4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe
Size

42KB
MD5

7534978911e4c25ea1911cfa2533ff3b
SHA1

e61c511c1bd3bb92af2a5858afa7196bce09b3a6
SHA256

4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461
SHA512

178f40305d30d6e4b190f6c2bd5dca36776597ddd2e0fae48edae4421a83844dd6578a101fda133ed16faef3aee059e0d2ba46af2493a93b8930243b44739fc8
SSDEEP

768:yiYoIfHbL8KatMHv+7dwwaleRp2OuyamBlabCY787fsBANeje:XbyYt7LagG3N13oDWAN7

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1836-0-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000700000002328e-5.dat	UPX
behavioral2/memory/1836-10-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000400000002296c-18.dat	UPX
behavioral2/memory/2108-20-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/4600-21-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x0006000000022974-29.dat	UPX
behavioral2/memory/2108-32-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000b00000002334c-40.dat	UPX
behavioral2/memory/4580-43-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000d000000023357-51.dat	UPX
behavioral2/memory/1316-53-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x0007000000022974-61.dat	UPX
behavioral2/memory/1824-63-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/2280-65-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000b000000023369-73.dat	UPX
behavioral2/memory/1824-76-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x0010000000023358-85.dat	UPX
behavioral2/memory/2640-87-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000a000000023370-95.dat	UPX
behavioral2/memory/4752-98-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000c000000023369-106.dat	UPX
behavioral2/memory/220-109-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x0011000000023358-117.dat	UPX
behavioral2/memory/4332-119-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000b000000023370-127.dat	UPX
behavioral2/memory/4968-129-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/4696-130-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000f000000023369-138.dat	UPX
behavioral2/memory/4208-140-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/4968-142-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000d000000023372-150.dat	UPX
behavioral2/memory/4208-153-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000c000000023370-161.dat	UPX
behavioral2/memory/3348-163-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/4144-165-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x0010000000023369-173.dat	UPX
behavioral2/memory/4336-175-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/3348-177-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000e000000023372-186.dat	UPX
behavioral2/memory/4336-187-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000d000000023370-195.dat	UPX
behavioral2/memory/5040-198-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x0011000000023369-206.dat	UPX
behavioral2/memory/4440-209-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000e000000023375-217.dat	UPX
behavioral2/memory/4696-220-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000d000000023379-228.dat	UPX
behavioral2/memory/3088-231-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000c0000000233ef-239.dat	UPX
behavioral2/memory/4744-241-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/2108-243-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000d0000000233f4-251.dat	UPX
behavioral2/memory/4744-254-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000e000000023379-262.dat	UPX
behavioral2/memory/4860-265-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000d0000000233ef-274.dat	UPX
behavioral2/memory/432-276-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000e0000000233f4-284.dat	UPX
behavioral2/memory/2004-287-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000f000000023379-295.dat	UPX
behavioral2/memory/4468-297-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/memory/3768-298-0x0000000000400000-0x000000000041A000-memory.dmp	UPX
behavioral2/files/0x000e0000000233ef-306.dat	UPX

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlnllgwvq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whacfghp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnhcxdfjl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wfni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqpwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wyli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbmpvvxyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wiwuguqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsxnylp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqqmuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjspq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwfql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wefbmve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvdioxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wykw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbgxv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	waplwi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wphgtlnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wiscav.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wfygc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcdxch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkxui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	weqpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkcq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wstjxvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbpkqw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtbm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvqtja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wyfiptr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsohpa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wrao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbjdjums.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgewknec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtxuldlr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcqneno.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtopiatj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wafaxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnkuu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbmkmnqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wibt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wxpegfs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wpshbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wirkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wrtdh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlhoxg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsevtm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wxvrifwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wiffcn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wyicdor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wndj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	woogyqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wcyykf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgmrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsjfrdgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wertpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjcpy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wpc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtrohwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqqglajb.exe

