4fc75f8810fa76a9db62ca238f67959a16e87bdff0398b0ae2823f35f4afa9d9

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 04:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d0913fce5eb524ddfd13585d1d8df80N.exe
Size

94KB
MD5

5d0913fce5eb524ddfd13585d1d8df80
SHA1

3d72e9e67457019b7fabb7a6884958370762a859
SHA256

4fc75f8810fa76a9db62ca238f67959a16e87bdff0398b0ae2823f35f4afa9d9
SHA512

01ed6def7edaf4d153eeff912017e017f8b2a48c1f92a816655f3faf75f19f4410af63528dbcabe97e86d178299082c7c74542d0a5c2e7cbe503783ca64b004f
SSDEEP

1536:BYUb5NE3yZIp+6HO5J4ggpMFSvIKEu0dX4j2dAcVt:BYUb5QoJ4g+FXQ

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	woyime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wmhna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wuruy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wiumyui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	weuqvbpdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtbqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wlrve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wjybm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wdiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	whxxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wcjdn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wicxkx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wsg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wcdoq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wwosdbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wuiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wxjtxcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wcms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrwwhg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	woq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wysixro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtokjft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wcmbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wdms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wnuffiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	whfdekhu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrsmtgxq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wkfsrmef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wnfr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wirhoqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wxtwdo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wuuxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wohmkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wnqdrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wflxgwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wxue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wjfqjtr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wqgloj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrpcioj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	winvhbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	waneo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wjdvdn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrpxwn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wgnwff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wjulcpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtxcrrr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wagno.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wbhqd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	whqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtnsnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wqvyrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wscvaec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wryndpfqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wqqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	5d0913fce5eb524ddfd13585d1d8df80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wwgo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrtdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrjqbad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wgacqmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wicjvv.exe

