226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcf

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
Size

106KB
MD5

fc99ae7c1213311b0f5ba99ffa3c5e00
SHA1

c0bd744f6482babf491c48e3f44b22ab24b53bd7
SHA256

226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcf
SHA512

e9b1606aae354bcc1500c66c8c5f49a107d6cdb92d6f19b86e6bea109505d6a6dd0112a15f6996b82064197eb14b5b8472b07099fdf14661a266885582b1b2f7
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA1B:yfjxrhzk2nfsWhP7dvavi6vWEbh8XT

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1812	wndcml.exe
2716	wyes.exe
664	wrjgn.exe
2856	wijecbdr.exe
2576	wfec.exe
3028	wjuni.exe
884	wmmbjd.exe
2464	wikupf.exe
2812	wiqat.exe
2872	wmsvbol.exe
1708	wjggbo.exe
892	wfsqa.exe
848	wci.exe
2580	wxmkkt.exe
868	wcxiffav.exe
1208	wqbo.exe
2268	wxpwhc.exe
2348	wqqwwlsr.exe
2808	wugixaswb.exe
2848	whgvovhvq.exe
2700	wuwa.exe
2640	wttqvkpj.exe
2064	wlbdpwsgd.exe
1748	wugpivlv.exe
1496	wev.exe
2136	wvjlk.exe
2760	weldjpj.exe
2628	wjiqxbqyi.exe
2972	wbkuxk.exe
2132	wjmmxocc.exe
1664	wkleuifeu.exe
2936	wcnivq.exe
1736	wxmdcteis.exe
1584	wlmqrouhh.exe
1812	whuaesa.exe
2852	wpure.exe
2216	wwlavcpa.exe
2300	wxjpsusb.exe
844	wmmycnnf.exe
772	whlsjonq.exe
1716	wexeipb.exe
2880	wrohrmgaq.exe
3068	wdpwijxyf.exe
2588	wigijv.exe
1864	wdstjxjb.exe
1904	warooyjn.exe
328	wvyvbbo.exe
884	weneshqw.exe
2124	wacp.exe
2304	wgkmo.exe
2812	wjpojfkpn.exe
2664	wjoffy.exe
744	wys.exe
3048	wxcotkvj.exe
1040	wigyllp.exe
2500	wnkpn.exe
2260	woqtqnnb.exe
2124	wfxglapyl.exe
2268	wdrhfvo.exe
912	wflqjlok.exe
1864	witnewf.exe
916	woyoxjs.exe
2340	wwpwq.exe
2272	wvyxvh.exe

