8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
Size

95KB
MD5

dae0f5a372c4d81db2707d9a98a3436a
SHA1

44f049493d4c796359a6bf9de024d12128b7fbbd
SHA256

8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746
SHA512

50d00068e517f46170c67688e3c0ae3437c0eb7afb47a53cdc53f043f9997e4f27db24f8184e8ea43c32bd31b2b16cb27390138486f9969c47f8e7a40644524b
SSDEEP

1536:BYUb5NE3yZIp+6HO5J4ggpMFSvIKEu0dX4Ypki:BYUb5QoJ4g+FXOki

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wbntvt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wlwhet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wfuulsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wxjtxcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wmsu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wtjoophh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wslerl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wlyrecb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wxfmmvk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wgftqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wljxkl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wksvk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wnpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcinb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wahvayl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wgiuqehy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wuebaeyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wgiyf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wmyle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	whbqrdi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wmeuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wikob.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wikggkt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wrg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wrvhkfjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wvibl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	whh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wfsa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wjolemd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wkfxc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wekwxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wtsbui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	weeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	whfdo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wksswva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wwtjpc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wopje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wgavmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wbwwo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wuuxdlhr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wlnnkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wywihclh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wtgdmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wckst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wsglmdnnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wnxsb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wlfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wpswjcb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wybbwkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wsrxiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wsgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	whtmqni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wpvxnq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wajvru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wmxpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wsocwcmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wdsbsbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wgpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wvbbqg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wmnj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wqdktl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wtjdql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wgjphp.exe

