226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcf

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
Size

106KB
MD5

fc99ae7c1213311b0f5ba99ffa3c5e00
SHA1

c0bd744f6482babf491c48e3f44b22ab24b53bd7
SHA256

226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcf
SHA512

e9b1606aae354bcc1500c66c8c5f49a107d6cdb92d6f19b86e6bea109505d6a6dd0112a15f6996b82064197eb14b5b8472b07099fdf14661a266885582b1b2f7
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA1B:yfjxrhzk2nfsWhP7dvavi6vWEbh8XT

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	woj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbuelx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	whcgtkqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnmelqn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wypyuwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wswxqatn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqvppxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	whdcup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsxmrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnuy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wrpcsegh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wplctgpk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wmdrknphy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wexmhi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdqegipo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	whsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wjnhybd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwbrcjd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wgtvh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbgne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wkrvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wynsifcx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	weljfu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wudskw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwxnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wvkhwq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wcmkl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsiehppdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqqcxjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wcwvvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsjlpf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxeghcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wkyrkcw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wph.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	winggyhmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqcxvw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wpif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wayka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wlmsqqej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	weq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wlyocfn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wgtju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxkxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	whnivs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwbbad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wknwucewh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wemxvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbpwif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wcy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wvvexjlnn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wtujrwp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqwkao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wyxdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wlprqoqu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wweqhm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsmkgjge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wexo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wtfqus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wahhuq.exe

Executes dropped EXE 64 IoCs

pid	Process
2120	wrpcsegh.exe
1632	wwbrcjd.exe
3748	whcgtkqo.exe
1960	wtbhkcj.exe
1800	wayssi.exe
2104	wqcxvw.exe
3668	wbc.exe
1128	wqqcxjo.exe
4476	whixt.exe
2008	wwxnd.exe
2024	wvkvvg.exe
2016	wcwvvl.exe
1652	wvkhwq.exe
3644	wkucnk.exe
4968	wwhaeg.exe
788	wkrvu.exe
3160	wpif.exe
912	wayka.exe
3148	wgtvh.exe
2428	wqwkao.exe
1516	wgkl.exe
812	wplctgpk.exe
3028	wgog.exe
440	wemxvr.exe
2032	wsmkgjge.exe
1408	wcdoq.exe
4340	wbpwif.exe
1636	wuaqpph.exe
2788	wbgne.exe
5012	wyd.exe
2272	wmdrknphy.exe
3840	wkfpxiu.exe
4076	wxkxi.exe
4908	wnmelqn.exe
1576	wvyejrmdw.exe
4680	whnivs.exe
4692	wnerob.exe
1688	wxeghcf.exe
2700	wwgetwku.exe
452	wpfab.exe
4536	wynsifcx.exe
4376	wwbbad.exe
3028	wexmhi.exe
2056	wswxqatn.exe
5100	wqvppxu.exe
1416	wkyrkcw.exe
2180	wyxdr.exe
392	wrxk.exe
2868	wcyykf.exe
1960	wlyocfn.exe
2116	wknwucewh.exe
2252	webiw.exe
3496	wlprqoqu.exe
464	wmwumgd.exe
4188	whjgnko.exe
4052	wnbnhtp.exe
4768	wyypamhr.exe
4528	whdcup.exe
2588	wmackw.exe
3000	wsxmrc.exe
1304	wml.exe
2236	wdba.exe
2056	wexo.exe
4244	whksub.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbh.exe	wlmsqqej.exe
File created	C:\Windows\SysWOW64\wplctgpk.exe	wgkl.exe
File opened for modification	C:\Windows\SysWOW64\wuhosj.exe	wweqhm.exe
File created	C:\Windows\SysWOW64\wwhaeg.exe	wkucnk.exe
File created	C:\Windows\SysWOW64\wlyocfn.exe	wcyykf.exe
File opened for modification	C:\Windows\SysWOW64\wlyocfn.exe	wcyykf.exe
File opened for modification	C:\Windows\SysWOW64\wml.exe	wsxmrc.exe
File created	C:\Windows\SysWOW64\wdba.exe	wml.exe
File created	C:\Windows\SysWOW64\weitde.exe	wfvk.exe
File created	C:\Windows\SysWOW64\wwbrcjd.exe	wrpcsegh.exe
File created	C:\Windows\SysWOW64\wwxnd.exe	whixt.exe
File opened for modification	C:\Windows\SysWOW64\wynsifcx.exe	wpfab.exe
File created	C:\Windows\SysWOW64\webiw.exe	wknwucewh.exe
File opened for modification	C:\Windows\SysWOW64\wnbnhtp.exe	whjgnko.exe
File created	C:\Windows\SysWOW64\wsxmrc.exe	wmackw.exe
File opened for modification	C:\Windows\SysWOW64\wudskw.exe	wnuy.exe
File opened for modification	C:\Windows\SysWOW64\wtujrwp.exe	wopje.exe
File created	C:\Windows\SysWOW64\wbc.exe	wqcxvw.exe
File opened for modification	C:\Windows\SysWOW64\wcwvvl.exe	wvkvvg.exe
File created	C:\Windows\SysWOW64\weboao.exe	wgtju.exe
File created	C:\Windows\SysWOW64\woj.exe	weitde.exe
File opened for modification	C:\Windows\SysWOW64\wjnhybd.exe	wbuelx.exe
File created	C:\Windows\SysWOW64\wyypamhr.exe	wnbnhtp.exe
File opened for modification	C:\Windows\SysWOW64\wdba.exe	wml.exe
File opened for modification	C:\Windows\SysWOW64\wbgne.exe	wuaqpph.exe
File created	C:\Windows\SysWOW64\wxkxi.exe	wkfpxiu.exe
File created	C:\Windows\SysWOW64\whdcup.exe	wyypamhr.exe
File opened for modification	C:\Windows\SysWOW64\wexo.exe	wdba.exe
File created	C:\Windows\SysWOW64\wdy.exe	wnlojj.exe
File created	C:\Windows\SysWOW64\winggyhmd.exe	wahhuq.exe
File created	C:\Windows\SysWOW64\wcdoq.exe	wsmkgjge.exe
File created	C:\Windows\SysWOW64\wbpwif.exe	wcdoq.exe
File opened for modification	C:\Windows\SysWOW64\wsiehppdr.exe	wbh.exe
File created	C:\Windows\SysWOW64\wjnhybd.exe	wbuelx.exe
File opened for modification	C:\Windows\SysWOW64\wwgetwku.exe	wxeghcf.exe
File created	C:\Windows\SysWOW64\wrxk.exe	wyxdr.exe
File created	C:\Windows\SysWOW64\wmwumgd.exe	wlprqoqu.exe
File opened for modification	C:\Windows\SysWOW64\wmackw.exe	whdcup.exe
File created	C:\Windows\SysWOW64\wdqegipo.exe	wvbvmapod.exe
File opened for modification	C:\Windows\SysWOW64\wfvk.exe	whsn.exe
File created	C:\Windows\SysWOW64\wgkl.exe	wqwkao.exe
File created	C:\Windows\SysWOW64\wyd.exe	wbgne.exe
File created	C:\Windows\SysWOW64\wvkvvg.exe	wwxnd.exe
File opened for modification	C:\Windows\SysWOW64\wvkvvg.exe	wwxnd.exe
File created	C:\Windows\SysWOW64\wqwkao.exe	wgtvh.exe
File opened for modification	C:\Windows\SysWOW64\wgog.exe	wplctgpk.exe
File created	C:\Windows\SysWOW64\wfvk.exe	whsn.exe
File opened for modification	C:\Windows\SysWOW64\woqwlftn.exe	weq.exe
File opened for modification	C:\Windows\SysWOW64\wayssi.exe	wtbhkcj.exe
File opened for modification	C:\Windows\SysWOW64\wqcxvw.exe	wayssi.exe
File created	C:\Windows\SysWOW64\wph.exe	weljfu.exe
File created	C:\Windows\SysWOW64\wakdaq.exe	weboao.exe
File opened for modification	C:\Windows\SysWOW64\wopje.exe	wypyuwj.exe
File created	C:\Windows\SysWOW64\woqwlftn.exe	weq.exe
File opened for modification	C:\Windows\SysWOW64\wplctgpk.exe	wgkl.exe
File created	C:\Windows\SysWOW64\wyxdr.exe	wkyrkcw.exe
File created	C:\Windows\SysWOW64\wsmkgjge.exe	wemxvr.exe
File opened for modification	C:\Windows\SysWOW64\wvyejrmdw.exe	wnmelqn.exe
File created	C:\Windows\SysWOW64\wwbbad.exe	wynsifcx.exe
File opened for modification	C:\Windows\SysWOW64\webiw.exe	wknwucewh.exe
File created	C:\Windows\SysWOW64\wexo.exe	wdba.exe
File created	C:\Windows\SysWOW64\wweqhm.exe	wdqegipo.exe
File created	C:\Windows\SysWOW64\wkucnk.exe	wvkhwq.exe
File created	C:\Windows\SysWOW64\wayka.exe	wpif.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
3224	1632	WerFault.exe	86
4208	3668	WerFault.exe	104
4188	3160	WerFault.exe	143
3648	3148	WerFault.exe	151
4600	2116	WerFault.exe	251
4912	464	WerFault.exe	262
3268	464	WerFault.exe	262
4744	4188	WerFault.exe	265
624	4536	WerFault.exe	319
1492	4964	WerFault.exe	393
2140	5112	WerFault.exe	401

