58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe
Size

447KB
MD5

6c174ad268701e2f55a6f94cddd36c66
SHA1

0fd8066ac8df6df126edc04fa8af26164267b303
SHA256

58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05
SHA512

e27700946caa3cbefe1186df35556dbf7d62cf1d0bd3a017ffe5748eee462a2b1b4cca35b169ff225e5e59ecba06edc60084db495c9bc27a680a44b422b96e12
SSDEEP

12288:QT6SZhP46SCTbSwgS1IaPRJbDh4i0vm4OsKN5sTuGZ0:QThhP46SCTbSwgS1IaPRJbDh4i0vm4OJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdqpsfwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wbslr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wjefsnbt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wqlmvfqyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wfomwbrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnwjxcg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wurgxreal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtpauybv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnqshd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wiesysd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmsarr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wooudty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wsrjthfds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wsope.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtsvbkos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whrmqrbm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwjye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwioalb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wgit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wyacd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwyauvk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdsuc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wxxeye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	weekktq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwbub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wisxgeihl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wcrsiwpi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wltawy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wkjxvnq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	waei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpmaenqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnjifa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wrebki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wsdbeoe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtlnrhu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdpeqg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wocngj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wowhhkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wgfulo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whvxqaxtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wgeoqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wrhfan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wvirhi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlnk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmgatc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdrhob.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wvkohs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whdcup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wumfpgp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wrgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wukaacgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wibjiol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	weseisa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wgeonhow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wxtxre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdjvojm.exe

Executes dropped EXE 64 IoCs

pid	Process
1508	wurgxreal.exe
4780	wim.exe
2108	whpywa.exe
4496	waei.exe
2280	wsrjthfds.exe
4616	wibjiol.exe
2848	wanj.exe
868	wtpauybv.exe
1536	wmdb.exe
1292	wlxm.exe
2388	wnjfcn.exe
2868	wnqshd.exe
2496	wgfurih.exe
2592	wdqpsfwa.exe
3628	weekktq.exe
4976	wwbub.exe
2064	wtosdx.exe
2972	wltqyf.exe
656	wisxgeihl.exe
400	wiesysd.exe
4272	wcrsiwpi.exe
2368	wxo.exe
4828	wwjye.exe
2168	wgfulo.exe
5072	wfoirf.exe
4344	wdafscgk.exe
2712	wsdbeoe.exe
2232	wwyauvk.exe
4420	wwioalb.exe
3324	weseisa.exe
4236	wbslr.exe
820	wfxunw.exe
4880	wdsuc.exe
4352	wdjvojm.exe
1936	wmjbojcxq.exe
3000	wtlnrhu.exe
2096	whvxqaxtc.exe
832	whna.exe
4296	wlnh.exe
3284	wmsarr.exe
1744	wus.exe
3828	wgeoqm.exe
2752	wsnyq.exe
3500	wdpeqg.exe
3976	whdcup.exe
3308	wltawy.exe
1536	wlnk.exe
4408	wplksyfm.exe
408	wsope.exe
3396	wocngj.exe
3028	wtsvbkos.exe
804	wiuqnxmb.exe
1932	wjefsnbt.exe
4520	wooudty.exe
3628	wowhhkp.exe
1516	wmyu.exe
3904	wrhfan.exe
364	wnemglnb.exe
4244	whrmqrbm.exe
1720	wumfpgp.exe
3800	wqlmvfqyy.exe
2448	wnwjxcg.exe
960	wrgt.exe
4892	wmhk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wdafscgk.exe	wfoirf.exe
File opened for modification	C:\Windows\SysWOW64\wfxunw.exe	wbslr.exe
File opened for modification	C:\Windows\SysWOW64\wtlnrhu.exe	wmjbojcxq.exe
File opened for modification	C:\Windows\SysWOW64\whna.exe	whvxqaxtc.exe
File created	C:\Windows\SysWOW64\wwbub.exe	weekktq.exe
File created	C:\Windows\SysWOW64\wiesysd.exe	wisxgeihl.exe
File opened for modification	C:\Windows\SysWOW64\wcrsiwpi.exe	wiesysd.exe
File created	C:\Windows\SysWOW64\wdpeqg.exe	wsnyq.exe
File created	C:\Windows\SysWOW64\wsope.exe	wplksyfm.exe
File opened for modification	C:\Windows\SysWOW64\wpmaenqp.exe	wxayuje.exe
File created	C:\Windows\SysWOW64\wltqyf.exe	wtosdx.exe
File created	C:\Windows\SysWOW64\wnjifa.exe	wfomwbrs.exe
File opened for modification	C:\Windows\SysWOW64\wxayuje.exe	wcfmh.exe
File opened for modification	C:\Windows\SysWOW64\wnqshd.exe	wnjfcn.exe
File created	C:\Windows\SysWOW64\wbslr.exe	weseisa.exe
File created	C:\Windows\SysWOW64\wgeoqm.exe	wus.exe
File created	C:\Windows\SysWOW64\wnqshd.exe	wnjfcn.exe
File opened for modification	C:\Windows\SysWOW64\wwbub.exe	weekktq.exe
File created	C:\Windows\SysWOW64\wgfulo.exe	wwjye.exe
File created	C:\Windows\SysWOW64\wowhhkp.exe	wooudty.exe
File created	C:\Windows\SysWOW64\wrgt.exe	wnwjxcg.exe
File opened for modification	C:\Windows\SysWOW64\wvirhi.exe	wvkohs.exe
File created	C:\Windows\SysWOW64\wubr.exe	wpkk.exe
File opened for modification	C:\Windows\SysWOW64\wibjiol.exe	wsrjthfds.exe
File created	C:\Windows\SysWOW64\weekktq.exe	wdqpsfwa.exe
File created	C:\Windows\SysWOW64\wfoirf.exe	wgfulo.exe
File opened for modification	C:\Windows\SysWOW64\wtsvbkos.exe	wocngj.exe
File opened for modification	C:\Windows\SysWOW64\wowhhkp.exe	wooudty.exe
File opened for modification	C:\Windows\SysWOW64\whrmqrbm.exe	wnemglnb.exe
File created	C:\Windows\SysWOW64\wqpuu.exe	wmhk.exe
File created	C:\Windows\SysWOW64\wpmaenqp.exe	wxayuje.exe
File created	C:\Windows\SysWOW64\waei.exe	whpywa.exe
File opened for modification	C:\Windows\SysWOW64\wxxeye.exe	wwoquo.exe
File created	C:\Windows\SysWOW64\wmjbojcxq.exe	wdjvojm.exe
File opened for modification	C:\Windows\SysWOW64\wwbke.exe	wqpuu.exe
File opened for modification	C:\Windows\SysWOW64\wmgatc.exe	wkjxvnq.exe
File opened for modification	C:\Windows\SysWOW64\wfomwbrs.exe	wcbion.exe
File opened for modification	C:\Windows\SysWOW64\wvkohs.exe	wgit.exe
File opened for modification	C:\Windows\SysWOW64\wltqyf.exe	wtosdx.exe
File created	C:\Windows\SysWOW64\wnjfcn.exe	wlxm.exe
File opened for modification	C:\Windows\SysWOW64\wnjfcn.exe	wlxm.exe
File opened for modification	C:\Windows\SysWOW64\wsdbeoe.exe	wdafscgk.exe
File opened for modification	C:\Windows\SysWOW64\wbslr.exe	weseisa.exe
File created	C:\Windows\SysWOW64\wdjvojm.exe	wdsuc.exe
File created	C:\Windows\SysWOW64\wyacd.exe	wgncuveo.exe
File created	C:\Windows\SysWOW64\wanj.exe	wibjiol.exe
File created	C:\Windows\SysWOW64\wdqpsfwa.exe	wgfurih.exe
File created	C:\Windows\SysWOW64\wfxunw.exe	wbslr.exe
File created	C:\Windows\SysWOW64\wjefsnbt.exe	wiuqnxmb.exe
File created	C:\Windows\SysWOW64\wwoquo.exe	wrebki.exe
File created	C:\Windows\SysWOW64\wvkohs.exe	wgit.exe
File created	C:\Windows\SysWOW64\whpywa.exe	wim.exe
File created	C:\Windows\SysWOW64\wisxgeihl.exe	wltqyf.exe
File opened for modification	C:\Windows\SysWOW64\wwyauvk.exe	wsdbeoe.exe
File opened for modification	C:\Windows\SysWOW64\wrhfan.exe	wmyu.exe
File created	C:\Windows\SysWOW64\wnemglnb.exe	wrhfan.exe
File opened for modification	C:\Windows\SysWOW64\wqpuu.exe	wmhk.exe
File opened for modification	C:\Windows\SysWOW64\wgeonhow.exe	wvirhi.exe
File created	C:\Windows\SysWOW64\wpkk.exe	wyacd.exe
File opened for modification	C:\Windows\SysWOW64\wtosdx.exe	wwbub.exe
File opened for modification	C:\Windows\SysWOW64\wgeoqm.exe	wus.exe
File created	C:\Windows\SysWOW64\whdcup.exe	wdpeqg.exe
File created	C:\Windows\SysWOW64\wqlmvfqyy.exe	wumfpgp.exe
File opened for modification	C:\Windows\SysWOW64\wdrhob.exe	wukaacgm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
452	1508	WerFault.exe	85
2212	2108	WerFault.exe	95
2296	1292	WerFault.exe	118
116	3324	WerFault.exe	183
2112	1516	WerFault.exe	264
2748	4892	WerFault.exe	290
1276	4232	WerFault.exe	304
3988	4416	WerFault.exe	321
748	3496	WerFault.exe	356