Loads dropped DLL 64 IoCs

pid	Process
3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
1812	wndcml.exe
1812	wndcml.exe
1812	wndcml.exe
1812	wndcml.exe
2716	wyes.exe
2716	wyes.exe
2716	wyes.exe
2716	wyes.exe
664	wrjgn.exe
664	wrjgn.exe
664	wrjgn.exe
664	wrjgn.exe
2856	wijecbdr.exe
2856	wijecbdr.exe
2856	wijecbdr.exe
2856	wijecbdr.exe
2576	wfec.exe
2576	wfec.exe
2576	wfec.exe
2576	wfec.exe
3028	wjuni.exe
3028	wjuni.exe
3028	wjuni.exe
3028	wjuni.exe
884	wmmbjd.exe
884	wmmbjd.exe
884	wmmbjd.exe
884	wmmbjd.exe
2464	wikupf.exe
2464	wikupf.exe
2464	wikupf.exe
2464	wikupf.exe
2812	wiqat.exe
2812	wiqat.exe
2812	wiqat.exe
2812	wiqat.exe
2872	wmsvbol.exe
2872	wmsvbol.exe
2872	wmsvbol.exe
2872	wmsvbol.exe
1708	wjggbo.exe
1708	wjggbo.exe
1708	wjggbo.exe
1708	wjggbo.exe
892	wfsqa.exe
892	wfsqa.exe
892	wfsqa.exe
892	wfsqa.exe
848	wci.exe
848	wci.exe
848	wci.exe
848	wci.exe
2580	wxmkkt.exe
2580	wxmkkt.exe
2580	wxmkkt.exe
2580	wxmkkt.exe
868	wcxiffav.exe
868	wcxiffav.exe
868	wcxiffav.exe
868	wcxiffav.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wiqat.exe	wikupf.exe
File created	C:\Windows\SysWOW64\wxpwhc.exe	wqbo.exe
File created	C:\Windows\SysWOW64\wjiqxbqyi.exe	weldjpj.exe
File opened for modification	C:\Windows\SysWOW64\wrdxe.exe	woccvqi.exe
File opened for modification	C:\Windows\SysWOW64\wfdnwjv.exe	wccspvluv.exe
File created	C:\Windows\SysWOW64\wmmbjd.exe	wjuni.exe
File opened for modification	C:\Windows\SysWOW64\wxpwhc.exe	wqbo.exe
File opened for modification	C:\Windows\SysWOW64\wexeipb.exe	whlsjonq.exe
File created	C:\Windows\SysWOW64\wikupf.exe	wmmbjd.exe
File opened for modification	C:\Windows\SysWOW64\wmmycnnf.exe	wxjpsusb.exe
File opened for modification	C:\Windows\SysWOW64\wfsqa.exe	wjggbo.exe
File opened for modification	C:\Windows\SysWOW64\whuaesa.exe	wlmqrouhh.exe
File opened for modification	C:\Windows\SysWOW64\wtlvjn.exe	wiaylqdxp.exe
File opened for modification	C:\Windows\SysWOW64\wflqjlok.exe	wdrhfvo.exe
File created	C:\Windows\SysWOW64\wqhun.exe	wogbglr.exe
File created	C:\Windows\SysWOW64\wjuni.exe	wfec.exe
File created	C:\Windows\SysWOW64\wys.exe	wjoffy.exe
File created	C:\Windows\SysWOW64\wvlhug.exe	wnkpvck.exe
File created	C:\Windows\SysWOW64\wvsmxcgbm.exe	wvlhug.exe
File created	C:\Windows\SysWOW64\wgwclcqvf.exe	wnblquw.exe
File opened for modification	C:\Windows\SysWOW64\wigijv.exe	wdpwijxyf.exe
File created	C:\Windows\SysWOW64\weneshqw.exe	wvyvbbo.exe
File opened for modification	C:\Windows\SysWOW64\wnkpvck.exe	wqxevbuq.exe
File created	C:\Windows\SysWOW64\wogbglr.exe	wvsmxcgbm.exe
File created	C:\Windows\SysWOW64\wiaylqdxp.exe	woxskhdf.exe
File created	C:\Windows\SysWOW64\wcrsuq.exe	wtlvjn.exe
File created	C:\Windows\SysWOW64\wacp.exe	weneshqw.exe
File created	C:\Windows\SysWOW64\wflqjlok.exe	wdrhfvo.exe
File created	C:\Windows\SysWOW64\wjioswj.exe	wfdnwjv.exe
File opened for modification	C:\Windows\SysWOW64\wvjlk.exe	wev.exe
File created	C:\Windows\SysWOW64\wevuixtl.exe	weegxbatl.exe
File created	C:\Windows\SysWOW64\warooyjn.exe	wdstjxjb.exe
File created	C:\Windows\SysWOW64\woqtqnnb.exe	wnkpn.exe
File opened for modification	C:\Windows\SysWOW64\wxlal.exe	wqjimxo.exe
File opened for modification	C:\Windows\SysWOW64\wugpivlv.exe	wlbdpwsgd.exe
File opened for modification	C:\Windows\SysWOW64\weldjpj.exe	wvjlk.exe
File created	C:\Windows\SysWOW64\wxjpsusb.exe	wwlavcpa.exe
File opened for modification	C:\Windows\SysWOW64\wgkmo.exe	wacp.exe
File created	C:\Windows\SysWOW64\wdrhfvo.exe	wfxglapyl.exe
File opened for modification	C:\Windows\SysWOW64\wwpwq.exe	woyoxjs.exe
File created	C:\Windows\SysWOW64\wnnysna.exe	wukur.exe
File opened for modification	C:\Windows\SysWOW64\wttqvkpj.exe	wuwa.exe
File created	C:\Windows\SysWOW64\whuaesa.exe	wlmqrouhh.exe
File opened for modification	C:\Windows\SysWOW64\wmmbjd.exe	wjuni.exe
File created	C:\Windows\SysWOW64\wtqsj.exe	wcrsuq.exe
File created	C:\Windows\SysWOW64\woyoxjs.exe	witnewf.exe
File created	C:\Windows\SysWOW64\wfmxyexc.exe	wsqsclkhc.exe
File opened for modification	C:\Windows\SysWOW64\wacb.exe	wtsfne.exe
File created	C:\Windows\SysWOW64\whgvovhvq.exe	wugixaswb.exe
File created	C:\Windows\SysWOW64\wjoffy.exe	wjpojfkpn.exe
File opened for modification	C:\Windows\SysWOW64\wdpwijxyf.exe	wrohrmgaq.exe
File opened for modification	C:\Windows\SysWOW64\wukur.exe	wxlal.exe
File created	C:\Windows\SysWOW64\wlmqrouhh.exe	wxmdcteis.exe
File opened for modification	C:\Windows\SysWOW64\wlmqrouhh.exe	wxmdcteis.exe
File opened for modification	C:\Windows\SysWOW64\warooyjn.exe	wdstjxjb.exe
File opened for modification	C:\Windows\SysWOW64\wqxevbuq.exe	wacb.exe
File opened for modification	C:\Windows\SysWOW64\wogbglr.exe	wvsmxcgbm.exe
File opened for modification	C:\Windows\SysWOW64\wugixaswb.exe	wqqwwlsr.exe
File created	C:\Windows\SysWOW64\wigijv.exe	wdpwijxyf.exe
File opened for modification	C:\Windows\SysWOW64\wpbxn.exe	wunmoj.exe
File opened for modification	C:\Windows\SysWOW64\wvsmxcgbm.exe	wvlhug.exe
File opened for modification	C:\Windows\SysWOW64\wiqat.exe	wikupf.exe
File opened for modification	C:\Windows\SysWOW64\wdstjxjb.exe	wigijv.exe
File created	C:\Windows\SysWOW64\wjbjkgi.exe	wevuixtl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2408	868	WerFault.exe	73
2988	2848	WerFault.exe	89
792	1748	WerFault.exe	102
824	2664	WerFault.exe	187
2544	2340	WerFault.exe	221
1476	496	WerFault.exe	297
1600	2860	WerFault.exe	310
1752	2216	WerFault.exe	344

