8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
Size

95KB
MD5

dae0f5a372c4d81db2707d9a98a3436a
SHA1

44f049493d4c796359a6bf9de024d12128b7fbbd
SHA256

8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746
SHA512

50d00068e517f46170c67688e3c0ae3437c0eb7afb47a53cdc53f043f9997e4f27db24f8184e8ea43c32bd31b2b16cb27390138486f9969c47f8e7a40644524b
SSDEEP

1536:BYUb5NE3yZIp+6HO5J4ggpMFSvIKEu0dX4Ypki:BYUb5QoJ4g+FXOki

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2320	wqxc.exe
2740	wutgeu.exe
1500	wfejqpste.exe
2352	wnmfsn.exe
1920	wfquewsvw.exe
2212	wviuug.exe
1704	waxxtmi.exe
1532	wvuvql.exe
2696	wevqg.exe
2604	wahrc.exe
2144	wlnxo.exe
2012	wgqddens.exe
3044	wsm.exe
2648	wwghmm.exe
2420	wuowygr.exe
2156	wmmycnnf.exe
1496	wlkrper.exe
3056	wuxsgbwua.exe
2704	wxfsrk.exe
2444	whb.exe
1064	wljf.exe
1788	wsqdbrpah.exe
2380	wfihbjbqi.exe
2840	wkelmo.exe
1672	wlpus.exe
2484	wfwtsvqh.exe
2636	wpcre.exe
652	wwtxoap.exe
1448	wfqlj.exe
2032	wiiwb.exe
2260	wrfkxi.exe
2428	wdkdqyoy.exe
2936	wgvolhlt.exe
572	wupmftdp.exe
2692	wgprskvp.exe
2724	wsoia.exe
1548	wiyge.exe
2008	wrusyp.exe
2856	wtctlxx.exe
400	wdecwha.exe
1960	wdtuxy.exe
892	wbvxdsdo.exe
940	wskxfgmo.exe
2548	wiuvjqsk.exe
2760	wvboei.exe
2656	wmgsunxl.exe
264	waxvufi.exe
2092	wukkkewq.exe
868	wgulyya.exe
1712	whrgk.exe
844	wwxvuwhij.exe
1704	wohhif.exe
2948	wjuuwefd.exe
3040	waluomti.exe
2324	waiocew.exe
2004	wdinanh.exe
1260	wgclka.exe
2964	woxwgau.exe
1600	weaheju.exe
2940	whjthw.exe
2248	wlqttfd.exe
2316	wydhxn.exe
2644	whjd.exe
1700	whgxnep.exe