Executes dropped EXE 64 IoCs

pid	Process
2248	wjfqjtr.exe
620	wxjtxcu.exe
1548	wlrve.exe
5008	wtxcrrr.exe
2876	wagno.exe
2352	wicjvv.exe
4288	woyime.exe
2552	wwgo.exe
4404	wcdoq.exe
1800	wuuxu.exe
4812	weptbqk.exe
1548	wrwwhg.exe
2684	wjdvdn.exe
3944	wok.exe
4508	wqvyrj.exe
1632	wrtdr.exe
1836	wjybm.exe
1568	wohmkn.exe
720	wkfsrmef.exe
4872	wcms.exe
3160	wqgloj.exe
5048	wnfr.exe
2924	wwosdbc.exe
4796	wdms.exe
1372	wmhna.exe
2540	wrpxwn.exe
960	wdiv.exe
220	wnqdrh.exe
4348	wbhqd.exe
4316	whqj.exe
4488	wuiu.exe
876	whxxb.exe
1632	wtkh.exe
1692	wuruy.exe
4196	wrpcioj.exe
4120	wscvaec.exe
1012	wcjdn.exe
5004	whfdekhu.exe
4064	wqm.exe
4756	wirhoqi.exe
460	wryndpfqp.exe
4376	woq.exe
3296	wtnsnw.exe
1568	wdtacvcn.exe
2108	wrsmtgxq.exe
872	wflxgwj.exe
3352	wphum.exe
2456	wicxkx.exe
1016	wxue.exe
3192	wysixro.exe
3892	wrjqbad.exe
4580	wsv.exe
2880	wgnwff.exe
4456	wxtwdo.exe
3468	wgacqmj.exe
4120	winvhbd.exe
3868	wnuffiv.exe
4776	wsg.exe
4752	wcmbd.exe
3484	wiumyui.exe
4080	wqqi.exe
4508	waneo.exe
1412	wjulcpe.exe
1692	wtbqr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wnfr.exe	wqgloj.exe
File created	C:\Windows\SysWOW64\wgacqmj.exe	wxtwdo.exe
File opened for modification	C:\Windows\SysWOW64\wsv.exe	wrjqbad.exe
File opened for modification	C:\Windows\SysWOW64\witcf.exe	wmqmeac.exe
File created	C:\Windows\SysWOW64\wrtdr.exe	wqvyrj.exe
File created	C:\Windows\SysWOW64\wjybm.exe	wrtdr.exe
File opened for modification	C:\Windows\SysWOW64\wcms.exe	wkfsrmef.exe
File opened for modification	C:\Windows\SysWOW64\wqgloj.exe	wcms.exe
File opened for modification	C:\Windows\SysWOW64\wrsmtgxq.exe	wdtacvcn.exe
File created	C:\Windows\SysWOW64\wicxkx.exe	wphum.exe
File opened for modification	C:\Windows\SysWOW64\wgacqmj.exe	wxtwdo.exe
File created	C:\Windows\SysWOW64\wjdvdn.exe	wrwwhg.exe
File opened for modification	C:\Windows\SysWOW64\wwosdbc.exe	wnfr.exe
File created	C:\Windows\SysWOW64\whxxb.exe	wuiu.exe
File created	C:\Windows\SysWOW64\wryndpfqp.exe	wirhoqi.exe
File opened for modification	C:\Windows\SysWOW64\winvhbd.exe	wgacqmj.exe
File opened for modification	C:\Windows\SysWOW64\wtokjft.exe	wtbqr.exe
File opened for modification	C:\Windows\SysWOW64\wjfqjtr.exe	5d0913fce5eb524ddfd13585d1d8df80N.exe
File created	C:\Windows\SysWOW64\wrwwhg.exe	weptbqk.exe
File created	C:\Windows\SysWOW64\wcjdn.exe	wscvaec.exe
File created	C:\Windows\SysWOW64\wxtwdo.exe	wgnwff.exe
File created	C:\Windows\SysWOW64\wwosdbc.exe	wnfr.exe
File created	C:\Windows\SysWOW64\wrpcioj.exe	wuruy.exe
File created	C:\Windows\SysWOW64\wtnsnw.exe	woq.exe
File opened for modification	C:\Windows\SysWOW64\wflxgwj.exe	wrsmtgxq.exe
File created	C:\Windows\SysWOW64\wysixro.exe	wxue.exe
File created	C:\Windows\SysWOW64\wohmkn.exe	wjybm.exe
File created	C:\Windows\SysWOW64\wirhoqi.exe	wqm.exe
File created	C:\Windows\SysWOW64\wnuffiv.exe	winvhbd.exe
File created	C:\Windows\SysWOW64\wqqi.exe	wiumyui.exe
File opened for modification	C:\Windows\SysWOW64\wtbqr.exe	wjulcpe.exe
File created	C:\Windows\SysWOW64\wwgo.exe	woyime.exe
File opened for modification	C:\Windows\SysWOW64\whxxb.exe	wuiu.exe
File created	C:\Windows\SysWOW64\wcmbd.exe	wsg.exe
File opened for modification	C:\Windows\SysWOW64\wqqi.exe	wiumyui.exe
File created	C:\Windows\SysWOW64\whqj.exe	wbhqd.exe
File created	C:\Windows\SysWOW64\wuruy.exe	wtkh.exe
File opened for modification	C:\Windows\SysWOW64\wnuffiv.exe	winvhbd.exe
File created	C:\Windows\SysWOW64\wtokjft.exe	wtbqr.exe
File created	C:\Windows\SysWOW64\wjfqjtr.exe	5d0913fce5eb524ddfd13585d1d8df80N.exe
File created	C:\Windows\SysWOW64\woyime.exe	wicjvv.exe
File opened for modification	C:\Windows\SysWOW64\wscvaec.exe	wrpcioj.exe
File opened for modification	C:\Windows\SysWOW64\wicxkx.exe	wphum.exe
File opened for modification	C:\Windows\SysWOW64\wtxcrrr.exe	wlrve.exe
File created	C:\Windows\SysWOW64\wrsmtgxq.exe	wdtacvcn.exe
File opened for modification	C:\Windows\SysWOW64\wjdvdn.exe	wrwwhg.exe
File created	C:\Windows\SysWOW64\wnfr.exe	wqgloj.exe
File created	C:\Windows\SysWOW64\woq.exe	wryndpfqp.exe
File created	C:\Windows\SysWOW64\wiumyui.exe	wcmbd.exe
File created	C:\Windows\SysWOW64\waneo.exe	wqqi.exe
File created	C:\Windows\SysWOW64\wok.exe	wjdvdn.exe
File opened for modification	C:\Windows\SysWOW64\wok.exe	wjdvdn.exe
File opened for modification	C:\Windows\SysWOW64\wqvyrj.exe	wok.exe
File opened for modification	C:\Windows\SysWOW64\wohmkn.exe	wjybm.exe
File created	C:\Windows\SysWOW64\wxue.exe	wicxkx.exe
File created	C:\Windows\SysWOW64\wicjvv.exe	wagno.exe
File opened for modification	C:\Windows\SysWOW64\wicjvv.exe	wagno.exe
File opened for modification	C:\Windows\SysWOW64\wrwwhg.exe	weptbqk.exe
File created	C:\Windows\SysWOW64\wphum.exe	wflxgwj.exe
File created	C:\Windows\SysWOW64\wuuxu.exe	wcdoq.exe
File opened for modification	C:\Windows\SysWOW64\whqj.exe	wbhqd.exe
File opened for modification	C:\Windows\SysWOW64\weptbqk.exe	wuuxu.exe
File created	C:\Windows\SysWOW64\wqvyrj.exe	wok.exe
File opened for modification	C:\Windows\SysWOW64\wdiv.exe	wrpxwn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2268	2248	WerFault.exe	89
3616	4812	WerFault.exe	130
4760	4872	WerFault.exe	161
5004	4348	WerFault.exe	190
528	876	WerFault.exe	202
2208	876	WerFault.exe	202
620	4756	WerFault.exe	230
3688	4756	WerFault.exe	230
4772	3352	WerFault.exe	255
4212	3352	WerFault.exe	255
3488	2880	WerFault.exe	277
4332	4456	WerFault.exe	280
2416	3868	WerFault.exe	293