Executes dropped EXE 64 IoCs

pid	Process
636	wxjtxcu.exe
1684	wbl.exe
4140	wajvru.exe
4396	wfsa.exe
4696	wsgs.exe
5008	wdsbsbg.exe
1676	wmsu.exe
4024	wmxpx.exe
636	whtmqni.exe
4500	wmyle.exe
4488	wlfg.exe
4396	wmayg.exe
3596	wuuxdlhr.exe
2872	whbqrdi.exe
4188	wtjdql.exe
3192	wgiuqehy.exe
1872	wgpx.exe
2596	wbntvt.exe
540	wpswjcb.exe
2216	wuebaeyn.exe
3524	wekwxd.exe
3668	wywihclh.exe
764	wksswva.exe
4268	wjolemd.exe
3960	wcinb.exe
980	wybbwkv.exe
4772	wrg.exe
3992	wgiyf.exe
4956	wtgdmj.exe
4764	wls.exe
1528	wlnnkc.exe
2480	wrvhkfjg.exe
4068	wahvayl.exe
1328	wvibl.exe
2320	wksvk.exe
540	wpvxnq.exe
4772	whh.exe
660	wgjphp.exe
2412	wopje.exe
4392	wgftqp.exe
4876	wckst.exe
2204	wnpl.exe
2600	wtsbui.exe
4480	wdoascgqt.exe
1708	wwtjpc.exe
3808	wljxkl.exe
3356	weeb.exe
1300	wmeuq.exe
676	wtjoophh.exe
3656	wvbbqg.exe
3984	wsglmdnnw.exe
2320	wikob.exe
4692	wslerl.exe
4764	wmnj.exe
1356	wlyrecb.exe
3068	wgavmd.exe
4268	wsrxiu.exe
4536	wlwhet.exe
4480	wikggkt.exe
1196	wxfmmvk.exe
4656	wnxsb.exe
4672	whfdo.exe
1968	wsocwcmv.exe
1528	wfuulsm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvibl.exe	wahvayl.exe
File opened for modification	C:\Windows\SysWOW64\wekwxd.exe	wuebaeyn.exe
File created	C:\Windows\SysWOW64\wgpx.exe	wgiuqehy.exe
File opened for modification	C:\Windows\SysWOW64\wopje.exe	wgjphp.exe
File created	C:\Windows\SysWOW64\wkfxc.exe	wfuulsm.exe
File created	C:\Windows\SysWOW64\wdhc.exe	wqdktl.exe
File created	C:\Windows\SysWOW64\wmyle.exe	whtmqni.exe
File created	C:\Windows\SysWOW64\wjolemd.exe	wksswva.exe
File created	C:\Windows\SysWOW64\wtgdmj.exe	wgiyf.exe
File opened for modification	C:\Windows\SysWOW64\wljxkl.exe	wwtjpc.exe
File opened for modification	C:\Windows\SysWOW64\wmnj.exe	wslerl.exe
File opened for modification	C:\Windows\SysWOW64\wgpx.exe	wgiuqehy.exe
File created	C:\Windows\SysWOW64\whtmqni.exe	wmxpx.exe
File opened for modification	C:\Windows\SysWOW64\wywihclh.exe	wekwxd.exe
File created	C:\Windows\SysWOW64\wsglmdnnw.exe	wvbbqg.exe
File created	C:\Windows\SysWOW64\wmxpx.exe	wmsu.exe
File created	C:\Windows\SysWOW64\wekwxd.exe	wuebaeyn.exe
File created	C:\Windows\SysWOW64\wgiyf.exe	wrg.exe
File opened for modification	C:\Windows\SysWOW64\wckst.exe	wgftqp.exe
File opened for modification	C:\Windows\SysWOW64\wbl.exe	wxjtxcu.exe
File created	C:\Windows\SysWOW64\wmnj.exe	wslerl.exe
File created	C:\Windows\SysWOW64\wybbwkv.exe	wcinb.exe
File opened for modification	C:\Windows\SysWOW64\wvbbqg.exe	wtjoophh.exe
File opened for modification	C:\Windows\SysWOW64\wsocwcmv.exe	whfdo.exe
File opened for modification	C:\Windows\SysWOW64\wfuulsm.exe	wsocwcmv.exe
File created	C:\Windows\SysWOW64\wopje.exe	wgjphp.exe
File opened for modification	C:\Windows\SysWOW64\wpswjcb.exe	wbntvt.exe
File opened for modification	C:\Windows\SysWOW64\wksswva.exe	wywihclh.exe
File opened for modification	C:\Windows\SysWOW64\wahvayl.exe	wrvhkfjg.exe
File created	C:\Windows\SysWOW64\wajvru.exe	wbl.exe
File opened for modification	C:\Windows\SysWOW64\wjolemd.exe	wksswva.exe
File opened for modification	C:\Windows\SysWOW64\wxfmmvk.exe	wikggkt.exe
File opened for modification	C:\Windows\SysWOW64\whtmqni.exe	wmxpx.exe
File created	C:\Windows\SysWOW64\wgiuqehy.exe	wtjdql.exe
File opened for modification	C:\Windows\SysWOW64\wslerl.exe	wikob.exe
File created	C:\Windows\SysWOW64\wqdktl.exe	wbwwo.exe
File created	C:\Windows\SysWOW64\wmsu.exe	wdsbsbg.exe
File opened for modification	C:\Windows\SysWOW64\wikggkt.exe	wlwhet.exe
File opened for modification	C:\Windows\SysWOW64\wwtjpc.exe	wdoascgqt.exe
File created	C:\Windows\SysWOW64\whh.exe	wpvxnq.exe
File opened for modification	C:\Windows\SysWOW64\wgavmd.exe	wlyrecb.exe
File opened for modification	C:\Windows\SysWOW64\whfdo.exe	wnxsb.exe
File opened for modification	C:\Windows\SysWOW64\wdhc.exe	wqdktl.exe
File opened for modification	C:\Windows\SysWOW64\wmeuq.exe	weeb.exe
File created	C:\Windows\SysWOW64\wlfg.exe	wmyle.exe
File created	C:\Windows\SysWOW64\wuuxdlhr.exe	wmayg.exe
File opened for modification	C:\Windows\SysWOW64\wbntvt.exe	wgpx.exe
File opened for modification	C:\Windows\SysWOW64\wuebaeyn.exe	wpswjcb.exe
File opened for modification	C:\Windows\SysWOW64\wgiyf.exe	wrg.exe
File created	C:\Windows\SysWOW64\wsrxiu.exe	wgavmd.exe
File created	C:\Windows\SysWOW64\wbl.exe	wxjtxcu.exe
File opened for modification	C:\Windows\SysWOW64\wtsbui.exe	wnpl.exe
File opened for modification	C:\Windows\SysWOW64\weeb.exe	wljxkl.exe
File opened for modification	C:\Windows\SysWOW64\wikob.exe	wsglmdnnw.exe
File created	C:\Windows\SysWOW64\wlwhet.exe	wsrxiu.exe
File opened for modification	C:\Windows\SysWOW64\wkfxc.exe	wfuulsm.exe
File opened for modification	C:\Windows\SysWOW64\wtjdql.exe	whbqrdi.exe
File created	C:\Windows\SysWOW64\wuebaeyn.exe	wpswjcb.exe
File opened for modification	C:\Windows\SysWOW64\wybbwkv.exe	wcinb.exe
File created	C:\Windows\SysWOW64\wgjphp.exe	whh.exe
File created	C:\Windows\SysWOW64\wgftqp.exe	wopje.exe
File created	C:\Windows\SysWOW64\wmeuq.exe	weeb.exe
File opened for modification	C:\Windows\SysWOW64\wxjtxcu.exe	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
File opened for modification	C:\Windows\SysWOW64\wmayg.exe	wlfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4788	636	WerFault.exe	87
2724	4140	WerFault.exe	101
1716	540	WerFault.exe	157
4528	4392	WerFault.exe	224
3820	3656	WerFault.exe	264
3068	1528	WerFault.exe	308
3816	1528	WerFault.exe	308