Executes dropped EXE 64 IoCs

pid	Process
4600	wqqmuq.exe
2108	wokl.exe
4580	wjspq.exe
1316	wocxo.exe
2280	wbmkmnqv.exe
1824	wxsean.exe
2640	wjcpy.exe
4752	wosncpao.exe
220	wcdxch.exe
4332	wkxui.exe
4696	wpvuynxh.exe
4968	wibt.exe
4208	wlnllgwvq.exe
4144	wbjdjums.exe
3348	wijjlvbge.exe
4336	wjaj.exe
5040	weqpq.exe
4440	werb.exe
4696	wkcq.exe
3088	wsevtm.exe
2108	wcvl.exe
4744	wstjxvl.exe
4860	wxvrifwj.exe
432	wpc.exe
2004	wtrohwa.exe
3768	wgjbtn.exe
4468	whacfghp.exe
3544	whp.exe
2600	wiffcn.exe
1316	whgrv.exe
1856	wyli.exe
3196	wqqglajb.exe
3528	wvnhc.exe
3992	wvdioxo.exe
1176	wveufr.exe
3088	wbpkqw.exe
2108	wxryq.exe
4792	wyicdor.exe
1316	wgewknec.exe
4448	wykw.exe
4932	wndj.exe
1696	wnhcxdfjl.exe
2224	wtxuldlr.exe
4880	wcyykf.exe
64	wxpegfs.exe
4268	wcmfulb.exe
3888	wpshbc.exe
1676	whj.exe
2004	wvqtja.exe
4224	wviuvrlmv.exe
3924	wjdnth.exe
5044	wcqneno.exe
2560	wvgxhvdm.exe
4960	wedtos.exe
3196	wyfiptr.exe
4764	wnmltl.exe
4952	woipua.exe
2596	woogyqi.exe
1176	wtopiatj.exe
2600	wkun.exe
4888	wybqlyx.exe
2368	wccxuii.exe
4408	wgmrt.exe
1564	wafaxt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1836-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000700000002328e-5.dat	upx
behavioral2/memory/1836-10-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000400000002296c-18.dat	upx
behavioral2/memory/2108-20-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4600-21-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0006000000022974-29.dat	upx
behavioral2/memory/2108-32-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000b00000002334c-40.dat	upx
behavioral2/memory/4580-43-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d000000023357-51.dat	upx
behavioral2/memory/1316-53-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0007000000022974-61.dat	upx
behavioral2/memory/1824-63-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2280-65-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000b000000023369-73.dat	upx
behavioral2/memory/1824-76-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0010000000023358-85.dat	upx
behavioral2/memory/2640-87-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000a000000023370-95.dat	upx
behavioral2/memory/4752-98-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000c000000023369-106.dat	upx
behavioral2/memory/220-109-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0011000000023358-117.dat	upx
behavioral2/memory/4332-119-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000b000000023370-127.dat	upx
behavioral2/memory/4968-129-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4696-130-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000f000000023369-138.dat	upx
behavioral2/memory/4208-140-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4968-142-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d000000023372-150.dat	upx
behavioral2/memory/4208-153-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000c000000023370-161.dat	upx
behavioral2/memory/3348-163-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4144-165-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0010000000023369-173.dat	upx
behavioral2/memory/4336-175-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3348-177-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000e000000023372-186.dat	upx
behavioral2/memory/4336-187-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d000000023370-195.dat	upx
behavioral2/memory/5040-198-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0011000000023369-206.dat	upx
behavioral2/memory/4440-209-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000e000000023375-217.dat	upx
behavioral2/memory/4696-220-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d000000023379-228.dat	upx
behavioral2/memory/3088-231-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000c0000000233ef-239.dat	upx
behavioral2/memory/4744-241-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2108-243-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d0000000233f4-251.dat	upx
behavioral2/memory/4744-254-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000e000000023379-262.dat	upx
behavioral2/memory/4860-265-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000d0000000233ef-274.dat	upx
behavioral2/memory/432-276-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000e0000000233f4-284.dat	upx
behavioral2/memory/2004-287-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000f000000023379-295.dat	upx
behavioral2/memory/4468-297-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3768-298-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000e0000000233ef-306.dat	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wcmfulb.exe	wxpegfs.exe
File opened for modification	C:\Windows\SysWOW64\wpshbc.exe	wcmfulb.exe
File created	C:\Windows\SysWOW64\wrao.exe	wafaxt.exe
File created	C:\Windows\SysWOW64\wijjlvbge.exe	wbjdjums.exe
File opened for modification	C:\Windows\SysWOW64\wkcq.exe	werb.exe
File created	C:\Windows\SysWOW64\wxvrifwj.exe	wstjxvl.exe
File opened for modification	C:\Windows\SysWOW64\wgjbtn.exe	wtrohwa.exe
File opened for modification	C:\Windows\SysWOW64\wykw.exe	wgewknec.exe
File created	C:\Windows\SysWOW64\wnpuia.exe	wrao.exe
File opened for modification	C:\Windows\SysWOW64\wqpwk.exe	wsy.exe
File created	C:\Windows\SysWOW64\wiwuguqv.exe	wqpwk.exe
File opened for modification	C:\Windows\SysWOW64\wkxui.exe	wcdxch.exe
File created	C:\Windows\SysWOW64\wxpegfs.exe	wcyykf.exe
File created	C:\Windows\SysWOW64\wyfiptr.exe	wedtos.exe
File opened for modification	C:\Windows\SysWOW64\wybqlyx.exe	wkun.exe
File opened for modification	C:\Windows\SysWOW64\wrao.exe	wafaxt.exe
File created	C:\Windows\SysWOW64\wcvl.exe	wsevtm.exe
File created	C:\Windows\SysWOW64\wstjxvl.exe	wcvl.exe
File opened for modification	C:\Windows\SysWOW64\wjdnth.exe	wviuvrlmv.exe
File created	C:\Windows\SysWOW64\wrtdh.exe	wlhoxg.exe
File created	C:\Windows\SysWOW64\wokl.exe	wqqmuq.exe
File created	C:\Windows\SysWOW64\wxsean.exe	wbmkmnqv.exe
File created	C:\Windows\SysWOW64\wkcq.exe	werb.exe
File opened for modification	C:\Windows\SysWOW64\wndj.exe	wykw.exe
File created	C:\Windows\SysWOW64\wtbm.exe	wbgxv.exe
File opened for modification	C:\Windows\SysWOW64\wmynom.exe	wphgtlnw.exe
File opened for modification	C:\Windows\SysWOW64\werb.exe	weqpq.exe
File opened for modification	C:\Windows\SysWOW64\wstjxvl.exe	wcvl.exe
File created	C:\Windows\SysWOW64\wpc.exe	wxvrifwj.exe
File opened for modification	C:\Windows\SysWOW64\wirkj.exe	wnpuia.exe
File opened for modification	C:\Windows\SysWOW64\wbmpvvxyu.exe	waplwi.exe
File created	C:\Windows\SysWOW64\wiffcn.exe	whp.exe
File opened for modification	C:\Windows\SysWOW64\wvqtja.exe	whj.exe
File created	C:\Windows\SysWOW64\wtrohwa.exe	wpc.exe
File opened for modification	C:\Windows\SysWOW64\wafaxt.exe	wgmrt.exe
File opened for modification	C:\Windows\SysWOW64\wrtdh.exe	wlhoxg.exe
File opened for modification	C:\Windows\SysWOW64\wosncpao.exe	wjcpy.exe
File created	C:\Windows\SysWOW64\wveufr.exe	wvdioxo.exe
File created	C:\Windows\SysWOW64\wxryq.exe	wbpkqw.exe
File created	C:\Windows\SysWOW64\wcyykf.exe	wtxuldlr.exe
File opened for modification	C:\Windows\SysWOW64\wtopiatj.exe	woogyqi.exe
File opened for modification	C:\Windows\SysWOW64\wefbmve.exe	wisem.exe
File created	C:\Windows\SysWOW64\wqqmuq.exe	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe
File created	C:\Windows\SysWOW64\wjcpy.exe	wxsean.exe
File created	C:\Windows\SysWOW64\woipua.exe	wnmltl.exe
File created	C:\Windows\SysWOW64\wbgxv.exe	wwfql.exe
File created	C:\Windows\SysWOW64\wfygc.exe	whipphh.exe
File created	C:\Windows\SysWOW64\wkxui.exe	wcdxch.exe
File created	C:\Windows\SysWOW64\wykw.exe	wgewknec.exe
File opened for modification	C:\Windows\SysWOW64\wtxuldlr.exe	wnhcxdfjl.exe
File created	C:\Windows\SysWOW64\wnkuu.exe	wsjfrdgi.exe
File created	C:\Windows\SysWOW64\wbjlrdx.exe	wgeped.exe
File created	C:\Windows\SysWOW64\wccxuii.exe	wybqlyx.exe
File opened for modification	C:\Windows\SysWOW64\wfni.exe	wsohpa.exe
File created	C:\Windows\SysWOW64\woocpb.exe	wiscav.exe
File opened for modification	C:\Windows\SysWOW64\wpvuynxh.exe	wkxui.exe
File opened for modification	C:\Windows\SysWOW64\wiffcn.exe	whp.exe
File opened for modification	C:\Windows\SysWOW64\wqqglajb.exe	wyli.exe
File opened for modification	C:\Windows\SysWOW64\wvdioxo.exe	wvnhc.exe
File created	C:\Windows\SysWOW64\wvgxhvdm.exe	wcqneno.exe
File opened for modification	C:\Windows\SysWOW64\wisem.exe	wxlxwyr.exe
File opened for modification	C:\Windows\SysWOW64\whacfghp.exe	wgjbtn.exe
File opened for modification	C:\Windows\SysWOW64\wbpkqw.exe	wveufr.exe
File created	C:\Windows\SysWOW64\wirkj.exe	wnpuia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4752	4600	WerFault.exe	85
4960	2280	WerFault.exe	109
4952	4696	WerFault.exe	131
2720	4440	WerFault.exe	154
1108	3528	WerFault.exe	203
3912	1176	WerFault.exe	211
5072	2224	WerFault.exe	238
684	4880	WerFault.exe	241
5008	4880	WerFault.exe	241
4452	4880	WerFault.exe	241
668	2560	WerFault.exe	276
4460	2560	WerFault.exe	276
3156	1564	WerFault.exe	319
3936	4428	WerFault.exe	389
1836	2328	WerFault.exe	392