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrwwhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqgloj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wflxgwj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvhbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcmbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuxu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wirhoqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmqmeac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d0913fce5eb524ddfd13585d1d8df80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnfr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whfdekhu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrtdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuruy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wryndpfqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgnwff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wicxkx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiumyui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wagno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wphum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjybm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkfsrmef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjulcpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscvaec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wohmkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2248	1448	5d0913fce5eb524ddfd13585d1d8df80N.exe	89
PID 1448 wrote to memory of 2248	1448	5d0913fce5eb524ddfd13585d1d8df80N.exe	89
PID 1448 wrote to memory of 2248	1448	5d0913fce5eb524ddfd13585d1d8df80N.exe	89
PID 1448 wrote to memory of 4756	1448	5d0913fce5eb524ddfd13585d1d8df80N.exe	91
PID 1448 wrote to memory of 4756	1448	5d0913fce5eb524ddfd13585d1d8df80N.exe	91
PID 1448 wrote to memory of 4756	1448	5d0913fce5eb524ddfd13585d1d8df80N.exe	91
PID 2248 wrote to memory of 620	2248	wjfqjtr.exe	95
PID 2248 wrote to memory of 620	2248	wjfqjtr.exe	95
PID 2248 wrote to memory of 620	2248	wjfqjtr.exe	95
PID 2248 wrote to memory of 3696	2248	wjfqjtr.exe	96
PID 2248 wrote to memory of 3696	2248	wjfqjtr.exe	96
PID 2248 wrote to memory of 3696	2248	wjfqjtr.exe	96
PID 620 wrote to memory of 1548	620	wxjtxcu.exe	103
PID 620 wrote to memory of 1548	620	wxjtxcu.exe	103
PID 620 wrote to memory of 1548	620	wxjtxcu.exe	103
PID 620 wrote to memory of 3092	620	wxjtxcu.exe	104
PID 620 wrote to memory of 3092	620	wxjtxcu.exe	104
PID 620 wrote to memory of 3092	620	wxjtxcu.exe	104
PID 1548 wrote to memory of 5008	1548	wlrve.exe	106
PID 1548 wrote to memory of 5008	1548	wlrve.exe	106
PID 1548 wrote to memory of 5008	1548	wlrve.exe	106
PID 1548 wrote to memory of 744	1548	wlrve.exe	107
PID 1548 wrote to memory of 744	1548	wlrve.exe	107
PID 1548 wrote to memory of 744	1548	wlrve.exe	107
PID 5008 wrote to memory of 2876	5008	wtxcrrr.exe	110
PID 5008 wrote to memory of 2876	5008	wtxcrrr.exe	110
PID 5008 wrote to memory of 2876	5008	wtxcrrr.exe	110
PID 5008 wrote to memory of 1532	5008	wtxcrrr.exe	111
PID 5008 wrote to memory of 1532	5008	wtxcrrr.exe	111
PID 5008 wrote to memory of 1532	5008	wtxcrrr.exe	111
PID 2876 wrote to memory of 2352	2876	wagno.exe	113
PID 2876 wrote to memory of 2352	2876	wagno.exe	113
PID 2876 wrote to memory of 2352	2876	wagno.exe	113
PID 2876 wrote to memory of 4352	2876	wagno.exe	115
PID 2876 wrote to memory of 4352	2876	wagno.exe	115
PID 2876 wrote to memory of 4352	2876	wagno.exe	115
PID 2352 wrote to memory of 4288	2352	wicjvv.exe	118
PID 2352 wrote to memory of 4288	2352	wicjvv.exe	118
PID 2352 wrote to memory of 4288	2352	wicjvv.exe	118
PID 2352 wrote to memory of 1004	2352	wicjvv.exe	119
PID 2352 wrote to memory of 1004	2352	wicjvv.exe	119
PID 2352 wrote to memory of 1004	2352	wicjvv.exe	119
PID 4288 wrote to memory of 2552	4288	woyime.exe	121
PID 4288 wrote to memory of 2552	4288	woyime.exe	121
PID 4288 wrote to memory of 2552	4288	woyime.exe	121
PID 4288 wrote to memory of 3928	4288	woyime.exe	122
PID 4288 wrote to memory of 3928	4288	woyime.exe	122
PID 4288 wrote to memory of 3928	4288	woyime.exe	122
PID 2552 wrote to memory of 4404	2552	wwgo.exe	124
PID 2552 wrote to memory of 4404	2552	wwgo.exe	124
PID 2552 wrote to memory of 4404	2552	wwgo.exe	124
PID 2552 wrote to memory of 5076	2552	wwgo.exe	125
PID 2552 wrote to memory of 5076	2552	wwgo.exe	125
PID 2552 wrote to memory of 5076	2552	wwgo.exe	125
PID 4404 wrote to memory of 1800	4404	wcdoq.exe	127
PID 4404 wrote to memory of 1800	4404	wcdoq.exe	127
PID 4404 wrote to memory of 1800	4404	wcdoq.exe	127
PID 4404 wrote to memory of 3968	4404	wcdoq.exe	128
PID 4404 wrote to memory of 3968	4404	wcdoq.exe	128
PID 4404 wrote to memory of 3968	4404	wcdoq.exe	128
PID 1800 wrote to memory of 4812	1800	wuuxu.exe	130
PID 1800 wrote to memory of 4812	1800	wuuxu.exe	130
PID 1800 wrote to memory of 4812	1800	wuuxu.exe	130
PID 1800 wrote to memory of 1164	1800	wuuxu.exe	131

C:\Users\Admin\AppData\Local\Temp\5d0913fce5eb524ddfd13585d1d8df80N.exe
"C:\Users\Admin\AppData\Local\Temp\5d0913fce5eb524ddfd13585d1d8df80N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\wjfqjtr.exe
  "C:\Windows\system32\wjfqjtr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\wxjtxcu.exe
    "C:\Windows\system32\wxjtxcu.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\SysWOW64\wlrve.exe
      "C:\Windows\system32\wlrve.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\wtxcrrr.exe
        
        "C:\Windows\system32\wtxcrrr.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\wagno.exe
        