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 636	2900	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	87
PID 2900 wrote to memory of 636	2900	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	87
PID 2900 wrote to memory of 636	2900	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	87
PID 2900 wrote to memory of 4372	2900	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	89
PID 2900 wrote to memory of 4372	2900	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	89
PID 2900 wrote to memory of 4372	2900	8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe	89
PID 636 wrote to memory of 1684	636	wxjtxcu.exe	95
PID 636 wrote to memory of 1684	636	wxjtxcu.exe	95
PID 636 wrote to memory of 1684	636	wxjtxcu.exe	95
PID 636 wrote to memory of 3604	636	wxjtxcu.exe	96
PID 636 wrote to memory of 3604	636	wxjtxcu.exe	96
PID 636 wrote to memory of 3604	636	wxjtxcu.exe	96
PID 1684 wrote to memory of 4140	1684	wbl.exe	101
PID 1684 wrote to memory of 4140	1684	wbl.exe	101
PID 1684 wrote to memory of 4140	1684	wbl.exe	101
PID 1684 wrote to memory of 4320	1684	wbl.exe	102
PID 1684 wrote to memory of 4320	1684	wbl.exe	102
PID 1684 wrote to memory of 4320	1684	wbl.exe	102
PID 4140 wrote to memory of 4396	4140	wajvru.exe	105
PID 4140 wrote to memory of 4396	4140	wajvru.exe	105
PID 4140 wrote to memory of 4396	4140	wajvru.exe	105
PID 4140 wrote to memory of 456	4140	wajvru.exe	106
PID 4140 wrote to memory of 456	4140	wajvru.exe	106
PID 4140 wrote to memory of 456	4140	wajvru.exe	106
PID 4396 wrote to memory of 4696	4396	wfsa.exe	111
PID 4396 wrote to memory of 4696	4396	wfsa.exe	111
PID 4396 wrote to memory of 4696	4396	wfsa.exe	111
PID 4396 wrote to memory of 4668	4396	wfsa.exe	112
PID 4396 wrote to memory of 4668	4396	wfsa.exe	112
PID 4396 wrote to memory of 4668	4396	wfsa.exe	112
PID 4696 wrote to memory of 5008	4696	wsgs.exe	115
PID 4696 wrote to memory of 5008	4696	wsgs.exe	115
PID 4696 wrote to memory of 5008	4696	wsgs.exe	115
PID 4696 wrote to memory of 3184	4696	wsgs.exe	116
PID 4696 wrote to memory of 3184	4696	wsgs.exe	116
PID 4696 wrote to memory of 3184	4696	wsgs.exe	116
PID 5008 wrote to memory of 1676	5008	wdsbsbg.exe	118
PID 5008 wrote to memory of 1676	5008	wdsbsbg.exe	118
PID 5008 wrote to memory of 1676	5008	wdsbsbg.exe	118
PID 5008 wrote to memory of 2496	5008	wdsbsbg.exe	119
PID 5008 wrote to memory of 2496	5008	wdsbsbg.exe	119
PID 5008 wrote to memory of 2496	5008	wdsbsbg.exe	119
PID 1676 wrote to memory of 4024	1676	wmsu.exe	121
PID 1676 wrote to memory of 4024	1676	wmsu.exe	121
PID 1676 wrote to memory of 4024	1676	wmsu.exe	121
PID 1676 wrote to memory of 4276	1676	wmsu.exe	122
PID 1676 wrote to memory of 4276	1676	wmsu.exe	122
PID 1676 wrote to memory of 4276	1676	wmsu.exe	122
PID 4024 wrote to memory of 636	4024	wmxpx.exe	124
PID 4024 wrote to memory of 636	4024	wmxpx.exe	124
PID 4024 wrote to memory of 636	4024	wmxpx.exe	124
PID 4024 wrote to memory of 1116	4024	wmxpx.exe	125
PID 4024 wrote to memory of 1116	4024	wmxpx.exe	125
PID 4024 wrote to memory of 1116	4024	wmxpx.exe	125
PID 636 wrote to memory of 4500	636	whtmqni.exe	127
PID 636 wrote to memory of 4500	636	whtmqni.exe	127
PID 636 wrote to memory of 4500	636	whtmqni.exe	127
PID 636 wrote to memory of 4392	636	whtmqni.exe	128
PID 636 wrote to memory of 4392	636	whtmqni.exe	128
PID 636 wrote to memory of 4392	636	whtmqni.exe	128
PID 4500 wrote to memory of 4488	4500	wmyle.exe	130
PID 4500 wrote to memory of 4488	4500	wmyle.exe	130
PID 4500 wrote to memory of 4488	4500	wmyle.exe	130
PID 4500 wrote to memory of 1804	4500	wmyle.exe	131

C:\Users\Admin\AppData\Local\Temp\8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe
"C:\Users\Admin\AppData\Local\Temp\8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\wxjtxcu.exe
  "C:\Windows\system32\wxjtxcu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\wbl.exe
    "C:\Windows\system32\wbl.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\wajvru.exe
      "C:\Windows\system32\wajvru.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\SysWOW64\wfsa.exe
        
        "C:\Windows\system32\wfsa.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Windows\SysWOW64\wsgs.exe
        
        "C:\Windows\system32\wsgs.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\wdsbsbg.exe
        
        "C:\Windows\system32\wdsbsbg.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\wmsu.exe
        
        "C:\Windows\system32\wmsu.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\wmxpx.exe
        
        "C:\Windows\system32\wmxpx.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\whtmqni.exe
        
        "C:\Windows\system32\whtmqni.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\wmyle.exe
        
        "C:\Windows\system32\wmyle.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\wlfg.exe
        
        "C:\Windows\system32\wlfg.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\wmayg.exe
        
        "C:\Windows\system32\wmayg.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\wuuxdlhr.exe
        
        "C:\Windows\system32\wuuxdlhr.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\whbqrdi.exe
        
        "C:\Windows\system32\whbqrdi.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\wtjdql.exe
        
        "C:\Windows\system32\wtjdql.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\wgiuqehy.exe
        
        "C:\Windows\system32\wgiuqehy.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\wgpx.exe
        
        "C:\Windows\system32\wgpx.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\wbntvt.exe
        
        "C:\Windows\system32\wbntvt.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wpswjcb.exe
        