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4600	1836	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe	85
PID 1836 wrote to memory of 4600	1836	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe	85
PID 1836 wrote to memory of 4600	1836	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe	85
PID 1836 wrote to memory of 1356	1836	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe	87
PID 1836 wrote to memory of 1356	1836	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe	87
PID 1836 wrote to memory of 1356	1836	4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe	87
PID 4600 wrote to memory of 2108	4600	wqqmuq.exe	94
PID 4600 wrote to memory of 2108	4600	wqqmuq.exe	94
PID 4600 wrote to memory of 2108	4600	wqqmuq.exe	94
PID 4600 wrote to memory of 3088	4600	wqqmuq.exe	95
PID 4600 wrote to memory of 3088	4600	wqqmuq.exe	95
PID 4600 wrote to memory of 3088	4600	wqqmuq.exe	95
PID 2108 wrote to memory of 4580	2108	wokl.exe	102
PID 2108 wrote to memory of 4580	2108	wokl.exe	102
PID 2108 wrote to memory of 4580	2108	wokl.exe	102
PID 2108 wrote to memory of 2900	2108	wokl.exe	103
PID 2108 wrote to memory of 2900	2108	wokl.exe	103
PID 2108 wrote to memory of 2900	2108	wokl.exe	103
PID 4580 wrote to memory of 1316	4580	wjspq.exe	106
PID 4580 wrote to memory of 1316	4580	wjspq.exe	106
PID 4580 wrote to memory of 1316	4580	wjspq.exe	106
PID 4580 wrote to memory of 776	4580	wjspq.exe	107
PID 4580 wrote to memory of 776	4580	wjspq.exe	107
PID 4580 wrote to memory of 776	4580	wjspq.exe	107
PID 1316 wrote to memory of 2280	1316	wocxo.exe	109
PID 1316 wrote to memory of 2280	1316	wocxo.exe	109
PID 1316 wrote to memory of 2280	1316	wocxo.exe	109
PID 1316 wrote to memory of 4576	1316	wocxo.exe	110
PID 1316 wrote to memory of 4576	1316	wocxo.exe	110
PID 1316 wrote to memory of 4576	1316	wocxo.exe	110
PID 2280 wrote to memory of 1824	2280	wbmkmnqv.exe	113
PID 2280 wrote to memory of 1824	2280	wbmkmnqv.exe	113
PID 2280 wrote to memory of 1824	2280	wbmkmnqv.exe	113
PID 2280 wrote to memory of 3416	2280	wbmkmnqv.exe	115
PID 2280 wrote to memory of 3416	2280	wbmkmnqv.exe	115
PID 2280 wrote to memory of 3416	2280	wbmkmnqv.exe	115
PID 1824 wrote to memory of 2640	1824	wxsean.exe	119
PID 1824 wrote to memory of 2640	1824	wxsean.exe	119
PID 1824 wrote to memory of 2640	1824	wxsean.exe	119
PID 1824 wrote to memory of 3032	1824	wxsean.exe	120
PID 1824 wrote to memory of 3032	1824	wxsean.exe	120
PID 1824 wrote to memory of 3032	1824	wxsean.exe	120
PID 2640 wrote to memory of 4752	2640	wjcpy.exe	122
PID 2640 wrote to memory of 4752	2640	wjcpy.exe	122
PID 2640 wrote to memory of 4752	2640	wjcpy.exe	122
PID 2640 wrote to memory of 116	2640	wjcpy.exe	123
PID 2640 wrote to memory of 116	2640	wjcpy.exe	123
PID 2640 wrote to memory of 116	2640	wjcpy.exe	123
PID 4752 wrote to memory of 220	4752	wosncpao.exe	125
PID 4752 wrote to memory of 220	4752	wosncpao.exe	125
PID 4752 wrote to memory of 220	4752	wosncpao.exe	125
PID 4752 wrote to memory of 3772	4752	wosncpao.exe	126
PID 4752 wrote to memory of 3772	4752	wosncpao.exe	126
PID 4752 wrote to memory of 3772	4752	wosncpao.exe	126
PID 220 wrote to memory of 4332	220	wcdxch.exe	128
PID 220 wrote to memory of 4332	220	wcdxch.exe	128
PID 220 wrote to memory of 4332	220	wcdxch.exe	128
PID 220 wrote to memory of 4324	220	wcdxch.exe	129
PID 220 wrote to memory of 4324	220	wcdxch.exe	129
PID 220 wrote to memory of 4324	220	wcdxch.exe	129
PID 4332 wrote to memory of 4696	4332	wkxui.exe	131
PID 4332 wrote to memory of 4696	4332	wkxui.exe	131
PID 4332 wrote to memory of 4696	4332	wkxui.exe	131
PID 4332 wrote to memory of 1196	4332	wkxui.exe	132

C:\Users\Admin\AppData\Local\Temp\4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe
"C:\Users\Admin\AppData\Local\Temp\4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\wqqmuq.exe
  "C:\Windows\system32\wqqmuq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\wokl.exe
    "C:\Windows\system32\wokl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\wjspq.exe
      "C:\Windows\system32\wjspq.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\wocxo.exe
        
