020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
Size

84KB
MD5

b637ddd656d25a63d680fc7563777bbd
SHA1

a1b251f73297e3684e4f1c8bc7b07f47c3dc6f46
SHA256

020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c
SHA512

69e69aebd5185ab0bf9cbe920a1b301089e9d751e1b9ab9385058146c3829c50d48bd8350cc3e8530a6af635ccdbe93abeb79add0945faabff02eb338ee2d38c
SSDEEP

1536:azUQz74LIvK/+Czax4IHVdmRvW1BDVwrVXwXaE:qUQz74TmFnmRvW1gXwqE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wpsbjtk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wephjt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wtfbsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	waj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wybvyhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	whicja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wgxxouf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wywhspha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wwifm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wncfxv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	worvbhr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wtqvv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wphakxqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wdbx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wsusg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	warf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmshg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wgcwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wdacpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wnbvfufwp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wajhjmwxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wfajqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wvyfajemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wuxc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wvxvvlg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wwltqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wany.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wrwxc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wqjvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	whqdgkt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wswwl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wyxdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wvwq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wgdherss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wpmska.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wysrwqtqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wbmpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wkciuri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wbtkuso.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmqhvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wxcvkuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	warxnmhiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wlwvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wujj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wkstqb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wajvmn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wbpufb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	waqgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wrkraok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wvqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wfpxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wbcdbxcwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wvtmgn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wvhejf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wpqajq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wpdpsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wdtdpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wllmpk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wofmjmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wig.exe