        "C:\Windows\system32\wpswjcb.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\wuebaeyn.exe
        
        "C:\Windows\system32\wuebaeyn.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\wekwxd.exe
        
        "C:\Windows\system32\wekwxd.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\wywihclh.exe
        
        "C:\Windows\system32\wywihclh.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\wksswva.exe
        
        "C:\Windows\system32\wksswva.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\wjolemd.exe
        
        "C:\Windows\system32\wjolemd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\wcinb.exe
        
        "C:\Windows\system32\wcinb.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\wybbwkv.exe
        
        "C:\Windows\system32\wybbwkv.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\wrg.exe
        
        "C:\Windows\system32\wrg.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\wgiyf.exe
        
        "C:\Windows\system32\wgiyf.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\wtgdmj.exe
        
        "C:\Windows\system32\wtgdmj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\wls.exe
        
        "C:\Windows\system32\wls.exe"
        31⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\wlnnkc.exe
        
        "C:\Windows\system32\wlnnkc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\wrvhkfjg.exe
        
        "C:\Windows\system32\wrvhkfjg.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\wahvayl.exe
        
        "C:\Windows\system32\wahvayl.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\wvibl.exe
        
        "C:\Windows\system32\wvibl.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\wksvk.exe
        
        "C:\Windows\system32\wksvk.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\wpvxnq.exe
        
        "C:\Windows\system32\wpvxnq.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\whh.exe
        
        "C:\Windows\system32\whh.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\wgjphp.exe
        
        "C:\Windows\system32\wgjphp.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\wopje.exe
        
        "C:\Windows\system32\wopje.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\wgftqp.exe
        
        "C:\Windows\system32\wgftqp.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\wckst.exe
        
        "C:\Windows\system32\wckst.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\wnpl.exe
        
        "C:\Windows\system32\wnpl.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\wtsbui.exe
        
        "C:\Windows\system32\wtsbui.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\wdoascgqt.exe
        
        "C:\Windows\system32\wdoascgqt.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\wwtjpc.exe
        
        "C:\Windows\system32\wwtjpc.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\wljxkl.exe
        
        "C:\Windows\system32\wljxkl.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\weeb.exe
        
        "C:\Windows\system32\weeb.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\wmeuq.exe
        
        "C:\Windows\system32\wmeuq.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\wtjoophh.exe
        
        "C:\Windows\system32\wtjoophh.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\wvbbqg.exe
        
        "C:\Windows\system32\wvbbqg.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\wsglmdnnw.exe
        
        "C:\Windows\system32\wsglmdnnw.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\wikob.exe
        
        "C:\Windows\system32\wikob.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\wslerl.exe
        
        "C:\Windows\system32\wslerl.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\wmnj.exe
        
        "C:\Windows\system32\wmnj.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\wlyrecb.exe
        
        "C:\Windows\system32\wlyrecb.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\wgavmd.exe
        
        "C:\Windows\system32\wgavmd.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wsrxiu.exe
        
        "C:\Windows\system32\wsrxiu.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\wlwhet.exe
        
        "C:\Windows\system32\wlwhet.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\wikggkt.exe
        
        "C:\Windows\system32\wikggkt.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\wxfmmvk.exe
        
        "C:\Windows\system32\wxfmmvk.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\wnxsb.exe
        
        "C:\Windows\system32\wnxsb.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\whfdo.exe
        
        "C:\Windows\system32\whfdo.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\wsocwcmv.exe
        
        "C:\Windows\system32\wsocwcmv.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\wfuulsm.exe
        
        "C:\Windows\system32\wfuulsm.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\wkfxc.exe
        
        "C:\Windows\system32\wkfxc.exe"
        66⤵
        Checks computer location settings
        
        PID:1396
        
        C:\Windows\SysWOW64\wbwwo.exe
        
        "C:\Windows\system32\wbwwo.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\wqdktl.exe
        
        "C:\Windows\system32\wqdktl.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\wdhc.exe
        
        "C:\Windows\system32\wdhc.exe"
        69⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdktl.exe"
        69⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwwo.exe"
        68⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfxc.exe"
        67⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuulsm.exe"
        66⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1568
        66⤵
        Program crash
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1564
        66⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsocwcmv.exe"
        65⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfdo.exe"
        64⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxsb.exe"
        63⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfmmvk.exe"
        62⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikggkt.exe"
        61⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwhet.exe"
        60⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrxiu.exe"
        59⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgavmd.exe"
        58⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyrecb.exe"
        57⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnj.exe"
        56⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslerl.exe"
        55⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikob.exe"
        54⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsglmdnnw.exe"
        53⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbbqg.exe"
        52⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1256
        52⤵
        Program crash
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjoophh.exe"
        51⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmeuq.exe"
        50⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weeb.exe"
        49⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljxkl.exe"
        48⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtjpc.exe"
        47⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoascgqt.exe"
        46⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsbui.exe"
        45⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpl.exe"
        44⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckst.exe"
        43⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgftqp.exe"
        42⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1252
        42⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopje.exe"
        41⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjphp.exe"
        40⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whh.exe"
        39⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvxnq.exe"
        38⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksvk.exe"
        37⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvibl.exe"
        36⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahvayl.exe"
        35⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvhkfjg.exe"
        34⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnnkc.exe"
        33⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wls.exe"
        32⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgdmj.exe"
        31⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgiyf.exe"
        30⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrg.exe"
        29⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybbwkv.exe"
        28⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcinb.exe"
        27⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjolemd.exe"
        26⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksswva.exe"
        25⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywihclh.exe"
        24⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekwxd.exe"
        23⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuebaeyn.exe"
        22⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpswjcb.exe"
        21⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1688
        21⤵
        Program crash
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbntvt.exe"
        20⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpx.exe"
        19⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgiuqehy.exe"
        18⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjdql.exe"
        17⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbqrdi.exe"
        16⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuuxdlhr.exe"
        15⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmayg.exe"
        14⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfg.exe"
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyle.exe"
        12⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whtmqni.exe"
        11⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxpx.exe"
        10⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsu.exe"
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsbsbg.exe"
        8⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgs.exe"
        7⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsa.exe"
        6⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajvru.exe"
        5⤵
        