        "C:\Windows\system32\wocxo.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\SysWOW64\wbmkmnqv.exe
        
        "C:\Windows\system32\wbmkmnqv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\wxsean.exe
        
        "C:\Windows\system32\wxsean.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\wjcpy.exe
        
        "C:\Windows\system32\wjcpy.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\wosncpao.exe
        
        "C:\Windows\system32\wosncpao.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\wcdxch.exe
        
        "C:\Windows\system32\wcdxch.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\wkxui.exe
        
        "C:\Windows\system32\wkxui.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\wpvuynxh.exe
        
        "C:\Windows\system32\wpvuynxh.exe"
        12⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\wibt.exe
        
        "C:\Windows\system32\wibt.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\wlnllgwvq.exe
        
        "C:\Windows\system32\wlnllgwvq.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\wbjdjums.exe
        
        "C:\Windows\system32\wbjdjums.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\wijjlvbge.exe
        
        "C:\Windows\system32\wijjlvbge.exe"
        16⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\wjaj.exe
        
        "C:\Windows\system32\wjaj.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\weqpq.exe
        
        "C:\Windows\system32\weqpq.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\werb.exe
        
        "C:\Windows\system32\werb.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\wkcq.exe
        
        "C:\Windows\system32\wkcq.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\wsevtm.exe
        
        "C:\Windows\system32\wsevtm.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\wcvl.exe
        
        "C:\Windows\system32\wcvl.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wstjxvl.exe
        
        "C:\Windows\system32\wstjxvl.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\wxvrifwj.exe
        
        "C:\Windows\system32\wxvrifwj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\wpc.exe
        
        "C:\Windows\system32\wpc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\wtrohwa.exe
        
        "C:\Windows\system32\wtrohwa.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\wgjbtn.exe
        
        "C:\Windows\system32\wgjbtn.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\whacfghp.exe
        
        "C:\Windows\system32\whacfghp.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\whp.exe
        
        "C:\Windows\system32\whp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\wiffcn.exe
        
        "C:\Windows\system32\wiffcn.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\whgrv.exe
        
        "C:\Windows\system32\whgrv.exe"
        31⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\wyli.exe
        
        "C:\Windows\system32\wyli.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\wqqglajb.exe
        
        "C:\Windows\system32\wqqglajb.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\wvnhc.exe
        
        "C:\Windows\system32\wvnhc.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\wvdioxo.exe
        
        "C:\Windows\system32\wvdioxo.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\wveufr.exe
        
        "C:\Windows\system32\wveufr.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\wbpkqw.exe
        
        "C:\Windows\system32\wbpkqw.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\wxryq.exe
        
        "C:\Windows\system32\wxryq.exe"
        38⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\wyicdor.exe
        
        "C:\Windows\system32\wyicdor.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\wgewknec.exe
        
        "C:\Windows\system32\wgewknec.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\wykw.exe
        
        "C:\Windows\system32\wykw.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\wndj.exe
        
        "C:\Windows\system32\wndj.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\wnhcxdfjl.exe
        
        "C:\Windows\system32\wnhcxdfjl.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\wtxuldlr.exe
        
        "C:\Windows\system32\wtxuldlr.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\wcyykf.exe
        
        "C:\Windows\system32\wcyykf.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\wxpegfs.exe
        
        "C:\Windows\system32\wxpegfs.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\wcmfulb.exe
        
        "C:\Windows\system32\wcmfulb.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\wpshbc.exe
        
        "C:\Windows\system32\wpshbc.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\whj.exe
        
        "C:\Windows\system32\whj.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\wvqtja.exe
        
        "C:\Windows\system32\wvqtja.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\wviuvrlmv.exe
        
        "C:\Windows\system32\wviuvrlmv.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\wjdnth.exe
        
        "C:\Windows\system32\wjdnth.exe"
        52⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\wcqneno.exe
        
        "C:\Windows\system32\wcqneno.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\wvgxhvdm.exe
        
        "C:\Windows\system32\wvgxhvdm.exe"
        54⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\wedtos.exe
        
        "C:\Windows\system32\wedtos.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\wyfiptr.exe
        
        "C:\Windows\system32\wyfiptr.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\wnmltl.exe
        
        "C:\Windows\system32\wnmltl.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\woipua.exe
        
        "C:\Windows\system32\woipua.exe"
        58⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\woogyqi.exe
        
        "C:\Windows\system32\woogyqi.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wtopiatj.exe
        
        "C:\Windows\system32\wtopiatj.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\wkun.exe
        
        "C:\Windows\system32\wkun.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\wybqlyx.exe
        
        "C:\Windows\system32\wybqlyx.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\wccxuii.exe
        
        "C:\Windows\system32\wccxuii.exe"
        63⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\wgmrt.exe
        
        "C:\Windows\system32\wgmrt.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\wafaxt.exe
        
        "C:\Windows\system32\wafaxt.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\wrao.exe
        
        "C:\Windows\system32\wrao.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\wnpuia.exe
        
        "C:\Windows\system32\wnpuia.exe"
        67⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\wirkj.exe
        
        "C:\Windows\system32\wirkj.exe"
        68⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Windows\SysWOW64\wsohpa.exe
        
        "C:\Windows\system32\wsohpa.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\wfni.exe
        
        "C:\Windows\system32\wfni.exe"
        70⤵
        Checks computer location settings
        
        PID:4768
        
        C:\Windows\SysWOW64\wwfql.exe
        
        "C:\Windows\system32\wwfql.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\wbgxv.exe
        
        "C:\Windows\system32\wbgxv.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wtbm.exe
        
        "C:\Windows\system32\wtbm.exe"
        73⤵
        Checks computer location settings
        
        PID:3524
        
        C:\Windows\SysWOW64\whipphh.exe
        
        "C:\Windows\system32\whipphh.exe"
        74⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\wfygc.exe
        
        "C:\Windows\system32\wfygc.exe"
        75⤵
        Checks computer location settings
        
        PID:3888
        
        C:\Windows\SysWOW64\waplwi.exe
        
        "C:\Windows\system32\waplwi.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\wbmpvvxyu.exe
        
        "C:\Windows\system32\wbmpvvxyu.exe"
        77⤵
        Checks computer location settings
        
        PID:4752
        
        C:\Windows\SysWOW64\wphgtlnw.exe
        
        "C:\Windows\system32\wphgtlnw.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\wmynom.exe
        
        "C:\Windows\system32\wmynom.exe"
        79⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\wsy.exe
        
        "C:\Windows\system32\wsy.exe"
        80⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\wqpwk.exe
        