Executes dropped EXE 64 IoCs

pid	Process
2368	wywhspha.exe
1676	wrfdwpt.exe
5036	wyf.exe
5084	wvxvvlg.exe
4272	wbtkuso.exe
3512	wllmpk.exe
1900	wgcwd.exe
3792	waemdl.exe
316	wbpufb.exe
5020	waqgw.exe
3808	wany.exe
1776	waj.exe
2340	wwltqj.exe
784	wmqhvr.exe
2288	wagno.exe
3148	wajhjmwxu.exe
1612	whqdgkt.exe
2656	wofmjmx.exe
2464	wybvyhk.exe
2092	wbmpq.exe
448	wxcvkuw.exe
2308	wvtmgn.exe
4228	wrkraok.exe
3876	warxnmhiv.exe
2716	wswwl.exe
2000	wvhejf.exe
1208	worvbhr.exe
4968	wvqp.exe
936	wrs.exe
2312	wfajqa.exe
1212	wvyfajemp.exe
4912	wyxdr.exe
1964	wpmska.exe
816	wqjvj.exe
5000	wfpxp.exe
3688	wphakxqt.exe
4348	wpqajq.exe
1688	wwifm.exe
2824	wig.exe
3680	wtqvv.exe
4176	wlwvr.exe
4788	wujj.exe
5100	wtgchdp.exe
3420	wdbx.exe
432	wpsbjtk.exe
2696	wdacpj.exe
448	wwf.exe
3556	wsusg.exe
2540	wysrwqtqp.exe
1868	wgdherss.exe
1384	wkstqb.exe
1708	wkciuri.exe
3056	warf.exe
2344	wvwq.exe
3016	wuxc.exe
4572	wbcdbxcwu.exe
760	wxs.exe
1844	wmshg.exe
3108	whicja.exe
548	wjcvol.exe
1016	wncfxv.exe
1708	wajvmn.exe
3320	wephjt.exe
4692	wpdpsk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wncfxv.exe	wjcvol.exe
File created	C:\Windows\SysWOW64\wdtdpl.exe	wpdpsk.exe
File created	C:\Windows\SysWOW64\wgxxouf.exe	wnbvfufwp.exe
File created	C:\Windows\SysWOW64\wfajqa.exe	wrs.exe
File opened for modification	C:\Windows\SysWOW64\wpqajq.exe	wphakxqt.exe
File opened for modification	C:\Windows\SysWOW64\wtqvv.exe	wig.exe
File created	C:\Windows\SysWOW64\wgdherss.exe	wysrwqtqp.exe
File opened for modification	C:\Windows\SysWOW64\wkstqb.exe	wgdherss.exe
File created	C:\Windows\SysWOW64\wujj.exe	wlwvr.exe
File created	C:\Windows\SysWOW64\wephjt.exe	wajvmn.exe
File opened for modification	C:\Windows\SysWOW64\wtfbsk.exe	wgxxouf.exe
File created	C:\Windows\SysWOW64\wllmpk.exe	wbtkuso.exe
File created	C:\Windows\SysWOW64\wajhjmwxu.exe	wagno.exe
File created	C:\Windows\SysWOW64\wrkraok.exe	wvtmgn.exe
File opened for modification	C:\Windows\SysWOW64\wpmska.exe	wyxdr.exe
File created	C:\Windows\SysWOW64\wpqajq.exe	wphakxqt.exe
File created	C:\Windows\SysWOW64\wbtkuso.exe	wvxvvlg.exe
File created	C:\Windows\SysWOW64\wphakxqt.exe	wfpxp.exe
File opened for modification	C:\Windows\SysWOW64\wwf.exe	wdacpj.exe
File opened for modification	C:\Windows\SysWOW64\wybvyhk.exe	wofmjmx.exe
File opened for modification	C:\Windows\SysWOW64\wrkraok.exe	wvtmgn.exe
File opened for modification	C:\Windows\SysWOW64\warxnmhiv.exe	wrkraok.exe
File created	C:\Windows\SysWOW64\wvxvvlg.exe	wyf.exe
File created	C:\Windows\SysWOW64\wbpufb.exe	waemdl.exe
File opened for modification	C:\Windows\SysWOW64\wany.exe	waqgw.exe
File opened for modification	C:\Windows\SysWOW64\waj.exe	wany.exe
File created	C:\Windows\SysWOW64\wwltqj.exe	waj.exe
File created	C:\Windows\SysWOW64\wig.exe	wwifm.exe
File opened for modification	C:\Windows\SysWOW64\wpsbjtk.exe	wdbx.exe
File opened for modification	C:\Windows\SysWOW64\wysrwqtqp.exe	wsusg.exe
File created	C:\Windows\SysWOW64\wajvmn.exe	wncfxv.exe
File created	C:\Windows\SysWOW64\wrwxc.exe	wdtdpl.exe
File opened for modification	C:\Windows\SysWOW64\wbpufb.exe	waemdl.exe
File created	C:\Windows\SysWOW64\wvtmgn.exe	wxcvkuw.exe
File created	C:\Windows\SysWOW64\worvbhr.exe	wvhejf.exe
File created	C:\Windows\SysWOW64\whey.exe	wcgpme.exe
File created	C:\Windows\SysWOW64\wyf.exe	wrfdwpt.exe
File opened for modification	C:\Windows\SysWOW64\wyf.exe	wrfdwpt.exe
File created	C:\Windows\SysWOW64\wofmjmx.exe	whqdgkt.exe
File created	C:\Windows\SysWOW64\wyxdr.exe	wvyfajemp.exe
File opened for modification	C:\Windows\SysWOW64\wvqp.exe	worvbhr.exe
File created	C:\Windows\SysWOW64\wfpxp.exe	wqjvj.exe
File opened for modification	C:\Windows\SysWOW64\wdbx.exe	wtgchdp.exe
File opened for modification	C:\Windows\SysWOW64\wcgpme.exe	wtfbsk.exe
File opened for modification	C:\Windows\SysWOW64\wgcwd.exe	wllmpk.exe
File opened for modification	C:\Windows\SysWOW64\worvbhr.exe	wvhejf.exe
File created	C:\Windows\SysWOW64\wqjvj.exe	wpmska.exe
File opened for modification	C:\Windows\SysWOW64\wajvmn.exe	wncfxv.exe
File opened for modification	C:\Windows\SysWOW64\wywhspha.exe	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
File opened for modification	C:\Windows\SysWOW64\wllmpk.exe	wbtkuso.exe
File opened for modification	C:\Windows\SysWOW64\whey.exe	wcgpme.exe
File created	C:\Windows\SysWOW64\wsgm.exe	whey.exe
File opened for modification	C:\Windows\SysWOW64\wbtkuso.exe	wvxvvlg.exe
File opened for modification	C:\Windows\SysWOW64\wvtmgn.exe	wxcvkuw.exe
File opened for modification	C:\Windows\SysWOW64\wswwl.exe	warxnmhiv.exe
File opened for modification	C:\Windows\SysWOW64\wlwvr.exe	wtqvv.exe
File created	C:\Windows\SysWOW64\wtgchdp.exe	wujj.exe
File opened for modification	C:\Windows\SysWOW64\wvhejf.exe	wswwl.exe
File opened for modification	C:\Windows\SysWOW64\wujj.exe	wlwvr.exe
File opened for modification	C:\Windows\SysWOW64\wgdherss.exe	wysrwqtqp.exe
File created	C:\Windows\SysWOW64\wpdpsk.exe	wephjt.exe
File created	C:\Windows\SysWOW64\wgcwd.exe	wllmpk.exe
File opened for modification	C:\Windows\SysWOW64\wbmpq.exe	wybvyhk.exe
File opened for modification	C:\Windows\SysWOW64\wxcvkuw.exe	wbmpq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2628	3872	WerFault.exe	82
4540	3808	WerFault.exe	128
3560	2464	WerFault.exe	157
2292	1964	WerFault.exe	202
4072	4348	WerFault.exe	216
1096	3420	WerFault.exe	239
1960	1384	WerFault.exe	266
1332	548	WerFault.exe	299
3708	4692	WerFault.exe	313