        PID:456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1688
        5⤵
        Program crash
        
        PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbl.exe"
      4⤵
      PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjtxcu.exe"
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1464
    3⤵
    - Program crash
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\8063da591fdc8644ffd733525a1aa4facec01f731c4875c8f435bf1cc2b46746.exe"
  2⤵
  PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 636 -ip 636
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4140 -ip 4140
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 540 -ip 540
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 540 -ip 540
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4392 -ip 4392
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3656 -ip 3656
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1528 -ip 1528
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1528 -ip 1528
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wajvru.exe

Filesize
95KB

MD5
bf1db3680c5cb04d8b4154881be40ed2

SHA1
b73aca576f70d0b3fd373fa218da85868190fd55

SHA256
7282f7133c49423b1dbaff3ec6cf40e3edff2e22dda8e7ce91ec6870eb074722

SHA512
5240769e4884f6fdc0974adef5f4da1b9b2d1df1cbf82815de083f6abfe3a3166ad1ad0b8564f8de2cfb5922a269e1a464d078bcdab64ecad275b94ecee9c6da

Download Submit
C:\Windows\SysWOW64\wbl.exe

Filesize
95KB

MD5
c24232530f0f1c36b6f774acc18ae921

SHA1
7905a2ad953e0e1339061d772da86aea507b78ff

SHA256
211f04f8aa07379584c74c8dfa5511c96f2aeca5b90aeb69de2280683bf7829a

SHA512
f056a16231e4d5a817c10471ad58ff25468dcd3858b0f9e48899b163f664acc96f9972b5348c6c6ef270134dcd906ee6a801c63b57c09b110a9a4d5e36c52260

Download Submit
C:\Windows\SysWOW64\wbntvt.exe

Filesize
96KB

MD5
794a90f32b7b9cd61d384a6b2f5e2a65

SHA1
ddf4755ac978aeb8695f0d858d4c1390538d5291

SHA256
8c17e8c54d814a0afa67c0b50e73452eeaef38bac0ee8a0a5dd86e6a40641816

SHA512
58c2d2f479520f3a553c9e6eec4e9774e04638a924126b37895a26f4b372027a6c37f693922017d58a1bed3726372613270c4c3f048f179f4fe4ffe086f3a1fe

Download Submit
C:\Windows\SysWOW64\wcinb.exe

Filesize
96KB

MD5
9637552b8c9953505bcbd093ac17d6e6

SHA1
52e3725c5b35f0dbdf81ed25dec06eb907c09094

SHA256
b46f3e01658e11c31806510dc32cc72ccadf2c54a0252233b7609b4fd6e0bc39

SHA512
90b15374a5e2685fe933caa86d40910c5a8e54ae156019da64bf461be9b70939c348cc106e7108513e0a97aeb08641aa245bcacf29bcab57397709642b72d281

Download Submit
C:\Windows\SysWOW64\wdsbsbg.exe

Filesize
95KB

MD5
46e3ac0dcf95c811d6f2a1055e82b90d

SHA1
9a3119ca1eefcc04bfc9b84021d7de6c50787feb

SHA256
be235e4b71af482286458a9b1cd9c2bd28a01a203e0b2490f356d8715dd15be4

SHA512
5c9f26bbb06b4caeedccdeb0470e2cc0e5db8026a239bea28913b3087a464c72cecf651b836333d0500bed8dbc4af4fc2a00b73ca2505ed9b509d8b6124c0b4a

Download Submit
C:\Windows\SysWOW64\wekwxd.exe

Filesize
96KB

MD5
343529643eb94106c9d9e0054c5bfa86

SHA1
a24b58293ad7414c7a22a2ddfc628babd873e362

SHA256
288b78d5bd4b3628deeadd3865469b6bacf2323b7774c1d8bee291a5edab4a67

SHA512
22cea3c3ff59433aad92318ab2b7440c7a9b3bac00c8650be4bcb8d356332df2d615f921351c469887a753714f52aa34c0c2cc22d7ea152acfbe744a8fdd3dd6

Download Submit
C:\Windows\SysWOW64\wfsa.exe

Filesize
95KB

MD5
e8c87194cfa83c3e04a94c93e4c968a2

SHA1
7706b8141407bb2fdc2dcadaa6a4f7cffd01558e

SHA256
d8f49b4ea2013f1c1b858ba95619df2f24480bf2393e65e37ace92060c646484

SHA512
bc8b8d4289264371359c7878f55e39d5c2f3dc11409cdb43ceaa16135acae3b28abbcedf6f1e72ee0be9977d5398ca46b2342b222f9df40fcb16201114a986aa