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1508	2996	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe	85
PID 2996 wrote to memory of 1508	2996	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe	85
PID 2996 wrote to memory of 1508	2996	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe	85
PID 2996 wrote to memory of 3460	2996	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe	87
PID 2996 wrote to memory of 3460	2996	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe	87
PID 2996 wrote to memory of 3460	2996	58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe	87
PID 1508 wrote to memory of 4780	1508	wurgxreal.exe	89
PID 1508 wrote to memory of 4780	1508	wurgxreal.exe	89
PID 1508 wrote to memory of 4780	1508	wurgxreal.exe	89
PID 1508 wrote to memory of 4804	1508	wurgxreal.exe	90
PID 1508 wrote to memory of 4804	1508	wurgxreal.exe	90
PID 1508 wrote to memory of 4804	1508	wurgxreal.exe	90
PID 4780 wrote to memory of 2108	4780	wim.exe	95
PID 4780 wrote to memory of 2108	4780	wim.exe	95
PID 4780 wrote to memory of 2108	4780	wim.exe	95
PID 4780 wrote to memory of 2148	4780	wim.exe	96
PID 4780 wrote to memory of 2148	4780	wim.exe	96
PID 4780 wrote to memory of 2148	4780	wim.exe	96
PID 2108 wrote to memory of 4496	2108	whpywa.exe	98
PID 2108 wrote to memory of 4496	2108	whpywa.exe	98
PID 2108 wrote to memory of 4496	2108	whpywa.exe	98
PID 2108 wrote to memory of 736	2108	whpywa.exe	99
PID 2108 wrote to memory of 736	2108	whpywa.exe	99
PID 2108 wrote to memory of 736	2108	whpywa.exe	99
PID 4496 wrote to memory of 2280	4496	waei.exe	103
PID 4496 wrote to memory of 2280	4496	waei.exe	103
PID 4496 wrote to memory of 2280	4496	waei.exe	103
PID 4496 wrote to memory of 3488	4496	waei.exe	104
PID 4496 wrote to memory of 3488	4496	waei.exe	104
PID 4496 wrote to memory of 3488	4496	waei.exe	104
PID 2280 wrote to memory of 4616	2280	wsrjthfds.exe	106
PID 2280 wrote to memory of 4616	2280	wsrjthfds.exe	106
PID 2280 wrote to memory of 4616	2280	wsrjthfds.exe	106
PID 2280 wrote to memory of 616	2280	wsrjthfds.exe	107
PID 2280 wrote to memory of 616	2280	wsrjthfds.exe	107
PID 2280 wrote to memory of 616	2280	wsrjthfds.exe	107
PID 4616 wrote to memory of 2848	4616	wibjiol.exe	109
PID 4616 wrote to memory of 2848	4616	wibjiol.exe	109
PID 4616 wrote to memory of 2848	4616	wibjiol.exe	109
PID 4616 wrote to memory of 4876	4616	wibjiol.exe	110
PID 4616 wrote to memory of 4876	4616	wibjiol.exe	110
PID 4616 wrote to memory of 4876	4616	wibjiol.exe	110
PID 2848 wrote to memory of 868	2848	wanj.exe	112
PID 2848 wrote to memory of 868	2848	wanj.exe	112
PID 2848 wrote to memory of 868	2848	wanj.exe	112
PID 2848 wrote to memory of 2400	2848	wanj.exe	113
PID 2848 wrote to memory of 2400	2848	wanj.exe	113
PID 2848 wrote to memory of 2400	2848	wanj.exe	113
PID 868 wrote to memory of 1536	868	wtpauybv.exe	115
PID 868 wrote to memory of 1536	868	wtpauybv.exe	115
PID 868 wrote to memory of 1536	868	wtpauybv.exe	115
PID 868 wrote to memory of 3452	868	wtpauybv.exe	116
PID 868 wrote to memory of 3452	868	wtpauybv.exe	116
PID 868 wrote to memory of 3452	868	wtpauybv.exe	116
PID 1536 wrote to memory of 1292	1536	wmdb.exe	118
PID 1536 wrote to memory of 1292	1536	wmdb.exe	118
PID 1536 wrote to memory of 1292	1536	wmdb.exe	118
PID 1536 wrote to memory of 1420	1536	wmdb.exe	119
PID 1536 wrote to memory of 1420	1536	wmdb.exe	119
PID 1536 wrote to memory of 1420	1536	wmdb.exe	119
PID 1292 wrote to memory of 2388	1292	wlxm.exe	121
PID 1292 wrote to memory of 2388	1292	wlxm.exe	121
PID 1292 wrote to memory of 2388	1292	wlxm.exe	121
PID 1292 wrote to memory of 2820	1292	wlxm.exe	122

