bbe3881944a8e5f6da506d944d929ea95a4e5335705429c8c539af9d998d294f

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe
Size

259KB
MD5

0a936d4fc510938e884645942d03e54e
SHA1

632ad6a856884e4a5cb995024321f79b86fe08c3
SHA256

bbe3881944a8e5f6da506d944d929ea95a4e5335705429c8c539af9d998d294f
SHA512

2312c1e93f56b45bc017765b5b1e574ea96ee69c7ca7f5e94fa49f3297d3b33d495eef4154c4b8ca4fbaadba4ba09056ca768d28c5aff8b1efb03f03f106c837
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpKAX:ZY7xh6SZI4z7FSVp1X

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	waivw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wfvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wfqmwwyf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wwts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wondka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wohsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wvqmkfnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wgkl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wvwst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wsriy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wbu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wlpigpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wmiuycyl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrufyr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wcnsev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wdtntr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wluclrg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wruxme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wntu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wieoua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wgpgxhfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wmybuep.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wvhi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wlovjkop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wimfqhpfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wjrypj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wikdgua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	whksub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wfus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wleb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wimyhgv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wvgkdy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wofttg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wnrd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wmxdlmgx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wssgyit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	weygw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wnpwq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wigrtn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wanykjrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wrqoeu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wywxkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wldgxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	weaxab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wdefw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wlrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wkyxjwku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	whcomfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wws.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wbwffsf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wxtrme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wywllgyuf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wpromu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wvqyucl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wcyqcxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtchwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wuessrsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wtti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wllgjnus.exe