Download Submit
C:\Windows\SysWOW64\wgiuqehy.exe

Filesize
96KB

MD5
439fbdfdf0e3f654a2694d4b8fd63f71

SHA1
6aa5dfcad9e61c5cff731c8e11e814d6415c4c26

SHA256
d48879e9177527c57dcafea871dc33ef5d1587cd0d9e08b3a92c065cbe3820ac

SHA512
f561b0cff10f38f7018fc67d20bc573ecafef1cc4a80dafe60361c596a55765e13b9af08f5f1cd41670351bb76f31d8c1b31e48ecf27aa4f079ee73f797cfac4

Download Submit
C:\Windows\SysWOW64\wgiyf.exe

Filesize
96KB

MD5
66118be8d5f24754183198dd6a75ac1b

SHA1
e4b677361bdd6403448e50efc364f046b4adeba2

SHA256
3e725b5a86875a956daa09af06022fafa3c8fb12a5f7dd59cea0d6433bce1967

SHA512
b4ad53f183193e0c46a055b84d19ed602aec0893d35b30b462b8da0499e18f22aa4d1ebddec289f84f1f0887d97e3e102ab19d31d6eb5a657a2b2b16716e1f55

Download Submit
C:\Windows\SysWOW64\wgpx.exe

Filesize
96KB

MD5
eab78839734d2f8b942e83d0283fe996

SHA1
f911fe18b748e3551950874a75aeac7ea6fc38f6

SHA256
451371d2e6e8288ca35a2eddf96a4aeb8cd9a94f2b5a0e05d9bf011b9070b791

SHA512
2eac3599d043aa88005d545b3d4f86fb02552055ed1917ac35d1e460fdd84c35507b1976972442b93da5916c66e57ff39d8f9fbfe7ff204e34d7f0424ec7230d

Download Submit
C:\Windows\SysWOW64\whbqrdi.exe

Filesize
95KB

MD5
166a2a44b1cda235bb6f3504ff6573c8

SHA1
f84c3730ee3bbf56053f02c7d28c5366f959003c

SHA256
95a64f290e9607c3dfc7beab0715dcb6a12e07c6845b4b9f43efa6c3d636dec6

SHA512
e260ffd3845bc6ba4731ab0044e2887df964fa0fc9337d4f2104fd84c51cfec58b058f440ce739ce1f19ea930fee8295eff59e0ae2c67536e7f2f55bd787f9d7

Download Submit
C:\Windows\SysWOW64\whtmqni.exe

Filesize
95KB

MD5
c7db6f78b9c26ce8543faf73de6088e8

SHA1
00f0699ab7749d3f3d5afd8b5e946ff933605f08

SHA256
365ad17f082bb9b57b083c9e1e18a05474f9f1fadcd68844984a3ee7691b60b4

SHA512
e7a861ef173f4ddff3da2c50832b1ea552426a3655d6fc479c9a597ff78d0fa82c313ca925a3dc196a5abbd4f14afde5888cabe4ca2214efa1fff7413e2648d7

Download Submit
C:\Windows\SysWOW64\wjolemd.exe

Filesize
96KB

MD5
b991c040e3e9a4ef97a9e22858ba5496

SHA1
74e3e8b383ab3956c137718b00830eb7a3e1af04

SHA256
2822dedd8b707280079c82c0a3a0fe2be053ffac623dcefade5d3948e3732673

SHA512
ad5f4aba32f8a0e29fdaaf367d7f2a7a1c08015c7b3a39bc011d1539afe408bd54a2719ff3f0cf650e434dcc3edc10b23b62ecf7459b3542e5018664b910d0bb

Download Submit
C:\Windows\SysWOW64\wksswva.exe

Filesize
96KB

MD5
026849bcff30a0ffdfba25cd76c63c01

SHA1
3eb994b77ca9680f2fcd6e84c65c90f8e0f2d9c7

SHA256
e21e8633528f8b9c79f8c4621118c729d30981df6aa8c98fab4f8e199f50b6aa

SHA512
485ec0b7eaac5ebe7144994601a836d934c772857c7fa14f16962d1527555eb1298aa7e99862cf6edd0ba73fb4e9774151ce4ead81eb484e369c361dd2e01ba9

Download Submit
C:\Windows\SysWOW64\wlfg.exe

Filesize
95KB

MD5
0042bca35829156fca924cf229107e34

SHA1
4121ad05b351bc46624629be77511816e3dd6df4

SHA256
7fbc225b598cd77d18685e2ed059f87d0288b51693c484949cdbd869e730df16

SHA512
b802b25e704272ffe12c8838c014c806dc630a2e4fdd7023aece2a275eea87c6d2dfaabba09cee0d2c74c52e89a31a51465dd9571a5100cf18c67d045c367d55

Download Submit
C:\Windows\SysWOW64\wlnnkc.exe

Filesize
96KB

MD5
dad0e66499b8af0bab42909d13fb38cc

SHA1
4630a3e7ae28616458413acbb4dd68575da62baa

SHA256
87ba53c45165eb3ed2da3655ee57e79f620ffb7554a2e150bf39fcbd3da9f51b

SHA512
883d66abf33e4124e2480789a2557b8cb440a783e3d1c9e40551787dfc8090152b9f8852f3e665997d2c42e08a587c6cde7281b7c5cdf614a52ce8ed46a68439