C:\Users\Admin\AppData\Local\Temp\58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe
"C:\Users\Admin\AppData\Local\Temp\58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\wurgxreal.exe
  "C:\Windows\system32\wurgxreal.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\wim.exe
    "C:\Windows\system32\wim.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\whpywa.exe
      "C:\Windows\system32\whpywa.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\waei.exe
        
        "C:\Windows\system32\waei.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\wsrjthfds.exe
        
        "C:\Windows\system32\wsrjthfds.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\wibjiol.exe
        
        "C:\Windows\system32\wibjiol.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\wanj.exe
        
        "C:\Windows\system32\wanj.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\wtpauybv.exe
        
        "C:\Windows\system32\wtpauybv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\wmdb.exe
        
        "C:\Windows\system32\wmdb.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\wlxm.exe
        
        "C:\Windows\system32\wlxm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\wnjfcn.exe
        
        "C:\Windows\system32\wnjfcn.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\wnqshd.exe
        
        "C:\Windows\system32\wnqshd.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\wgfurih.exe
        
        "C:\Windows\system32\wgfurih.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wdqpsfwa.exe
        
        "C:\Windows\system32\wdqpsfwa.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\weekktq.exe
        
        "C:\Windows\system32\weekktq.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\wwbub.exe
        
        "C:\Windows\system32\wwbub.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\wtosdx.exe
        
        "C:\Windows\system32\wtosdx.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\wltqyf.exe
        
        "C:\Windows\system32\wltqyf.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\wisxgeihl.exe
        
        "C:\Windows\system32\wisxgeihl.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\wiesysd.exe
        
        "C:\Windows\system32\wiesysd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\wcrsiwpi.exe
        
        "C:\Windows\system32\wcrsiwpi.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\wxo.exe
        
        "C:\Windows\system32\wxo.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\wwjye.exe
        
        "C:\Windows\system32\wwjye.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\wgfulo.exe
        
        "C:\Windows\system32\wgfulo.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\wfoirf.exe
        
        "C:\Windows\system32\wfoirf.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\wdafscgk.exe
        
        "C:\Windows\system32\wdafscgk.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\wsdbeoe.exe
        
        "C:\Windows\system32\wsdbeoe.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\wwyauvk.exe
        
        "C:\Windows\system32\wwyauvk.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\wwioalb.exe
        
        "C:\Windows\system32\wwioalb.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\weseisa.exe
        
        "C:\Windows\system32\weseisa.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\wbslr.exe
        
        "C:\Windows\system32\wbslr.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\wfxunw.exe
        
        "C:\Windows\system32\wfxunw.exe"
        33⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\wdsuc.exe
        
        "C:\Windows\system32\wdsuc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\wdjvojm.exe
        