        "C:\Windows\system32\wagno.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\wicjvv.exe
        
        "C:\Windows\system32\wicjvv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\woyime.exe
        
        "C:\Windows\system32\woyime.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\wwgo.exe
        
        "C:\Windows\system32\wwgo.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\wcdoq.exe
        
        "C:\Windows\system32\wcdoq.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\wuuxu.exe
        
        "C:\Windows\system32\wuuxu.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\weptbqk.exe
        
        "C:\Windows\system32\weptbqk.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wrwwhg.exe
        
        "C:\Windows\system32\wrwwhg.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\wjdvdn.exe
        
        "C:\Windows\system32\wjdvdn.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\wok.exe
        
        "C:\Windows\system32\wok.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\wqvyrj.exe
        
        "C:\Windows\system32\wqvyrj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\wrtdr.exe
        
        "C:\Windows\system32\wrtdr.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\wjybm.exe
        
        "C:\Windows\system32\wjybm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\wohmkn.exe
        
        "C:\Windows\system32\wohmkn.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\wkfsrmef.exe
        
        "C:\Windows\system32\wkfsrmef.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\wcms.exe
        
        "C:\Windows\system32\wcms.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\wqgloj.exe
        
        "C:\Windows\system32\wqgloj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\wnfr.exe
        
        "C:\Windows\system32\wnfr.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\wwosdbc.exe
        
        "C:\Windows\system32\wwosdbc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\wdms.exe
        
        "C:\Windows\system32\wdms.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\wmhna.exe
        
        "C:\Windows\system32\wmhna.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\wrpxwn.exe
        
        "C:\Windows\system32\wrpxwn.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wdiv.exe
        
        "C:\Windows\system32\wdiv.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\wnqdrh.exe
        
        "C:\Windows\system32\wnqdrh.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\wbhqd.exe
        
        "C:\Windows\system32\wbhqd.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\whqj.exe
        
        "C:\Windows\system32\whqj.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\wuiu.exe
        
        "C:\Windows\system32\wuiu.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\whxxb.exe
        
        "C:\Windows\system32\whxxb.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\wtkh.exe
        
        "C:\Windows\system32\wtkh.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\wuruy.exe
        
        "C:\Windows\system32\wuruy.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\wrpcioj.exe
        
        "C:\Windows\system32\wrpcioj.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\wscvaec.exe
        
        "C:\Windows\system32\wscvaec.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\wcjdn.exe
        
        "C:\Windows\system32\wcjdn.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\whfdekhu.exe
        
        "C:\Windows\system32\whfdekhu.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\wqm.exe
        
        "C:\Windows\system32\wqm.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\wirhoqi.exe
        
        "C:\Windows\system32\wirhoqi.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\wryndpfqp.exe
        
        "C:\Windows\system32\wryndpfqp.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\woq.exe
        
        "C:\Windows\system32\woq.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\wtnsnw.exe
        
        "C:\Windows\system32\wtnsnw.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\wdtacvcn.exe
        
        "C:\Windows\system32\wdtacvcn.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\wrsmtgxq.exe
        
        "C:\Windows\system32\wrsmtgxq.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wflxgwj.exe
        
        "C:\Windows\system32\wflxgwj.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\wphum.exe
        
        "C:\Windows\system32\wphum.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\wicxkx.exe
        
        "C:\Windows\system32\wicxkx.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\wxue.exe
        
        "C:\Windows\system32\wxue.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\wysixro.exe
        
        "C:\Windows\system32\wysixro.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\wrjqbad.exe
        
        "C:\Windows\system32\wrjqbad.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\wsv.exe
        
        "C:\Windows\system32\wsv.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\wgnwff.exe
        
        "C:\Windows\system32\wgnwff.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\wxtwdo.exe
        
        "C:\Windows\system32\wxtwdo.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\wgacqmj.exe
        
        "C:\Windows\system32\wgacqmj.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\winvhbd.exe
        
        "C:\Windows\system32\winvhbd.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\wnuffiv.exe
        
        "C:\Windows\system32\wnuffiv.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\wsg.exe
        
        "C:\Windows\system32\wsg.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\wcmbd.exe
        
        "C:\Windows\system32\wcmbd.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\wiumyui.exe
        
        "C:\Windows\system32\wiumyui.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\wqqi.exe
        
        "C:\Windows\system32\wqqi.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\waneo.exe
        
        "C:\Windows\system32\waneo.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\wjulcpe.exe
        
        "C:\Windows\system32\wjulcpe.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\wtbqr.exe
        
        "C:\Windows\system32\wtbqr.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\wtokjft.exe
        
        "C:\Windows\system32\wtokjft.exe"
        66⤵
        Checks computer location settings
        
        PID:3832
        
        C:\Windows\SysWOW64\weuqvbpdu.exe
        
        "C:\Windows\system32\weuqvbpdu.exe"
        67⤵
        Checks computer location settings
        
        PID:4996
        
        C:\Windows\SysWOW64\wmqmeac.exe
        
        "C:\Windows\system32\wmqmeac.exe"
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuqvbpdu.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtokjft.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbqr.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjulcpe.exe"
        65⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waneo.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqi.exe"
        63⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiumyui.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmbd.exe"
        61⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsg.exe"
        60⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuffiv.exe"
        59⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1532
        59⤵
        Program crash
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winvhbd.exe"
        58⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgacqmj.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtwdo.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 116
        56⤵
        Program crash
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnwff.exe"
        55⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1536
        55⤵
        Program crash
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsv.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqbad.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysixro.exe"
        52⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxue.exe"
        51⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicxkx.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphum.exe"
        49⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 116
        49⤵
        Program crash
        