        "C:\Windows\system32\wqpwk.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\wiwuguqv.exe
        
        "C:\Windows\system32\wiwuguqv.exe"
        82⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Windows\SysWOW64\wlhoxg.exe
        
        "C:\Windows\system32\wlhoxg.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\wrtdh.exe
        
        "C:\Windows\system32\wrtdh.exe"
        84⤵
        Checks computer location settings
        
        PID:4764
        
        C:\Windows\SysWOW64\wsjfrdgi.exe
        
        "C:\Windows\system32\wsjfrdgi.exe"
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\wnkuu.exe
        
        "C:\Windows\system32\wnkuu.exe"
        86⤵
        Checks computer location settings
        
        PID:3864
        
        C:\Windows\SysWOW64\wertpl.exe
        
        "C:\Windows\system32\wertpl.exe"
        87⤵
        Checks computer location settings
        
        PID:4428
        
        C:\Windows\SysWOW64\wiscav.exe
        
        "C:\Windows\system32\wiscav.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\woocpb.exe
        
        "C:\Windows\system32\woocpb.exe"
        89⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\wxlxwyr.exe
        
        "C:\Windows\system32\wxlxwyr.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wisem.exe
        
        "C:\Windows\system32\wisem.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\wefbmve.exe
        
        "C:\Windows\system32\wefbmve.exe"
        92⤵
        Checks computer location settings
        
        PID:3604
        
        C:\Windows\SysWOW64\wsxnylp.exe
        
        "C:\Windows\system32\wsxnylp.exe"
        93⤵
        Checks computer location settings
        
        PID:5064
        
        C:\Windows\SysWOW64\wgeped.exe
        
        "C:\Windows\system32\wgeped.exe"
        94⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxnylp.exe"
        94⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefbmve.exe"
        93⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisem.exe"
        92⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlxwyr.exe"
        91⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woocpb.exe"
        90⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiscav.exe"
        89⤵
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 116
        89⤵
        Program crash
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wertpl.exe"
        88⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1612
        88⤵
        Program crash
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkuu.exe"
        87⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjfrdgi.exe"
        86⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtdh.exe"
        85⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhoxg.exe"
        84⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwuguqv.exe"
        83⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpwk.exe"
        82⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsy.exe"
        81⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmynom.exe"
        80⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphgtlnw.exe"
        79⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmpvvxyu.exe"
        78⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waplwi.exe"
        77⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfygc.exe"
        76⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whipphh.exe"
        75⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbm.exe"
        74⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgxv.exe"
        73⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfql.exe"
        72⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfni.exe"
        71⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsohpa.exe"
        70⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirkj.exe"
        69⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpuia.exe"
        68⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrao.exe"
        67⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafaxt.exe"
        66⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1464
        66⤵
        Program crash
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmrt.exe"
        65⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccxuii.exe"
        64⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybqlyx.exe"
        63⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkun.exe"
        62⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtopiatj.exe"
        61⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woogyqi.exe"
        60⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woipua.exe"
        59⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmltl.exe"
        58⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfiptr.exe"
        57⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedtos.exe"
        56⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgxhvdm.exe"
        55⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1536
        55⤵
        Program crash
        
        PID:668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 8
        55⤵
        Program crash
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqneno.exe"
        54⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdnth.exe"
        53⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wviuvrlmv.exe"
        52⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqtja.exe"
        51⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whj.exe"
        50⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpshbc.exe"
        49⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmfulb.exe"
        48⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpegfs.exe"
        47⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyykf.exe"
        46⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 116
        46⤵
        Program crash
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1692
        46⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1728
        46⤵
        Program crash
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxuldlr.exe"
        45⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 116
        45⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhcxdfjl.exe"
        44⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndj.exe"
        43⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykw.exe"
        42⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgewknec.exe"
        41⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyicdor.exe"
        40⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxryq.exe"
        39⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpkqw.exe"
        38⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wveufr.exe"
        37⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1536
        37⤵
        Program crash
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdioxo.exe"
        36⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnhc.exe"
        35⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1684
        35⤵
        Program crash
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqglajb.exe"
        34⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyli.exe"
        33⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgrv.exe"
        32⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiffcn.exe"
        31⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whp.exe"
        30⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whacfghp.exe"
        29⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjbtn.exe"
        28⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrohwa.exe"
        27⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpc.exe"
        26⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvrifwj.exe"
        25⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstjxvl.exe"
        24⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvl.exe"
        23⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsevtm.exe"
        22⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcq.exe"
        21⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werb.exe"
        20⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1684
        20⤵
        Program crash
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqpq.exe"
        19⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaj.exe"
        18⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijjlvbge.exe"
        17⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjdjums.exe"
        16⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnllgwvq.exe"
        15⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibt.exe"
        14⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvuynxh.exe"
        13⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 536
        13⤵
        Program crash
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxui.exe"
        12⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcdxch.exe"
        11⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosncpao.exe"
        10⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcpy.exe"
        9⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsean.exe"
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmkmnqv.exe"
        7⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 116
        7⤵
        Program crash
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocxo.exe"
        6⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjspq.exe"
        5⤵
        
        PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokl.exe"
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqmuq.exe"
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 8
    3⤵
    - Program crash
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\4b8f92aa6a002e641841214c6aff942cf2f44cbfb4ef570817a547638c277461.exe"
  2⤵
  PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4600 -ip 4600
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2280 -ip 2280
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4696 -ip 4696
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4440 -ip 4440
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3528 -ip 3528
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1176 -ip 1176
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2224 -ip 2224
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4880 -ip 4880
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4880 -ip 4880
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4880 -ip 4880
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2560 -ip 2560
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2560 -ip 2560
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1564 -ip 1564
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4428 -ip 4428
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2328 -ip 2328
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbjdjums.exe

Filesize
43KB

MD5
abce5ff1f235ce70d965c5f3f13954aa

SHA1
e8bbc8840f838034a4aa05a0a28b9822ac264f83

SHA256
cc9b7a82aa6b0e5f262e95cbe03bb01f975378bc3ab78e540e0021f8773fe752

SHA512
762772fb8b2d77c065e5bd95335d39eaef073bed9273e020ce58f905278c27d5b04e86a6526f00c3bdda02d6c53d5fcfd4db9ecc01554b6e50b1948b8393dc89