Loads dropped DLL 64 IoCs

pid	Process
3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
2320	wqxc.exe
2320	wqxc.exe
2320	wqxc.exe
2320	wqxc.exe
2740	wutgeu.exe
2740	wutgeu.exe
2740	wutgeu.exe
2740	wutgeu.exe
1500	wfejqpste.exe
1500	wfejqpste.exe
1500	wfejqpste.exe
1500	wfejqpste.exe
2352	wnmfsn.exe
2352	wnmfsn.exe
2352	wnmfsn.exe
2352	wnmfsn.exe
1920	wfquewsvw.exe
1920	wfquewsvw.exe
1920	wfquewsvw.exe
1920	wfquewsvw.exe
2212	wviuug.exe
2212	wviuug.exe
2212	wviuug.exe
2212	wviuug.exe
1704	waxxtmi.exe
1704	waxxtmi.exe
1704	waxxtmi.exe
1704	waxxtmi.exe
1532	wvuvql.exe
1532	wvuvql.exe
1532	wvuvql.exe
1532	wvuvql.exe
2696	wevqg.exe
2696	wevqg.exe
2696	wevqg.exe
2696	wevqg.exe
2604	wahrc.exe
2604	wahrc.exe
2604	wahrc.exe
2604	wahrc.exe
2144	wlnxo.exe
2144	wlnxo.exe
2144	wlnxo.exe
2144	wlnxo.exe
2012	wgqddens.exe
2012	wgqddens.exe
2012	wgqddens.exe
2012	wgqddens.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3044	wsm.exe
3044	wsm.exe
3044	wsm.exe
3044	wsm.exe
2648	wwghmm.exe
2648	wwghmm.exe
2648	wwghmm.exe
2648	wwghmm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wupmftdp.exe	wgvolhlt.exe
File created	C:\Windows\SysWOW64\woxwgau.exe	wgclka.exe
File opened for modification	C:\Windows\SysWOW64\wwghmm.exe	wsm.exe
File created	C:\Windows\SysWOW64\wuxsgbwua.exe	wlkrper.exe
File created	C:\Windows\SysWOW64\wupmftdp.exe	wgvolhlt.exe
File opened for modification	C:\Windows\SysWOW64\wjuuwefd.exe	wohhif.exe
File opened for modification	C:\Windows\SysWOW64\woxwgau.exe	wgclka.exe
File opened for modification	C:\Windows\SysWOW64\whgxnep.exe	whjd.exe
File created	C:\Windows\SysWOW64\waxxtmi.exe	wviuug.exe
File opened for modification	C:\Windows\SysWOW64\wiiwb.exe	wfqlj.exe
File created	C:\Windows\SysWOW64\wpcre.exe	wfwtsvqh.exe
File opened for modification	C:\Windows\SysWOW64\wiyge.exe	wsoia.exe
File created	C:\Windows\SysWOW64\wskxfgmo.exe	wbvxdsdo.exe
File opened for modification	C:\Windows\SysWOW64\waxvufi.exe	wmgsunxl.exe
File created	C:\Windows\SysWOW64\wgclka.exe	wdinanh.exe
File created	C:\Windows\SysWOW64\wvuvql.exe	waxxtmi.exe
File opened for modification	C:\Windows\SysWOW64\wuxsgbwua.exe	wlkrper.exe
File created	C:\Windows\SysWOW64\whjthw.exe	weaheju.exe
File opened for modification	C:\Windows\SysWOW64\wvc.exe	wugsbkl.exe
File created	C:\Windows\SysWOW64\wmgsunxl.exe	wvboei.exe
File created	C:\Windows\SysWOW64\wwxvuwhij.exe	whrgk.exe
File created	C:\Windows\SysWOW64\waluomti.exe	wjuuwefd.exe
File created	C:\Windows\SysWOW64\wmmycnnf.exe	wuowygr.exe
File opened for modification	C:\Windows\SysWOW64\wrusyp.exe	wiyge.exe
File created	C:\Windows\SysWOW64\wohhif.exe	wwxvuwhij.exe
File created	C:\Windows\SysWOW64\whgxnep.exe	whjd.exe
File opened for modification	C:\Windows\SysWOW64\whb.exe	wxfsrk.exe
File opened for modification	C:\Windows\SysWOW64\wkelmo.exe	wfihbjbqi.exe
File created	C:\Windows\SysWOW64\wfwtsvqh.exe	wlpus.exe
File opened for modification	C:\Windows\SysWOW64\wfwtsvqh.exe	wlpus.exe
File created	C:\Windows\SysWOW64\wwtxoap.exe	wpcre.exe
File created	C:\Windows\SysWOW64\wiiwb.exe	wfqlj.exe
File created	C:\Windows\SysWOW64\wevqg.exe	wvuvql.exe
File created	C:\Windows\SysWOW64\wlkrper.exe	wmmycnnf.exe
File created	C:\Windows\SysWOW64\whrgk.exe	wgulyya.exe
File created	C:\Windows\SysWOW64\wdinanh.exe	waiocew.exe
File created	C:\Windows\SysWOW64\wrfkxi.exe	wiiwb.exe
File created	C:\Windows\SysWOW64\wdtuxy.exe	wdecwha.exe
File opened for modification	C:\Windows\SysWOW64\wljf.exe	whb.exe
File created	C:\Windows\SysWOW64\wlpus.exe	wkelmo.exe
File created	C:\Windows\SysWOW64\wuowygr.exe	wwghmm.exe
File created	C:\Windows\SysWOW64\whb.exe	wxfsrk.exe
File created	C:\Windows\SysWOW64\wfihbjbqi.exe	wsqdbrpah.exe
File opened for modification	C:\Windows\SysWOW64\wfihbjbqi.exe	wsqdbrpah.exe
File created	C:\Windows\SysWOW64\wsoia.exe	wgprskvp.exe
File opened for modification	C:\Windows\SysWOW64\wukkkewq.exe	waxvufi.exe
File created	C:\Windows\SysWOW64\wgqddens.exe	wlnxo.exe
File opened for modification	C:\Windows\SysWOW64\wgqddens.exe	wlnxo.exe
File created	C:\Windows\SysWOW64\whjd.exe	wydhxn.exe
File created	C:\Windows\SysWOW64\wkehmiuv.exe	wsyrc.exe
File created	C:\Windows\SysWOW64\wjuuwefd.exe	wohhif.exe
File created	C:\Windows\SysWOW64\wydhxn.exe	wlqttfd.exe
File created	C:\Windows\SysWOW64\wiuvjqsk.exe	wskxfgmo.exe
File opened for modification	C:\Windows\SysWOW64\wydhxn.exe	wlqttfd.exe
File opened for modification	C:\Windows\SysWOW64\wnunq.exe	wgjhued.exe
File opened for modification	C:\Windows\SysWOW64\wugsbkl.exe	wbwyg.exe
File opened for modification	C:\Windows\SysWOW64\waxxtmi.exe	wviuug.exe
File opened for modification	C:\Windows\SysWOW64\wlkrper.exe	wmmycnnf.exe
File opened for modification	C:\Windows\SysWOW64\wevqg.exe	wvuvql.exe
File created	C:\Windows\SysWOW64\wjjhja.exe	wslg.exe
File opened for modification	C:\Windows\SysWOW64\wdtuxy.exe	wdecwha.exe
File opened for modification	C:\Windows\SysWOW64\wfquewsvw.exe	wnmfsn.exe
File created	C:\Windows\SysWOW64\wsqdbrpah.exe	wljf.exe
File opened for modification	C:\Windows\SysWOW64\wlpus.exe	wkelmo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	2012	WerFault.exe	64