Executes dropped EXE 64 IoCs

pid	Process
1508	wtti.exe
780	wdtntr.exe
4640	wluclrg.exe
3952	wllgjnus.exe
4336	wmiuycyl.exe
3088	wgkl.exe
4756	wmykov.exe
2980	wnpwq.exe
4408	wruxme.exe
4180	wigrtn.exe
1364	waivw.exe
3420	wkn.exe
3644	wfvj.exe
1148	wvwst.exe
1724	wldgxd.exe
1244	wbdr.exe
4708	wntu.exe
1352	wruonenx.exe
3252	weaxab.exe
4724	wondka.exe
4240	whcomfa.exe
4656	wnswgna.exe
1936	wmxdlmgx.exe
3836	wmybuep.exe
2768	wdefw.exe
3792	wssgyit.exe
1064	wws.exe
1628	wrhk.exe
4108	wja.exe
2112	wimyhgv.exe
4228	wvgkdy.exe
712	wikdgua.exe
1876	wofttg.exe
3568	wcwepbmk.exe
1716	wpromu.exe
1160	wulfy.exe
2532	wieoua.exe
1172	wvhi.exe
4528	wfqmwwyf.exe
4464	wrufyr.exe
4356	wcnsev.exe
2740	wsriy.exe
4656	whksub.exe
1180	wcyplht.exe
552	wms.exe
964	wnrd.exe
4912	wfus.exe
2780	wbwffsf.exe
224	wlrt.exe
4640	wbu.exe
3160	wlovjkop.exe
4464	wxtrme.exe
4356	wimfqhpfj.exe
4416	wvqyucl.exe
1936	wkyxjwku.exe
2320	wanykjrt.exe
5112	wrqoeu.exe
4548	wcyqcxm.exe
2348	wtchwj.exe
2796	wywxkv.exe
2196	wlpigpw.exe
4640	wleb.exe
3092	wywllgyuf.exe
5056	wjrypj.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wlpigpw.exe	wywxkv.exe
File created	C:\Windows\SysWOW64\wluclrg.exe	wdtntr.exe
File opened for modification	C:\Windows\SysWOW64\wvwst.exe	wfvj.exe
File created	C:\Windows\SysWOW64\wikdgua.exe	wvgkdy.exe
File created	C:\Windows\SysWOW64\wlpigpw.exe	wywxkv.exe
File opened for modification	C:\Windows\SysWOW64\wvqmkfnd.exe	weygw.exe
File opened for modification	C:\Windows\SysWOW64\wssgyit.exe	wdefw.exe
File created	C:\Windows\SysWOW64\wfqmwwyf.exe	wvhi.exe
File created	C:\Windows\SysWOW64\wbwffsf.exe	wfus.exe
File opened for modification	C:\Windows\SysWOW64\wntu.exe	wbdr.exe
File created	C:\Windows\SysWOW64\wkyxjwku.exe	wvqyucl.exe
File opened for modification	C:\Windows\SysWOW64\wdtntr.exe	wtti.exe
File opened for modification	C:\Windows\SysWOW64\wmiuycyl.exe	wllgjnus.exe
File created	C:\Windows\SysWOW64\wldgxd.exe	wvwst.exe
File created	C:\Windows\SysWOW64\wywxkv.exe	wtchwj.exe
File created	C:\Windows\SysWOW64\wgpgxhfc.exe	wwts.exe
File opened for modification	C:\Windows\SysWOW64\wrhk.exe	wws.exe
File opened for modification	C:\Windows\SysWOW64\wimyhgv.exe	wja.exe
File opened for modification	C:\Windows\SysWOW64\wvgkdy.exe	wimyhgv.exe
File opened for modification	C:\Windows\SysWOW64\wikdgua.exe	wvgkdy.exe
File opened for modification	C:\Windows\SysWOW64\wofttg.exe	wikdgua.exe
File opened for modification	C:\Windows\SysWOW64\wrufyr.exe	wfqmwwyf.exe
File opened for modification	C:\Windows\SysWOW64\wcyplht.exe	whksub.exe
File opened for modification	C:\Windows\SysWOW64\wtchwj.exe	wcyqcxm.exe
File opened for modification	C:\Windows\SysWOW64\wruxme.exe	wnpwq.exe
File opened for modification	C:\Windows\SysWOW64\wkn.exe	waivw.exe
File opened for modification	C:\Windows\SysWOW64\weaxab.exe	wruonenx.exe
File created	C:\Windows\SysWOW64\wywllgyuf.exe	wleb.exe
File created	C:\Windows\SysWOW64\wondka.exe	weaxab.exe
File opened for modification	C:\Windows\SysWOW64\wanykjrt.exe	wkyxjwku.exe
File created	C:\Windows\SysWOW64\wcyqcxm.exe	wrqoeu.exe
File created	C:\Windows\SysWOW64\wfvj.exe	wkn.exe
File created	C:\Windows\SysWOW64\wntu.exe	wbdr.exe
File opened for modification	C:\Windows\SysWOW64\wwts.exe	wjrypj.exe
File opened for modification	C:\Windows\SysWOW64\wbu.exe	wlrt.exe
File created	C:\Windows\SysWOW64\wtchwj.exe	wcyqcxm.exe
File created	C:\Windows\SysWOW64\wmxdlmgx.exe	wnswgna.exe
File opened for modification	C:\Windows\SysWOW64\wfqmwwyf.exe	wvhi.exe
File opened for modification	C:\Windows\SysWOW64\wms.exe	wcyplht.exe
File opened for modification	C:\Windows\SysWOW64\wgpgxhfc.exe	wwts.exe
File opened for modification	C:\Windows\SysWOW64\wmybuep.exe	wmxdlmgx.exe
File created	C:\Windows\SysWOW64\wrufyr.exe	wfqmwwyf.exe
File created	C:\Windows\SysWOW64\wcnsev.exe	wrufyr.exe
File created	C:\Windows\SysWOW64\wrqoeu.exe	wanykjrt.exe
File opened for modification	C:\Windows\SysWOW64\wrqoeu.exe	wanykjrt.exe
File created	C:\Windows\SysWOW64\wssgyit.exe	wdefw.exe
File created	C:\Windows\SysWOW64\whksub.exe	wsriy.exe
File created	C:\Windows\SysWOW64\wbu.exe	wlrt.exe
File opened for modification	C:\Windows\SysWOW64\wnpwq.exe	wmykov.exe
File created	C:\Windows\SysWOW64\wdefw.exe	wmybuep.exe
File created	C:\Windows\SysWOW64\wws.exe	wssgyit.exe
File opened for modification	C:\Windows\SysWOW64\wnrd.exe	wms.exe
File opened for modification	C:\Windows\SysWOW64\weygw.exe	wuessrsn.exe
File created	C:\Windows\SysWOW64\wmykov.exe	wgkl.exe
File created	C:\Windows\SysWOW64\wnpwq.exe	wmykov.exe
File created	C:\Windows\SysWOW64\wvgkdy.exe	wimyhgv.exe
File opened for modification	C:\Windows\SysWOW64\wws.exe	wssgyit.exe
File created	C:\Windows\SysWOW64\wlrt.exe	wbwffsf.exe
File created	C:\Windows\SysWOW64\wms.exe	wcyplht.exe
File created	C:\Windows\SysWOW64\wjrypj.exe	wywllgyuf.exe
File opened for modification	C:\Windows\SysWOW64\wruonenx.exe	wntu.exe
File created	C:\Windows\SysWOW64\weaxab.exe	wruonenx.exe
File opened for modification	C:\Windows\SysWOW64\wnswgna.exe	whcomfa.exe
File created	C:\Windows\SysWOW64\wsriy.exe	wcnsev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3340	4640	WerFault.exe	89
4288	1724	WerFault.exe	136
3024	1876	WerFault.exe	193
3060	1876	WerFault.exe	193
5108	1936	WerFault.exe	263
1964	5056	WerFault.exe	292