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwgetwku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wweqhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlmsqqej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfvk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcdoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyypamhr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnerob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whjgnko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqqcxjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvkvvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvkhwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmkgjge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyxdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whnivs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlyocfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wknwucewh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whksub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvbvmapod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbpwif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbgne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxkxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wudskw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrxk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wayssi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkrvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmdrknphy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgtvh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnmelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2120	2036	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	82
PID 2036 wrote to memory of 2120	2036	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	82
PID 2036 wrote to memory of 2120	2036	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	82
PID 2036 wrote to memory of 2400	2036	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	84
PID 2036 wrote to memory of 2400	2036	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	84
PID 2036 wrote to memory of 2400	2036	226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe	84
PID 2120 wrote to memory of 1632	2120	wrpcsegh.exe	86
PID 2120 wrote to memory of 1632	2120	wrpcsegh.exe	86
PID 2120 wrote to memory of 1632	2120	wrpcsegh.exe	86
PID 2120 wrote to memory of 4692	2120	wrpcsegh.exe	87
PID 2120 wrote to memory of 4692	2120	wrpcsegh.exe	87
PID 2120 wrote to memory of 4692	2120	wrpcsegh.exe	87
PID 1632 wrote to memory of 3748	1632	wwbrcjd.exe	89
PID 1632 wrote to memory of 3748	1632	wwbrcjd.exe	89
PID 1632 wrote to memory of 3748	1632	wwbrcjd.exe	89
PID 1632 wrote to memory of 312	1632	wwbrcjd.exe	90
PID 1632 wrote to memory of 312	1632	wwbrcjd.exe	90
PID 1632 wrote to memory of 312	1632	wwbrcjd.exe	90
PID 3748 wrote to memory of 1960	3748	whcgtkqo.exe	95
PID 3748 wrote to memory of 1960	3748	whcgtkqo.exe	95
PID 3748 wrote to memory of 1960	3748	whcgtkqo.exe	95
PID 3748 wrote to memory of 1772	3748	whcgtkqo.exe	96
PID 3748 wrote to memory of 1772	3748	whcgtkqo.exe	96
PID 3748 wrote to memory of 1772	3748	whcgtkqo.exe	96
PID 1960 wrote to memory of 1800	1960	wtbhkcj.exe	98
PID 1960 wrote to memory of 1800	1960	wtbhkcj.exe	98
PID 1960 wrote to memory of 1800	1960	wtbhkcj.exe	98
PID 1960 wrote to memory of 3512	1960	wtbhkcj.exe	99
PID 1960 wrote to memory of 3512	1960	wtbhkcj.exe	99
PID 1960 wrote to memory of 3512	1960	wtbhkcj.exe	99
PID 1800 wrote to memory of 2104	1800	wayssi.exe	101
PID 1800 wrote to memory of 2104	1800	wayssi.exe	101
PID 1800 wrote to memory of 2104	1800	wayssi.exe	101
PID 1800 wrote to memory of 2860	1800	wayssi.exe	102
PID 1800 wrote to memory of 2860	1800	wayssi.exe	102
PID 1800 wrote to memory of 2860	1800	wayssi.exe	102
PID 2104 wrote to memory of 3668	2104	wqcxvw.exe	104
PID 2104 wrote to memory of 3668	2104	wqcxvw.exe	104
PID 2104 wrote to memory of 3668	2104	wqcxvw.exe	104
PID 2104 wrote to memory of 3544	2104	wqcxvw.exe	105
PID 2104 wrote to memory of 3544	2104	wqcxvw.exe	105
PID 2104 wrote to memory of 3544	2104	wqcxvw.exe	105
PID 3668 wrote to memory of 1128	3668	wbc.exe	107
PID 3668 wrote to memory of 1128	3668	wbc.exe	107
PID 3668 wrote to memory of 1128	3668	wbc.exe	107
PID 3668 wrote to memory of 4680	3668	wbc.exe	108
PID 3668 wrote to memory of 4680	3668	wbc.exe	108
PID 3668 wrote to memory of 4680	3668	wbc.exe	108
PID 1128 wrote to memory of 4476	1128	wqqcxjo.exe	114
PID 1128 wrote to memory of 4476	1128	wqqcxjo.exe	114
PID 1128 wrote to memory of 4476	1128	wqqcxjo.exe	114
PID 1128 wrote to memory of 1408	1128	wqqcxjo.exe	115
PID 1128 wrote to memory of 1408	1128	wqqcxjo.exe	115
PID 1128 wrote to memory of 1408	1128	wqqcxjo.exe	115
PID 4476 wrote to memory of 2008	4476	whixt.exe	119
PID 4476 wrote to memory of 2008	4476	whixt.exe	119
PID 4476 wrote to memory of 2008	4476	whixt.exe	119
PID 4476 wrote to memory of 744	4476	whixt.exe	120
PID 4476 wrote to memory of 744	4476	whixt.exe	120
PID 4476 wrote to memory of 744	4476	whixt.exe	120
PID 2008 wrote to memory of 2024	2008	wwxnd.exe	122
PID 2008 wrote to memory of 2024	2008	wwxnd.exe	122
PID 2008 wrote to memory of 2024	2008	wwxnd.exe	122
PID 2008 wrote to memory of 448	2008	wwxnd.exe	123