Download Submit
C:\Windows\SysWOW64\wls.exe

Filesize
96KB

MD5
624d5fb024ea8cfd6881d905d3352d88

SHA1
65c8d41ee9e60865eaa91d63a5be4399c0aabe12

SHA256
d839c228ff0a4957fd3b50af714d71294b5d5ba450b64bf91a8b04bd08b17153

SHA512
48f6999a1600237fb1b55f0045d760d52b6df928c6322b433f736e601a0957c2e5e0d61e7b9ae93b5ff74b0e22a077a279fa379632da190266913af3e8e4a127

Download Submit
C:\Windows\SysWOW64\wmayg.exe

Filesize
95KB

MD5
637ac9921e16e34bf1bbcf6e2ef8caeb

SHA1
ce4dacee69cf915c5a7dd3b7e14d83f2d1c7ed9a

SHA256
f02e8adf1a075f03e70a96537c4ccde2f0bc99172bf3a9f37c88879d03384587

SHA512
a24fd91d760f88b48a027e3de83452c7f288a42b8e5d1e1262bf403de8a8e1d538f527112b7329a53bbb6e257e03b642b6c0989a3b953be9d221754f70d3e52f

Download Submit
C:\Windows\SysWOW64\wmsu.exe

Filesize
95KB

MD5
1d87ccd36b199b23af3dadd17fb51469

SHA1
e9257de8c301437c5f078a9d0736bc64fbe031c2

SHA256
b7c746ebe17fadcc9e6a5d63a115d99d66b22abe4caea38c042f3fd21a9ea605

SHA512
670e171180e227f13e945403b2900cef7f5f3a176747ac362f51e5beb6935a5a3905a558bb7f0ecf5eaef10cabb4de8a6051414d669f29d2d4688d0e9d712d0b

Download Submit
C:\Windows\SysWOW64\wmxpx.exe

Filesize
95KB

MD5
b5d4f4b00298e94e385631fa6a5eabc3

SHA1
589881c9af3be69963a24606f5e3e9cb7fbe3a30

SHA256
3b205327690e21f51a41455c5f256f30eda5db593eba6b4097696e07ac66b92d

SHA512
19bc53a7e224cb6f237d780d886e94a57f77b27e6c98985fb800d3926ba51f0538c70c69c0830cd21676ebc8e42b5f8803aaca3f289d61e92b79eb9d75d985f6

Download Submit
C:\Windows\SysWOW64\wmyle.exe

Filesize
95KB

MD5
4453613424ab3e68796d04f94acd2ed7

SHA1
6d0802c3e5b1d2fe1077c56dcd834ae22066a670

SHA256
2b5abe5866a50a19e6d71d1349fe05325e32053c8fd9dea4c3cb6b135cdf5309

SHA512
07c7eabf22b5b1ecd1dd184f89e6f9c7898328a43e88a53c8f1169612f709d8ba9c58eaf3d91e541a42d935e98e9ac5f1e39fe0d9362e0a80fa2f1797114e1a3

Download Submit
C:\Windows\SysWOW64\wpswjcb.exe

Filesize
96KB

MD5
ff9ca832ac0590ac6b999a1950d5c848

SHA1
111a99810141ec63f85ade762a2b420a9bb14b44

SHA256
f5163bf696f99ba4d003ac9c32f15e7bc612118c77571423d573b167df9a15d8

SHA512
671a2ddbe5ff87b9aa6889102cf945aa696af6f8fe49297c859caa776ef03fe8d3f835e566a55958a8a58149cec2e4bcab00ac54e7f4e8faa84deeed56279c7e

Download Submit
C:\Windows\SysWOW64\wrg.exe

Filesize
96KB

MD5
5cac9716067f3f768b8c5456f5b4c613

SHA1
3d86f93786fbefc94c74fcb094bebdc56f29f3b6

SHA256
fb10d237f12aebb236315b3f68e26d067d631c77df6e54eea6ede7bcddb56fd7

SHA512
13f81c27e5be88915a0e9edb46576401e8c8b794ce21101c55c7b5361116979686f45d9cb29eaa596a37e0189b5505d849fc5de810575bca6821419b61de7998

Download Submit
C:\Windows\SysWOW64\wrvhkfjg.exe

Filesize
96KB

MD5
5e48a9fd88c34320e3c5530d31a9f2bf

SHA1
9647bccffa532924a87729b353b4bcc265f0afb2

SHA256
4b408f427a39fdf47b1905fd6949fc3bdb05d084c5bb4732cd4a8512e53546e9

SHA512
09e1b7a6565d9d2cc007d3ccef2fdefb89f92efb66ea88303f8fd6aae5a7db74a40d181899fefebd264595223b6230950118f50b881d7a00c32611215b60f29a

Download Submit
C:\Windows\SysWOW64\wsgs.exe

Filesize
95KB

MD5
36f59eb208e8c39ad9027a7c0d500446

SHA1
c0ad3a29be91161b31870d082e6aeb3a4cd719b3

SHA256
16b99e9b2d6ef7f30e616e720b19f1d2e9dcc184819e20a34ffaf569bab138d7

SHA512
496e51f6ab48b1f3d7bf2a97cb0dfa00ac257e0b1de7f952663ceec435f44325f52438b0656592e6569e8b887467a1fdf5abe20424bc9e9a159033712a496b19