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxpwhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrdxe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjdja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmmbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	witnewf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgrh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqqwwlsr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wugpivlv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdwiug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnblquw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woxskhdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcnivq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wijecbdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwpwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmmycnnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkobrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcrsuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wogbglr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wacb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woyoxjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcijwekt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wigyllp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woqtqnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfdnwjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wefpqty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wugixaswb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsvbol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1812	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	30
PID 3060 wrote to memory of 1812	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	30
PID 3060 wrote to memory of 1812	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	30
PID 3060 wrote to memory of 1812	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	30
PID 3060 wrote to memory of 2728	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	31
PID 3060 wrote to memory of 2728	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	31
PID 3060 wrote to memory of 2728	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	31
PID 3060 wrote to memory of 2728	3060	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	31
PID 1812 wrote to memory of 2716	1812	wndcml.exe	33
PID 1812 wrote to memory of 2716	1812	wndcml.exe	33
PID 1812 wrote to memory of 2716	1812	wndcml.exe	33
PID 1812 wrote to memory of 2716	1812	wndcml.exe	33
PID 1812 wrote to memory of 2768	1812	wndcml.exe	34
PID 1812 wrote to memory of 2768	1812	wndcml.exe	34
PID 1812 wrote to memory of 2768	1812	wndcml.exe	34
PID 1812 wrote to memory of 2768	1812	wndcml.exe	34
PID 2716 wrote to memory of 664	2716	wyes.exe	36
PID 2716 wrote to memory of 664	2716	wyes.exe	36
PID 2716 wrote to memory of 664	2716	wyes.exe	36
PID 2716 wrote to memory of 664	2716	wyes.exe	36
PID 2716 wrote to memory of 2952	2716	wyes.exe	37
PID 2716 wrote to memory of 2952	2716	wyes.exe	37
PID 2716 wrote to memory of 2952	2716	wyes.exe	37
PID 2716 wrote to memory of 2952	2716	wyes.exe	37
PID 664 wrote to memory of 2856	664	wrjgn.exe	39
PID 664 wrote to memory of 2856	664	wrjgn.exe	39
PID 664 wrote to memory of 2856	664	wrjgn.exe	39
PID 664 wrote to memory of 2856	664	wrjgn.exe	39
PID 664 wrote to memory of 1296	664	wrjgn.exe	40
PID 664 wrote to memory of 1296	664	wrjgn.exe	40
PID 664 wrote to memory of 1296	664	wrjgn.exe	40
PID 664 wrote to memory of 1296	664	wrjgn.exe	40
PID 2856 wrote to memory of 2576	2856	wijecbdr.exe	42
PID 2856 wrote to memory of 2576	2856	wijecbdr.exe	42
PID 2856 wrote to memory of 2576	2856	wijecbdr.exe	42
PID 2856 wrote to memory of 2576	2856	wijecbdr.exe	42
PID 2856 wrote to memory of 2384	2856	wijecbdr.exe	43
PID 2856 wrote to memory of 2384	2856	wijecbdr.exe	43
PID 2856 wrote to memory of 2384	2856	wijecbdr.exe	43
PID 2856 wrote to memory of 2384	2856	wijecbdr.exe	43
PID 2576 wrote to memory of 3028	2576	wfec.exe	45
PID 2576 wrote to memory of 3028	2576	wfec.exe	45
PID 2576 wrote to memory of 3028	2576	wfec.exe	45
PID 2576 wrote to memory of 3028	2576	wfec.exe	45
PID 2576 wrote to memory of 1544	2576	wfec.exe	46
PID 2576 wrote to memory of 1544	2576	wfec.exe	46
PID 2576 wrote to memory of 1544	2576	wfec.exe	46
PID 2576 wrote to memory of 1544	2576	wfec.exe	46
PID 3028 wrote to memory of 884	3028	wjuni.exe	48
PID 3028 wrote to memory of 884	3028	wjuni.exe	48
PID 3028 wrote to memory of 884	3028	wjuni.exe	48
PID 3028 wrote to memory of 884	3028	wjuni.exe	48
PID 3028 wrote to memory of 2472	3028	wjuni.exe	49
PID 3028 wrote to memory of 2472	3028	wjuni.exe	49
PID 3028 wrote to memory of 2472	3028	wjuni.exe	49
PID 3028 wrote to memory of 2472	3028	wjuni.exe	49
PID 884 wrote to memory of 2464	884	wmmbjd.exe	52
PID 884 wrote to memory of 2464	884	wmmbjd.exe	52
PID 884 wrote to memory of 2464	884	wmmbjd.exe	52
PID 884 wrote to memory of 2464	884	wmmbjd.exe	52
PID 884 wrote to memory of 2008	884	wmmbjd.exe	53
PID 884 wrote to memory of 2008	884	wmmbjd.exe	53
PID 884 wrote to memory of 2008	884	wmmbjd.exe	53
PID 884 wrote to memory of 2008	884	wmmbjd.exe	53