Download Submit
C:\Windows\SysWOW64\wbmkmnqv.exe

Filesize
43KB

MD5
2be7bf4e6d7030324e8987d673e1cf1d

SHA1
f6f8a9837c23adee56fbb6f75cd87047039c6a75

SHA256
2ffd318d2f325e67e04a436b6897c39dd1fa2323c292f46acf32f3e1797013da

SHA512
c528c830b342fd2ae4ded2082f9182bffb529b3def3247a2fcb51e4a817ffcb913310e961b67d568f785662cb3472a408255071ef4f5a7eeaea55de166e58743

Download Submit
C:\Windows\SysWOW64\wcdxch.exe

Filesize
43KB

MD5
d04a5acb013ed8af4cbcabcc756c6d43

SHA1
6f6a093dba265bbcf6fc7164ea9ac8161383c60b

SHA256
8db59c99981ce6164dbf2452475758957019a523d1ae5678bdc41e880f283164

SHA512
fd82e9bbfea624f08f5556f2d3ad8bd81e124f638fa4fcdfe44644cf7cc1e7de30a3f4b6f63ec75bab0ef374b18d641eefd2b754957caa7f1ce877cbc86390be

Download Submit
C:\Windows\SysWOW64\wcvl.exe

Filesize
43KB

MD5
aebcc58f861f0cd0c651e67eae7ccfda

SHA1
914f2ccd81bd2046cb2532d5175ec379b8bbbf23

SHA256
3c8decd72f97c74fb458ea87e08967a932df56dea9bbadc93cc8a44aec90fd8d

SHA512
e45e5b14a954f8118986c9214660a8099daa22dae0c03a74a43a29c6f1e4995eff50298eb55a2d89fc39e988d3d913a1b85fa4d2f34e7219380d9f90c6bf439b

Download Submit
C:\Windows\SysWOW64\weqpq.exe

Filesize
43KB

MD5
56cb011e36f114a271b8701b3b543290

SHA1
44074cc10739198a5efe7e03543665c3a2e694e5

SHA256
d1ae35c4423578417e1fd3e17ef9dbb04f0388fff50321f1bf54e53c6378a7ce

SHA512
e147364379f9e78f7e693eefcd3f814cf02ee745816114f7c0ed7bb0082170fa75a774fcb66dc63f46c9dba9f233582a6f49bae47302cb3b587c8a718da1d493

Download Submit
C:\Windows\SysWOW64\werb.exe

Filesize
43KB

MD5
36438f00e6b6f591efa0d206cc10ca21

SHA1
cc2a4b8b59b79cdddfd4cc7ad02b17aa78ddac3f

SHA256
4139f6796a18116cd27b5c4e5a79aa8ee15c99fea7ca4c5717aa57eb2fecc18d

SHA512
af388a13385dbc1a2ff5a93993d4df3156c90b4b4cbd80004fb6f4ac4d6111f1fd24f2fe7e2ba1d40698099307fe3908f8732e2c1d8c4d83c38caef99a816386

Download Submit
C:\Windows\SysWOW64\wgjbtn.exe

Filesize
43KB

MD5
39c59ac00cdee72b3ed1acf138231a07

SHA1
299a6dca9e6637fa8957adb749635cb9fa2a5d7a

SHA256
76773d0622ac6a73d643a31fcd42cbf86eec1a4bc824aacf8db3436897c327c3

SHA512
dde19cd8176ae6fc524e3aeb8b5e21e754b515c503697359e7c119f35f5599e80051290351d8b5f55e66fc2f2eafd2be847ce454a012b813852664110c09bb58

Download Submit
C:\Windows\SysWOW64\whacfghp.exe

Filesize
43KB

MD5
2640cccd21207885ad76bf0c8ef6f530

SHA1
92c45852711c906c060289c6a8d277cecb28ce2e

SHA256
17a2002fcfb9595a5ec129a11f8db3bf105a8abfb82ff3fb1b654f44ab82b9fd

SHA512
45e907552e73025349a6fc348b1a0cc9f5f8648fba272df61e5f573a403d24b17dcfd186eb46d67492bf36be41fdc02c532adfdaa22276f7ea9212e5b4446a03

Download Submit
C:\Windows\SysWOW64\whgrv.exe

Filesize
43KB

MD5
2e16d5dd53dd438c8cd8eae61796c52b

SHA1
292a25f0d0bdfb71c0d4c170af15fca6a9590fba

SHA256
2ae9f833e1b13a44fa87fc40fd79be893f9770745b22d7067b28978f90e40e7e

SHA512
74b16132e27bc09e5e07cd2e868928fd93c18fee907fe03248d6ec383f538011fff11a880126682561df9affce8911e50ffdc01f7c46653fe2f6c10f935d9cfc

Download Submit
C:\Windows\SysWOW64\whp.exe

Filesize
43KB

MD5
3e834522f0191ae648cbcc9c0f1762b0

SHA1
7b2d0e040bd8d1e5fbbe12c123d3b9aba0078c72

SHA256
eacdd44f59c03f4fa8da5ff6860d5dd55931e6bab02c3e55e6b53a64bfbc0d8d

SHA512
8976a0ee670f349f6bebbf5afa63b23c34b4100a69fa0b147c7774fea629b2c41725dec7a7437152323768aec4c4e4253c0c92b8f9cabc8f23add702bad6f219

Download Submit
C:\Windows\SysWOW64\wibt.exe

Filesize
43KB

MD5
05f69c989058f39af80d8d7c27ab9289

SHA1
747b917534dc725c9c3024c963d179c337fd7369

SHA256
a4bd9d84f78af811afdb5b83bb72ef86b1a116a83aac24f345c7c0c4015f35d5

SHA512
012e7bcaa51f8b17fd77c5b3a71ce088dddc7bb5d0892353b832682f252c80e3dca8e1dc63525d7bb615901349701affedfc519fab0002d730241d6a0d00551a

Download Submit
C:\Windows\SysWOW64\wiffcn.exe

Filesize
43KB

MD5
0d70d61d25329d3e88807fd0568fe5ce

SHA1
35ae0a24d377deb58248b1cd441e03225d4fa0fd

SHA256
d5c0f03596f199d51ea1a85ca3b6695267895cac876cf8069de41c51fcd03299

SHA512
d27c727d9c09a7f35df2e90f3134bb7b039039355841d94688869cd4ab7aadcb7b1db3cb2a933dd433acbf5a81ba5850c9c6d4bf9c4d14e3377a159d6617c15f