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weygw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvwst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wikdgua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkyxjwku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wulfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxtwiutbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wigrtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpromu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcnsev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wanykjrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waivw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsriy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlpigpw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruonenx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvqyucl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wluclrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiuycyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdefw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgpgxhfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wywllgyuf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 1508	5108	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe	82
PID 5108 wrote to memory of 1508	5108	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe	82
PID 5108 wrote to memory of 1508	5108	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe	82
PID 5108 wrote to memory of 2484	5108	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe	84
PID 5108 wrote to memory of 2484	5108	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe	84
PID 5108 wrote to memory of 2484	5108	0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe	84
PID 1508 wrote to memory of 780	1508	wtti.exe	86
PID 1508 wrote to memory of 780	1508	wtti.exe	86
PID 1508 wrote to memory of 780	1508	wtti.exe	86
PID 1508 wrote to memory of 880	1508	wtti.exe	87
PID 1508 wrote to memory of 880	1508	wtti.exe	87
PID 1508 wrote to memory of 880	1508	wtti.exe	87
PID 780 wrote to memory of 4640	780	wdtntr.exe	89
PID 780 wrote to memory of 4640	780	wdtntr.exe	89
PID 780 wrote to memory of 4640	780	wdtntr.exe	89
PID 780 wrote to memory of 2664	780	wdtntr.exe	90
PID 780 wrote to memory of 2664	780	wdtntr.exe	90
PID 780 wrote to memory of 2664	780	wdtntr.exe	90
PID 4640 wrote to memory of 3952	4640	wluclrg.exe	92
PID 4640 wrote to memory of 3952	4640	wluclrg.exe	92
PID 4640 wrote to memory of 3952	4640	wluclrg.exe	92
PID 4640 wrote to memory of 1816	4640	wluclrg.exe	93
PID 4640 wrote to memory of 1816	4640	wluclrg.exe	93
PID 4640 wrote to memory of 1816	4640	wluclrg.exe	93
PID 3952 wrote to memory of 4336	3952	wllgjnus.exe	98
PID 3952 wrote to memory of 4336	3952	wllgjnus.exe	98
PID 3952 wrote to memory of 4336	3952	wllgjnus.exe	98
PID 3952 wrote to memory of 1852	3952	wllgjnus.exe	99
PID 3952 wrote to memory of 1852	3952	wllgjnus.exe	99
PID 3952 wrote to memory of 1852	3952	wllgjnus.exe	99
PID 4336 wrote to memory of 3088	4336	wmiuycyl.exe	105
PID 4336 wrote to memory of 3088	4336	wmiuycyl.exe	105
PID 4336 wrote to memory of 3088	4336	wmiuycyl.exe	105
PID 4336 wrote to memory of 1072	4336	wmiuycyl.exe	106
PID 4336 wrote to memory of 1072	4336	wmiuycyl.exe	106
PID 4336 wrote to memory of 1072	4336	wmiuycyl.exe	106
PID 3088 wrote to memory of 4756	3088	wgkl.exe	108
PID 3088 wrote to memory of 4756	3088	wgkl.exe	108
PID 3088 wrote to memory of 4756	3088	wgkl.exe	108
PID 3088 wrote to memory of 3920	3088	wgkl.exe	109
PID 3088 wrote to memory of 3920	3088	wgkl.exe	109
PID 3088 wrote to memory of 3920	3088	wgkl.exe	109
PID 4756 wrote to memory of 2980	4756	wmykov.exe	112
PID 4756 wrote to memory of 2980	4756	wmykov.exe	112
PID 4756 wrote to memory of 2980	4756	wmykov.exe	112
PID 4756 wrote to memory of 564	4756	wmykov.exe	113
PID 4756 wrote to memory of 564	4756	wmykov.exe	113
PID 4756 wrote to memory of 564	4756	wmykov.exe	113
PID 2980 wrote to memory of 4408	2980	wnpwq.exe	115
PID 2980 wrote to memory of 4408	2980	wnpwq.exe	115
PID 2980 wrote to memory of 4408	2980	wnpwq.exe	115
PID 2980 wrote to memory of 772	2980	wnpwq.exe	116
PID 2980 wrote to memory of 772	2980	wnpwq.exe	116
PID 2980 wrote to memory of 772	2980	wnpwq.exe	116
PID 4408 wrote to memory of 4180	4408	wruxme.exe	118
PID 4408 wrote to memory of 4180	4408	wruxme.exe	118
PID 4408 wrote to memory of 4180	4408	wruxme.exe	118
PID 4408 wrote to memory of 1832	4408	wruxme.exe	119
PID 4408 wrote to memory of 1832	4408	wruxme.exe	119
PID 4408 wrote to memory of 1832	4408	wruxme.exe	119
PID 4180 wrote to memory of 1364	4180	wigrtn.exe	123
PID 4180 wrote to memory of 1364	4180	wigrtn.exe	123
PID 4180 wrote to memory of 1364	4180	wigrtn.exe	123
PID 4180 wrote to memory of 1172	4180	wigrtn.exe	124