Download Submit
C:\Windows\SysWOW64\wtgdmj.exe

Filesize
96KB

MD5
de8b7ceeaf2058ca7f136c43a5b0b853

SHA1
0ea45a4930429de08781a41009d3a19fae331ed2

SHA256
5efea9c1444d9e681d11596fbe8ea6ac7c47f5d3d728a627e1c24e83e01ab261

SHA512
40abf85872a7937a23857eb3b311ea67681f7579b350f39f37477d6b2e3032ea25f3703bb2c78004d06633543ae692c788c1c7ee48da118dbdd25e87617905cf

Download Submit
C:\Windows\SysWOW64\wtjdql.exe

Filesize
96KB

MD5
89856fa23f55d0c11f81db4539a899f9

SHA1
650915e91d94d1154c9507479a659487ea9e82cf

SHA256
a0cc5c9f8f56c234c207a214eb82e20c13df613afd6572070599b881408e5b9e

SHA512
8c0300de0677b9bd42aafeb4d15d1dd69a5ff12e0da91cc074fde44843e9557af84167670e810c28c1aba2351d18b923f9a2de88d0c5d9776eec9a87f84ab46b

Download Submit
C:\Windows\SysWOW64\wuebaeyn.exe

Filesize
96KB

MD5
c03eadba60c41160f25c062f557a5fcd

SHA1
ece8dafc70c1c52c51b50304a0e0210c8bdc6828

SHA256
9482beed0207ac51c0c676033e06fccab6af8df2dfb7fc12ffaa4fbf58609d2f

SHA512
46c612280e27d5282219ef1d683db008bb89bc3f237ce00e330f6422da7366a154649d8d33639674c05cfc05a9f452713676c986f18ca930ccfcee8400e6b051

Download Submit
C:\Windows\SysWOW64\wuuxdlhr.exe

Filesize
95KB

MD5
f908fe4f95324336c3360e6142d83bea

SHA1
c18dcd2500537470428866b1b33da347f1a51915

SHA256
e34c5c7569c2758664493bfebb3dc1a5398795851d5461cd730c0577a2870c02

SHA512
4664c1730435d56fa4e8e51a77ff75cd1be78896f116e4802bc1e8b9101cf6016d163eb1fa5ca44e903e58d89b091b7473021db113b953cf1fd3500ef0da3354

Download Submit
C:\Windows\SysWOW64\wxjtxcu.exe

Filesize
95KB

MD5
19ccc509355fa32c64a18d2d3204ddb9

SHA1
7eb4638466e78457de85a6f5b73cca299ad75e8a

SHA256
8b0f94e00e07333c1cb77e8e90c3b6534d1790f4be6f7126422cb884770c31e6

SHA512
8865caf9e79abd44a7bb882140fc899bc8ae75f265e9ea20d53412f31af19a530195d38406185f2734676770ecf6fd21d125ce7394ccc90250de4e491d76507b

Download Submit
C:\Windows\SysWOW64\wybbwkv.exe

Filesize
96KB

MD5
46d46eda4bae4d846c61a0d6637532c6

SHA1
c6332c955cc218f66296d57538f5756a2019bc3e

SHA256
02d14bd60997bc3e4fe9c5fc548a2848f083af28c00cd5de8841e3b0bbcad69d

SHA512
b0db31df1deac0bc424c6e1c6e1c424da446e8820deb4d524b85b9fc6076016c2ead3f73d351bc5b30a960fd42c99d79d48afe5975dddae535a5369a971d796d

Download Submit
C:\Windows\SysWOW64\wywihclh.exe

Filesize
96KB

MD5
b705249f3bcc41c40a2e2cdd2a39c804

SHA1
b4110835b1f476e089ba9e629213de05f4933f47

SHA256
01bf0c1be26adbbb2b907ad71ad01755bf96bf12e38c1195a17b0e43c66e7051

SHA512
391c3d3e9560fcf1f04a9228caf6216615b08151bb1138873ba0e0aa781e290d811b36c98eae4a132750ae71880c07f01ddc9bd62d5162f78feb0059bea822b1

Download Submit
memory/540-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/540-205-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/540-360-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/660-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-478-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/764-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-277-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1120-620-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1196-569-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1196-560-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1300-460-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1300-469-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1328-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1328-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1356-528-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1396-603-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1396-612-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-604-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1676-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1684-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-444-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1872-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1872-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1968-595-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1968-586-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-419-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2216-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-503-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-361-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2412-385-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2412-394-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2480-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2596-195-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-418-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-427-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2872-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2900-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2900-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-536-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-527-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3192-175-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3356-461-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3524-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3596-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3596-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3656-487-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3656-477-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3668-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-443-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3808-452-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3960-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3984-495-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3984-486-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3992-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4024-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4068-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4140-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4140-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4188-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4268-544-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4268-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4392-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4480-561-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4480-435-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4488-123-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4500-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4500-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4512-628-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4536-552-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4656-570-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4656-578-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-587-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-511-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4696-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4764-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4764-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4876-410-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4956-307-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5008-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download