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2320	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	31
PID 3020 wrote to memory of 2320	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	31
PID 3020 wrote to memory of 2320	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	31
PID 3020 wrote to memory of 2320	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	31
PID 3020 wrote to memory of 2700	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	32
PID 3020 wrote to memory of 2700	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	32
PID 3020 wrote to memory of 2700	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	32
PID 3020 wrote to memory of 2700	3020	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	32
PID 2320 wrote to memory of 2740	2320	wqxc.exe	34
PID 2320 wrote to memory of 2740	2320	wqxc.exe	34
PID 2320 wrote to memory of 2740	2320	wqxc.exe	34
PID 2320 wrote to memory of 2740	2320	wqxc.exe	34
PID 2320 wrote to memory of 2544	2320	wqxc.exe	35
PID 2320 wrote to memory of 2544	2320	wqxc.exe	35
PID 2320 wrote to memory of 2544	2320	wqxc.exe	35
PID 2320 wrote to memory of 2544	2320	wqxc.exe	35
PID 2740 wrote to memory of 1500	2740	wutgeu.exe	37
PID 2740 wrote to memory of 1500	2740	wutgeu.exe	37
PID 2740 wrote to memory of 1500	2740	wutgeu.exe	37
PID 2740 wrote to memory of 1500	2740	wutgeu.exe	37
PID 2740 wrote to memory of 1900	2740	wutgeu.exe	38
PID 2740 wrote to memory of 1900	2740	wutgeu.exe	38
PID 2740 wrote to memory of 1900	2740	wutgeu.exe	38
PID 2740 wrote to memory of 1900	2740	wutgeu.exe	38
PID 1500 wrote to memory of 2352	1500	wfejqpste.exe	40
PID 1500 wrote to memory of 2352	1500	wfejqpste.exe	40
PID 1500 wrote to memory of 2352	1500	wfejqpste.exe	40
PID 1500 wrote to memory of 2352	1500	wfejqpste.exe	40
PID 1500 wrote to memory of 2536	1500	wfejqpste.exe	41
PID 1500 wrote to memory of 2536	1500	wfejqpste.exe	41
PID 1500 wrote to memory of 2536	1500	wfejqpste.exe	41
PID 1500 wrote to memory of 2536	1500	wfejqpste.exe	41
PID 2352 wrote to memory of 1920	2352	wnmfsn.exe	43
PID 2352 wrote to memory of 1920	2352	wnmfsn.exe	43
PID 2352 wrote to memory of 1920	2352	wnmfsn.exe	43
PID 2352 wrote to memory of 1920	2352	wnmfsn.exe	43
PID 2352 wrote to memory of 2648	2352	wnmfsn.exe	44
PID 2352 wrote to memory of 2648	2352	wnmfsn.exe	44
PID 2352 wrote to memory of 2648	2352	wnmfsn.exe	44
PID 2352 wrote to memory of 2648	2352	wnmfsn.exe	44
PID 1920 wrote to memory of 2212	1920	wfquewsvw.exe	46
PID 1920 wrote to memory of 2212	1920	wfquewsvw.exe	46
PID 1920 wrote to memory of 2212	1920	wfquewsvw.exe	46
PID 1920 wrote to memory of 2212	1920	wfquewsvw.exe	46
PID 1920 wrote to memory of 1640	1920	wfquewsvw.exe	47
PID 1920 wrote to memory of 1640	1920	wfquewsvw.exe	47
PID 1920 wrote to memory of 1640	1920	wfquewsvw.exe	47
PID 1920 wrote to memory of 1640	1920	wfquewsvw.exe	47
PID 2212 wrote to memory of 1704	2212	wviuug.exe	49
PID 2212 wrote to memory of 1704	2212	wviuug.exe	49
PID 2212 wrote to memory of 1704	2212	wviuug.exe	49
PID 2212 wrote to memory of 1704	2212	wviuug.exe	49
PID 2212 wrote to memory of 2868	2212	wviuug.exe	50
PID 2212 wrote to memory of 2868	2212	wviuug.exe	50
PID 2212 wrote to memory of 2868	2212	wviuug.exe	50
PID 2212 wrote to memory of 2868	2212	wviuug.exe	50
PID 1704 wrote to memory of 1532	1704	waxxtmi.exe	52
PID 1704 wrote to memory of 1532	1704	waxxtmi.exe	52
PID 1704 wrote to memory of 1532	1704	waxxtmi.exe	52
PID 1704 wrote to memory of 1532	1704	waxxtmi.exe	52
PID 1704 wrote to memory of 1524	1704	waxxtmi.exe	53
PID 1704 wrote to memory of 1524	1704	waxxtmi.exe	53
PID 1704 wrote to memory of 1524	1704	waxxtmi.exe	53
PID 1704 wrote to memory of 1524	1704	waxxtmi.exe	53