C:\Users\Admin\AppData\Local\Temp\0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\wtti.exe
  "C:\Windows\system32\wtti.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\wdtntr.exe
    "C:\Windows\system32\wdtntr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\wluclrg.exe
      "C:\Windows\system32\wluclrg.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\SysWOW64\wllgjnus.exe
        
        "C:\Windows\system32\wllgjnus.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\SysWOW64\wmiuycyl.exe
        
        "C:\Windows\system32\wmiuycyl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\wgkl.exe
        
        "C:\Windows\system32\wgkl.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\wmykov.exe
        
        "C:\Windows\system32\wmykov.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\wnpwq.exe
        
        "C:\Windows\system32\wnpwq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\wruxme.exe
        
        "C:\Windows\system32\wruxme.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\wigrtn.exe
        
        "C:\Windows\system32\wigrtn.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\waivw.exe
        
        "C:\Windows\system32\waivw.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\wkn.exe
        
        "C:\Windows\system32\wkn.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\wfvj.exe
        
        "C:\Windows\system32\wfvj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\wvwst.exe
        
        "C:\Windows\system32\wvwst.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\wldgxd.exe
        
        "C:\Windows\system32\wldgxd.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\wbdr.exe
        
        "C:\Windows\system32\wbdr.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\wntu.exe
        
        "C:\Windows\system32\wntu.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\wruonenx.exe
        
        "C:\Windows\system32\wruonenx.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\weaxab.exe
        
        "C:\Windows\system32\weaxab.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\wondka.exe
        
        "C:\Windows\system32\wondka.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\whcomfa.exe
        
        "C:\Windows\system32\whcomfa.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\wnswgna.exe
        
        "C:\Windows\system32\wnswgna.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wmxdlmgx.exe
        
        "C:\Windows\system32\wmxdlmgx.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wmybuep.exe
        
        "C:\Windows\system32\wmybuep.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\wdefw.exe
        
        "C:\Windows\system32\wdefw.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\wssgyit.exe
        
        "C:\Windows\system32\wssgyit.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\wws.exe
        
        "C:\Windows\system32\wws.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\wrhk.exe
        
        "C:\Windows\system32\wrhk.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\wja.exe
        
        "C:\Windows\system32\wja.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\wimyhgv.exe
        
        "C:\Windows\system32\wimyhgv.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\wvgkdy.exe
        
        "C:\Windows\system32\wvgkdy.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\wikdgua.exe
        
        "C:\Windows\system32\wikdgua.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\wofttg.exe
        
        "C:\Windows\system32\wofttg.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\wcwepbmk.exe
        
        "C:\Windows\system32\wcwepbmk.exe"
        35⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\wpromu.exe
        
        "C:\Windows\system32\wpromu.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\wulfy.exe
        
        "C:\Windows\system32\wulfy.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\wieoua.exe
        
        "C:\Windows\system32\wieoua.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\wvhi.exe
        
        "C:\Windows\system32\wvhi.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\wfqmwwyf.exe
        
        "C:\Windows\system32\wfqmwwyf.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wrufyr.exe
        
        "C:\Windows\system32\wrufyr.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\wcnsev.exe
        
        "C:\Windows\system32\wcnsev.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\wsriy.exe
        
        "C:\Windows\system32\wsriy.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\whksub.exe
        
        "C:\Windows\system32\whksub.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wcyplht.exe
        
        "C:\Windows\system32\wcyplht.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\wms.exe
        
        "C:\Windows\system32\wms.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\wnrd.exe
        
        "C:\Windows\system32\wnrd.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\wfus.exe
        
        "C:\Windows\system32\wfus.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\wbwffsf.exe
        
        "C:\Windows\system32\wbwffsf.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wlrt.exe
        
        "C:\Windows\system32\wlrt.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\wbu.exe
        
        "C:\Windows\system32\wbu.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\wlovjkop.exe
        
        "C:\Windows\system32\wlovjkop.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\wxtrme.exe
        
        "C:\Windows\system32\wxtrme.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\wimfqhpfj.exe
        
        "C:\Windows\system32\wimfqhpfj.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\wvqyucl.exe
        