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 2368	3872	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	87
PID 3872 wrote to memory of 2368	3872	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	87
PID 3872 wrote to memory of 2368	3872	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	87
PID 3872 wrote to memory of 768	3872	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	89
PID 3872 wrote to memory of 768	3872	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	89
PID 3872 wrote to memory of 768	3872	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	89
PID 2368 wrote to memory of 1676	2368	wywhspha.exe	98
PID 2368 wrote to memory of 1676	2368	wywhspha.exe	98
PID 2368 wrote to memory of 1676	2368	wywhspha.exe	98
PID 2368 wrote to memory of 2460	2368	wywhspha.exe	99
PID 2368 wrote to memory of 2460	2368	wywhspha.exe	99
PID 2368 wrote to memory of 2460	2368	wywhspha.exe	99
PID 1676 wrote to memory of 5036	1676	wrfdwpt.exe	101
PID 1676 wrote to memory of 5036	1676	wrfdwpt.exe	101
PID 1676 wrote to memory of 5036	1676	wrfdwpt.exe	101
PID 1676 wrote to memory of 3124	1676	wrfdwpt.exe	102
PID 1676 wrote to memory of 3124	1676	wrfdwpt.exe	102
PID 1676 wrote to memory of 3124	1676	wrfdwpt.exe	102
PID 5036 wrote to memory of 5084	5036	wyf.exe	105
PID 5036 wrote to memory of 5084	5036	wyf.exe	105
PID 5036 wrote to memory of 5084	5036	wyf.exe	105
PID 5036 wrote to memory of 2344	5036	wyf.exe	106
PID 5036 wrote to memory of 2344	5036	wyf.exe	106
PID 5036 wrote to memory of 2344	5036	wyf.exe	106
PID 5084 wrote to memory of 4272	5084	wvxvvlg.exe	110
PID 5084 wrote to memory of 4272	5084	wvxvvlg.exe	110
PID 5084 wrote to memory of 4272	5084	wvxvvlg.exe	110
PID 5084 wrote to memory of 1148	5084	wvxvvlg.exe	111
PID 5084 wrote to memory of 1148	5084	wvxvvlg.exe	111
PID 5084 wrote to memory of 1148	5084	wvxvvlg.exe	111
PID 4272 wrote to memory of 3512	4272	wbtkuso.exe	113
PID 4272 wrote to memory of 3512	4272	wbtkuso.exe	113
PID 4272 wrote to memory of 3512	4272	wbtkuso.exe	113
PID 4272 wrote to memory of 2292	4272	wbtkuso.exe	114
PID 4272 wrote to memory of 2292	4272	wbtkuso.exe	114
PID 4272 wrote to memory of 2292	4272	wbtkuso.exe	114
PID 3512 wrote to memory of 1900	3512	wllmpk.exe	116
PID 3512 wrote to memory of 1900	3512	wllmpk.exe	116
PID 3512 wrote to memory of 1900	3512	wllmpk.exe	116
PID 3512 wrote to memory of 4172	3512	wllmpk.exe	117
PID 3512 wrote to memory of 4172	3512	wllmpk.exe	117
PID 3512 wrote to memory of 4172	3512	wllmpk.exe	117
PID 1900 wrote to memory of 3792	1900	wgcwd.exe	119
PID 1900 wrote to memory of 3792	1900	wgcwd.exe	119
PID 1900 wrote to memory of 3792	1900	wgcwd.exe	119
PID 1900 wrote to memory of 1756	1900	wgcwd.exe	120
PID 1900 wrote to memory of 1756	1900	wgcwd.exe	120
PID 1900 wrote to memory of 1756	1900	wgcwd.exe	120
PID 3792 wrote to memory of 316	3792	waemdl.exe	122
PID 3792 wrote to memory of 316	3792	waemdl.exe	122
PID 3792 wrote to memory of 316	3792	waemdl.exe	122
PID 3792 wrote to memory of 4544	3792	waemdl.exe	123
PID 3792 wrote to memory of 4544	3792	waemdl.exe	123
PID 3792 wrote to memory of 4544	3792	waemdl.exe	123
PID 316 wrote to memory of 5020	316	wbpufb.exe	125
PID 316 wrote to memory of 5020	316	wbpufb.exe	125
PID 316 wrote to memory of 5020	316	wbpufb.exe	125
PID 316 wrote to memory of 4228	316	wbpufb.exe	126
PID 316 wrote to memory of 4228	316	wbpufb.exe	126
PID 316 wrote to memory of 4228	316	wbpufb.exe	126
PID 5020 wrote to memory of 3808	5020	waqgw.exe	128
PID 5020 wrote to memory of 3808	5020	waqgw.exe	128
PID 5020 wrote to memory of 3808	5020	waqgw.exe	128
PID 5020 wrote to memory of 4320	5020	waqgw.exe	129

C:\Users\Admin\AppData\Local\Temp\020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
"C:\Users\Admin\AppData\Local\Temp\020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\SysWOW64\wywhspha.exe
  "C:\Windows\system32\wywhspha.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\wrfdwpt.exe
    "C:\Windows\system32\wrfdwpt.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\wyf.exe
      "C:\Windows\system32\wyf.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\wvxvvlg.exe
        
        "C:\Windows\system32\wvxvvlg.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Windows\SysWOW64\wbtkuso.exe
        
        "C:\Windows\system32\wbtkuso.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\wllmpk.exe
        
        "C:\Windows\system32\wllmpk.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\wgcwd.exe
        
        "C:\Windows\system32\wgcwd.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\waemdl.exe
        
        "C:\Windows\system32\waemdl.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\wbpufb.exe
        
        "C:\Windows\system32\wbpufb.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\waqgw.exe
        
        "C:\Windows\system32\waqgw.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\wany.exe
        
        "C:\Windows\system32\wany.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\waj.exe
        
        "C:\Windows\system32\waj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\wwltqj.exe
        
        "C:\Windows\system32\wwltqj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\wmqhvr.exe
        
        "C:\Windows\system32\wmqhvr.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\wagno.exe
        
        "C:\Windows\system32\wagno.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\wajhjmwxu.exe
        
        "C:\Windows\system32\wajhjmwxu.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\whqdgkt.exe
        
        "C:\Windows\system32\whqdgkt.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\wofmjmx.exe
        
        "C:\Windows\system32\wofmjmx.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\wybvyhk.exe
        