C:\Users\Admin\AppData\Local\Temp\8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
"C:\Users\Admin\AppData\Local\Temp\8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\wqxc.exe
  "C:\Windows\system32\wqxc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\wutgeu.exe
    "C:\Windows\system32\wutgeu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\wfejqpste.exe
      "C:\Windows\system32\wfejqpste.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\wnmfsn.exe
        
        "C:\Windows\system32\wnmfsn.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\SysWOW64\wfquewsvw.exe
        
        "C:\Windows\system32\wfquewsvw.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\wviuug.exe
        
        "C:\Windows\system32\wviuug.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\waxxtmi.exe
        
        "C:\Windows\system32\waxxtmi.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\wvuvql.exe
        
        "C:\Windows\system32\wvuvql.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\wevqg.exe
        
        "C:\Windows\system32\wevqg.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2696
        
        C:\Windows\SysWOW64\wahrc.exe
        
        "C:\Windows\system32\wahrc.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2604
        
        C:\Windows\SysWOW64\wlnxo.exe
        
        "C:\Windows\system32\wlnxo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\wgqddens.exe
        
        "C:\Windows\system32\wgqddens.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2012
        
        C:\Windows\SysWOW64\wsm.exe
        
        "C:\Windows\system32\wsm.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wwghmm.exe
        
        "C:\Windows\system32\wwghmm.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\wuowygr.exe
        
        "C:\Windows\system32\wuowygr.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wmmycnnf.exe
        
        "C:\Windows\system32\wmmycnnf.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\wlkrper.exe
        
        "C:\Windows\system32\wlkrper.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\wuxsgbwua.exe
        
        "C:\Windows\system32\wuxsgbwua.exe"
        19⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\wxfsrk.exe
        
        "C:\Windows\system32\wxfsrk.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\whb.exe
        
        "C:\Windows\system32\whb.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\wljf.exe
        
        "C:\Windows\system32\wljf.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\wsqdbrpah.exe
        
        "C:\Windows\system32\wsqdbrpah.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\wfihbjbqi.exe
        
        "C:\Windows\system32\wfihbjbqi.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\wkelmo.exe
        
        "C:\Windows\system32\wkelmo.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\wlpus.exe
        