C:\Users\Admin\AppData\Local\Temp\226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe
"C:\Users\Admin\AppData\Local\Temp\226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\wrpcsegh.exe
  "C:\Windows\system32\wrpcsegh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\wwbrcjd.exe
    "C:\Windows\system32\wwbrcjd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\whcgtkqo.exe
      "C:\Windows\system32\whcgtkqo.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\SysWOW64\wtbhkcj.exe
        
        "C:\Windows\system32\wtbhkcj.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\wayssi.exe
        
        "C:\Windows\system32\wayssi.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\wqcxvw.exe
        
        "C:\Windows\system32\wqcxvw.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\wbc.exe
        
        "C:\Windows\system32\wbc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\wqqcxjo.exe
        
        "C:\Windows\system32\wqqcxjo.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\whixt.exe
        
        "C:\Windows\system32\whixt.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\wwxnd.exe
        
        "C:\Windows\system32\wwxnd.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\wvkvvg.exe
        
        "C:\Windows\system32\wvkvvg.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\wcwvvl.exe
        
        "C:\Windows\system32\wcwvvl.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\wvkhwq.exe
        
        "C:\Windows\system32\wvkhwq.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\wkucnk.exe
        
        "C:\Windows\system32\wkucnk.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\wwhaeg.exe
        
        "C:\Windows\system32\wwhaeg.exe"
        16⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\wkrvu.exe
        
        "C:\Windows\system32\wkrvu.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\wpif.exe
        
        "C:\Windows\system32\wpif.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\wayka.exe
        
        "C:\Windows\system32\wayka.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\wgtvh.exe
        
        "C:\Windows\system32\wgtvh.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\wqwkao.exe
        
        "C:\Windows\system32\wqwkao.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\wgkl.exe
        
        "C:\Windows\system32\wgkl.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\wplctgpk.exe
        
        "C:\Windows\system32\wplctgpk.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\wgog.exe
        
        "C:\Windows\system32\wgog.exe"
        24⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\wemxvr.exe
        
        "C:\Windows\system32\wemxvr.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\wsmkgjge.exe
        
        "C:\Windows\system32\wsmkgjge.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\wcdoq.exe
        
        "C:\Windows\system32\wcdoq.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\wbpwif.exe
        
        "C:\Windows\system32\wbpwif.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\wuaqpph.exe
        
        "C:\Windows\system32\wuaqpph.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\wbgne.exe
        
        "C:\Windows\system32\wbgne.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\wyd.exe
        
        "C:\Windows\system32\wyd.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\wmdrknphy.exe
        
        "C:\Windows\system32\wmdrknphy.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\wkfpxiu.exe
        
        "C:\Windows\system32\wkfpxiu.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\wxkxi.exe
        
        "C:\Windows\system32\wxkxi.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\wnmelqn.exe
        
        "C:\Windows\system32\wnmelqn.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\wvyejrmdw.exe
        
        "C:\Windows\system32\wvyejrmdw.exe"
        36⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\whnivs.exe
        
        "C:\Windows\system32\whnivs.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\wnerob.exe
        