        "C:\Windows\system32\wvqyucl.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\wkyxjwku.exe
        
        "C:\Windows\system32\wkyxjwku.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\wanykjrt.exe
        
        "C:\Windows\system32\wanykjrt.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\wrqoeu.exe
        
        "C:\Windows\system32\wrqoeu.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\wcyqcxm.exe
        
        "C:\Windows\system32\wcyqcxm.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\wtchwj.exe
        
        "C:\Windows\system32\wtchwj.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\wywxkv.exe
        
        "C:\Windows\system32\wywxkv.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\wlpigpw.exe
        
        "C:\Windows\system32\wlpigpw.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\wleb.exe
        
        "C:\Windows\system32\wleb.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\wywllgyuf.exe
        
        "C:\Windows\system32\wywllgyuf.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\wjrypj.exe
        
        "C:\Windows\system32\wjrypj.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\wwts.exe
        
        "C:\Windows\system32\wwts.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\wgpgxhfc.exe
        
        "C:\Windows\system32\wgpgxhfc.exe"
        67⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\wohsc.exe
        
        "C:\Windows\system32\wohsc.exe"
        68⤵
        Checks computer location settings
        
        PID:2792
        
        C:\Windows\SysWOW64\wccdye.exe
        
        "C:\Windows\system32\wccdye.exe"
        69⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\wuessrsn.exe
        
        "C:\Windows\system32\wuessrsn.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\weygw.exe
        
        "C:\Windows\system32\weygw.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\wvqmkfnd.exe
        
        "C:\Windows\system32\wvqmkfnd.exe"
        72⤵
        Checks computer location settings
        
        PID:4564
        
        C:\Windows\SysWOW64\wxtwiutbn.exe
        
        "C:\Windows\system32\wxtwiutbn.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqmkfnd.exe"
        73⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weygw.exe"
        72⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuessrsn.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccdye.exe"
        70⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohsc.exe"
        69⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpgxhfc.exe"
        68⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwts.exe"
        67⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrypj.exe"
        66⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1660
        66⤵
        Program crash
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywllgyuf.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wleb.exe"
        64⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpigpw.exe"
        63⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywxkv.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtchwj.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyqcxm.exe"
        60⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqoeu.exe"
        59⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanykjrt.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyxjwku.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1432
        57⤵
        Program crash
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqyucl.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimfqhpfj.exe"
        55⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtrme.exe"
        54⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlovjkop.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbu.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrt.exe"
        51⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwffsf.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfus.exe"
        49⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrd.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wms.exe"
        47⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyplht.exe"
        46⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whksub.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsriy.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcnsev.exe"
        43⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrufyr.exe"
        42⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqmwwyf.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhi.exe"
        40⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wieoua.exe"
        39⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulfy.exe"
        38⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpromu.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwepbmk.exe"
        36⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofttg.exe"
        35⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1332
        35⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1568
        35⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikdgua.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgkdy.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimyhgv.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wja.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhk.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wws.exe"
        29⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssgyit.exe"
        28⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdefw.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmybuep.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxdlmgx.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnswgna.exe"
        24⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcomfa.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wondka.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weaxab.exe"
        21⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruonenx.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntu.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdr.exe"
        18⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldgxd.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 976
        17⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwst.exe"
        16⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvj.exe"
        15⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkn.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waivw.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigrtn.exe"
        12⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruxme.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpwq.exe"
        10⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmykov.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkl.exe"
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmiuycyl.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllgjnus.exe"
        6⤵
        
        PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wluclrg.exe"
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1280
        5⤵
        Program crash
        
        PID:3340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtntr.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtti.exe"
    3⤵
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\0a936d4fc510938e884645942d03e54e_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4640 -ip 4640
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1724 -ip 1724
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1876 -ip 1876
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1876 -ip 1876
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1936 -ip 1936
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5056 -ip 5056
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\waivw.exe

Filesize
260KB

MD5
a76d9308c26dc8152c354eacd0f34994

SHA1
8aa1403daa66a601140671ad3b86d79f8fa08b4a

SHA256
da6fc34774587f494e91565f40259b971b5441cb540f6ed85a1cea0835fb6907

SHA512
1209ae302c8fceab0e4efed6abd4fbffe9f77c23ccc8f7f0390c3b8c25d845f7e96dcbfca5327492977afade3f41550eb854a69851f6f7b2dee8ce49b4066566

Download Submit
C:\Windows\SysWOW64\wbdr.exe

Filesize
260KB

MD5
b5382839c49897e9b0a5ccc07c94c58f

SHA1
64329e579d3d54bc2ae9179cbb56a0e3f074d59b

SHA256
88cd8e19cbead903556ac0761f77c58a89dc7b652e3d00bd4f758126ebc32ccd

SHA512
ff7320aeffd22d9d1d7ee65895b058018f14af0afe389d9f55419b5b2b9172624934a5c90dd976606d05c95c3ccc2b16ca004d0023735a7684e0c925687727be