        "C:\Windows\system32\wlpus.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\wfwtsvqh.exe
        
        "C:\Windows\system32\wfwtsvqh.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\wpcre.exe
        
        "C:\Windows\system32\wpcre.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\wwtxoap.exe
        
        "C:\Windows\system32\wwtxoap.exe"
        29⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\wfqlj.exe
        
        "C:\Windows\system32\wfqlj.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\wiiwb.exe
        
        "C:\Windows\system32\wiiwb.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\wrfkxi.exe
        
        "C:\Windows\system32\wrfkxi.exe"
        32⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\wdkdqyoy.exe
        
        "C:\Windows\system32\wdkdqyoy.exe"
        33⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\wgvolhlt.exe
        
        "C:\Windows\system32\wgvolhlt.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wupmftdp.exe
        
        "C:\Windows\system32\wupmftdp.exe"
        35⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\wgprskvp.exe
        
        "C:\Windows\system32\wgprskvp.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\wsoia.exe
        
        "C:\Windows\system32\wsoia.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\wiyge.exe
        
        "C:\Windows\system32\wiyge.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wrusyp.exe
        
        "C:\Windows\system32\wrusyp.exe"
        39⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\wtctlxx.exe
        
        "C:\Windows\system32\wtctlxx.exe"
        40⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\wdecwha.exe
        
        "C:\Windows\system32\wdecwha.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\wdtuxy.exe
        
        "C:\Windows\system32\wdtuxy.exe"
        42⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\wbvxdsdo.exe
        
        "C:\Windows\system32\wbvxdsdo.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\wskxfgmo.exe
        
        "C:\Windows\system32\wskxfgmo.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\wiuvjqsk.exe
        
        "C:\Windows\system32\wiuvjqsk.exe"
        45⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\wvboei.exe
        
        "C:\Windows\system32\wvboei.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wmgsunxl.exe
        
        "C:\Windows\system32\wmgsunxl.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\waxvufi.exe
        
        "C:\Windows\system32\waxvufi.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:264
        
        C:\Windows\SysWOW64\wukkkewq.exe
        
        "C:\Windows\system32\wukkkewq.exe"
        49⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\wgulyya.exe
        
        "C:\Windows\system32\wgulyya.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\whrgk.exe
        
        "C:\Windows\system32\whrgk.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\wwxvuwhij.exe
        
        "C:\Windows\system32\wwxvuwhij.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\wohhif.exe
        
        "C:\Windows\system32\wohhif.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\wjuuwefd.exe
        
        "C:\Windows\system32\wjuuwefd.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\waluomti.exe
        
        "C:\Windows\system32\waluomti.exe"
        55⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\waiocew.exe
        
        "C:\Windows\system32\waiocew.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\wdinanh.exe
        
        "C:\Windows\system32\wdinanh.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\wgclka.exe
        
        "C:\Windows\system32\wgclka.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\woxwgau.exe
        
        "C:\Windows\system32\woxwgau.exe"
        59⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\weaheju.exe
        
        "C:\Windows\system32\weaheju.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\whjthw.exe
        
        "C:\Windows\system32\whjthw.exe"
        61⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\wlqttfd.exe
        
        "C:\Windows\system32\wlqttfd.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\wydhxn.exe
        
        "C:\Windows\system32\wydhxn.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\whjd.exe
        
        "C:\Windows\system32\whjd.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\whgxnep.exe
        
        "C:\Windows\system32\whgxnep.exe"
        65⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\wrgrbqn.exe
        
        "C:\Windows\system32\wrgrbqn.exe"
        66⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\wsyrc.exe
        
        "C:\Windows\system32\wsyrc.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\wkehmiuv.exe
        
        "C:\Windows\system32\wkehmiuv.exe"
        68⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\wgjhued.exe
        
        "C:\Windows\system32\wgjhued.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\wnunq.exe
        
        "C:\Windows\system32\wnunq.exe"
        70⤵
        
        PID:448
        
        C:\Windows\SysWOW64\wdlbrrpqs.exe
        
        "C:\Windows\system32\wdlbrrpqs.exe"
        71⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\wodfrkbg.exe
        
        "C:\Windows\system32\wodfrkbg.exe"
        72⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\wslg.exe
        
        "C:\Windows\system32\wslg.exe"
        73⤵
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\wjjhja.exe
        