        "C:\Windows\system32\wybvyhk.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\wbmpq.exe
        
        "C:\Windows\system32\wbmpq.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\wxcvkuw.exe
        
        "C:\Windows\system32\wxcvkuw.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\wvtmgn.exe
        
        "C:\Windows\system32\wvtmgn.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\wrkraok.exe
        
        "C:\Windows\system32\wrkraok.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\warxnmhiv.exe
        
        "C:\Windows\system32\warxnmhiv.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\wswwl.exe
        
        "C:\Windows\system32\wswwl.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\wvhejf.exe
        
        "C:\Windows\system32\wvhejf.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\worvbhr.exe
        
        "C:\Windows\system32\worvbhr.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\wvqp.exe
        
        "C:\Windows\system32\wvqp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\wrs.exe
        
        "C:\Windows\system32\wrs.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\wfajqa.exe
        
        "C:\Windows\system32\wfajqa.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\wvyfajemp.exe
        
        "C:\Windows\system32\wvyfajemp.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\wyxdr.exe
        
        "C:\Windows\system32\wyxdr.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\wpmska.exe
        
        "C:\Windows\system32\wpmska.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\wqjvj.exe
        
        "C:\Windows\system32\wqjvj.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\wfpxp.exe
        
        "C:\Windows\system32\wfpxp.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\wphakxqt.exe
        
        "C:\Windows\system32\wphakxqt.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\wpqajq.exe
        
        "C:\Windows\system32\wpqajq.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\wwifm.exe
        
        "C:\Windows\system32\wwifm.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wig.exe
        
        "C:\Windows\system32\wig.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\wtqvv.exe
        
        "C:\Windows\system32\wtqvv.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\wlwvr.exe
        
        "C:\Windows\system32\wlwvr.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\wujj.exe
        
        "C:\Windows\system32\wujj.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\wtgchdp.exe
        
        "C:\Windows\system32\wtgchdp.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wdbx.exe
        
        "C:\Windows\system32\wdbx.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\wpsbjtk.exe
        
        "C:\Windows\system32\wpsbjtk.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\wdacpj.exe
        
        "C:\Windows\system32\wdacpj.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\wwf.exe
        
        "C:\Windows\system32\wwf.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\wsusg.exe
        
        "C:\Windows\system32\wsusg.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\wysrwqtqp.exe
        
        "C:\Windows\system32\wysrwqtqp.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wgdherss.exe
        
        "C:\Windows\system32\wgdherss.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\wkstqb.exe
        
        "C:\Windows\system32\wkstqb.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\wkciuri.exe
        
        "C:\Windows\system32\wkciuri.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\warf.exe
        
        "C:\Windows\system32\warf.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\wvwq.exe
        
        "C:\Windows\system32\wvwq.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\wuxc.exe
        
        "C:\Windows\system32\wuxc.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\wbcdbxcwu.exe
        
        "C:\Windows\system32\wbcdbxcwu.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\wxs.exe
        
        "C:\Windows\system32\wxs.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\wmshg.exe
        
        "C:\Windows\system32\wmshg.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\whicja.exe
        
        "C:\Windows\system32\whicja.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\wjcvol.exe
        
        "C:\Windows\system32\wjcvol.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\wncfxv.exe
        
        "C:\Windows\system32\wncfxv.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\wajvmn.exe
        
        "C:\Windows\system32\wajvmn.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\wephjt.exe
        
        "C:\Windows\system32\wephjt.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\wpdpsk.exe
        
        "C:\Windows\system32\wpdpsk.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\wdtdpl.exe
        
        "C:\Windows\system32\wdtdpl.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\wrwxc.exe
        
        "C:\Windows\system32\wrwxc.exe"
        67⤵
        Checks computer location settings
        
        PID:2648
        
        C:\Windows\SysWOW64\wnbvfufwp.exe
        
        "C:\Windows\system32\wnbvfufwp.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\wgxxouf.exe
        
        "C:\Windows\system32\wgxxouf.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\wtfbsk.exe
        
        "C:\Windows\system32\wtfbsk.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\wcgpme.exe
        
        "C:\Windows\system32\wcgpme.exe"
        71⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\whey.exe
        