        "C:\Windows\system32\wdjvojm.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\wmjbojcxq.exe
        
        "C:\Windows\system32\wmjbojcxq.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wtlnrhu.exe
        
        "C:\Windows\system32\wtlnrhu.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\whvxqaxtc.exe
        
        "C:\Windows\system32\whvxqaxtc.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\whna.exe
        
        "C:\Windows\system32\whna.exe"
        39⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\wlnh.exe
        
        "C:\Windows\system32\wlnh.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\wmsarr.exe
        
        "C:\Windows\system32\wmsarr.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\wus.exe
        
        "C:\Windows\system32\wus.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\wgeoqm.exe
        
        "C:\Windows\system32\wgeoqm.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\wsnyq.exe
        
        "C:\Windows\system32\wsnyq.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\wdpeqg.exe
        
        "C:\Windows\system32\wdpeqg.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\whdcup.exe
        
        "C:\Windows\system32\whdcup.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\wltawy.exe
        
        "C:\Windows\system32\wltawy.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\wlnk.exe
        
        "C:\Windows\system32\wlnk.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\wplksyfm.exe
        
        "C:\Windows\system32\wplksyfm.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\wsope.exe
        
        "C:\Windows\system32\wsope.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\wocngj.exe
        
        "C:\Windows\system32\wocngj.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\wtsvbkos.exe
        
        "C:\Windows\system32\wtsvbkos.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\wiuqnxmb.exe
        
        "C:\Windows\system32\wiuqnxmb.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\wjefsnbt.exe
        
        "C:\Windows\system32\wjefsnbt.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\wooudty.exe
        
        "C:\Windows\system32\wooudty.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\wowhhkp.exe
        
        "C:\Windows\system32\wowhhkp.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\wmyu.exe
        
        "C:\Windows\system32\wmyu.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\wrhfan.exe
        
        "C:\Windows\system32\wrhfan.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\wnemglnb.exe
        
        "C:\Windows\system32\wnemglnb.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\whrmqrbm.exe
        
        "C:\Windows\system32\whrmqrbm.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\wumfpgp.exe
        
        "C:\Windows\system32\wumfpgp.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\wqlmvfqyy.exe
        
        "C:\Windows\system32\wqlmvfqyy.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\wnwjxcg.exe
        
        "C:\Windows\system32\wnwjxcg.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\wrgt.exe
        
        "C:\Windows\system32\wrgt.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\wmhk.exe
        
        "C:\Windows\system32\wmhk.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\wqpuu.exe
        
        "C:\Windows\system32\wqpuu.exe"
        66⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\wwbke.exe
        
        "C:\Windows\system32\wwbke.exe"
        67⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\wcfmh.exe
        
        "C:\Windows\system32\wcfmh.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\wxayuje.exe
        
        "C:\Windows\system32\wxayuje.exe"
        69⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\wpmaenqp.exe
        
        "C:\Windows\system32\wpmaenqp.exe"
        70⤵
        Checks computer location settings
        
        PID:5100
        
        C:\Windows\SysWOW64\wkjxvnq.exe
        
        "C:\Windows\system32\wkjxvnq.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\wmgatc.exe
        
        "C:\Windows\system32\wmgatc.exe"
        72⤵
        Checks computer location settings
        
        PID:824
        
        C:\Windows\SysWOW64\wrebki.exe
        
        "C:\Windows\system32\wrebki.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\wwoquo.exe
        
        "C:\Windows\system32\wwoquo.exe"
        74⤵
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\wxxeye.exe
        
        "C:\Windows\system32\wxxeye.exe"
        75⤵
        Checks computer location settings
        
        PID:1828
        
        C:\Windows\SysWOW64\wukaacgm.exe
        
        "C:\Windows\system32\wukaacgm.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\wdrhob.exe
        
        "C:\Windows\system32\wdrhob.exe"
        77⤵
        Checks computer location settings
        
        PID:1012
        
        C:\Windows\SysWOW64\wxtxre.exe
        
        "C:\Windows\system32\wxtxre.exe"
        78⤵
        Checks computer location settings
        
        PID:3212
        
        C:\Windows\SysWOW64\wcbion.exe
        
        "C:\Windows\system32\wcbion.exe"
        79⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\wfomwbrs.exe
        
        "C:\Windows\system32\wfomwbrs.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\wnjifa.exe
        
        "C:\Windows\system32\wnjifa.exe"
        81⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Windows\SysWOW64\wgit.exe
        
        "C:\Windows\system32\wgit.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\wvkohs.exe
        
        "C:\Windows\system32\wvkohs.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\wvirhi.exe
        
        "C:\Windows\system32\wvirhi.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\wgeonhow.exe
        
        "C:\Windows\system32\wgeonhow.exe"
        85⤵
        Checks computer location settings
        
        PID:3496
        
        C:\Windows\SysWOW64\wgncuveo.exe
        
        "C:\Windows\system32\wgncuveo.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wyacd.exe
        
        "C:\Windows\system32\wyacd.exe"
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\wpkk.exe
        