        "C:\Windows\system32\wjjhja.exe"
        74⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\wbwyg.exe
        
        "C:\Windows\system32\wbwyg.exe"
        75⤵
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\wugsbkl.exe
        
        "C:\Windows\system32\wugsbkl.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\wvc.exe
        
        "C:\Windows\system32\wvc.exe"
        77⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugsbkl.exe"
        77⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwyg.exe"
        76⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjhja.exe"
        75⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslg.exe"
        74⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodfrkbg.exe"
        73⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdlbrrpqs.exe"
        72⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnunq.exe"
        71⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjhued.exe"
        70⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkehmiuv.exe"
        69⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsyrc.exe"
        68⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgrbqn.exe"
        67⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgxnep.exe"
        66⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjd.exe"
        65⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydhxn.exe"
        64⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqttfd.exe"
        63⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjthw.exe"
        62⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weaheju.exe"
        61⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxwgau.exe"
        60⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgclka.exe"
        59⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdinanh.exe"
        58⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waiocew.exe"
        57⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waluomti.exe"
        56⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjuuwefd.exe"
        55⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohhif.exe"
        54⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxvuwhij.exe"
        53⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrgk.exe"
        52⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgulyya.exe"
        51⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukkkewq.exe"
        50⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxvufi.exe"
        49⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgsunxl.exe"
        48⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvboei.exe"
        47⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuvjqsk.exe"
        46⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskxfgmo.exe"
        45⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvxdsdo.exe"
        44⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtuxy.exe"
        43⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdecwha.exe"
        42⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtctlxx.exe"
        41⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrusyp.exe"
        40⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyge.exe"
        39⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsoia.exe"
        38⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgprskvp.exe"
        37⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wupmftdp.exe"
        36⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvolhlt.exe"
        35⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdkdqyoy.exe"
        34⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfkxi.exe"
        33⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiwb.exe"
        32⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqlj.exe"
        31⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtxoap.exe"
        30⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcre.exe"
        29⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwtsvqh.exe"
        28⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpus.exe"
        27⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkelmo.exe"
        26⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfihbjbqi.exe"
        25⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqdbrpah.exe"
        24⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljf.exe"
        23⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whb.exe"
        22⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfsrk.exe"
        21⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxsgbwua.exe"
        20⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkrper.exe"
        19⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmycnnf.exe"
        18⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuowygr.exe"
        17⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwghmm.exe"
        16⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsm.exe"
        15⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqddens.exe"
        14⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 852
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnxo.exe"
        13⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahrc.exe"
        12⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevqg.exe"
        11⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuvql.exe"
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxxtmi.exe"
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wviuug.exe"
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfquewsvw.exe"
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmfsn.exe"
        6⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfejqpste.exe"
        5⤵
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutgeu.exe"
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxc.exe"
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe"
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LVWB66N3.txt

Filesize
98B

MD5
369268f5d64e2d04010df825304f380b

SHA1
3730c952e02b2d89bc7ee85f9e5516de7c92d8e9

SHA256
2ecbb599267cd377a21c8d26940cca8a0d190fcac85c1fd52e4a0205c6c3b47c

SHA512
0c5b2a7fd58ee3efc54e8cc404381ab0683d9f32adee53edddee5e4c0f9477c75c608bcacb3c1c423b698f906fc6487f9b2a01e60e1761a05a10b81910f52c1a

Download Submit
C:\Windows\SysWOW64\waxxtmi.exe

Filesize
95KB

MD5
983922d6af81832721ff2b24d0b6ae65

SHA1
0b2e02237e742322020b2878d276221e88b654c4

SHA256
c03bdc354e75608b386d9940e51d97adb2d8c4b2ffb297bedb4dde70fb83f3c0

SHA512
c4fee68751cfd9878daeb0ec9902e8ca21885074000ae5da3550a86bd1d629bc54349eac38be1287c6830f07e8cb2d56a9bffc2d95c23208963eadac3b9fff68

Download Submit
C:\Windows\SysWOW64\wnmfsn.exe

Filesize
95KB

MD5
4b01e3301fe580ef12c35ccb34b5291a

SHA1
bc59e73d4a0814a64a27f6d555148350414f42fd

SHA256
d3d6bef29db29f6a74427fe87a6fa4fadbeac8a3f88629259848857b934afc88

SHA512
2fa2953664f8e70e8a43576626bdf71d33dd5061fb82bf2779ba4a1f3827e247cbe114ef01727117a993ffa323973891674a4dcd3dcd3425955b2a5a2116ea5f

