9cc51deb813b69d626eff4c5d29

SHA256
8d72d7a5e10547c5a6edbcc51b3735b190c3e603a1f043adc268f3cd7f478d8e

SHA512
fd0cd02a6087aee38bdd38325786b78528f0809eb62724dd6cddf99589bf556d1e2f990d6472e2ec50bcd430568a107fc69fb4ab1d8c91621dad554dd1fed2e0

Download Submit
C:\Windows\SysWOW64\wxwgifx.exe

Filesize
253KB

MD5
26e31e624137fee089d3c36a1a19856b

SHA1
930385335d1a834d74187ed7735789d3e80ceb87

SHA256
7905edfb5b4f28e9ac9db033cc15648053f43dfdad5cabf02f38f927841ed67c

SHA512
c4cb25a4db79a75c1e34b03b53945974970c2c963da49d1307dfd85a1a7877a95cfae7245e119ba7f4d874337be9a3ae3dab8ee35ea00e2fd128d4f416350358

Download Submit
C:\Windows\SysWOW64\wyouwyldo.exe

Filesize
254KB

MD5
44e85ac74ada2293b3f778e058b94d49

SHA1
cfacb97163e12666e9925864855837b71ad7ee28

SHA256
2a5c1c8ef53a11ed18832dc7f82a841a727beb3bec0f56a81b8e9bf644530cb8

SHA512
80a7effc65c5addc7a7e1ea9de6d49358af17ff19d48748f58fa588f01e6ea308efe80e33907852e28df5a79a5d0fadc1ff2c64415c55ebbcf0e7d55746b2763

Download Submit
memory/436-118-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/436-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/548-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1120-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1120-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1436-357-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1904-309-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1992-374-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1992-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2468-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2468-119-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-258-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-247-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2848-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-366-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2960-236-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3044-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3052-408-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3128-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3128-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3276-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3276-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3344-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3396-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3512-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3584-183-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3584-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-425-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3748-87-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3748-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3836-400-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3848-433-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4088-278-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4220-86-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4220-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4244-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4244-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4252-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4256-268-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4256-257-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4400-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4400-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4476-330-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4780-365-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4780-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-299-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-288-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4932-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4932-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4968-320-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4996-409-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4996-417-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download