        "C:\Windows\system32\wpkk.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyacd.exe"
        88⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgncuveo.exe"
        87⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeonhow.exe"
        86⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1564
        86⤵
        Program crash
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvirhi.exe"
        85⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkohs.exe"
        84⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgit.exe"
        83⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjifa.exe"
        82⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfomwbrs.exe"
        81⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbion.exe"
        80⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtxre.exe"
        79⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrhob.exe"
        78⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukaacgm.exe"
        77⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxeye.exe"
        76⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwoquo.exe"
        75⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1352
        75⤵
        Program crash
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrebki.exe"
        74⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgatc.exe"
        73⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjxvnq.exe"
        72⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmaenqp.exe"
        71⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxayuje.exe"
        70⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 116
        70⤵
        Program crash
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcfmh.exe"
        69⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbke.exe"
        68⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpuu.exe"
        67⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhk.exe"
        66⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1700
        66⤵
        Program crash
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgt.exe"
        65⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwjxcg.exe"
        64⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlmvfqyy.exe"
        63⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumfpgp.exe"
        62⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrmqrbm.exe"
        61⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnemglnb.exe"
        60⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhfan.exe"
        59⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyu.exe"
        58⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1668
        58⤵
        Program crash
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowhhkp.exe"
        57⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wooudty.exe"
        56⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjefsnbt.exe"
        55⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuqnxmb.exe"
        54⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsvbkos.exe"
        53⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocngj.exe"
        52⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsope.exe"
        51⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplksyfm.exe"
        50⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnk.exe"
        49⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltawy.exe"
        48⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdcup.exe"
        47⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpeqg.exe"
        46⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnyq.exe"
        45⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeoqm.exe"
        44⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wus.exe"
        43⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsarr.exe"
        42⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnh.exe"
        41⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whna.exe"
        40⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvxqaxtc.exe"
        39⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlnrhu.exe"
        38⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjbojcxq.exe"
        37⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjvojm.exe"
        36⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsuc.exe"
        35⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxunw.exe"
        34⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbslr.exe"
        33⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weseisa.exe"
        32⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1708
        32⤵
        Program crash
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwioalb.exe"
        31⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyauvk.exe"
        30⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdbeoe.exe"
        29⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdafscgk.exe"
        28⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfoirf.exe"
        27⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfulo.exe"
        26⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjye.exe"
        25⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxo.exe"
        24⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrsiwpi.exe"
        23⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiesysd.exe"
        22⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisxgeihl.exe"
        21⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltqyf.exe"
        20⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtosdx.exe"
        19⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbub.exe"
        18⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weekktq.exe"
        17⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqpsfwa.exe"
        16⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfurih.exe"
        15⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqshd.exe"
        14⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjfcn.exe"
        13⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxm.exe"
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1448
        12⤵
        Program crash
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdb.exe"
        11⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpauybv.exe"
        10⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanj.exe"
        9⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibjiol.exe"
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrjthfds.exe"
        7⤵
        
        PID:616
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waei.exe"
        6⤵
        
        PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpywa.exe"
        5⤵
        
        PID:736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1704
        5⤵
        Program crash
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wim.exe"
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurgxreal.exe"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1536
    3⤵
    - Program crash
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\58c9a81f103a38283dfd69749c0d1886dc9dfde5f633ec4b2a8f57f939c38f05.exe"
  2⤵
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1508 -ip 1508
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2108 -ip 2108
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1292 -ip 1292
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3324 -ip 3324
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1516 -ip 1516
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4892 -ip 4892
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4232 -ip 4232
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4416 -ip 4416
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3496 -ip 3496
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\waei.exe

Filesize
447KB

MD5
a289a3ad91388596ce16284d0344d8e0

SHA1
90c7c665c2a047af628acaffb3d179232405095a

SHA256
6930af7b840c129ca656e7d7fca52d6abc45919ea9baad0cfa10c7c09ad25818

SHA512
775957765c8c106c08e791e8f8cd12a3706c2d6c378a1e8c957a0a7a48b5eed2f9a65913136999d0d1883bf87f6d307dbba34661cb28892f0dffa7f613f3d343

Download Submit
C:\Windows\SysWOW64\wanj.exe

Filesize
447KB

MD5
4f653af5289e53e15d3ac68bf3ebbfb3

SHA1
7193aff5f39b2b3d08f161b11e61cbd186111300

SHA256
675850bf2ee4cbdcc0fda599079eec21e257463979be38e98d2c5a98d946e2bd

SHA512
b915fddb02c96dea2effd5f527ba91b3f02f5e411e140046ddefeac818d45bf578d0a0eee0ffe070df6ba80002301b7d482947c72fa8c29e072ae5a3831984b3

Download Submit
C:\Windows\SysWOW64\wbslr.exe

Filesize
448KB

MD5
8f29999016eaf62303e3c114dd8c4c44

SHA1
5a83ee57723251d17cc078c22edf16c940cb65f5

SHA256
693cc8e9386046828a09c1da9dbf47411b7c6657983baac2ddc6849f502a6692

SHA512
9fc51bbc8053e99450b50586380834c02cbd9eedeb0df2ab9c86a4f025781360d6c228302c77c651932e0ac9189e974e431bc2e3e568baed6169285b0eece534

Download Submit
C:\Windows\SysWOW64\wcrsiwpi.exe

Filesize
447KB

MD5
b8270ef57f593d3b50fbb72d8a7caa18

SHA1
b215b2e4cea08b082a129493422e80b62b9983cf

SHA256
a303f7dbd824ee5a17e8eabd65f38870e040901289950766cc71faf713730d8d

SHA512
ca4f68c7b66a7b65bf96371886397d9ad068c17d2ece89fc378ce6278ce7786edd23f65236e80de8338fa03c38667b4c5974e1fe903998acd0f1a864ce00354c

Download Submit
C:\Windows\SysWOW64\wdafscgk.exe

Filesize
447KB

MD5
092e1209461cd6330030cdbaae982e91

SHA1
f1e24ab85c78defe9ff48486bb6396b4052be56b

SHA256
a9220a757bd840274b5fbf8c33ee54a65c80bee87e05e92326b652435c242906

SHA512
1cd7d828dcd20c40aaa7d41be51f221397b339226782d496f972cfc4e60de4e532199ddb6d3a1e18ca266bb1f985074d73311d10dc8f88a7d724f0b213d64641