        "C:\Windows\system32\whey.exe"
        72⤵
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgpme.exe"
        72⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfbsk.exe"
        71⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxxouf.exe"
        70⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbvfufwp.exe"
        69⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwxc.exe"
        68⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtdpl.exe"
        67⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdpsk.exe"
        66⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1472
        66⤵
        Program crash
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wephjt.exe"
        65⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajvmn.exe"
        64⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncfxv.exe"
        63⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcvol.exe"
        62⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 116
        62⤵
        Program crash
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whicja.exe"
        61⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmshg.exe"
        60⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxs.exe"
        59⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcdbxcwu.exe"
        58⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxc.exe"
        57⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwq.exe"
        56⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warf.exe"
        55⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkciuri.exe"
        54⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkstqb.exe"
        53⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1096
        53⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdherss.exe"
        52⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysrwqtqp.exe"
        51⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsusg.exe"
        50⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwf.exe"
        49⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdacpj.exe"
        48⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpsbjtk.exe"
        47⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"
        46⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1412
        46⤵
        Program crash
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgchdp.exe"
        45⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujj.exe"
        44⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwvr.exe"
        43⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqvv.exe"
        42⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wig.exe"
        41⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwifm.exe"
        40⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqajq.exe"
        39⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1680
        39⤵
        Program crash
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphakxqt.exe"
        38⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpxp.exe"
        37⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjvj.exe"
        36⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmska.exe"
        35⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 116
        35⤵
        Program crash
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdr.exe"
        34⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyfajemp.exe"
        33⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfajqa.exe"
        32⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrs.exe"
        31⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqp.exe"
        30⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worvbhr.exe"
        29⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhejf.exe"
        28⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswwl.exe"
        27⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warxnmhiv.exe"
        26⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkraok.exe"
        25⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtmgn.exe"
        24⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcvkuw.exe"
        23⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmpq.exe"
        22⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybvyhk.exe"
        21⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1536
        21⤵
        Program crash
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofmjmx.exe"
        20⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqdgkt.exe"
        19⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajhjmwxu.exe"
        18⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagno.exe"
        17⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqhvr.exe"
        16⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwltqj.exe"
        15⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waj.exe"
        14⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wany.exe"
        13⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1084
        13⤵
        Program crash
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqgw.exe"
        12⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpufb.exe"
        11⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waemdl.exe"
        10⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcwd.exe"
        9⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllmpk.exe"
        8⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtkuso.exe"
        7⤵
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxvvlg.exe"
        6⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyf.exe"
        5⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfdwpt.exe"
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywhspha.exe"
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe"
  2⤵
  PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1372
  2⤵
  - Program crash
  PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3872 -ip 3872
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3808 -ip 3808
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2464 -ip 2464
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1964 -ip 1964
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4348 -ip 4348
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3420 -ip 3420
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1384 -ip 1384
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 548 -ip 548
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4692 -ip 4692
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waemdl.exe

Filesize
84KB

MD5
85383e25bccd768856f81b2c68585751

SHA1
6a418ac9faeff1c33cf4cdb3cf285e1b83ed689e

SHA256
4d455deba8fcad9ad050d8e16ab320d160632a016c75bb5eb35f09945934bb75

SHA512
0c63c8e63661534a580604b4c40cd4154439b52d1c4c4454d9a9f08873cfae077a26df4cc8ea39838574c9fe2d1e70bea2e9a467c78b325a3fc937523b389e45

Download Submit
C:\Windows\SysWOW64\wagno.exe

Filesize
85KB

MD5
25c43fb98d550e71bc35ffd633506634

SHA1
16d76ba32cfa169374fde9629d548c0d1e0a71b9

SHA256
2d0b55e128d7b43eac6211e9eda3b8bd6cd56a3531390e86da327cb9606e28fe

SHA512
ffa4bd195d3c8b86d07970e365278f08da944ee4f9097470c863c3d0f280c976e812eaca07486a83b4a6297b365ec89b79b8132c1dee7c2275560140e54474c2

Download Submit
C:\Windows\SysWOW64\waj.exe

Filesize
85KB

MD5
f07cd0ba7a9cc127fd40ac761e6a3457

SHA1
451a8595d3ad0f77bbe82eed2985ac10239de190

SHA256
47d14fb25ddbdf8ec5d827a5a0f9c429d46eb60d185c42da3b0e307dd4fc06d0

SHA512
998220fb25e428fd57c7c956267b79fc17b66f47d672759bbdb3d3316a0d29bf59d96e49f2f877c02d71d24c044511876193760073a0daf0da159e7bc02d06fe

Download Submit
C:\Windows\SysWOW64\wajhjmwxu.exe

Filesize
85KB

MD5
a162a67740e8c644b839bccf48aa51f7

SHA1
66546aa49e3989821d812144d2d6ddb5485cadc1

SHA256
34c4e811a76974f205fb272b3c7a0a59713c55a3c4bd39c516f4f6d85302585e

SHA512
35e3da34cf6799915b5ffac027baed3c48a6d8eeb9ac5475ecc87b6deff257229663f971a9481f09d8f3c67a41a782eda7fe0ef1ddd738e2fc760bc0c6c088dc

Download Submit
C:\Windows\SysWOW64\wany.exe

Filesize
84KB

MD5
0807dc624f9f57e42782128be391579e

SHA1
f7323a5ea56cf49cca94ed6992feda6c65265048

SHA256
03b5b728b68532e334a4774845dfc07babb2a355725942bdfbea0c702e4b74bd

SHA512
cf4b96083a98b21d3efc7ec29a195aa2eeafd5cc03518272cff2fe6d10ed3ffb9fb0041ff4f7fd507f71bca5837950c080432c1b7d8c4c74635f9b327eb71864

Download Submit
C:\Windows\SysWOW64\waqgw.exe

Filesize
84KB

MD5
7d19ed4c11c02bdf8e590a3c4c24ca52

SHA1
272947b4ec1912694558800d120a0abeaf381711

SHA256
9623c7e92eb9b5cd31836322a211e1428ab32dce4de4cc9678e57ad29ded9a15

SHA512
a25738f511c804a4b5b307c5604230e3a16b1888f08b3238934faedbad7f9d7a3d0e1f9cb7e4c100b6ca8bb6d97aa94e38accc577db42dea333acc2549f010e2