        PID:4772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1536
        49⤵
        Program crash
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflxgwj.exe"
        48⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsmtgxq.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtacvcn.exe"
        46⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnsnw.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woq.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryndpfqp.exe"
        43⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirhoqi.exe"
        42⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1684
        42⤵
        Program crash
        
        PID:620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1448
        42⤵
        Program crash
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqm.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfdekhu.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjdn.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscvaec.exe"
        38⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpcioj.exe"
        37⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuruy.exe"
        36⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkh.exe"
        35⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxxb.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1264
        34⤵
        Program crash
        
        PID:528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1660
        34⤵
        Program crash
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiu.exe"
        33⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqj.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhqd.exe"
        31⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1692
        31⤵
        Program crash
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqdrh.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdiv.exe"
        29⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpxwn.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhna.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdms.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwosdbc.exe"
        25⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfr.exe"
        24⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgloj.exe"
        23⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcms.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1692
        22⤵
        Program crash
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfsrmef.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohmkn.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjybm.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtdr.exe"
        18⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvyrj.exe"
        17⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wok.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdvdn.exe"
        15⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwwhg.exe"
        14⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weptbqk.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1644
        13⤵
        Program crash
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuuxu.exe"
        12⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcdoq.exe"
        11⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgo.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyime.exe"
        9⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicjvv.exe"
        8⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagno.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxcrrr.exe"
        6⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrve.exe"
        5⤵
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjtxcu.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfqjtr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 412
    3⤵
    - Program crash
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\5d0913fce5eb524ddfd13585d1d8df80N.exe"
  2⤵
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2248 -ip 2248
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4812 -ip 4812
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4872 -ip 4872
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4348 -ip 4348
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4348 -ip 4348
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 876 -ip 876
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 876 -ip 876
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4756 -ip 4756
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4756 -ip 4756
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3352 -ip 3352
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3352 -ip 3352
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2880 -ip 2880
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4456 -ip 4456
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3868 -ip 3868
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wagno.exe

Filesize
94KB

MD5
75eaaad1c2aea2b74f69a71091d63e10

SHA1
1db2fbf2b1ddc2e554940c8e8d4d91050b3cea95

SHA256
7f2066028015f6d95c122457b284e5fb44acc696ed206ed649b514b007f74a73

SHA512
53f194f899e8e686a6d1fc51b80d9c8a412a8729743c4c3ef030cb43e90b7619f1206987914ea4423d9d2cf36a6a10b442510a34f0bc8b7c75ad27a18754d2ec

Download Submit
C:\Windows\SysWOW64\wbhqd.exe

Filesize
95KB

MD5
d082cc18f880a5d159ca6bf6a7820f77

SHA1
852b11a94a43e7fafebb887bcb065e01e6672b1e

SHA256
8e2d7a5dc4c48f047b9344ea9c7641d1f5014371ed0715dc012d603f65d2960d

SHA512
3f9cc2cd3b8e9c178094c6e9c89e7015d8278a02dbdfed8c2b06f1c834e47c552956b431cc789a2e7ff6ef50d996221f09443bc44e386379cd3205224afaa500

Download Submit
C:\Windows\SysWOW64\wcdoq.exe

Filesize
94KB

MD5
72da12e4c66e024f541224e6eda8bf12

SHA1
0578f45fda49c1048e7b1258a879205afb22e5e0

SHA256
b4e27b40e101c13f40cb81ff7acc097e82af307aa6def218eafee906567da005

SHA512
0374f523336a56f95df76db9b4df25cb9bee24a98a76ccb3cae1c989e4fd658eca16eee9bf9609639082f0ede75682f0934533ea2bfc6cd0b55a414063acd8ae

Download Submit
C:\Windows\SysWOW64\wcms.exe

Filesize
95KB

MD5
86bb28c29d7ce44fe57564b044ec3329

SHA1
246b13eee5632ad384b627048272169226965820

SHA256
a9731093bac31be8e8180b66260a57a4de1930fa9dbe310b455a046e52fe6a5a

SHA512
33e42e0a589a603b6355e9e609352b32735d301be5b60dfae516ca40d22a9bbbe1faa2db3cf935516b35620a92e720538f74342e7ba8ad643f5110c28558f179

Download Submit
C:\Windows\SysWOW64\wdiv.exe

Filesize
95KB

MD5
e2bfed27abe2dc50e51f9ce3a886f601

SHA1
9cb9570372fb9a8131cc1edf315627acf39e613b

SHA256
52bf6e2febbb12278d3458784a5e86179dbf87c068e30578664ea6c5ae95f17d

SHA512
83a7881abc4db69b4b5ff17dc0bbe0bff9c2893da1a9c9e28b52ca95c8ff6a19fcdcd518f0d9e9560dc1a88bcf63ce0c7f31ca18029072de4a8dfb98ab88ff75

Download Submit
C:\Windows\SysWOW64\wdms.exe

Filesize
95KB

MD5
2157631509dd7ff982c80c81fc40c9b6

SHA1
7e71bc253d94ff11c33498db0bab384cf3d0ca74

SHA256
419c57be4eaf7f0ef1cdc74defdd58c3352af1c7e6f802570b27ba8125271330

SHA512
13f0d65e757d0eed8ba88471a4e4f7726a26eaaaee18487e80f66612bdfda3d1672f4eee430b271f37cf73802501964eea82973db19233e79ae6a1d1e528413d