C:\Users\Admin\AppData\Local\Temp\226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
"C:\Users\Admin\AppData\Local\Temp\226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\wndcml.exe
  "C:\Windows\system32\wndcml.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\wyes.exe
    "C:\Windows\system32\wyes.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\wrjgn.exe
      "C:\Windows\system32\wrjgn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Windows\SysWOW64\wijecbdr.exe
        
        "C:\Windows\system32\wijecbdr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\wfec.exe
        
        "C:\Windows\system32\wfec.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\wjuni.exe
        
        "C:\Windows\system32\wjuni.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\wmmbjd.exe
        
        "C:\Windows\system32\wmmbjd.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\wikupf.exe
        
        "C:\Windows\system32\wikupf.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\wiqat.exe
        
        "C:\Windows\system32\wiqat.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2812
        
        C:\Windows\SysWOW64\wmsvbol.exe
        
        "C:\Windows\system32\wmsvbol.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\wjggbo.exe
        
        "C:\Windows\system32\wjggbo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\wfsqa.exe
        
        "C:\Windows\system32\wfsqa.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:892
        
        C:\Windows\SysWOW64\wci.exe
        
        "C:\Windows\system32\wci.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:848
        
        C:\Windows\SysWOW64\wxmkkt.exe
        
        "C:\Windows\system32\wxmkkt.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2580
        
        C:\Windows\SysWOW64\wcxiffav.exe
        
        "C:\Windows\system32\wcxiffav.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:868
        
        C:\Windows\SysWOW64\wqbo.exe
        
        "C:\Windows\system32\wqbo.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\wxpwhc.exe
        
        "C:\Windows\system32\wxpwhc.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\wqqwwlsr.exe
        
        "C:\Windows\system32\wqqwwlsr.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\wugixaswb.exe
        
        "C:\Windows\system32\wugixaswb.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\whgvovhvq.exe
        
        "C:\Windows\system32\whgvovhvq.exe"
        21⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\wuwa.exe
        
        "C:\Windows\system32\wuwa.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\wttqvkpj.exe
        
        "C:\Windows\system32\wttqvkpj.exe"
        23⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\wlbdpwsgd.exe
        
        "C:\Windows\system32\wlbdpwsgd.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\wugpivlv.exe
        
        "C:\Windows\system32\wugpivlv.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\wev.exe
        
        "C:\Windows\system32\wev.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\wvjlk.exe
        
        "C:\Windows\system32\wvjlk.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\weldjpj.exe
        
        "C:\Windows\system32\weldjpj.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wjiqxbqyi.exe
        
        "C:\Windows\system32\wjiqxbqyi.exe"
        29⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\wbkuxk.exe
        
        "C:\Windows\system32\wbkuxk.exe"
        30⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\wjmmxocc.exe
        
        "C:\Windows\system32\wjmmxocc.exe"
        31⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\wkleuifeu.exe
        
        "C:\Windows\system32\wkleuifeu.exe"
        32⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\wcnivq.exe
        
        "C:\Windows\system32\wcnivq.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\wxmdcteis.exe
        
        "C:\Windows\system32\wxmdcteis.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wlmqrouhh.exe
        
        "C:\Windows\system32\wlmqrouhh.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\whuaesa.exe
        
        "C:\Windows\system32\whuaesa.exe"
        36⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\wpure.exe
        
        "C:\Windows\system32\wpure.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\wwlavcpa.exe
        
        "C:\Windows\system32\wwlavcpa.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\wxjpsusb.exe
        
        "C:\Windows\system32\wxjpsusb.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\wmmycnnf.exe
        
        "C:\Windows\system32\wmmycnnf.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\whlsjonq.exe
        
        "C:\Windows\system32\whlsjonq.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\wexeipb.exe
        
        "C:\Windows\system32\wexeipb.exe"
        42⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\wrohrmgaq.exe
        
        "C:\Windows\system32\wrohrmgaq.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wdpwijxyf.exe
        
        "C:\Windows\system32\wdpwijxyf.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wigijv.exe
        
        "C:\Windows\system32\wigijv.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\wdstjxjb.exe
        
        "C:\Windows\system32\wdstjxjb.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\warooyjn.exe
        
        "C:\Windows\system32\warooyjn.exe"
        47⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\wvyvbbo.exe
        
        "C:\Windows\system32\wvyvbbo.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:328
        
        C:\Windows\SysWOW64\weneshqw.exe
        
        "C:\Windows\system32\weneshqw.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\wacp.exe
        
        "C:\Windows\system32\wacp.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\wgkmo.exe
        
        "C:\Windows\system32\wgkmo.exe"
        51⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\wjpojfkpn.exe
        
        "C:\Windows\system32\wjpojfkpn.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\wjoffy.exe
        
        "C:\Windows\system32\wjoffy.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\wys.exe
        
        "C:\Windows\system32\wys.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\wxcotkvj.exe
        
        "C:\Windows\system32\wxcotkvj.exe"
        55⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\wigyllp.exe
        
        "C:\Windows\system32\wigyllp.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\wnkpn.exe
        
        "C:\Windows\system32\wnkpn.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\woqtqnnb.exe
        
        "C:\Windows\system32\woqtqnnb.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\wfxglapyl.exe
        
        "C:\Windows\system32\wfxglapyl.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\wdrhfvo.exe
        
        "C:\Windows\system32\wdrhfvo.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\wflqjlok.exe
        
        "C:\Windows\system32\wflqjlok.exe"
        61⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\witnewf.exe
        