Download Submit
C:\Windows\SysWOW64\wdefw.exe

Filesize
260KB

MD5
e64f181e77d5ef567ca1e72b11571910

SHA1
ea666b4435ad1068914fe7e831d7af0d0244a3b8

SHA256
f471396a3dc577e000d95defcf0a54961a3471c31a190efd8c78b46edac1bcce

SHA512
f92831c7f84ec7cde0025e7af91469b43b15161d5aab0d737b54cf1693ee2214f7f244bae7e360bde4db7aacf975fafba77d07e2f09edd6d9a03a289efe0d0c1

Download Submit
C:\Windows\SysWOW64\wdtntr.exe

Filesize
259KB

MD5
fbd6630e7cf3d3d5329c0f3ed14835f8

SHA1
363defa240827d423e84340f981869b476589846

SHA256
aeab2ec2964e1d548517d5fe2a14b8a0b30951f4ddbe98212871b118bab4ac70

SHA512
54b4c2f6897dfea2d3f4425fa9f58faa6de15ab7503209afab9b7b2a7879a052eef73283a80369e4e561e0964ee8b0d02763f51841515ddb89fb90343db22d74

Download Submit
C:\Windows\SysWOW64\weaxab.exe

Filesize
260KB

MD5
6ba1c48b7215ccfbf96981661a07096d

SHA1
afd95a84e25dd1db6e2a8fee4611070d9a93950d

SHA256
bb4f04e2eda476062bbc0602063aebedcb6e5dc9fcfeaf9ed8b68e034a1e0d10

SHA512
cd7f0073c4078bcdcd004ee84b037633b8fcc1024411343bb2286e33c74846c6c174acdf678ad2b5cb3a670d5e364f910dddacd7a18b94d41bd5362db47a6604

Download Submit
C:\Windows\SysWOW64\wfvj.exe

Filesize
260KB

MD5
f9719fa87e0f04f3752a029de50ec0b0

SHA1
843efac58d08fed344e45c80a1cdfdab45614f30

SHA256
3db2b41267327b3d9fea9fe01d098533e47dae7946c73983bd43975e98b9a3ca

SHA512
5ca227eb58c40000c29eec027f70c1cb4a710849d52700c1e2d2e34104d87d4413afdee897b1489b65196344ae8a90ca7d45c18e82c194b7ea3cb930cd413be8

Download Submit
C:\Windows\SysWOW64\wgkl.exe

Filesize
259KB

MD5
83ed965dad960c974affe2e80f91906f

SHA1
a988b07246902c1bfd982c959419d8a150d679fb

SHA256
7c6e2d9ace2e5ba1d17007364e76790ef25d40103802bf4b2f0bbf529200eda2

SHA512
460afd81d97b09081479e9fdfedd582086b7a669cc6552a8b543a9f5b9a1969411cfe2763a495c3dcfe26dba8dbe6bb841ee6c1343fc850a6728bca5b4530bf1

Download Submit
C:\Windows\SysWOW64\whcomfa.exe

Filesize
260KB

MD5
83cad0d1cf30eeec2ad8d90aad7f1c1b

SHA1
dfb7035a9163933f3a02fa5959b412400c1c1dd7

SHA256
1e7267fb0ae5f1f07800dc5ec8a270b2d1aa37782a6d5ba4ea7a88ab9379330f

SHA512
6a966e66e49144472fba368a5fab7dc76c9c1730599a2307ab23401b6b0eb33d97ae7cde541f26c5668424e078583d4fa754843ac4e7d034f6a769c0b397dcc1

Download Submit
C:\Windows\SysWOW64\wigrtn.exe

Filesize
260KB

MD5
0a2d480a5af641aafeca743594665529

SHA1
dfe4d663ad36d4b6610e596224c59a12f7fa0582

SHA256
14632f6a44ae3fe87abb954a935099945f668a2edbb37aac2e6411987dd39688

SHA512
d4b246a2f11a479911748f73c1ed2a422c3eab36b905e762ce50be5cae40e2e458030b8d9bc7bb56b07be54c7b168859e6db825ca2bc893eb9f7921b63a4bd0a

Download Submit
C:\Windows\SysWOW64\wikdgua.exe

Filesize
260KB

MD5
f06dc643a909de41872de878d19ef1c4

SHA1
6749216e2ec24dcbaafd69c9dbad2d188c8963de

SHA256
f1aaf232d2124f8e35aa2227c4d1754ec50b63bcd2c2792cdf3accac66619d44

SHA512
69cb6be16b57837963dec67002e025f15d980f88a53cf24f0a232e50db3f811240f2e172ec4574041b8e352ec3febce39fd73e06928049e6592919285adad266