Download Submit
C:\Windows\SysWOW64\wdqpsfwa.exe

Filesize
447KB

MD5
d4d6c2471baccdcb7c631a78b790a5b8

SHA1
53051668ebd09d06ff687ecfc478832647da6e8c

SHA256
acca662d3a93dc44cb47b12a973265866ffb57004bac1af5151b0cb6a8db8567

SHA512
d06511f4d0339f8e302b49d8e741acd85eb828535ca637b3dc18695574486e1ae9dad3ef57fd97cbad7bf36ceebff2240846d35d95384f2484aea5a7980be8c7

Download Submit
C:\Windows\SysWOW64\weekktq.exe

Filesize
447KB

MD5
3d18ba4956418c5272cb848a04b14768

SHA1
d0e140ff3a4c3f5e11bb349ef04bf8c1745e2b28

SHA256
38f36fa9dbfdbe68671b2f56c4258d5e5ab3f9ddc6a2a3d3afa4f24be979cc6e

SHA512
5256866ebeaebd8f03ea4c0e44bc6a3d46ca32f173940fe10a56814b57b97e5dfd85db96cbf62107bb93a12056c3274c6428db433cd8fb5a4837cb0ca6537ba8

Download Submit
C:\Windows\SysWOW64\weseisa.exe

Filesize
448KB

MD5
bcaf7aebc9fc57836d5eff3e42d5bdb7

SHA1
8470a04eaf35829afe1bc99ab0e44fb65817ee42

SHA256
44f8e0ace982c986399012837a8ef1f1ee6522841021446166471529681adb18

SHA512
8eb886151cc0fbd1982c1715d49f524802a90e0f0d84f282a2b1944f999f7ea6d400f10e086da0fcd941b3d340243e24144c5f89d6759ffdc56a3776e01eab98

Download Submit
C:\Windows\SysWOW64\wfoirf.exe

Filesize
447KB

MD5
390e4de77ff3550626ac85e6c77b25e0

SHA1
a3de63b0f484139a3763d8ada4ba18c6f350e826

SHA256
10e7d29a47b557b4e1522e562becf6ea9884a5f844088bf86a1a4e7df04a0a44

SHA512
f4d1d7fa6ecbf9a66c405e9b020adc5ca7af01853260ac26bf4e8d111153e845bd6f2e34f45a1c2f2d00c6d14d69e726936222b06b7a24f213f3cb0dcac16623

Download Submit
C:\Windows\SysWOW64\wfxunw.exe

Filesize
448KB

MD5
e7e5e9684c3e84db00476798487522f8

SHA1
ff17b1394fd2980d9cb54c212239b9d41892dddf

SHA256
efd4abaacc9435704aca6cde2ba171b306a93100c5b026ddc05ea994de71a3ce

SHA512
b451e238a19ca4b7feb1aeafcdf1dd2faec76f74786f452e3c1a6c0df7c04717804ac23d08d330c7a234588ab4840d7a7c76e39da543fda6fcb11b33de170228

Download Submit
C:\Windows\SysWOW64\wgfulo.exe

Filesize
447KB

MD5
520d3222187390c769d51f1fd9b29773

SHA1
431cddd7fa3709b17d2c58b2d69d3b91a870cf61

SHA256
449569aa2d9d6d942a9e160303aa60b806bdd4d1cb9e760ff667f01a534fa344

SHA512
5b319fd3136bb441aa792cab11afa96cb9eee0a9f1c628fab3ee0ef3bd4d2686473c490e541d696521b099e1910f5cc4d9c6e4eb3c0e96ad4e1228b5e9f4b2d3

Download Submit
C:\Windows\SysWOW64\wgfurih.exe

Filesize
447KB

MD5
05ed8a3effc54fb78026ad7372d70157

SHA1
0d13b909e42ccb4ca9025025036d1e0c087fbabb

SHA256
6dfccb557d45cfd6f5ddd59ef5d34411b27b95cb8559b99ada9ad1d7241ec877

SHA512
ed6f307f23c18dcadf0edc040f4a77d6a4c28aca86f93ecc74090f6ebfa1da42da41660edf50c98d9761df5e271ce8c090f28811e92020461743ba43014b5eb6

Download Submit
C:\Windows\SysWOW64\whpywa.exe

Filesize
447KB

MD5
e01b9313566c38d766ff8fb3944d2411

SHA1
18376a983ce4f8bf660038712fd30bb01f280d98

SHA256
c989720a3d3b2de19dfbe6c05908036e862b29953fbb44060b7cdb48af633407

SHA512
696cfa937e745b5892e9874430e608501c00f13f3493dae6a5930ee5ac7c7e95c3ee6a4ddef14f05b38fcd97e29a98dfbbdf928b1c712b0c3c3297048dd06afe

Download Submit
C:\Windows\SysWOW64\wibjiol.exe

Filesize
447KB

MD5
698981947b62aec7bf9f2a47ffdee01f

SHA1
ae5181c73088ed8ca6e13f546034ddaf0541fb27

SHA256
5d44ea2b0c1d6edf6f9563891f0b3b6a51ba1fb43fe41da5149c9dbb815d879c

SHA512
095627e8bad020410613d96d0c841894d58ae48875eb23815480019c2c1c946bb9244d610e164dbf1cfa3ec2ca17ae181b04caeb4aefe3ae02412966c04203ad

Download Submit
C:\Windows\SysWOW64\wiesysd.exe

Filesize
447KB

MD5
0a186972ae2d9d179ba19486115df9a8

SHA1
b275d107bd1b7172198d960aac29772b52f0cb97

SHA256
1926f5cdbabdc59e2efc8f253e490d09f2df256aea7024ae8055fd243ff484f5

SHA512
56c8bf25a23f22f08d5ad4ce26b7719b0e941450cb1841905629c2ba005cb79b67634034ea9b7a5343cdd3b49c61237bed76a100a587391cfbf3b17a8431f22a