Download Submit
C:\Windows\SysWOW64\wijjlvbge.exe

Filesize
43KB

MD5
6963c72b34613ab216026daeefd82741

SHA1
fd3977ce16ee9d96cd8df091b377da80fc68648e

SHA256
4d6f8c9e230a1dc1b21bd2bacf089164ead2ddc4ed17446ec253d1aebbb73a34

SHA512
883f7f1bc523414a140b266d882adf22c4ba1c69def730c2908f8422327683259c9426fa075300b1231da941bdcfe71f42948f377c0e743c3ac88021d6f28373

Download Submit
C:\Windows\SysWOW64\wjaj.exe

Filesize
43KB

MD5
7f15097ca83c46e889c3c8793927e3c8

SHA1
08a4977284e856e7a0b43eb15431b833f8e21a22

SHA256
162182fdc08167967af76acbec1574e84d81b45d843734d0d90df38a86e70e1c

SHA512
aa0c1720b40c3b047116125277049c17022db374f14ad825f68d36e78e35362512f1ff09fb42a56add9135c00cb983941a32015ed826ae6d168d4b33193c202a

Download Submit
C:\Windows\SysWOW64\wjcpy.exe

Filesize
43KB

MD5
31095bba35353dcada6d8fbb43adf993

SHA1
e1469d2a5a0c7440eeb8f34f875644df3e189b3e

SHA256
99e45054a92e987a53f1e482e330ac16478190fac0981bbd6d1f45ce2903dab1

SHA512
66372acebbbede3543785bbc91123f2a7bceeb4578f65c304d39b358b8cddc45b2cd6f6036a8a007eb840657f5f9c7ffd051daa723884c4a0b4cd0c0cfa544ae

Download Submit
C:\Windows\SysWOW64\wjspq.exe

Filesize
43KB

MD5
2a85b629f87748945f4142df14b55a1a

SHA1
d21075849cd4817e920cc469ff711a786b4853eb

SHA256
bc31d05a263f15a897aee8188ee39dc341ba7d5d9519035052c6f3b56fe72d6c

SHA512
25e7054f6c73b57c0c5256a3f9e9a163d9e07b9cc2ac31f86fb520e1ec1b25a7b41b21f02b7a50d5024b291f132792ea20af1dcf5abd38f0d34373330cb399cb

Download Submit
C:\Windows\SysWOW64\wkcq.exe

Filesize
43KB

MD5
39ba3de623a67cee58e0ccdbaf4b1e5a

SHA1
0dc46ac61140ef66b5942233e355f65435acea1d

SHA256
25b53eacb7ad444cf91bb97840cbed53d994041f537dc78ade70a4367854277c

SHA512
9a4b0fed13ee5d2693272f8a3982005b45e04dc846e5a507a5da39d5c85e9d5933ba4b9c3f433c21d6aea490814af61d0b3b0e037a6c7639db314f288a12391e

Download Submit
C:\Windows\SysWOW64\wkxui.exe

Filesize
43KB

MD5
42d04d0f32d8857ea736ad99dab4c258

SHA1
83f406439dffb294a91647e9dd277c044288af35

SHA256
65ffc7e1f0c0d84da282950815287e07f7710930bc79eab285616864c7c6c54d

SHA512
3a444847640ef1ba95556baebf94bb2726e99bd08f6598dc998526a0444b376cfaeab8d29628bb2109615687f7792071e1a88454e2ea3818c95e0683053bc664

Download Submit
C:\Windows\SysWOW64\wlnllgwvq.exe

Filesize
43KB

MD5
6d67f8e767b72e90d4d65e0efc4cbf77

SHA1
01408fd2961ed8e01011a7fa0331bdf31660ba83

SHA256
c3f964d5ce20bd2124ff8d65fcb7951e514034931a389d97ef8f4e2a946060fe

SHA512
f1248e84ca28e46d30585e922e7d3589db2b5622dedbefbfe2e01ae7e060de8c3fbef8a9e9cb50224bd507c2a0ff1bee7781f5df0dafd33642b5f76d5f2ac993

Download Submit
C:\Windows\SysWOW64\wocxo.exe

Filesize
43KB

MD5
85b42e23be84f2415fa7218cbba05e00

SHA1
af020b62822acdb7cf897c8a78bcd06c36a69727

SHA256
486ef45a0c0a65104a46e8a0f24b07a9bab5593521ed6412f8c47a70faa5ee32

SHA512
4828753af66e7f39757ee0256329d2cab63151888d656a917686bef549500aacdef9e20cbe1f81b506c71791e87878ae53a2531ee90bd93a4730977935d101fc

Download Submit
C:\Windows\SysWOW64\wokl.exe

Filesize
43KB

MD5
8a725a7166871f1498b441cd0f68c7da

SHA1
bde23232cd2221f1dfc52d330fb019b328dbef9e

SHA256
c873cc293bf1f880594903bf2c1957570e286ca425c2e07c42411fdb5dfb07be

SHA512
b3563f28b72384666b49a09cd65122f391731f532e8f91791a5e357b3b696459d56c0c7578360d7004b75845cc44df187c0ce6d1d132835670d0291ac2321e5f

Download Submit
C:\Windows\SysWOW64\wosncpao.exe

Filesize
43KB

MD5
c4ab2a16baf6f5182324e5a9ed8d6310

SHA1
bcb143526b2ae709eb87c8cd532d4d76aaedf267

SHA256
efd6c087bd583701cf14eda38a0c51aa8d209e02b06084eefb8b2ecdf9862145

SHA512
e31a36607e02c2bc4a84e99389601eeee3311a519fd708fb5afdb4610699ce7e6d512a7abf70ad9c081bbff27cbe4af552639792b40c3b0d629b2a18e644c972

Download Submit
C:\Windows\SysWOW64\wpc.exe

Filesize
43KB

MD5
35d95b16349e6a667ae6a7bf197c58be

SHA1
7ae1c26e456f288ca8be03c105395b71c131957e

SHA256
ca0212534b73055542dd21c1ba9ed56f850bd36b1c9529c2a50ac39003c10056

SHA512
34847adf9f9a5df2c665371bcefcfded3b7b7a4753ccf111ccc48213d8e2b1e70d5a2d08135314ccbc5978507b31e3f097a32ac7bb769a491d851795a3685009

Download Submit
C:\Windows\SysWOW64\wpvuynxh.exe

Filesize
43KB

MD5
a4e18bdbf6d72e6cf5d9a252c3be6e77

SHA1
af5239b434045220eb94228238d5f8d267ebd23d

SHA256
3570874d3954caf22bf02c4ddfe9f1c57338e4ddc0f59e0624e8bb9086fbb77d

SHA512
70d8e39db25cd67b84ea63daebc72c0f35446a30cccb938adfae9bdae11601700725b1b5077ebf31ffcbfd0382d491c1984e0e7e88b22713b50c7749e5c7b4de