        "C:\Windows\system32\wnerob.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\wxeghcf.exe
        
        "C:\Windows\system32\wxeghcf.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wwgetwku.exe
        
        "C:\Windows\system32\wwgetwku.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\wpfab.exe
        
        "C:\Windows\system32\wpfab.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\wynsifcx.exe
        
        "C:\Windows\system32\wynsifcx.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\wwbbad.exe
        
        "C:\Windows\system32\wwbbad.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\wexmhi.exe
        
        "C:\Windows\system32\wexmhi.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\wswxqatn.exe
        
        "C:\Windows\system32\wswxqatn.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\wqvppxu.exe
        
        "C:\Windows\system32\wqvppxu.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\wkyrkcw.exe
        
        "C:\Windows\system32\wkyrkcw.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\wyxdr.exe
        
        "C:\Windows\system32\wyxdr.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\wrxk.exe
        
        "C:\Windows\system32\wrxk.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\wcyykf.exe
        
        "C:\Windows\system32\wcyykf.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\wlyocfn.exe
        
        "C:\Windows\system32\wlyocfn.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\wknwucewh.exe
        
        "C:\Windows\system32\wknwucewh.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\webiw.exe
        
        "C:\Windows\system32\webiw.exe"
        53⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\wlprqoqu.exe
        
        "C:\Windows\system32\wlprqoqu.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\wmwumgd.exe
        
        "C:\Windows\system32\wmwumgd.exe"
        55⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\whjgnko.exe
        
        "C:\Windows\system32\whjgnko.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\wnbnhtp.exe
        
        "C:\Windows\system32\wnbnhtp.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\wyypamhr.exe
        
        "C:\Windows\system32\wyypamhr.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\whdcup.exe
        
        "C:\Windows\system32\whdcup.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wmackw.exe
        
        "C:\Windows\system32\wmackw.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\wsxmrc.exe
        
        "C:\Windows\system32\wsxmrc.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\wml.exe
        
        "C:\Windows\system32\wml.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\wdba.exe
        
        "C:\Windows\system32\wdba.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\wexo.exe
        
        "C:\Windows\system32\wexo.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\whksub.exe
        
        "C:\Windows\system32\whksub.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\wcy.exe
        
        "C:\Windows\system32\wcy.exe"
        66⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\weljfu.exe
        
        "C:\Windows\system32\weljfu.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\wph.exe
        
        "C:\Windows\system32\wph.exe"
        68⤵
        Checks computer location settings
        
        PID:3536
        
        C:\Windows\SysWOW64\wnuy.exe
        
        "C:\Windows\system32\wnuy.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\wudskw.exe
        
        "C:\Windows\system32\wudskw.exe"
        70⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\wtfqus.exe
        
        "C:\Windows\system32\wtfqus.exe"
        71⤵
        Checks computer location settings
        
        PID:2616
        
        C:\Windows\SysWOW64\wvvexjlnn.exe
        
        "C:\Windows\system32\wvvexjlnn.exe"
        72⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\SysWOW64\wsjlpf.exe
        
        "C:\Windows\system32\wsjlpf.exe"
        73⤵
        Checks computer location settings
        
        PID:1564
        
        C:\Windows\SysWOW64\wnlojj.exe
        
        "C:\Windows\system32\wnlojj.exe"
        74⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\wdy.exe
        
        "C:\Windows\system32\wdy.exe"
        75⤵
        Checks computer location settings
        
        PID:3188
        
        C:\Windows\SysWOW64\wcmkl.exe
        
        "C:\Windows\system32\wcmkl.exe"
        76⤵
        Checks computer location settings
        
        PID:3744
        
        C:\Windows\SysWOW64\wvbvmapod.exe
        
        "C:\Windows\system32\wvbvmapod.exe"
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\wdqegipo.exe
        
        "C:\Windows\system32\wdqegipo.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\wweqhm.exe
        
        "C:\Windows\system32\wweqhm.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\wuhosj.exe
        
        "C:\Windows\system32\wuhosj.exe"
        80⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\wahhuq.exe
        
        "C:\Windows\system32\wahhuq.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\winggyhmd.exe
        
        "C:\Windows\system32\winggyhmd.exe"
        82⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Windows\SysWOW64\wnkrofquc.exe
        
        "C:\Windows\system32\wnkrofquc.exe"
        83⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\wgtju.exe
        
        "C:\Windows\system32\wgtju.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\weboao.exe
        
        "C:\Windows\system32\weboao.exe"
        85⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\wakdaq.exe
        
        "C:\Windows\system32\wakdaq.exe"
        86⤵
        
        PID:208
        
        C:\Windows\SysWOW64\wlmsqqej.exe
        
        "C:\Windows\system32\wlmsqqej.exe"
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\wbh.exe
        
        "C:\Windows\system32\wbh.exe"
        88⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\wsiehppdr.exe
        
        "C:\Windows\system32\wsiehppdr.exe"
        89⤵
        Checks computer location settings
        
        PID:3360
        
        C:\Windows\SysWOW64\wypyuwj.exe
        
        "C:\Windows\system32\wypyuwj.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\wopje.exe
        
        "C:\Windows\system32\wopje.exe"
        91⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wtujrwp.exe
        
        "C:\Windows\system32\wtujrwp.exe"
        92⤵
        Checks computer location settings
        
        PID:3644
        
        C:\Windows\SysWOW64\wiuvb.exe
        
        "C:\Windows\system32\wiuvb.exe"
        93⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\whsn.exe
        
        "C:\Windows\system32\whsn.exe"
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\wfvk.exe
        
        "C:\Windows\system32\wfvk.exe"
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\weitde.exe
        
        "C:\Windows\system32\weitde.exe"
        96⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\woj.exe
        
        "C:\Windows\system32\woj.exe"
        97⤵
        Checks computer location settings
        
        PID:3632
        
        C:\Windows\SysWOW64\wbuelx.exe
        
        "C:\Windows\system32\wbuelx.exe"
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\wjnhybd.exe
        