        "C:\Windows\system32\witnewf.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\woyoxjs.exe
        
        "C:\Windows\system32\woyoxjs.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\wwpwq.exe
        
        "C:\Windows\system32\wwpwq.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\wvyxvh.exe
        
        "C:\Windows\system32\wvyxvh.exe"
        65⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\woccvqi.exe
        
        "C:\Windows\system32\woccvqi.exe"
        66⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\wrdxe.exe
        
        "C:\Windows\system32\wrdxe.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\wcijwekt.exe
        
        "C:\Windows\system32\wcijwekt.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\wxuuwfx.exe
        
        "C:\Windows\system32\wxuuwfx.exe"
        69⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\wunmoj.exe
        
        "C:\Windows\system32\wunmoj.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\wpbxn.exe
        
        "C:\Windows\system32\wpbxn.exe"
        71⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\weegxbatl.exe
        
        "C:\Windows\system32\weegxbatl.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\wevuixtl.exe
        
        "C:\Windows\system32\wevuixtl.exe"
        73⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wjbjkgi.exe
        
        "C:\Windows\system32\wjbjkgi.exe"
        74⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\wsqsclkhc.exe
        
        "C:\Windows\system32\wsqsclkhc.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\wfmxyexc.exe
        
        "C:\Windows\system32\wfmxyexc.exe"
        76⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\wjdja.exe
        
        "C:\Windows\system32\wjdja.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\wweyromh.exe
        
        "C:\Windows\system32\wweyromh.exe"
        78⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\wefpqty.exe
        
        "C:\Windows\system32\wefpqty.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\wwsey.exe
        
        "C:\Windows\system32\wwsey.exe"
        80⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\wovham.exe
        
        "C:\Windows\system32\wovham.exe"
        81⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\wkobrp.exe
        
        "C:\Windows\system32\wkobrp.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\wccspvluv.exe
        
        "C:\Windows\system32\wccspvluv.exe"
        83⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\wfdnwjv.exe
        
        "C:\Windows\system32\wfdnwjv.exe"
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\wjioswj.exe
        
        "C:\Windows\system32\wjioswj.exe"
        85⤵
        
        PID:632
        
        C:\Windows\SysWOW64\wxwhjopa.exe
        
        "C:\Windows\system32\wxwhjopa.exe"
        86⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\wcoskbohb.exe
        
        "C:\Windows\system32\wcoskbohb.exe"
        87⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\wsmramjc.exe
        
        "C:\Windows\system32\wsmramjc.exe"
        88⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\wmpvatjwh.exe
        
        "C:\Windows\system32\wmpvatjwh.exe"
        89⤵
        
        PID:496
        
        C:\Windows\SysWOW64\wdwiug.exe
        
        "C:\Windows\system32\wdwiug.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\wlmpnknq.exe
        
        "C:\Windows\system32\wlmpnknq.exe"
        91⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\wikltmn.exe
        
        "C:\Windows\system32\wikltmn.exe"
        92⤵
        
        PID:448
        
        C:\Windows\SysWOW64\wqcrmrnwf.exe
        
        "C:\Windows\system32\wqcrmrnwf.exe"
        93⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\wtsfne.exe
        
        "C:\Windows\system32\wtsfne.exe"
        94⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\wacb.exe
        
        "C:\Windows\system32\wacb.exe"
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\wqxevbuq.exe
        
        "C:\Windows\system32\wqxevbuq.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\wnkpvck.exe
        
        "C:\Windows\system32\wnkpvck.exe"
        97⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\wvlhug.exe
        
        "C:\Windows\system32\wvlhug.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\wvsmxcgbm.exe
        
        "C:\Windows\system32\wvsmxcgbm.exe"
        99⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\wogbglr.exe
        
        "C:\Windows\system32\wogbglr.exe"
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\wqhun.exe
        
        "C:\Windows\system32\wqhun.exe"
        101⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\wqnbruj.exe
        
        "C:\Windows\system32\wqnbruj.exe"
        102⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\wnblquw.exe
        
        "C:\Windows\system32\wnblquw.exe"
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\wgwclcqvf.exe
        
        "C:\Windows\system32\wgwclcqvf.exe"
        104⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\woxskhdf.exe
        
        "C:\Windows\system32\woxskhdf.exe"
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\wiaylqdxp.exe
        
        "C:\Windows\system32\wiaylqdxp.exe"
        106⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\wtlvjn.exe
        
        "C:\Windows\system32\wtlvjn.exe"
        107⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wcrsuq.exe
        
        "C:\Windows\system32\wcrsuq.exe"
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\wtqsj.exe
        
        "C:\Windows\system32\wtqsj.exe"
        109⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\wgrh.exe
        
        "C:\Windows\system32\wgrh.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\wqjimxo.exe
        
        "C:\Windows\system32\wqjimxo.exe"
        111⤵
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\wxlal.exe
        
        "C:\Windows\system32\wxlal.exe"
        112⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\wukur.exe
        