Download Submit
C:\Windows\SysWOW64\wim.exe

Filesize
447KB

MD5
2d55738bd240d9b866e2f825e96db632

SHA1
e99c44dee6f46ef19d8530d60cc732562ece9b70

SHA256
1e31f7f9f393e6fe780e5dc7e9b7afd963d58cf96435b3a3f85ebd1c4e16d676

SHA512
0712e04461e5291e1c5b70c93c863868bdd4000a655f8d5edc6be8db4ddde1c85badaad34ada7fdbd0c7b625d55e4523fbcdac96fc74b646012785d2ff1b8149

Download Submit
C:\Windows\SysWOW64\wisxgeihl.exe

Filesize
447KB

MD5
83eed5de1a6bbd1182dccc9c077c37da

SHA1
0ab22df8b1417bba3346e31f62dd91401f4ada4d

SHA256
0f12d3b3be9dafaaed69521c3efa56aeb44f6e57b24192156c670718f7cebe8b

SHA512
f919976279c6766a98696e34dfa3f0d1fefde201b2362d6948d817dc6fef416d450473f7e163d56503af4e663c5113bd1dc490432d09fea7aac6033758a0681d

Download Submit
C:\Windows\SysWOW64\wltqyf.exe

Filesize
447KB

MD5
97c14b2691ff57671e8767346405bc45

SHA1
94536b7e63542d56de076fa02ac6216dfe9ad45a

SHA256
81947a1b935201f7c4edbbc61150ca223d53760ccb66daabd2c9529e32651f18

SHA512
a57131fe611d26bc888b2e7575ba68c09ad6b293585bf11b9206251824d05b4a196942f5b50219411fe70baa59683dd7b567899b6d799078bd005cda2dfdcb1c

Download Submit
C:\Windows\SysWOW64\wlxm.exe

Filesize
447KB

MD5
0707bbfcb0b2e32b90bc888dcd25d23e

SHA1
763042498b1030b84d8ed0f6f062095e8427e281

SHA256
488f5ee262c2647c6893a45c5cef99dad8ebb53cc50a75907e93c8cc54348284

SHA512
86a9bf49011115049dc91b4d896e614298e42dba3c6f7be4d19a0ade9cc6679c4d1647ac111095a71cc95068193adf868cb8d5a1456eea3b2bbdedfb61bd8b88

Download Submit
C:\Windows\SysWOW64\wmdb.exe

Filesize
447KB

MD5
f0e5816841b356402c5773f3ec4d0335

SHA1
4945e80bf2f80b9901525bb09a9453c4eceaac90

SHA256
5a16e032bdcde7a89a84180dbfc1c57a2e2eb4f9ad4ca1360011222084fe5a13

SHA512
c4e2d3836c0e7fd34bf4dbdf5ab172e90866267b763070d9265f0d6b8c2976f9096ff66561c9dd9bcda8bccbb69502e17e657c4076bf4bd72c02b71057c23c76

Download Submit
C:\Windows\SysWOW64\wnjfcn.exe

Filesize
447KB

MD5
0cd09cd5d759bc9d2b8849ab744a63ec

SHA1
7b6cb0a90311d0493c609898c74c9e3ad479ab19

SHA256
f5030faf3cc7ea99702c00ffdb201633f19983c859c32ed8fd351fd03b5e65bf

SHA512
08f07f432adfc358b938a0e2345cf0e7fb15ce0e156678a30962b205d2d4973a87cc413c6b64ecd03d0eaa75da4712ce84ea79f397d4bedd33a837c28fef61c1

Download Submit
C:\Windows\SysWOW64\wnqshd.exe

Filesize
447KB

MD5
161d2896dd5ccfd1ae5d8bbf2260be21

SHA1
7a74be94f379a1f387303f87ac90882e0a7c2c53

SHA256
de257a28e67bb623513e52da2b692043f61e60407740b4fd1a1348ea4f909102

SHA512
68d2c93345e1524d780fa7813960cabc50b2f94bdbf2d956276ede440ff708b056e5bfdaa46dda55c1fa36611b90cbd30e5c20605817fa1802bc49b761e04e10

Download Submit
C:\Windows\SysWOW64\wsdbeoe.exe

Filesize
447KB

MD5
a58e3186ff512bfd0836301f211acff2

SHA1
514b9467cd79eb9cb27940821590ba6e35e14c44

SHA256
00d1b60d33b41a698caedb8b28392c504e9f2e83397ec497e97d6cb897224679

SHA512
3a7521c890e10bda32c98c9ebe223f976af67fa8db3bb1567be6d8e92fdea9e242cf54dc190e2a4c34a292372434f10668963309e4a72e2809a07da221ab23d0

Download Submit
C:\Windows\SysWOW64\wsrjthfds.exe

Filesize
447KB

MD5
1115adb2d2125396c0cb2f6d02074472

SHA1
4539840d11821dcdd398e67fafeb0a7a49db7eb5

SHA256
36198c62665f4b692ff882bd52dd08c82c111375249c07d2d0cd3a4e18fa2047

SHA512
b1fade14fc4a83a8a403db3299a8b1ccd9481c451a9218042129bb5e4f695d3b57439b01955af18eaeb6d96fc939e6d838ac9b5a640d24f42a3a97a2c4fd4848

Download Submit
C:\Windows\SysWOW64\wtosdx.exe

Filesize
447KB

MD5
4bb50d9c9b1e7f0f83b345adb4f98110

SHA1
9f6c6dbbec4c7b1f694b5208dd79ae171215d2b3

SHA256
a2c78ab430ba0ce042779f9e942e2c26ab9277959682c0b6942055fd5f626bd4

SHA512
3818a9d03f29c13ee5a66d02d576c06c66206fff0d2636b7390e1603a705575a6fc4cf7fda8598585a60bd6b932759dad309f4b1b8b04a8eae06077c8e4904a6