        "C:\Windows\system32\wjnhybd.exe"
        99⤵
        Checks computer location settings
        
        PID:1376
        
        C:\Windows\SysWOW64\weq.exe
        
        "C:\Windows\system32\weq.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\woqwlftn.exe
        
        "C:\Windows\system32\woqwlftn.exe"
        101⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\wvoitmcx.exe
        
        "C:\Windows\system32\wvoitmcx.exe"
        102⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\wqctt.exe
        
        "C:\Windows\system32\wqctt.exe"
        103⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoitmcx.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqwlftn.exe"
        102⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weq.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnhybd.exe"
        100⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbuelx.exe"
        99⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1452
        99⤵
        Program crash
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woj.exe"
        98⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weitde.exe"
        97⤵
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 912
        97⤵
        Program crash
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvk.exe"
        96⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsn.exe"
        95⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuvb.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtujrwp.exe"
        93⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopje.exe"
        92⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypyuwj.exe"
        91⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiehppdr.exe"
        90⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbh.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmsqqej.exe"
        88⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakdaq.exe"
        87⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weboao.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtju.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkrofquc.exe"
        84⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winggyhmd.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahhuq.exe"
        82⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhosj.exe"
        81⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wweqhm.exe"
        80⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqegipo.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbvmapod.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmkl.exe"
        77⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdy.exe"
        76⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlojj.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjlpf.exe"
        74⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvexjlnn.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1476
        73⤵
        Program crash
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfqus.exe"
        72⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudskw.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuy.exe"
        70⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wph.exe"
        69⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weljfu.exe"
        68⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcy.exe"
        67⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whksub.exe"
        66⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexo.exe"
        65⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdba.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wml.exe"
        63⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxmrc.exe"
        62⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmackw.exe"
        61⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdcup.exe"
        60⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyypamhr.exe"
        59⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbnhtp.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjgnko.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1676
        57⤵
        Program crash
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwumgd.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 116
        56⤵
        Program crash
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1656
        56⤵
        Program crash
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlprqoqu.exe"
        55⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webiw.exe"
        54⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknwucewh.exe"
        53⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1100
        53⤵
        Program crash
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyocfn.exe"
        52⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyykf.exe"
        51⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxk.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdr.exe"
        49⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyrkcw.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvppxu.exe"
        47⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswxqatn.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexmhi.exe"
        45⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbbad.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynsifcx.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfab.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgetwku.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeghcf.exe"
        40⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnerob.exe"
        39⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnivs.exe"
        38⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyejrmdw.exe"
        37⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmelqn.exe"
        36⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxkxi.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfpxiu.exe"
        34⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdrknphy.exe"
        33⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyd.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgne.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuaqpph.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpwif.exe"
        29⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcdoq.exe"
        28⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmkgjge.exe"
        27⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemxvr.exe"
        26⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgog.exe"
        25⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplctgpk.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkl.exe"
        23⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwkao.exe"
        22⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtvh.exe"
        21⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 972
        21⤵
        Program crash
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wayka.exe"
        20⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpif.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1452
        19⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrvu.exe"
        18⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhaeg.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkucnk.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkhwq.exe"
        15⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwvvl.exe"
        14⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkvvg.exe"
        13⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxnd.exe"
        12⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whixt.exe"
        11⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqcxjo.exe"
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbc.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1092
        9⤵
        Program crash
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcxvw.exe"
        8⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wayssi.exe"
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbhkcj.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcgtkqo.exe"
        5⤵
        
        PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbrcjd.exe"
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1676
      4⤵
      Program crash
      PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpcsegh.exe"
    3⤵
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\226f7a154a2b7e08d33fa456630f37bace9df01a6a781adf9f8a8d5c25d6efcfN.exe"
  2⤵
  PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1632 -ip 1632
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3668 -ip 3668
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3160 -ip 3160
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3148 -ip 3148
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2116 -ip 2116
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 464 -ip 464
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 464 -ip 464
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4188 -ip 4188
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4536 -ip 4536
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4964 -ip 4964
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5112 -ip 5112
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wayka.exe

Filesize
106KB

MD5
e26d9bfbbe54e2013728b2d313cd0cb1

SHA1
bbbd52c5daf9956760a3c83ed7f42115dbf150b8

SHA256
9a13d86d533e8c4d52b4d8459cccc4e4ab2e8896f65b3909cb4b342b0ea4c995

SHA512
0ba5c58ef9bbe64cd8531fe0f6272754aa04d05b69aeffe1d6bee0002494d9ed7419072f537a8e664437f0841cb2adf6a6cb1906892786b18adee2f836da2148

Download Submit
C:\Windows\SysWOW64\wayssi.exe

Filesize
106KB

MD5
dcaaf2ba9c8415c4ffa3e7ddbfdaae21

SHA1
7a3b384faf6bf16796821656aece99bbddaaa585

SHA256
e6017fdc1b9aa7b72201128daf3b3dbff2060ffcd7197cd4e24bfc7b0ba19e8b

SHA512
91a64ea2cf4eb5bc3f724a99681a735b9076c0718cc81a1deb790e64c65db72822ade0e1538070eb6b48f96873f1140963e3d50909afdfb123563ee779974d9b

Download Submit
C:\Windows\SysWOW64\wbc.exe

Filesize
106KB

MD5
5ed83e1addf5c4cd98ea3216781d6bcf

SHA1
6a19a5ebadace77b71968cbfca6916106e3a1be9

SHA256
33464b7169408ef94b437b71c799f821cd98aa970e4da7f1c4f12339c7c9d50a

SHA512
49960acec409b61c48143c23ebadce0d94f1083318465b2ae24cf3c7472ae70f63c1f25b36d8d08ea659ff804b3d262306d621b9ea77fbde738e563dc0b4d8d0