        "C:\Windows\system32\wukur.exe"
        113⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlal.exe"
        113⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjimxo.exe"
        112⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrh.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqsj.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrsuq.exe"
        109⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlvjn.exe"
        108⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiaylqdxp.exe"
        107⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxskhdf.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwclcqvf.exe"
        105⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 180
        105⤵
        Program crash
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnblquw.exe"
        104⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqnbruj.exe"
        103⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhun.exe"
        102⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wogbglr.exe"
        101⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvsmxcgbm.exe"
        100⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvlhug.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkpvck.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxevbuq.exe"
        97⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacb.exe"
        96⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsfne.exe"
        95⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcrmrnwf.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 896
        94⤵
        Program crash
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikltmn.exe"
        93⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmpnknq.exe"
        92⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdwiug.exe"
        91⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpvatjwh.exe"
        90⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 908
        90⤵
        Program crash
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmramjc.exe"
        89⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoskbohb.exe"
        88⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwhjopa.exe"
        87⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjioswj.exe"
        86⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdnwjv.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccspvluv.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkobrp.exe"
        83⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovham.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsey.exe"
        81⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefpqty.exe"
        80⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wweyromh.exe"
        79⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdja.exe"
        78⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmxyexc.exe"
        77⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqsclkhc.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbjkgi.exe"
        75⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevuixtl.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weegxbatl.exe"
        73⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbxn.exe"
        72⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunmoj.exe"
        71⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuuwfx.exe"
        70⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcijwekt.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdxe.exe"
        68⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woccvqi.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyxvh.exe"
        66⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpwq.exe"
        65⤵
        
        PID:332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 796
        65⤵
        Program crash
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyoxjs.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\witnewf.exe"
        63⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflqjlok.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrhfvo.exe"
        61⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxglapyl.exe"
        60⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqtqnnb.exe"
        59⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkpn.exe"
        58⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigyllp.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcotkvj.exe"
        56⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wys.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoffy.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 808
        54⤵
        Program crash
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpojfkpn.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkmo.exe"
        52⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacp.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weneshqw.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyvbbo.exe"
        49⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warooyjn.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdstjxjb.exe"
        47⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigijv.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpwijxyf.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrohrmgaq.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexeipb.exe"
        43⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlsjonq.exe"
        42⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmycnnf.exe"
        41⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjpsusb.exe"
        40⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwlavcpa.exe"
        39⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpure.exe"
        38⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whuaesa.exe"
        37⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmqrouhh.exe"
        36⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmdcteis.exe"
        35⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcnivq.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkleuifeu.exe"
        33⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmmxocc.exe"
        32⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkuxk.exe"
        31⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjiqxbqyi.exe"
        30⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weldjpj.exe"
        29⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjlk.exe"
        28⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wev.exe"
        27⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugpivlv.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 180
        26⤵
        Program crash
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbdpwsgd.exe"
        25⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttqvkpj.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwa.exe"
        23⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgvovhvq.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 180
        22⤵
        Program crash
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugixaswb.exe"
        21⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqwwlsr.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpwhc.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbo.exe"
        18⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxiffav.exe"
        17⤵
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 180
        17⤵
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmkkt.exe"
        16⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wci.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsqa.exe"
        14⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjggbo.exe"
        13⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsvbol.exe"
        12⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqat.exe"
        11⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikupf.exe"
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmbjd.exe"
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjuni.exe"
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfec.exe"
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijecbdr.exe"
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjgn.exe"
        5⤵
        
        PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyes.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndcml.exe"
    3⤵
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe"
  2⤵
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5PXVFKNS.txt

Filesize
132B

MD5
ad7fc0127f15fbcecfb10b9b8ad46e5b

SHA1
190b59a89e938d87ca93dc44d913504754502d35

SHA256
70fe6264fafa9c40a447c0437e49802fd368cb0d36ba8bed683f7fdb573ce402

SHA512
84159caf524293c2d7d043982f1a42622993a316be14a00dc38be5d760906f956785a6726fda6dd456f1d2eb24731979e9c8212966c3d8b09ef756c0da1b8732

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ANXDXCK6.txt

Filesize
132B

MD5
6f5303a4dd6b909e1e8e0aa53704fb7c

SHA1
413afa1e1525888c8a97ecf5ba094321095bd41a

SHA256
875043bc22e96a0e58195bdcfc7779347380f431a74fa590c307527dc30d7ab4

SHA512
d98df238ba43d1373fb3ae100f787a9eb5a0c1551cec678e5d55547336edda4820bcebe9b66e1899aa978f4e9de01b763dd39242f9271a34b0655095326b82a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IVAM4STK.txt

Filesize
99B

MD5
ae2377c0aa9bd89d8b13d87e163bb7c4

SHA1
2cfd74cbb6d87dbc18a443fab06b48bc97fe8ba1

SHA256
b5e08c096c632d6c54155178c51752244cb956b0f626a3692803c2a65dbfe809

SHA512
61aa00c2fc18edb2902b87e861192b2700c71259b5dea26e5011b2c9fdcfc539642a0d0c28d8f89b11ae14d9d15912f9d53ce687561da4ffe3358c494be92339

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JU3K90XF.txt

Filesize
132B

MD5
f0dee335f9eb780d5d087a199f40c881

SHA1
18cd7fd368bca25ce094759440a7eb3d83d38688

SHA256
ef692928a5661e922186390b68e2f7e63915242333ae3c2b96fad53233a67fcd

SHA512
13111116efd9d2b3e8c4da4d51d0885a5b60cb6026e21a52aa00a60f7bf0002a2c88095b10269f32d9ac762caca6d4063e8e20b8aef67be77a019e37bf3d62d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S2V283P3.txt