Download Submit
C:\Windows\SysWOW64\weptbqk.exe

Filesize
94KB

MD5
eb1d39101519b1fd24df256a2b400016

SHA1
83dd4ad4ed4a52f30e6a0146d4e5a45c717ac8e6

SHA256
d7ca796bca8c00ef87d2146b389ddc85ce638b7e5c39fae7cca893ecfe418f63

SHA512
1f9f8d13617e191761e135db5f10b69f3312193835eee4217dd1f55e64763eb41c04fae1ffdb4dd540c557ceb48d84ffcdd591defcdb59e9cc21abafed6d38a8

Download Submit
C:\Windows\SysWOW64\whqj.exe

Filesize
95KB

MD5
af6f142b088aedfeb07722ecccf8ecfe

SHA1
53608a30299fd90caf7cf0e8456eb21dbeb77284

SHA256
54f45997147fd4f61b5fad75dd856528d5170454846ff69008c7a96961c47416

SHA512
aca4b7715437e30f4cfc1575354e9a9ef1da769a4bbbd795c5cb4d726ddfce6d44eb9b4d3c01be887cab2dd0e76d87b57a86ac4db0386d3172d9174146664620

Download Submit
C:\Windows\SysWOW64\whxxb.exe

Filesize
95KB

MD5
66937849a7f8e781a578e7a447614750

SHA1
182026d5fb6f87b81d6037412114486d0db56b77

SHA256
82b522b1c716ea36e347cecbadb9e7d27351335fd7c56524881ef35362002ae5

SHA512
c39d52ec5f07984ca5f102c18d7cce33c831fc05db608de7cab2c8b42b560a2e65b83832a80c032f4938bc4ef029c5b4dd1228ee6fcc8cc36131dfa5f991921b

Download Submit
C:\Windows\SysWOW64\wicjvv.exe

Filesize
94KB

MD5
f1f46f5c1b3c0c6a24b9914896be9648

SHA1
d91f27239b80e07d929f4894865244dc7e2ee101

SHA256
b9eb4a6ae854e26ae8fd7d94e4f1bf972c5a2e46e7a56573895da14b69abd25a

SHA512
55e7f4b0918b26f3da86cac20531af55b5e327a1ae4525bdebc0e12e2098bfd0a480e20c061ea6c5617428c32be8b0c0a43d3f7adc79bab3e3daececd38f7f7c

Download Submit
C:\Windows\SysWOW64\wjdvdn.exe

Filesize
95KB

MD5
3951f9a46f88d55e9b860c3d73d895e7

SHA1
dfe070f27cac2dcbe63a09dd159ed254fd286265

SHA256
f2c061b54472dff93b272a794e0dafe06eabd6487eb1c73adcca54881eb0726a

SHA512
f87b4006f6f29a7b2efe5818e0958dab8aaf4ac4182b92f272d981ce031110ef18676093ad88517a28c557030bb68927f7fa3fe48fd0dd59a32c20c5a4b035de

Download Submit
C:\Windows\SysWOW64\wjfqjtr.exe

Filesize
94KB

MD5
d6d9edf6ff0033cfe285030fd99253b0

SHA1
87cfcb66520af0b5442e8ba8bd8b207d9fbd6bc2

SHA256
f8bd85b0ceafa7a7250253e962a6632c01025ee7101b22f275f5a015b04a0bd8

SHA512
3043b367a734db3e2dac438f8529679d534eb30c8cf69fd5ec77b1b39635b6d7a128dc759262b7115dbacd94505fef3a259154a1b94cad3830118d99eac7c1f7

Download Submit
C:\Windows\SysWOW64\wjybm.exe

Filesize
95KB

MD5
a255c9bd6137b1549e551a4b23d4d89f

SHA1
fb2747490ebb2f3152e8405b2a58a88550f38688

SHA256
96ebaa980b86e9c0701f6c2819fc588ed754c434858070cf6b7af6467f39cae7

SHA512
342c0453814b55ff345f02444afe6a286ba040f5e241f1fa4e59a0c03e8c94781a4551577cd871eff237d101474f339d946d914a01a0c6579b5d900df4ae68b8

Download Submit
C:\Windows\SysWOW64\wkfsrmef.exe

Filesize
95KB

MD5
4afe68920265eb67103f3de73057c812

SHA1
9d06187b9f0cd34802b4bbb350083bf7ab6dcb60

SHA256
285dc4d3054555716cb6fe942472163c9b66f1147c63b77d1f34821ab2254c55

SHA512
8687d09398154fcf1356c2ba8fd28f64b52b68173e87e8e34e16689279839396bfa148ac317e34f63c2ce6d7ff5900cdbb03ae7e9f65d0f6432d8ec17af78272

Download Submit
C:\Windows\SysWOW64\wlrve.exe

Filesize
94KB

MD5
a8d12e12bf4ddb7adbde87e854b454b2

SHA1
2228f033ec68a40091dd9442573e7eb0519a8a34

SHA256
0860392bf8a3675b4d6d689ced3f23c905b7869ec1850afd528ad07909df3994

SHA512
8d2784db5173d0fef77fd96d157bcb99f2fe2a571d7b9e7bb8c53d0aa71442b77b7f3052d03c6e0f061c225db393cbe0f8e34a8e2ba429ca8a283bd55503d51c