Download Submit
C:\Windows\SysWOW64\wbgne.exe

Filesize
107KB

MD5
45fd4e34138c8c1d7e3f0fba6a9d6258

SHA1
5f02b07922926f28aa147e8c528ff23b21df2044

SHA256
da713c652f7f3ca09b68690648afa9fa1f9b4a6ea81cb5c8c2cf993f91ec8b5a

SHA512
cf9ca06c500b7f4db697fd5db0545e0a3981fe27d0c38956d54296227ec8f31d2f946c5b8b2d049e4b1d5db82795dfd8fa65a0ab3743e2cf755fa6b157dabfcb

Download Submit
C:\Windows\SysWOW64\wbpwif.exe

Filesize
107KB

MD5
e9308a80071234715e7089897113bbac

SHA1
141f4f7eb7c773d14d1709967aba50e94481a3bb

SHA256
61ef59133b8ae032c4d3832709ed986aa69a3b47e2bbd7ef698de2da8a112074

SHA512
7c437554ca6c95bbf75c533caacd0b7bf66234ca2c4c7d132c5d1f4e664c7f505d20a699cf62f0571522bc9cbba95ed8532429cf3c4bee68358fab5fcd173801

Download Submit
C:\Windows\SysWOW64\wcdoq.exe

Filesize
107KB

MD5
ddb9d98b89667c5f2af9f173c8843676

SHA1
ba5ee2df63f1f4ce66cc66ff3d8ad311085c612f

SHA256
22547f79cbefdc76f37f376dd0d38ad8fead596ae0d78aa53cb0c623d9b96f6a

SHA512
a170b7cd0deb5aace25ae3637c9c5521fc64a0a1e27d743c0bb180e0412c9180021f362d6ce583a78ec1d9e38bb261202644e02defb0dd85bdc194e66d0a1648

Download Submit
C:\Windows\SysWOW64\wcwvvl.exe

Filesize
106KB

MD5
3040f954bb927aabde136630e003358c

SHA1
b0e775e71c94054e757e9e8f81b7dbad87e9eba2

SHA256
6e6c83048c38cd41ef1eb922a341c2d6c97044e3df02e499e3dd1f6eeae97544

SHA512
8f8b5a6a39864c88e479b8b8cac8f38581a8659b3d29310cfebf4a3e5de915c5a419d607c9330d6b1ef4b2f844a5b027f13a7a93dd760148f7b8898c88dac3b5

Download Submit
C:\Windows\SysWOW64\wemxvr.exe

Filesize
107KB

MD5
e4bee218ab9b8e92c3c660c5dc61f298

SHA1
59f0996b050f71fda5e7536a461c6af8075e9b2e

SHA256
869e83c61f65fcdc6fa15f93c147e8de5ce0838a8f395f072dc39b933800fdb0

SHA512
d6e8daaa5399232d6bfd539d568eaffe31f870d54fc6f32d614513fd1a8e72cd75170f4a1db4f41db852089b9953fb89bf6deaf8b950bc0c267479e2ac63ebcb

Download Submit
C:\Windows\SysWOW64\wgkl.exe

Filesize
106KB

MD5
7dc9aca5c0e1f10ba3dadf3c40e60357

SHA1
eb7da73c8a95f667dca90cea3686896ccba0c5d0

SHA256
11d35046665c9b39f1e09685e0f0cb4cbefe2149c9e639481da80e9b596e15f2

SHA512
194ff9a791cdc4681653b479eabb759888ba9b502244452c46df2d3aa7e49d68e0fc8208010e632b52d27dadbcf9c2555beeadd89dc7681ae867e8780f31e637

Download Submit
C:\Windows\SysWOW64\wgog.exe

Filesize
106KB

MD5
86706f1945b79b2ffc8898bc3b6bb4d8

SHA1
aa4dcd36ff572c0436e05aa7e12b3b72976d7b35

SHA256
bdfc80ad82328712e099a4a52f313f808206f6bc5a33e8bfaa46ee8a802e88ac

SHA512
2dfeef3b19dfb94c0398b67f0c0ac92dd779a66dc5185fc07750473de7ce4091ced2c49aa3144ad74e2f019f0b0e6b2ea9b0c770d73796cab4dac04a26898362

Download Submit
C:\Windows\SysWOW64\wgtvh.exe

Filesize
106KB

MD5
34ef7a708cf545636d8e17c2a3feac50

SHA1
302ac22632a52ea2710c7073dfd00331c647136a

SHA256
5a62ed22473379503c98fc03a319f4ee86c2df878744fc225a018954c1e1d7ff

SHA512
201a5fd70cbf19d794d00d02194a082eac4a764c3b0d56c7b861507d265643fe43f88c6dcfde66afaa9d5278c942ca1e9dafcd5c2cab08db14ebb3355d105185

Download Submit
C:\Windows\SysWOW64\whcgtkqo.exe

Filesize
106KB

MD5
2235046a9ba82817dc53a08dee03a617

SHA1
7a5dd2f97aa3913c273cb952d367c79553fcd2d3

SHA256
9c1c143861682ac58ff363a07e4cbb25566661e987035848638b5b55066fce32

SHA512
de8b337d30fdce67264800903e6a181c48d000f842fb64808ca15dd2fae031b47dad125ce3f04121919bc821fd1a40ee14a94a4ca8565d8418faaedb6ce9852b

Download Submit
C:\Windows\SysWOW64\whixt.exe

Filesize
106KB

MD5
26e50b0325278c9edcced580a45ab74d

SHA1
c088c73cac0dbec1f41d793bf80cf14405ed63fa

SHA256
9120e14391b349ed8f719822cc55c3ddc089f77f7bca351bafea0bfd3b4f3d4c

SHA512
8aa839981438e9bd9774762d494d528a536845ebcdde7d828f4e85df9a51e677c2dd81799fd16ed8a0b28a87ed89e9b86e76e7517817b524f2bdbbbcc22a25b6