Filesize
132B

MD5
73ff07022ef00e1c701866fa23be10ce

SHA1
53c8b9c62553eeeed912899a62943dfa1c34a368

SHA256
86b0eeee0cab712bf17dd3e5829086fdc4731bb708d06af0fa858388765ff6b4

SHA512
6996f77dbaa3e14de3a74bdb2788b493f6d1dbefc3452c298a0fc310a610554779169a5c97b0ee0684b2c1758ce10c0018d3f72121efb2f5678d075ce105550c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SC91K0H3.txt

Filesize
132B

MD5
8739d48c24cd1b7947788008251b1bd0

SHA1
82c8ddd3c962964485ef00b3f054ac0e9c0eeb4d

SHA256
2760f615a2a3455dd3a0cc20b6a92844a59b1867bb1c7c7ea879268f78d0a2ff

SHA512
573fcd62581f1352c82e3758afd351f71eb5673c06923ea3c8cedd8e5ed921ecb4e65bd70296c4c0f612f496b6b37bd10d4a3ee7a870ac64385599e5ebaeea23

Download Submit
C:\Windows\SysWOW64\wjuni.exe

Filesize
106KB

MD5
5aa4b0599f6da24ff363180d1b78aaeb

SHA1
c66b7ffae990ef761ebd6c4d4336d07d05c15746

SHA256
67654a4942b7a1ca823a6962d2d3b97c10526d53ca62d4393c6e1964d50309b4

SHA512
9d1618ac7c1e16fcfdf6247efb9ec3a11b1b0209580d27b0ef1afdb2eef69bdb4efcce9e530ab0a7e70421f5ad6e936453a85b9d410f225ea01ea9f6f2c0533a

Download Submit
\Windows\SysWOW64\wfec.exe

Filesize
106KB

MD5
d267284cd3b5ece157e56da650e7eec6

SHA1
fa9c07e247e0d493acc76283a64d8c5a187540ce

SHA256
0e8442c2d4b1eb17cb89f8ac20bb816d2bdc7294aeeed1807bd913aeb85f296d

SHA512
f67709a4e2b851a90055cb43335b666e85e58b571d503afecbe4bf0c11187816691a0d3e3ba814615656b35ecd0ce5566f0add17051ee4343f22d2d78c68e510

Download Submit
\Windows\SysWOW64\wijecbdr.exe

Filesize
106KB

MD5
cfafd9afd44c69f2c342880026c1427f

SHA1
8707dc4ef837abdfab3e332a37aef329eed8692e

SHA256
162cf6c9ed6e0372544758820b2dc967c33637e45eb49dae11de22a8272fa6bb

SHA512
fac085beb90f74436bd3307c4d3b8ce6e9043a3758639c2c1118692a706dd74a8988ec211caf40142bc5272072ee2fd34b94a34eb1ec61892817cde338b1fee8

Download Submit
\Windows\SysWOW64\wikupf.exe

Filesize
106KB

MD5
592f8309d910013070d598b01d65bc94

SHA1
73d7a06b07ebb8d146893d7c78bda2666186629a

SHA256
5e5ca1397a76d51101e258ceb52fc190b9e1c38ad3f193c19adb3666a66e0acb

SHA512
394b0811503ecb12d6abdee7eabd42ea3f1250a4d323dbb3ff366e6df2318b9e32011dea1bbbcb15ae873b6892634b7c7c247cbf2aa7702fe0b02b43fbd90785

Download Submit
\Windows\SysWOW64\wiqat.exe

Filesize
106KB

MD5
753f284f83d4747930c692393ba9a52d

SHA1
ac375817359d8ab1ff22072a0a8a59671f1863ee

SHA256
ad40c59a564220b3cf88e6c5023643473b53b61bfd116a13cc9a6007f332bf14

SHA512
056ae3673dfd3b9e44041f40982436813a23367c6105ff3d5ff0fa384fefaba7e1e3f6bdd52011f31b4fd9739bd726758dac96c78836ada8e2db254dcefa376d

Download Submit
\Windows\SysWOW64\wmmbjd.exe

Filesize
106KB

MD5
916e046bb7f4e5fcd63c9b17f375f2fa

SHA1
b88acca70ed2f331a596dd2f08af07aa79bedd03

SHA256
bc89df69e73334445ff4ceec5b7a53022fb71f0c45bec7c61ffb5aa3696415cd

SHA512
3a1635db90da378b5b9dce4f792643973ab059dbd6670b5e1baf027c91683aae4a750c16f1621d940d61c276b1455b4f5a9e204ee368ff0ed843b31093293edb

Download Submit
\Windows\SysWOW64\wmsvbol.exe

Filesize
106KB

MD5
bc3c50b2affbae09c6126858fc00a1e5

SHA1
64ef2ff03b734fcca3397de49de1c4be33c8ab72

SHA256
c6b1edfe659f07b04475028bbd7cd662b63fb162ec39a70d81ea161537bbdf21

SHA512
50a81045879af7aa68353bc8a23b975bcc33c0c884d7c2f9df9b412871220af5ad2120383aaf9483e8a9632ceca1fd86951447918909af6f9a50c620b9035078