Download Submit
\Windows\SysWOW64\wahrc.exe

Filesize
95KB

MD5
6665cd8ba718ff0cbbe0518cf1fd381d

SHA1
d5b086c9dae7c659b3a953edc00259193cd32e96

SHA256
de072076ae47328674f8ca8180eaabb8e1b3a579d76b454dcec176000734d991

SHA512
996beaab45957049f75fa89c820654bf24552352e5cca02ffb9e33776e7a551efb0d22c0c5d162f7a81149327f2149a5c16810883028a77bdce8bebe463538dc

Download Submit
\Windows\SysWOW64\wevqg.exe

Filesize
95KB

MD5
045c0a16dacb26a48c3f69b7af450561

SHA1
7ded317e6ed5310d7b2b04f7ccf9fa0758942c04

SHA256
73547aaff39499964d3ab8ae7ffabb03b7869f45c73fe79256f4ad7d744ebd48

SHA512
f5677715951c4c31fa306babbf3067aced4f0cc7a2f18b9a6022d50b5bc39481404bff01e2120d38fd74112e9a8d392c036a7f65694d8e7c1beee91122677398

Download Submit
\Windows\SysWOW64\wfejqpste.exe

Filesize
95KB

MD5
67b637a9d1e08272e0605cecca2ae7c0

SHA1
9024c63b606884e5f72b343e89eb3300af21321f

SHA256
1231ed97f3fef4c76f1a5166a8776ded8a463b200f834b95468ff69b1cc514c6

SHA512
be94ec3bc0086aa7271239795a0be3336a92c0416b298c0d82feb1949b705d47a1fb5f8a20d1b784f201ff892e2120e4d8ea3125d7a353a03892f3762f3a2c58

Download Submit
\Windows\SysWOW64\wfquewsvw.exe

Filesize
95KB

MD5
33e977419c02b12af167114f044f7cc8

SHA1
a3de28237d19cc89b8bc865b390a8fa0c65dd07c

SHA256
83846c1cfd569404d3f2c35bead4ec6e12106bdc404f51406275c21a37134c84

SHA512
b6229db4fc2dc55118f6bab197fa5d83dce176f3995381eb77c30fd1b86085ddd40746b0193f29b2154b6d50b9661486cb18d298c8b27de9d45f857f52566888

Download Submit
\Windows\SysWOW64\wlnxo.exe

Filesize
95KB

MD5
6e15c0ac0525a29c4c7cfebc85c52271

SHA1
9c1380f5f8e431c3946bd1ef198edef3dc62f9cb

SHA256
aedb2196506db2b7bef5d15ed92a6866b2dfdabb6f7eeffa91c5c9cd45a529b9

SHA512
cf233d567ee8967d2eedc4d19eb9d21f3055a0688fa39f196a7cc00b0e38295375fd5412c8cadb4cf4f3399d53e53f395d0ef4da3518e6f7dc49d594dc313df0

Download Submit
\Windows\SysWOW64\wqxc.exe

Filesize
95KB

MD5
4db2d8b99467a2abf147ed1acb472875

SHA1
d7415ac9bca70fc895918ad9b41f3149a2ec4260

SHA256
86f780d771de4c2b04591fa7e036db0e3751a0dd8579793a39432fb9ab6b4a9b

SHA512
3d1eb569ed76af74a417cceab8c4966b4c6b92bd1f4db8d867903832444a3fff3ccf2cf28184722cc9b9770bda1be558417a5c1999847fd4f9b09f0210303e4e

Download Submit
\Windows\SysWOW64\wutgeu.exe

Filesize
95KB

MD5
ccd8732842c1d5791c251a6eed26406d

SHA1
b1d51dd7e6e93177960e2e43539a87e7fb7f9365

SHA256
7f9c9da9d44b7aae5eaf95b5a41c86e64ea32dfbcf5d95adcd2031327ce3393e

SHA512
61736c204568d60df484eb7bde4e0ebc551283aaa50ceadbfc5ed5aadd7ceb1a47e3a55da18e059797c36aeeee06975aee32cbbddc33c5e54de3e82f0a1f5cc1