Download Submit
C:\Windows\SysWOW64\wkfpxiu.exe

Filesize
107KB

MD5
735bb19721672208db9976805efde68c

SHA1
2106e03609f1a939ec9e64f8bd3ba06070fdc0ef

SHA256
2c6d7a77779ca79c18d75600ebaa884261aa623becebd561ee7ffbfc33b8a1aa

SHA512
8501e830722f339bc4683387867acbbaaad82c127277f4f47f656625359250d147e602f7ab9f86f83d381a44b458c6538989d7321c043530765bab753fe2ad8e

Download Submit
C:\Windows\SysWOW64\wkrvu.exe

Filesize
106KB

MD5
777f6082705e9dfc884708b8d7480597

SHA1
9814fbbb5c5ea9c7b7ba383d00ed37b086be5095

SHA256
586427b96922973253343c2ac845ba470ff9733ba4a49b52ec003e8ec779cfeb

SHA512
3b0a501e9036c25117559ce8713f71e31309c72f6d14a15b3291c22c4f27444eaf62b30dc2c42810378ba094096e72bb86c2f3267b4d488f302e7c4b3126e39f

Download Submit
C:\Windows\SysWOW64\wkucnk.exe

Filesize
106KB

MD5
26fad1776b2a5d2a9606b20b19667b28

SHA1
1ea9f3b72f51c4533b5f42de353a781022746c19

SHA256
ffa3845e640c9738b33c99d320fe40efdf23e265dccd17562372965d7a1cc8c0

SHA512
e4fd0492a06fef64db9934dd8369f0f2397990f9558042ac0848118723acc021bbc80d271eb3703ac45911b059d10452dd3db3a2cfaa12abc455d688748a314f

Download Submit
C:\Windows\SysWOW64\wmdrknphy.exe

Filesize
107KB

MD5
a58821d1c56de28fc4ed6364de90953c

SHA1
410c8213f95d037ef05459c6fcf44b13f29f6aa1

SHA256
25cf9cf0ad087f141112a6db38901e4c86b87226b3f84dfe353c840e42b6f0fb

SHA512
4749fe66cb88413381f518072e01a8ee17d8b731c2d49fe84c57280c8eb8fdf9a49a38407d60988cdf15c861e84f057bfa987cb0e3a184d5363db5a9b46b4af7

Download Submit
C:\Windows\SysWOW64\wpif.exe

Filesize
106KB

MD5
77ea1512f6c1cb1e0a4ca30091a50b6d

SHA1
0a94b97f312dcb63c58004a2648b5a76bbe2701b

SHA256
c4b512c6fb6cac141c2d089937a5e7f74ca87fab57b8a609db29a8f897d2e7d5

SHA512
8cddd2e71a02766a8c62ddcd865f254af49a38bbe3eac16512b807edf44d7a5b6cbbeccf9ff882537ec9e8bfcd5f14e9ca6f1d088e7765c5b18661c571fb3bc2

Download Submit
C:\Windows\SysWOW64\wplctgpk.exe

Filesize
106KB

MD5
a6ce3f9a583f32c53ad7c4ed1926c98a

SHA1
822c0740900707e97cd8031a8d21fb68be9374cd

SHA256
406e805659fcda6f83015826910d7ee226cbf5dc1343938aa56efde7adece4e3

SHA512
0f4be2249924cbbae1d70ebd48f1ff314d3f387560843cb46a14a6f6778d630645c29af504ed0ff5dcd89593c62736509226956ff8f9135a9851e72fecf01f4c

Download Submit
C:\Windows\SysWOW64\wqcxvw.exe

Filesize
106KB

MD5
1e5cfe4464a88871448d7cf94ebd37c7

SHA1
2f652409131ea175066f0e9c621d8e5b7480ac29

SHA256
c6d0863b50f61bbb3000c8de5e864cc716d2d0edeb437c41a8bc8c3efbd32a6d

SHA512
ad3333a19b7f2e897b7a02bb8195faf9e728cbc8e15206eedcfb6a5f8901001bfaba0df85566e905167e42eec43bdfff3777c711e75c025d48a71b188a843b43

Download Submit
C:\Windows\SysWOW64\wqqcxjo.exe

Filesize
106KB

MD5
2970b8e64fd5670cbb33037f35754b68

SHA1
cb20d1f9174f834e77e39a5dc5822c135a1b8c97

SHA256
c6ab2e95ee55c8b947270edcaff56eeab0c2842dc86850bcd15e67c90e5636ef

SHA512
94ba4325026263af4aa66a2b327fef045be73df7c2233e479c9f577ba26f43b3b35c9e534163aa57bfb76461ef0f51d8f913c50927af3acf7bf5b39eabefb36e

Download Submit
C:\Windows\SysWOW64\wqwkao.exe

Filesize
106KB

MD5
b7b3a150372084fdd21666f2a0f1bbb4

SHA1
726cb45e6edf712732dcacd95cd34893a78c5395

SHA256
5647b63f48e5446466c4a7659f4794fb560da12c634fe8ffc6ba4785d5dad841

SHA512
a4d7c7cd9ddfaa952f00eed4ed14f3f3a03695408678d58b52a381cfc94862928cc303b1c1e79865bc0f80aca3c3731cfe2a1427010da48fe1e21295edcdfd98

Download Submit
C:\Windows\SysWOW64\wrpcsegh.exe

Filesize
106KB

MD5
02f4576cfa8a5383bc94c4dcabbf4451

SHA1
1a7de00801c934698f0771c3f776455c13589f86

SHA256
840cb9bc9d9e2ab113ba999b6222546391b2e4e86d5b9b8cc83c47ea2c38a807

SHA512
0346bbc9135dea8734dae7e1e39cd872932c715bd15a81368ab7073ce43ac0d9c7bf606545b0e9616675adde952b13fad814761815a97634b2804a05a84deb33

Download Submit
C:\Windows\SysWOW64\wsmkgjge.exe

Filesize
107KB

MD5
f7602f306c57c046275afdbc413d879d

SHA1
f65312c639c4fbfe01bd053dee977ee33017b13d

SHA256
d4a4084c0b3df6195cb2651d07f363ea1860e8c74582dbf9c7ae96c8f7c9dbae

SHA512
ca41038ea8baf8d3680c5e97f8b8dd2786898e51847e4ef06f0d1cd691301513cfbbb86e5020210c2313bd7136f88ae35d13bb60950b324bdc99325dd169f369