Download Submit
C:\Windows\SysWOW64\wmhna.exe

Filesize
95KB

MD5
843c0e56b5916284e6e4b1d03effb1d2

SHA1
59ae5ecd345f51b1ed5fc4c7ca2407547b13fdf4

SHA256
c8a4e69a7a2897efc5bf0dc315179a9aa02da4f37d2378b3bc001087ad4cef6c

SHA512
eb5847cc99e6ce028df6a37266e55d0f8c844b9a1e2fe32921ea13fd27954f65ec252771d158dc6df0a04b54c48575416d50f813ca8080dfabc47f53ec718039

Download Submit
C:\Windows\SysWOW64\wnfr.exe

Filesize
95KB

MD5
932d3f943c1b6540bc4693ba568fdf6a

SHA1
5164d4989fc6bb7b19f91177d4f6c8e6da63e219

SHA256
6687f9aecd3c0fa5f6a76996526d555f8bfd7674bedb904b6f51a2c971bbc419

SHA512
42a5362ac5db61ec1647f39e2cb44096559d0750fae637b4ac65201002796fc306499d35393984c9ab9fb0a78cc91e36e340edfb33d16636347460bf3bf2c9c5

Download Submit
C:\Windows\SysWOW64\wnqdrh.exe

Filesize
95KB

MD5
f2d9717b54f560936efa76f2b06d6c95

SHA1
e8c7672bf94608b44077ee7ae487dc68e6b5011b

SHA256
df58a5aeacbfa52f13fe03bca6f1c178e9cd33ce5680fd4f7749ba9932319a19

SHA512
e7f9e08df6a1155c07a8b9f16126c67ebc6e7dbf91129989119577ec6f2099551adfe72b6e4568c4959f33b0bffb95fb82b73f750edb9c196c921f0d5f0b1031

Download Submit
C:\Windows\SysWOW64\wohmkn.exe

Filesize
95KB

MD5
96e6ad2a965ed378ab378b8967e4829a

SHA1
443b4ff6f8bb0393f78dee3667ff4f21e5cab549

SHA256
96a8c65932d1ebe5e3862bfbee6752356e4348fb49c8982a98212a780c0dfb7f

SHA512
c8c2a42a0aca9b7ec14ad638b3bb70814ea3de1880e94b4b83914cbfcf81fb500edf399576daa96d11ba1ab2e425b3749bf539df9aacf3ada36b7f95e6ec2fd5

Download Submit
C:\Windows\SysWOW64\wok.exe

Filesize
95KB

MD5
87aa6e839a70569138b3a1e07dc4ff2f

SHA1
d5dfba8d5c033e66fb440faf1eca4fc9569f8d9d

SHA256
3679e1b4a15303d011b848b602800976eb58531044d209df38e394f99d4050ce

SHA512
021787d49465c18a763a3d2692c398858f38852256971d881bdff631b8181a99b585a9f0ae084bdb83a93ee6b0f37d11a08bf9ac7069004d3a1b281ade467424

Download Submit
C:\Windows\SysWOW64\woyime.exe

Filesize
94KB

MD5
c7e46f7818b82c37ac1e140b7018e2b8

SHA1
5ef0c92e5395fe4b94e792111a1b70a73164c1cd

SHA256
934cb2bd10a63c1f9c951c212ecc5cf3c97782e823a1202bb9e6dbc201cb810c

SHA512
89b6eb16f4d1575a12660f666f45aea17ee8ece11155719b987ea6ae2910f0133c8eddc54c0191ee60ccfd3c12624fdb80e0d0dfd51d8e27da4884b484907c59

Download Submit
C:\Windows\SysWOW64\wqgloj.exe

Filesize
95KB

MD5
ee26708cf7d21a31f6baf670cf16b097

SHA1
9720e03c6ccbe50bbfbe49c0447aa3b007a1a4ac

SHA256
4e530be587122d4865ff8691125b2629deb36b4681c14f66833629cce82eca68

SHA512
b71492bc005815578ff76a498ff748e26023e3c65c48e0c54193fdb3652f23c8d4f1b41bc3a97d0efbf20ba5fde2ae83122c82b70170d5a0ea5e7dafa86ecc4a

Download Submit
C:\Windows\SysWOW64\wqvyrj.exe

Filesize
95KB

MD5
d84607afa229244fbdd6375bcfded2b4

SHA1
27d4d567f9c67692ce24c94e9333e895cd2ba814

SHA256
0e6f96b810c9cf3a096372fe1ecb3f9926cf45a2289b9c09e6604700e8aebc9a

SHA512
c950783d809f186c812398f6f8d4a5a2c0b891a8561bf920878cea09e7ed11242d229ddb06d6c22413519c2572fbe02ef85a7c59bd6e6c63c2d8aee3ce521a8d

Download Submit
C:\Windows\SysWOW64\wrpxwn.exe

Filesize
95KB

MD5
d087b797573676f76c6263045cb64f6e

SHA1
cffeaa7f28c6ed6c10613242d96b6ca21bef8233

SHA256
62faa5253f37ec337e59f919fd69ac7a970b67a82c959294333bcd8c804b8aaf

SHA512
3d3cfdd3c2ba0391bafe821dfed385f6cf427fde6a596b1515969e2486ddf44af5eb2e698aa64857fdea444828e2499aa3da03735ec495337433e249a3d8bb75