Download Submit
C:\Windows\SysWOW64\warxnmhiv.exe

Filesize
85KB

MD5
397f1182d8ee60ea100b3be26f0960c1

SHA1
b1556c5b82fc4d83dd791e41755fb26efdcacfd5

SHA256
2d62c2d36ba2fb45feddf3d2d22e2dcf1af7769742e7cac3c003b1edb20fdc17

SHA512
17cfe30a540cbc97d9bd62c0558859769fb24172fbda9e2ebc5af04107596b96517af811c471509a290791e01fc0a2f3abd67b5c7ad7366d8e9b150990f7e80b

Download Submit
C:\Windows\SysWOW64\wbmpq.exe

Filesize
85KB

MD5
8c265a80fa4d177f7ee94f112be2f870

SHA1
d83810f2b8dff3b4ee820be4b98dc7bc269c4438

SHA256
1a6eddf335a559a9af722183d318133e893ff6d24592041afd12a764c8cc82d8

SHA512
b6188db067cb244ad0e53d7f27ccc5c27a8e4338fe0814df7f87496b5ece5c7df798e0f01e7c129db98b0e5399ef0b9722d87963108be96d255e8505c02247a7

Download Submit
C:\Windows\SysWOW64\wbpufb.exe

Filesize
84KB

MD5
068bd04ee8186a495e01817fd4beb752

SHA1
e8a64a451ca89a9e3cc8573e4dcf2a8f74436e6e

SHA256
baf53decb967324e21f2e6d712f657c336879559c967c69557335578094f1157

SHA512
94f6bb4bfc5b2c21ff1f1bb2d58fd625eb1305949e98003b259450140da10a006497b8d32a74f3a4b9987d10b05947dbc36043fba1b90235418a8931aeee7a98

Download Submit
C:\Windows\SysWOW64\wbtkuso.exe

Filesize
84KB

MD5
6542e1e7ba8b0b19ac4e8aa2f55c7c50

SHA1
e4bf8ac1663fde9b0c91c8d7146a430e02701385

SHA256
37f5ea414def83d8d9f7d0d76abee4109a3604a33b715fdf53b6399055d8be60

SHA512
49ca7586ae7c2bacc8306726ea13c7534d04f600d9a6f60a9dfec22d829b223703086c11aabece8d67d020788f40526a22aed9dd07000e02251bf4bf8219e3f7

Download Submit
C:\Windows\SysWOW64\wfajqa.exe

Filesize
85KB

MD5
5326ee47c9ee909e6f661cdad185e8c0

SHA1
47c62b380952ad71e29dd6e1c5cf05d6d40a3a4d

SHA256
16275b3b17edcd736c953f3606cd8e0acf7cc3fea8556d4a872aee39e4568702

SHA512
83b77150442e6a971265ef6ac95b602ee5e98e1dd20b05e43266e6d65d1eb774a371bb4db0f76f6acfdb1d43291e0d78aafeedc002132b36087f5d75cb4f58b7

Download Submit
C:\Windows\SysWOW64\wgcwd.exe

Filesize
84KB

MD5
f58eed8bc2caaaee99ec98427b6e42d7

SHA1
5867be8330c6461488bf25d8eb501d91db00f291

SHA256
3d75e5575c184c0327a24d7b44dd0b91720a7cba7e3b241cbc8a08b90522299e

SHA512
683246393bcf7319694b01c2ea257802502b3e77a7479158e0405ba9e83a5d775588a0b32e735b7f00950493e8e4909547f3d9e9b7b60b4cb3117273e8bddced

Download Submit
C:\Windows\SysWOW64\whqdgkt.exe

Filesize
85KB

MD5
16046d186c2cf90a0f46b2a3cae2dc9e

SHA1
20b2f1162a9d6ca895735ea0a63bbb129e89303a

SHA256
26b67ff3eb8dece2bda66000fb16c0dd7c2123e352e7e3bd8d1856964d3ead92

SHA512
26d3a14482b2669db214a6a56bbf1bfd01723baa9ab2a5094d36bfec566df91a7f73a00e12c915a9898fa0df93941f188d92aa8cf4750261503fbaa25650bf30

Download Submit
C:\Windows\SysWOW64\wllmpk.exe

Filesize
84KB

MD5
b18ee828d5e9d6cbe4b4366bda90dd10

SHA1
9f0963ed9acc87aaf2f4e8715491b788f4686115

SHA256
0ed12a5e66cb0226607e10c9e7ec64068f7fca868575666868a3e0e49d364932

SHA512
5dad5316f6b2ac11968aa93c42f9084c931c7496e7e1336b90ad7059eabf8de86d28e71107fbfbd02536f3efa4affc012becfa605c34ab763f455c8dff28a071

Download Submit
C:\Windows\SysWOW64\wmqhvr.exe

Filesize
85KB

MD5
67a223107a86a99a6c9ec3adfb0bc88e

SHA1
e83deb18645f942bfea9d860cd1db31a5a36cf4e

SHA256
847ec94e8cbb7c363ae63f19afde2c05a268608bebaf113d3c7ab1747bbf26c5

SHA512
11c3cbcdd9b93f356f9217bde7300a41cb929b01336e81d4d03629f908074195afa88bd71f76c131b9ccfd49fcef2d60a6472fec67d2ac7c043af75517112020

Download Submit
C:\Windows\SysWOW64\wofmjmx.exe

Filesize
85KB

MD5
4e14869f9c94915903047d318f133cbd

SHA1
1ce0ecfab4abac961f5456ca4f977ca9a92fb8cf

SHA256
3ef8d83a26c02103a9610b1c434f0e62eced813db4048bf0e6c44472ac3ce9a1

SHA512
34ee52103f7f6fb9667746c80dc1c2fd12f77ca13d716807ac7b060a1af1f351eeec0fb213b3ba55bb528422dc085cc51e43347420371fe0d6e9d64ebcd22f38