Download Submit
C:\Windows\SysWOW64\wimyhgv.exe

Filesize
260KB

MD5
ad61c81b4d95f1cdb9df7a5379dd51d0

SHA1
29d7209ea0d1b679d7e12fb33c123a7153df4d88

SHA256
5205a3e4d0a01a005151d32b6f0c53c5fc00dd41d052fde9f1d356265fd15280

SHA512
02110646f6a10c45efea575b15a59e79d09a096c164d7a3ef1091952c363bd5e2f14623f2b1b5a859bbb81791abf805d7bb9a40e6a48d9a210a8ea9ae6ba447d

Download Submit
C:\Windows\SysWOW64\wja.exe

Filesize
260KB

MD5
2312082a5b1849596f58747eb5f55880

SHA1
2194f1502b82ba22cf24c885c73a7241b0b3c392

SHA256
62278614ed885f22889deaedffc6afb7231c99e5ec1878e73de99565b13a74c9

SHA512
2539b87d7d2e68641a9e433796cbb9bdc2d66d2b623051bb248b10ab6dc005e5cceedbe061c3fc8ca79869a5d70dbcd594a8cb8f21e59c81bcf0ea78afaac97e

Download Submit
C:\Windows\SysWOW64\wkn.exe

Filesize
260KB

MD5
24e23d992e48f665c7e2fcefed6d9490

SHA1
92e2520779c0705fcc17992e465be7c9cdda447c

SHA256
acb6f138f930bafa474491e8b1a32e35d8975828c227ddc7e03f560695a853c4

SHA512
e94351076e8acdd8bfdeffa9b0384ea18d1569d8994ed9068d486f420e90d2af84639b77352fcb56dece5463544a57ede667b97b2fcbbeae016ac2effb781be4

Download Submit
C:\Windows\SysWOW64\wldgxd.exe

Filesize
260KB

MD5
74e6b99eda0c56533ff2532506ad4a66

SHA1
9a854d30614d93a5f449f4285531b1885bdcd196

SHA256
ac2d4d3d74c2f29273d3d897ae2defa93da22016390bf1f7db3b7c8b2255e6cd

SHA512
e25fe87ca655ae3d03bff7e7770df73d1f8dec1ce5214e2b8db04b95a392dacb3aad57272c7de04fb5fbcc2fb150328da459497cbec3b874789cdc64709a0076

Download Submit
C:\Windows\SysWOW64\wllgjnus.exe

Filesize
259KB

MD5
ae9d99f39b7eb2b47fb55ab250d00aa2

SHA1
01911aff23c930f1ede7958175a38f0879df1524

SHA256
a79062b1b9c2f6d99d532935b60de814d026285c984271da806bfe16bc504dbc

SHA512
54052747cb623b205b91a8edfb9f7f34a8ffd36ce404b32cd6e977fb75c95f4354c6d0de5bc3e98763335e0e7b1e47e4721c590a3b0b6027dcc955af84f3a1fa

Download Submit
C:\Windows\SysWOW64\wluclrg.exe

Filesize
259KB

MD5
041870fdb90da28f126a2eefc9d7b2e3

SHA1
c07b68deb8a99c52989cba22bc28a8ee8b5ad501

SHA256
48ba3a1fb8ea21ad5014cdc88069faf1cfa70640901be129ab009729043d9ad0

SHA512
c68a64be0a88082840360f4a9fbd52c1bbcf4d75f00caa9abd28f33e739a7b3d9387efbf3f3d7fc0b5090775c708d4d87f1033d17b9f818d1a7e7ff9beb7b7ec

Download Submit
C:\Windows\SysWOW64\wmiuycyl.exe

Filesize
259KB

MD5
78233a77bfee5ae609b9eacb8f72b7a2

SHA1
41f16aee04ddf42d42e8dd7c2a35b0c43988f608

SHA256
bc53eb224257afba4a572a6e3c4bb9adb7dcbccd6f9e8e9de0c0262e491473e6

SHA512
3c77e8b5cab8472288ec46dce05c009b58a1b4deb13ba0eb7864a43fa45972efa5487ca6f8fae2a4270d5f9786956eb746db2e3ee2fd2138ddad0a3af6c71c96