Download Submit
C:\Windows\SysWOW64\wtpauybv.exe

Filesize
447KB

MD5
126db3317ee0427f1e99d21218719873

SHA1
671cd0c2590a4c0bf4b8377922c588e411c696e9

SHA256
83a5beff1b48698ecae359f380788fd4539e3ab3abc5da2e98622bdf733e1fe1

SHA512
eeda9a6e773275bc23b356d9f1b8e9d953e06530202e1634a13c791d8ddeb85fb0c8ccad133eea9dc944f8127aa7423447274a017d2c7e98649f6493943a5fc3

Download Submit
C:\Windows\SysWOW64\wurgxreal.exe

Filesize
447KB

MD5
ba85626c1557af988c0a7c1a11ff45ca

SHA1
e628a7028ef1bc5baa62bf1b1b664168b2897981

SHA256
142e58f2f58590b11ca19902c818fcfeead8a7f7f8d0b561f57d437ca173574d

SHA512
a5856c0b161b8bda551b9443369807845f7d14a441529cc326b6024b1a4e8bde027734ad52fa3f27e7d9402a60ac8df657a00e8fec67f0c9e72a3e68b2fa9da8

Download Submit
C:\Windows\SysWOW64\wwbub.exe

Filesize
447KB

MD5
32589e167a1ee98b6e603cb84abbf875

SHA1
e5ad5e55f275e1aa3d56a7450116a91dca3ff618

SHA256
f16ea3d7c91943db130478c0d773976e0acea680a9d5f9b8c39fbc7f17f46022

SHA512
310879e6a6a9aaf6a26a66ed3b0758904d5a2a6f3fa228290d788b8a87138ed90672e34c6cfc668ba64a25af9b04564a846da9a9a763bb9c4f94fc55ab6ad951

Download Submit
C:\Windows\SysWOW64\wwioalb.exe

Filesize
447KB

MD5
c0dc821a9b64eca2934cb3792d1f560f

SHA1
2190a9fc82000070c774bfc5f6868fc89c4b32bc

SHA256
399a6cfa71884fef1c2d49bb9c3cd8f60c875ef843eec0b396679f2020706370

SHA512
fdaaf680b90de2e72489eee2f3b18421bc68c66441a6c51d6f952c2e92d2df2e4720aecbd8571afabfa472700ad6e79376d88e716a61d47b9cd264bcb4356c97

Download Submit
C:\Windows\SysWOW64\wwjye.exe

Filesize
447KB

MD5
eb7dccb656d256d14cb76de1b01e19d6

SHA1
0d47c028354c08459b2a4999cc4041d27977f141

SHA256
5ca0ec0634bba275eabc932180dcf970d14a499c2588fdb7ac14aeb8674d096a

SHA512
6e79f57b1fd92e6924fbddd80dfa5e62cfed5920749147245387a4b1169da7d563c2c6990b3c0b6aaff48c66ea21e6943086462cfa8dddf1775549e5fae404cb

Download Submit
C:\Windows\SysWOW64\wwyauvk.exe

Filesize
447KB

MD5
b00d3881318458affaff840351d6b646

SHA1
338989b47c9e9f8f8118bf4f2dbf63ea1eac269b

SHA256
15159befc80349ed213c02333cce9ef0a731e5efef0ee4b56564acc644886e4f

SHA512
98a381cc2aa8824ad2b625ef27d4fa63e4eb6c7917b453b859ab3912d824dddac9b47e4c8c8663cc7b6332255321195945af8877265359042f2d1aeff4b52abb

Download Submit
C:\Windows\SysWOW64\wxo.exe

Filesize
447KB

MD5
7959aa77609ac37a862e780741ce6027

SHA1
ce38829484790126b1ad64f9583d0482dceec475

SHA256
983f3864c178d4ca6a6ed4775ff315bc69ad8fced9bf355cea89a7e60a5ddb00

SHA512
da51207970cf5c2437c88a0a6f5008ddaf0f445d7e59740e7d730df09edc30356ea2225df6ff895d43aff04bc44d1032046b16b8d29c9b6dd546e8a5c3731baf

Download Submit
memory/364-563-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/400-219-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/408-489-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/408-479-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/656-197-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/656-208-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/804-515-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/804-505-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/820-333-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/820-343-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/832-393-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/868-94-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-598-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-607-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1292-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1292-105-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1508-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1516-547-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1536-104-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1536-471-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1536-462-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1720-571-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1720-581-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1744-420-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1744-411-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1932-523-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1932-514-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1936-359-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1936-368-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2064-187-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2096-385-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2096-376-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-42-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2168-260-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2232-291-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2232-302-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2368-240-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2388-125-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2448-599-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2448-590-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2496-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2496-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-156-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2712-292-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2752-436-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2848-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2848-83-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2868-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2972-186-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2972-198-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2996-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2996-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3000-377-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3028-506-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3284-402-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3284-412-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3308-453-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3308-463-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3324-323-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3396-488-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3396-497-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3500-444-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-539-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-166-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3800-589-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3800-580-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3828-428-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3904-555-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3976-454-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4236-334-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4236-322-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4244-572-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4272-229-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4272-218-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4296-394-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4296-403-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4344-270-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4344-281-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4352-360-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4408-480-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-312-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4496-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4520-531-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4616-72-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4780-32-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4780-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4828-239-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4828-250-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4880-351-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4880-342-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4892-608-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4892-617-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4976-176-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5056-616-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5072-271-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download