Download Submit
C:\Windows\SysWOW64\wqqglajb.exe

Filesize
43KB

MD5
de634e057d5534b426a02cd08abcd6c9

SHA1
8e4a68e79c7667f11481f0122ff00e916c8d6f59

SHA256
b7cec2cc17aa952de55ae999e51f8103b56bcd6437469e2c15d7533dcff3532b

SHA512
5d439b0a3135fd2251ea463a249583222ef9ec41799a3db305abc3f07f2b770c9a3e42d039a1725bcb9cb9c25c9808877ca4c91025a9a24f73d5bc869473d05a

Download Submit
C:\Windows\SysWOW64\wqqmuq.exe

Filesize
42KB

MD5
3dc0097aa661615b95dc6f6394dd3ca0

SHA1
cfc12d3fa1ab477b86d3913373430e5caa3d7a03

SHA256
f4ad3976ab6a7bf6a8e6949c618c080fee2b5fb6a53458bce71f4fe143f97cd3

SHA512
a23286908b702c3bf204602162d2b1ebb25a054b393c57c2d10dfda35925607be8fb0d659083fca06bb899a81d1d6468316c577921b4dcb430a9e88dc8758881

Download Submit
C:\Windows\SysWOW64\wsevtm.exe

Filesize
43KB

MD5
6cfc26b63da1fbc211e67fd18f3d4916

SHA1
d0139d2b7449f79bfd3476ffed52115caa11fc94

SHA256
42cfc1a64b8957cea0fe1b1d753cc45fcdac24fabedba31d5778c9c3b4506f2d

SHA512
0fa8c5ee75d862c9b8b62f28798110425059fbf6622ea617024fbb9cf6a79b0feb93ece349c870a5330a73cf7fa674a1f3eed2329932d1e81b30d70441a370ea

Download Submit
C:\Windows\SysWOW64\wstjxvl.exe

Filesize
43KB

MD5
ea1278e810c8b163a83ec3ea52b87895

SHA1
6ecfb5af71ba54df2bbf1164ec35793129658bce

SHA256
103f8f24fd078bad9c05ebbbe081506a43807baf97698b0f543bf2673c22ac60

SHA512
360091cbdc5c3a7a7e64d18050e5c5705b195d9ed18594c59958ead146013207c2321423734c0afca805c6ac15475a2604360ccb9be7cb7c4dccc5891cf9a835

Download Submit
C:\Windows\SysWOW64\wtrohwa.exe

Filesize
43KB

MD5
abf2b17f4771c9cd40749e5fdf01390f

SHA1
b42e31e72901b48af48e5ab7af86a65585a23abc

SHA256
a52b7f8835dd8a87cf413a2760a862d47b2761fb77698ff66545ee1d4e2febef

SHA512
6d5f5686994dfcc3a18371beb01369d15ed372e34fc7f3af60a87fe304eee8766210fa3bd68cb9b243aed9fe2fe0af3eced51e65d2be07481d986c19fc5fa700

Download Submit
C:\Windows\SysWOW64\wxsean.exe

Filesize
43KB

MD5
b1ce9883089a3c926a7532d3c0601edf

SHA1
7040fb5f4721e6804a72d97bc08e94bd8d4f12bf

SHA256
20f844db6a46a817e02dd0e7bc3046786299f846e3f8500967b8dc14626cc3fc

SHA512
a3d86f6fb14733f06d31c69577648c5114e744cda886ee9c82b5e2166106053bec65bd0f278381e48d13328c4176faa2a68c7a3b7692f0e30fb7b20a26ff29b4

Download Submit
C:\Windows\SysWOW64\wxvrifwj.exe

Filesize
43KB

MD5
35c08fa42aa8798ed5fffb8105b8fccd

SHA1
430475b4d7a8f5c2e7c2097cea3076ac1385d503

SHA256
5c225e888ba7dbaa5e318d1be92be7150b0d999b11fef31007efb2f2ef0519e6

SHA512
86e3bc03e2562818876fefe2ae33bd345dee7cf79df2b55ae0f0c5d3e9cbe0ba65629debfd08b864aceb9fda6e29aa2a1e7fa82599f2bf5c44793afda9657f2b

Download Submit
C:\Windows\SysWOW64\wyli.exe

Filesize
43KB

MD5
d8cb69c60347c7a191ed0285a8274937

SHA1
a21b368f53338d741c5221e4c806a78fee9ea8f1

SHA256
a28f86e1c3beea67b101be7bebdb3c1dcc07980676a52e641e4527323ef932e7

SHA512
40d94eef08beaba5303ea0bcc243da1fff62a325f29bca13a62d4c1b783c646eee8959b27c1965dcd0f8b6b84845f57c6827f7419980ee7d96aa46632c382016

Download Submit
memory/64-483-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/220-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/432-276-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1176-381-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1176-607-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1176-392-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1284-704-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1316-418-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1316-53-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1316-429-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1316-343-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1512-834-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1676-510-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1676-499-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1696-457-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1696-447-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1824-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1824-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1836-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1836-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1856-354-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2004-287-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2004-519-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-32-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-243-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-410-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2224-466-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2268-750-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-713-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2292-815-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2328-851-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2328-862-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2368-633-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2560-553-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2596-598-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2600-319-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2600-332-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2600-617-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2600-606-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2640-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3088-400-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3088-231-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3088-391-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3196-364-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3196-570-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3212-649-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3212-659-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3348-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3348-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3524-722-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3528-362-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3528-373-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3544-321-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3768-298-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3864-832-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3864-843-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3888-730-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3888-741-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3888-501-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3924-536-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3992-372-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3992-383-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4144-165-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4208-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4208-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4224-527-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4268-491-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4332-119-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4332-768-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4336-187-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4336-175-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4356-677-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4408-641-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4428-853-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4436-787-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4436-776-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4440-209-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4448-439-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4468-668-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4468-657-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4468-297-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4468-309-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-778-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4580-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4600-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4632-686-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4696-220-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4696-130-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4740-796-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4744-241-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4744-254-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4752-759-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4752-98-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4764-580-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4764-813-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4764-824-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4768-695-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4772-732-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4792-420-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4792-408-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4860-265-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4880-474-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4880-465-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4888-615-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4888-625-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4932-448-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4932-437-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4952-589-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4952-578-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4956-805-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4960-561-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4968-142-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4968-129-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5040-198-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5044-545-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download