Download Submit
C:\Windows\SysWOW64\worvbhr.exe

Filesize
85KB

MD5
698b41d8f70fcc0d8aaa1fad4e11dc80

SHA1
deeb0565e39115543d1c9486f5afd5e51d36b027

SHA256
834eafa78e05825bed08cd5abcb1c10f931fa91d5af05a4871c0f6850d152243

SHA512
edb906087f9a31bbb850b5c1bba1766942abb6c64ce49d65ee0c17d44a6cfdca96125744f0fce986ba2d4fb94967117e8affa7c6c582d6a3309c357219a33c27

Download Submit
C:\Windows\SysWOW64\wrfdwpt.exe

Filesize
84KB

MD5
0e4b32d6366cc83d383f1e7227f43046

SHA1
a9808c21e370b051a986ad7fa3e8aaf0dace4acc

SHA256
e9f6ab7309924198da41d39089354b4ef1ab47b11fca22fa8b7e849b53086922

SHA512
e1c08a3a819c316e7bcdfb767edd3e1b693a7f26dcad91f7167992de0cafd67d372b8829bd006eec3e2ce4741c2f7ecc43246c3aaac403085a527e1b48506d98

Download Submit
C:\Windows\SysWOW64\wrkraok.exe

Filesize
85KB

MD5
6acc1cf1148cf43abd89475b2a1ade21

SHA1
22f86e0fe1be5c5a791a2f3a85220f92bf29014f

SHA256
7151c26b4b20b06511dc27693978ff299d5ca6a22a84897c86eef6a64fc644a9

SHA512
7a8ecf4d46234ef63b84585128b832a34ec06e3dac2969d6911c2877818169e03538ed73b59719cb084f091cea9faa9ef186fcefdcaeb9cda90e913700b77fe8

Download Submit
C:\Windows\SysWOW64\wrs.exe

Filesize
85KB

MD5
7fea8f0fc7df5e964a7aa8766836a9fb

SHA1
25b50fc9fd14776fc0ee254b7e0fa2b607e4a759

SHA256
151a336168ce93dff79f10d2ceed4da5111acbaa9964fdfba0e1033d02e64812

SHA512
eddac3dd728b2a350819818a6d9ad2af3d014d3ad122c0e8481554c485d45b7fbbee4f6668726fd4abf15aa9deab61f4e3219ec32d1a77fec344aa603136f13b

Download Submit
C:\Windows\SysWOW64\wswwl.exe

Filesize
85KB

MD5
66c036052b10b1176224d05893347adc

SHA1
a80565b2389385f97c0f9e1b6f42217a0fb23caa

SHA256
8afecb757da5a9aa427c56979836346aa243792530c5ff08a02c7eb2fc7cef11

SHA512
d7f5e8726cc15d6dce63061cab07a82f8b876b1f8800db2a28af52d3bbed5322d647e8eeee3a8e8503ca756f24e41488ddeccfdc2bfd56dfa3b12c094384e69b

Download Submit
C:\Windows\SysWOW64\wvhejf.exe

Filesize
85KB

MD5
46f231be1328b1de1616b26fa9d3e682

SHA1
372dd36daf0c8902fff4abea52e5781e12030557

SHA256
8c234c40a4297302bb023774ed0795e1ab4cbb70060e9610e5a8f959393875ba

SHA512
d78b57a304fa541ac9b0e6f9289fda48c5438dc18b18ea29aa74f0170b7d872cfdb598b642b96ce7080aa3f5fcc1f8c5328817025e746861062b996c6c3f01d1

Download Submit
C:\Windows\SysWOW64\wvqp.exe

Filesize
85KB

MD5
9abd9764d2ae6f8b25a9ec7925d4dbdd

SHA1
eed04cf46a422e3f79ad22dae3d82c287d6ed0fc

SHA256
628ca9c737ca397279e3fdeda3a9644ab2f2f9274a523dba6d950a7a7f41800e

SHA512
e544e51a5be2a7c57c364df25c7ca3e3e5cd21cb8050d9ac9ec342ea40fc7c9de9510330702691850394d7defca57fcd535519b476cb5b4a78527d446136f47f

Download Submit
C:\Windows\SysWOW64\wvtmgn.exe

Filesize
85KB

MD5
84bbbebca3acdb7b6f5564f8c7390a21

SHA1
6b4d0f4da2f45ac341fd99fafe672d7752b5f92f

SHA256
819551241cbaa0409cf2b7c4a6ca56ea3259ec3eaebc0b5c1e87f1b3522f23cd

SHA512
88d3c125cd9e9eece859c844fd9cb1db73427fa2135fbba25ef89f2e909af1951eead56fad12618708a5de74a706540f61bd351737078cb61e27746ce8a33b92

Download Submit
C:\Windows\SysWOW64\wvxvvlg.exe

Filesize
84KB

MD5
f73af4fc0e5d6d0176707772aa18ad54

SHA1
397a3e0011d0950ebacb51c0ea635b8485a49b4e

SHA256
b2898799bbe9e270cc74dab3c2325e93811453d2c207ebfb4c422ff2d8f00540

SHA512
9a1c33135e5bf019c1a18209c4b61223e91a572510d5223a59fde8aa268f3d9a7ef1f929cfadb39b160e0a00de40bf37a153d30e35e600236df9008f9f342f23