Download Submit
C:\Windows\SysWOW64\wrtdr.exe

Filesize
95KB

MD5
e0646645b2591db7658698ff9e2ec573

SHA1
c1ae9a5cadfbdd84ca1e3a90581e9b58261645be

SHA256
194db34631fb313548696f1dcfec53be2f88c0a59b3574fddf8126e1d375f191

SHA512
c30b2046e93a6b1fb7f51185afe85afb4a3227d8952e5ba8cc3a44beb68fd35b947c0401f8825435217a18307653f3986aba9edc2cb73194f1560d74c774a050

Download Submit
C:\Windows\SysWOW64\wrwwhg.exe

Filesize
94KB

MD5
4457fd9901a168b29f1307e507d22724

SHA1
a4234cf1386757e8c04a3c4947441d8c380264b7

SHA256
e839dea64751314af2b898c3a6afa283475a9f940eba79968a6570f020cb0aa9

SHA512
78a7b1fc04157c27041df8d9b05603cbc85a2da08c7dbcf94a7e590d7e3939107e138efd191c6bbccf3dc6d0138932e4e54a79196b21016e27496fdc99fa5b07

Download Submit
C:\Windows\SysWOW64\wtxcrrr.exe

Filesize
94KB

MD5
5073ce6795d0ac8f9b8b583c87ba98c9

SHA1
984cb8f3f4b12305eba32d98fc716b6f80fa99e6

SHA256
d917938c2b7050ef3915e2d462621832f6a6141f2ed2c3efc8f47ae668704728

SHA512
387c23e7435c6b3b975213d8f7b94eeff15af5c7d92bf0aa4458693eb9127cf6630eb10fd6aec17cb910b094d143cfad9657c14cc6037268615ff8fddd905e36

Download Submit
C:\Windows\SysWOW64\wuiu.exe

Filesize
95KB

MD5
ce279e8fb7b4da32e1f89238a63fc7ea

SHA1
83ba9126c918ce0ace2a40a10c94035a6dc5fbb0

SHA256
7f1053fb183ae610fc33753339592b7921b354e3307c2dbc13a2a71b2991316b

SHA512
1524702c9e4233de660d2686a7b69290e51098728e752b4b3fec688db9c9bb4a5f5036f66d29b965ed18ebc66953e774a461db00d9270a2b6be6d9ac3092e148

Download Submit
C:\Windows\SysWOW64\wuuxu.exe

Filesize
94KB

MD5
f604fa78864a12974067b70e717413ac

SHA1
79b235b9f677a125be0f05e23f9e0e1dfab6b6ab

SHA256
37a536cfacc7f75aeb0edd671b812b2bfe5c5bb3e12993db6509ae77020f330e

SHA512
0e7437a105fc44328d5da2ad3d7392cd7a8a41f61c436a2453bad07076b4440265dd22dced905dd84cab835a23f67ff02a46fbb956f7363192237426641bd958

Download Submit
C:\Windows\SysWOW64\wwgo.exe

Filesize
94KB

MD5
98711f8342c6a2eafd23a16a3c44374e

SHA1
686424d6f58119280dc27a7902e240dbce325547

SHA256
766004da6bc8d14738787bcb9bd15c94634d472896acf39722f6040906cfcb28

SHA512
50f949821467b87823ef9b66fcd511cb0da8235864c6a796e567a53cf476778de38e1a2e21f51676e56e5c3d88ca95504119ad424b4596a28f1de69c7d10b767

Download Submit
C:\Windows\SysWOW64\wwosdbc.exe

Filesize
95KB

MD5
c2faae61fe1e61cc007575c08483168f

SHA1
d144df2f8ebc1f1cb2f52278b37086e862eeb0cc

SHA256
5ce96fe97f98077fcea96f4c062b5e1116935a97ea1b9b2cf02a94751bbab033

SHA512
f6fd44220fd81380289194513de9c0ed08ae648d44a5b751fb40132da5ea5a3835d4bc910179a9bb9385cf8c8e404bfa40ab153f1cd330fd69cf3462a1d47851

Download Submit
C:\Windows\SysWOW64\wxjtxcu.exe

Filesize
94KB

MD5
6544d0d60e56a10a80908b177beaa90b

SHA1
09d11f8fde238544a392bb44ad90e4c620d86129

SHA256
0c0ab465b397c6083cc011ab47ccbb85b56e54f90dc7f3dafc86f431e99f2061

SHA512
c01a1484c8acd8ef7032af3f897254d6da3276521c8cdec837fa43de2120e02955b59f553cbbb96e4c509fad52c1aa461b1071a0d8446b312d616c576ea2336c

Download Submit
memory/220-292-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/460-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/620-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/720-201-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/872-442-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/876-330-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/960-282-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1012-370-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1016-466-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1372-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1412-578-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1448-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1448-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1548-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1548-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1568-191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1568-426-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-338-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1692-586-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1692-346-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1836-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-434-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2248-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2456-458-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2684-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2876-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-498-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2924-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3160-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3192-474-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3296-418-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3352-450-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3468-514-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-554-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3832-594-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3868-530-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3892-482-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3944-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4064-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4080-562-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4120-522-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4120-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4196-354-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4288-80-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4316-312-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4348-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-410-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4404-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4456-506-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4488-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4508-570-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4508-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4580-490-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4752-546-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4756-394-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4776-538-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4796-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-120-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4872-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4996-602-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5004-378-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5008-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5048-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download