Download Submit
C:\Windows\SysWOW64\wtbhkcj.exe

Filesize
106KB

MD5
87316813a6d8303c275cc2948a6fdb36

SHA1
97e38ffad4c16b39604503774d29221921ab74f3

SHA256
7cd321d4f0c71ccfcb9616b7bd0bae3fdda43303cfa6467398e39c0f8e0f649e

SHA512
fe37c4921102d963237c00875d969bd8c9fa07596cd21721dff8386599ee4ddbd8d91404a41891e44e9069e203eba782c57b97b0674b1d18ea81bdb1ae5f6574

Download Submit
C:\Windows\SysWOW64\wuaqpph.exe

Filesize
107KB

MD5
9921036b07581a562e7e79be968b8a7d

SHA1
9c2e41ec33f7b129e60c7112dd5d1bb25434471f

SHA256
1e6a111eb9e932f490f8deaecfee6c3d009dfbb3600d19f777f6104b6a0ea483

SHA512
aee01993ca6c91ab84195c028f4dce48c06e0c087b2ece726aaa63b7eed56e181f23e968bb1e0b7274bcf25fea910811ccbb9acac0fd45ceb391e4b10ba7f08a

Download Submit
C:\Windows\SysWOW64\wvkhwq.exe

Filesize
106KB

MD5
155f80bc501354a30721e1dd5a9766b6

SHA1
81952928c2836ba5c36d196612a2e6cd56888217

SHA256
d6baced309f6352313914dc162b33e3563ba090153fd774775f6618e83412f5e

SHA512
52baf3c650b8364d13c9c899dadd0d9a390fdfc38af8e72ef5821d9da8b560368eb8e685ff1973a7b692f8f409aa268d9ad61c10c369702abee9366ec21622e0

Download Submit
C:\Windows\SysWOW64\wvkvvg.exe

Filesize
106KB

MD5
ac914fac7e40eaba6cc381e35d890fc2

SHA1
28de5ca4e3dfc8a19771d35e36f3618e9847105c

SHA256
16d893d96f8f3a1b8b4d3745a86437560b7ccdc9acf17ce99b856310706aee29

SHA512
935d16de9d93958c387c13d8df16f7075ebe615a6a7361d542346070b6e985c4d85ff6229447ea56348873c1fd3dabec5f5c832f5426448aca1e811ffda8ee70

Download Submit
C:\Windows\SysWOW64\wwbrcjd.exe

Filesize
106KB

MD5
103516408752505fc111fa780309149d

SHA1
bf38f1988be5c9bed311cf260aca26293e944d69

SHA256
a77f3d5f8d18aea91590c33561724133f5397cd6772d23307fd1d68f99a65162

SHA512
9c795ee4f80e20c65d83080e5024b84207a04f3c13af8c02644bba5e33d7cb0740cc2fdc7eb46d712a55cb4283d242c04d5990c71763d6fbf273099518cb1918

Download Submit
C:\Windows\SysWOW64\wwhaeg.exe

Filesize
106KB

MD5
2198121052722aa2ca3f5b5541af69bf

SHA1
e278061086144f0c216d90fcc20c0453e2695522

SHA256
7dedeab31edeef40e1bb12b0ba0afa23f4ecf08afdc07487aca5692afc3432e3

SHA512
5c952e42957bd743cdcd5cb872859338c4f52c7d3a65ac090145420b8a9f13578d89aa8a3d7b953f09fae7dc5a9b392def75414369796a99f99d09169732c030

Download Submit
C:\Windows\SysWOW64\wwxnd.exe

Filesize
106KB

MD5
a4fc454cd141b39eba38b22601cd39ee

SHA1
72e1f244b1dfe71bb60755e00a616307164282a0

SHA256
6cd6e5789b00f283985614235addc96eb6af61bf1f75ab7aadfc6313a522e121

SHA512
fec0f3e3a2d42cce5aab07ff4e85e13c9d5c1bfddfa355c4f40092d65fe5f2bf66530ff7a9bd85179bab6bb312c7cc18f7450523982d387cc37855647c867c97

Download Submit
C:\Windows\SysWOW64\wyd.exe

Filesize
107KB

MD5
75e5814ddd726138d033bd3b9eeefa3b

SHA1
45be66902f1caf26609bf46b76034d75a3f437de

SHA256
01d1a7ff7cdafcbe906c03f8b775378630156a243ef78e1e51dde9606df3c0cb

SHA512
125b9461210d850391efc136850045bdcf4addc0e709f7784fb2355b090795e119ca90684931d45512c2379616a81ce5231d180ec23fcf7791b972a06868938b

Download Submit
memory/208-802-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/232-630-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/392-481-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/440-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/452-414-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/464-531-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/540-657-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/788-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/812-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/912-201-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-96-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1304-594-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1408-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1416-465-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1488-777-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1564-692-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1576-370-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1636-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-843-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-396-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1960-499-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1960-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2008-118-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2024-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2032-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2036-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2036-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-612-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-449-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2104-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2116-532-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2120-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-878-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2180-473-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2236-603-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2252-514-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2272-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-727-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-577-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-674-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2700-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2788-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-490-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-761-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3000-585-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3028-440-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3028-253-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-835-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3148-243-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3160-191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3188-710-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3360-827-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3496-523-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3496-701-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3512-639-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3536-648-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3564-870-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3572-810-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3644-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3644-852-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3668-85-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3744-718-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3748-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3840-346-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3968-665-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4052-550-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4076-354-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4188-541-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4244-621-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4272-752-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4340-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-431-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4388-736-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4468-861-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4476-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-568-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4536-683-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4536-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4648-819-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4680-378-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-387-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4768-559-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4776-793-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4784-785-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4908-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4948-744-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4968-170-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4984-769-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5012-326-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5100-457-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download