Download Submit
C:\Windows\SysWOW64\wvyfajemp.exe

Filesize
85KB

MD5
7429c962fd2bbc37c5b27a0edb82fc77

SHA1
fe69a3d035ca0d0caf52a2474cfb600764e3b36f

SHA256
994335ea83687083f7317ee1d3aa9c33baf046c70f09092b926a065ba6867a19

SHA512
c732b07baf94d90b78391c1b083a478fd2ba47f08182cebd2286e2748f36479d0d49ffc9268d902d7ec523a082c4c847cc8e5c3ea7bf739c385accbe5785d221

Download Submit
C:\Windows\SysWOW64\wwltqj.exe

Filesize
85KB

MD5
154aed622dda9f42f2067794ed7b3d30

SHA1
874db4cf6001505c974cf1e807a367655e0a5e5d

SHA256
240a41fe686f0bd20819fb684e888962b04926307b8d8d6e3877274b7c99c7a4

SHA512
5a4bda41f19f580d00a25931a59afb0a79385854394ee1a8839c19877b60cbd8938d32f5491eecd515a0391274b40e4412add3c34c68e0911f19c041ddb3e154

Download Submit
C:\Windows\SysWOW64\wxcvkuw.exe

Filesize
85KB

MD5
6d871d1ca47320e9b3fbb40bfba30850

SHA1
8a100b9ebe36b910af3db8dcf72b1b3a39a29c76

SHA256
946a072b4b16fc12ed132ece5e4fdbf516c2d359c683bba2993db4511986edd6

SHA512
120dc180a857584867f8d8bb134e2f28128ce246770ea378020305d017bb91d1adecdc2caadec6f646cc83b3a4c8bac65975a7910f17ff242dd9c5d0640a6b36

Download Submit
C:\Windows\SysWOW64\wybvyhk.exe

Filesize
85KB

MD5
bd55dd84476ba63e49210a780772f4b1

SHA1
9f3167d5f1d9f6ced4e8ac10272b3bb726b4e7af

SHA256
9914e25666fef9a6e1ce18cc8e656084186388a6cf6c8213a9617c4216383b71

SHA512
a2f56292a9b4addbcbafefc12d431ee654f797b5d77fed05dae1969b84975fb0d1937ab0a3b98e90b5ba86a4a0eca642f22aca90a83ff15ee3aa53be80d79744

Download Submit
C:\Windows\SysWOW64\wyf.exe

Filesize
84KB

MD5
b6161bbaadfc5b446624ba1d10a5cd58

SHA1
8b1b5443f10922451fafd1065e3ebcbede71eb6f

SHA256
bbe66b3d8cb290348ca1aac24234f4c7fd9fa3b62d4b7687ab98075862308c35

SHA512
88b9c304962e280bac550a32d6a2d9d3a1c5bd17f9053e81e19f2b6afef73fb143250ad699ef2f17f8d75ac7c70ae688bacb2c7a16555ac7f22a583c7550f367

Download Submit
C:\Windows\SysWOW64\wywhspha.exe

Filesize
84KB

MD5
964ec5c807588c449167dafc6d6ea19a

SHA1
267a951f1b66e6a29d8a52e98adf67ec145db9a7

SHA256
fd0e15e3446e588cdf81173a5ef9eba46fe34c0842c53e8fd3e9efd327d71e7a

SHA512
d0eca0b8c176449de08134ccf188d619c631c79f208566f0302495f06fb666d8d35329f6989c318551df574a9cc8b3ade4263bb3f17eb372c12d311cc61fa81e

Download Submit
C:\Windows\SysWOW64\wyxdr.exe

Filesize
85KB

MD5
01739beb47b77785771248564840d65a

SHA1
7fc59ab10aae819545660d1fe84e8b538b2c0683

SHA256
8acac3217e1a7fa41235d9332050ae123b23b9ed04410eeb7f826b3319a7c01c

SHA512
3bb3a8a8976a08569e086065c7df4fe51a04beaddcfeecb800298c10887c862d69b8c6b234af927a5ab2b75210bb0fd2dbb4aaea0f6f95d665f832094b052a40

Download Submit
memory/316-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/316-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-453-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-443-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/448-469-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/448-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/548-579-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/760-554-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/784-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/816-360-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/936-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1016-587-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1208-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1212-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-503-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1612-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1676-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-393-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-511-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-502-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-596-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1776-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1844-553-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1844-563-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1868-494-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1900-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1900-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1964-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1964-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-285-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2092-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2092-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2288-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2308-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2308-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2312-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2340-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2340-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-528-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2368-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-477-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-486-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2648-628-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2696-461-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2696-452-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-275-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-401-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3016-537-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3016-527-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3056-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3108-571-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3108-562-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3148-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3320-604-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3320-595-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3420-444-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3512-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3556-478-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-410-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3688-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3872-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3872-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3876-252-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3876-264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4136-645-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-418-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-409-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4228-253-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4228-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4272-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4348-385-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4524-620-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4572-536-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4572-545-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-612-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4788-419-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4788-427-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4804-637-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4968-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5000-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5020-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5084-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5084-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5100-435-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download