Download Submit
\Windows\SysWOW64\wviuug.exe

Filesize
95KB

MD5
ae78f293db3432ac44b016c18cc08eac

SHA1
61293c7089c781ccb832d0911ea78ddba9bc7cf8

SHA256
cb35ee776eb011ffc7a2e9ad3c9b9e066b7312386f19f6cb66396c3db1c4c7e2

SHA512
10952272021ecf526b4dbd2676fa3970d2a45da6a509d3f6745f986601f53662951c6919d4912ee444a179c439c70bffafd5856ea7ee15f740ec7db54c0a404b

Download Submit
\Windows\SysWOW64\wvuvql.exe

Filesize
95KB

MD5
55a2a6f46926521a289c5f6106929afb

SHA1
702de0c8e64bcb2ae1fdea6dea7e5f0c58581abb

SHA256
2ef525a9d9a5bbc8ea7a979ec5b7baabc667f8f72fcdca08a35fcde0e79b2b19

SHA512
54d085044193546ea850bd0e89b84f76b4b89977e820c21ecb477f1ac4025fbf4af9a3d769da00df51fe189e25761cb4187adb78f152f4b41843acf70a61b191

Download Submit
memory/1064-390-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1064-403-0x0000000002640000-0x0000000002657000-memory.dmp

Filesize
92KB

Download
memory/1496-343-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/1496-342-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/1496-340-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/1496-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-341-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/1500-86-0x0000000003DA0000-0x0000000003DB7000-memory.dmp

Filesize
92KB

Download
memory/1500-84-0x0000000003DA0000-0x0000000003DB7000-memory.dmp

Filesize
92KB

Download
memory/1500-85-0x0000000003DA0000-0x0000000003DB7000-memory.dmp

Filesize
92KB

Download
memory/1500-83-0x0000000003DA0000-0x0000000003DB7000-memory.dmp

Filesize
92KB

Download
memory/1500-87-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-194-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/1532-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-196-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/1532-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-195-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/1704-172-0x0000000003AA0000-0x0000000003AB7000-memory.dmp

Filesize
92KB

Download
memory/1704-178-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-173-0x0000000004030000-0x0000000004047000-memory.dmp

Filesize
92KB

Download
memory/1704-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-174-0x0000000004030000-0x0000000004047000-memory.dmp

Filesize
92KB

Download
memory/1704-161-0x0000000003AA0000-0x0000000003AB7000-memory.dmp

Filesize
92KB

Download
memory/1920-119-0x0000000003B70000-0x0000000003B87000-memory.dmp

Filesize
92KB

Download
memory/1920-118-0x0000000003B70000-0x0000000003B87000-memory.dmp

Filesize
92KB

Download
memory/1920-128-0x0000000003B70000-0x0000000003B87000-memory.dmp

Filesize
92KB

Download
memory/1920-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-309-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2012-311-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2012-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-265-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2012-264-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2012-263-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2012-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-310-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2144-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-320-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/2156-326-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2156-325-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2156-324-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/2156-328-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-149-0x0000000004060000-0x0000000004077000-memory.dmp

Filesize
92KB

Download
memory/2212-150-0x0000000004060000-0x0000000004077000-memory.dmp

Filesize
92KB

Download
memory/2212-151-0x0000000004160000-0x0000000004177000-memory.dmp

Filesize
92KB

Download
memory/2212-152-0x0000000004160000-0x0000000004177000-memory.dmp

Filesize
92KB

Download
memory/2212-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-42-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2320-41-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2320-43-0x0000000003B90000-0x0000000003BA7000-memory.dmp

Filesize
92KB

Download
memory/2320-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-104-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/2352-105-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/2352-106-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/2352-108-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/2352-109-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-308-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2444-389-0x0000000004120000-0x0000000004137000-memory.dmp

Filesize
92KB

Download
memory/2444-388-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/2444-376-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2444-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-234-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/2604-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-237-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-236-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/2604-235-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/2648-284-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download
memory/2648-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2648-293-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download
memory/2648-288-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download
memory/2648-279-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2696-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2696-219-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-374-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/2704-372-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/2704-373-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/2704-371-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/2704-359-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2740-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2740-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-12-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3020-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-7-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3020-20-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3020-19-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3044-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3044-278-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3056-358-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3056-354-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/3056-353-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download