Download Submit
\Windows\SysWOW64\wndcml.exe

Filesize
106KB

MD5
f966ee78d6940955408b1c8eb78ea916

SHA1
015b97b38d64bcb66d1c66cccb7a458eb6c6b975

SHA256
0bff72eb6cf98a25c287b8516b77a0bc0fe0b74b58bc8919484a8b02fa2a00a6

SHA512
dd8df125c342affbcfd72b4cf05db27790aa226d9de02d3e811b0553765fcf35ce7040c5afe935a617199b86e72c42ce14935eca6418b3247c504d047008e9e9

Download Submit
\Windows\SysWOW64\wrjgn.exe

Filesize
106KB

MD5
5f3b11e65f55282eb1ae86aaa4d9beb3

SHA1
cab60b593ab8b483ef632ae224cc3e287f668b17

SHA256
0db0c77e22bf41c3460649c8103cbf37c31817e8739ad69078a702dadc923e90

SHA512
e3f308b26874c615af083982e02bebf315dac28d59666cd34d687b7d1633f948bdca52cd4b035b0252220a670ce4c85973cb56130dbc7ecf2991d43c55a08710

Download Submit
\Windows\SysWOW64\wyes.exe

Filesize
106KB

MD5
8665ae9a3b3a672efc57d6a40b5fb7c3

SHA1
b722f80f4b0ba478b81dc305814e65e4ff0bf58e

SHA256
10c493885ab2d9993baeafd4b6de9203e2b21fc5628a471e5c21df2c2cc9449e

SHA512
ed132be9a0bb03d9294ebd55dfb1213994faa3696edb15ecf696e627f37c7973a353ca07ebd9d1e22ffd6da80174107ebdc22addf895bb69155e962674c30233

Download Submit
memory/664-85-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/664-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/664-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/664-84-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/664-78-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/848-283-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/848-282-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/848-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/848-284-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/868-301-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/868-315-0x0000000003E40000-0x0000000003E57000-memory.dmp

Filesize
92KB

Download
memory/868-316-0x0000000003E40000-0x0000000003E57000-memory.dmp

Filesize
92KB

Download
memory/868-346-0x0000000003E40000-0x0000000003E57000-memory.dmp

Filesize
92KB

Download
memory/868-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-173-0x0000000003340000-0x0000000003357000-memory.dmp

Filesize
92KB

Download
memory/884-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-172-0x0000000003340000-0x0000000003357000-memory.dmp

Filesize
92KB

Download
memory/884-179-0x0000000003340000-0x0000000003357000-memory.dmp

Filesize
92KB

Download
memory/892-269-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/892-265-0x00000000024C0000-0x00000000024D7000-memory.dmp

Filesize
92KB

Download
memory/1208-329-0x0000000004030000-0x0000000004047000-memory.dmp

Filesize
92KB

Download
memory/1208-326-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/1208-331-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-466-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-464-0x0000000002580000-0x0000000002597000-memory.dmp

Filesize
92KB

Download
memory/1708-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-254-0x00000000033E0000-0x00000000033F7000-memory.dmp

Filesize
92KB

Download
memory/1708-248-0x00000000033E0000-0x00000000033F7000-memory.dmp

Filesize
92KB

Download
memory/1708-253-0x00000000033E0000-0x00000000033F7000-memory.dmp

Filesize
92KB

Download
memory/1748-483-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1748-482-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1748-467-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-480-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1748-436-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-451-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1748-450-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1748-446-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1812-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-41-0x0000000003180000-0x0000000003197000-memory.dmp

Filesize
92KB

Download
memory/2064-433-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/2064-435-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2064-428-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/2064-434-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/2136-481-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/2136-465-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2136-484-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2268-332-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2268-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-363-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-357-0x0000000000B20000-0x0000000000B37000-memory.dmp

Filesize
92KB

Download
memory/2464-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2576-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2576-132-0x0000000004150000-0x0000000004167000-memory.dmp

Filesize
92KB

Download
memory/2576-131-0x0000000004150000-0x0000000004167000-memory.dmp

Filesize
92KB

Download
memory/2576-125-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2580-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2580-296-0x0000000004030000-0x0000000004047000-memory.dmp

Filesize
92KB

Download
memory/2580-300-0x0000000004130000-0x0000000004147000-memory.dmp

Filesize
92KB

Download
memory/2580-285-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2640-418-0x0000000003670000-0x0000000003687000-memory.dmp

Filesize
92KB

Download
memory/2640-419-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2700-390-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2700-400-0x0000000003600000-0x0000000003617000-memory.dmp

Filesize
92KB

Download
memory/2700-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-61-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/2716-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-376-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2812-202-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2812-221-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/2812-222-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/2812-223-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2848-389-0x0000000003590000-0x00000000035A7000-memory.dmp

Filesize
92KB

Download
memory/2848-404-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2856-108-0x0000000003E90000-0x0000000003EA7000-memory.dmp

Filesize
92KB

Download
memory/2856-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2856-109-0x0000000003E90000-0x0000000003EA7000-memory.dmp

Filesize
92KB

Download
memory/2856-107-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/2856-106-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/2872-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2872-237-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/2872-224-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3028-155-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/3028-154-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/3028-153-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/3028-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3028-152-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/3060-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-19-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/3060-10-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download