Download Submit
C:\Windows\SysWOW64\wmxdlmgx.exe

Filesize
260KB

MD5
f40df53c535c60f1787f1d4f76cdc3a3

SHA1
84f78b2d84b510b7f4d07bd0997c133989c467bf

SHA256
5277d722b300a48117b9b903aee9c1d540ae0b1f00212b1e140a3ca955227917

SHA512
c1889c14c83ac3efc5f342ed0baf7e9d7ed597b3a55b25bb52bbb7ec09364e50e84a18ab0a06705261d4368f8c05922579415f77d7c7a84c3b2f30724fed6bec

Download Submit
C:\Windows\SysWOW64\wmybuep.exe

Filesize
260KB

MD5
4147bb3d16525e8daf525ac39f0513d0

SHA1
e4b559fb5e9b0f2cc7a32cd378564991bb5e6519

SHA256
1aecfa90aa7a979254075b7c023913b5ddce28800f753d733ff214e9036d118b

SHA512
2249276ef17da49ea67df31c30ba3c68497ce8e78a3301ec2cae897b20b986c3f9df2b6ab037b0f95db7e0662d232c17a1de517e5362f21b13405fd5c972458f

Download Submit
C:\Windows\SysWOW64\wmykov.exe

Filesize
259KB

MD5
4ab188e8e9c89fe4efc4956bf2d17b88

SHA1
892961e33cf7af3d937963a45ed60cb570301267

SHA256
16561e13abbb42e4c9c7792016480632ce5bedc8164a49feeecb0b3acb8bd659

SHA512
4b40ef131c1c4d336393f88615e53779e4f4a68ccd338fea566fef2e68f19471e8cc2ae5e449bb8e01b5dbbdd56b844cb1e21e0211336259fb10173bbc27d0c6

Download Submit
C:\Windows\SysWOW64\wnpwq.exe

Filesize
260KB

MD5
9b7eb736645adcb443efcfaf6f6abcbb

SHA1
9452f8d6a3709f509b57717d09fbd7a686eac19b

SHA256
ff902d0ee0a019df8539d6ba5104ae07645b2f7b11f8f8094a5ba79ea93459da

SHA512
df323dc2144faf3269c1223078e87cf5b8971d90778c9bb9ee6f72068e24fdbe491bf9d0f3b96cd34815db6af23565b99125e6cb9d7522ffe5d19d1a5bf613c3

Download Submit
C:\Windows\SysWOW64\wnswgna.exe

Filesize
260KB

MD5
5e787ce198421b151b329b34036607b9

SHA1
f3a3bfe0f5547fd92d0d7f5fee8344cc4a5e3618

SHA256
29ebccbf7c65f08d808acba4988ae62d489e9a8da82d3d0f40e2246df2bda098

SHA512
f1249631c8a8ed019cf133db69e063f54323ed87e4b49abaa477375171f6da38892dce4e04750ab527607a7ae7aec12e6eb40a19ef819e4ac4b0e466f81f65f1

Download Submit
C:\Windows\SysWOW64\wntu.exe

Filesize
260KB

MD5
bb7b5dda2ae60fbac15bd23128baa3e4

SHA1
fe1e659a329b9d7236dd8e4fe977d5d96e0ec613

SHA256
55d935316aedc6c05a6fa88a88d5bba4278e37503c960f50d8d21af25210b730

SHA512
3788588e7c42afafd3d2c22edd655ebbe5b5efb39f1451068176c0ed889cd9a6fff6866e133824aaf80994f21ff473d7c4480a0130647284ffc17e1333ec7dff

Download Submit
C:\Windows\SysWOW64\wondka.exe

Filesize
260KB

MD5
fdde4a490c7d1705b2aeadb6dde9bdf0

SHA1
e19009ab1c00daa6094f582f0d9d7a1ae8128652

SHA256
8956d59fda24e0eb3c15e3929c8698ef8e8830844370bec6fde98b6ff35d6aff

SHA512
6359081f6348cb6ccc893a54825ecf424e03cd7f1179aac5bb27b55b2edb7669387362667d983de3facfeb2bbb098d31cfbd4b7f74de700e35707127d7a2d93c

Download Submit
C:\Windows\SysWOW64\wrhk.exe

Filesize
260KB

MD5
ef09a68fdb63dc34d62eed1a02974b06

SHA1
7b26722f34ac6889ab77abe5d55c511c6f201488

SHA256
3507ffb024157b8bc61debe4151d8432e68842180e599df94a626e0d9e4a65a1

SHA512
841eb030817fea58dacdce7dee5a8b513fb8435a00e94a70b93a85e8f4230d1ca884ec10590a823dcb038108350b8f43ed65f0607dafcf960849e58db90a9c7d

Download Submit
C:\Windows\SysWOW64\wruonenx.exe

Filesize
260KB

MD5
020e73725141ed0d43593454195831c5

SHA1
c364caf002d5732dfe2167f5b4f6789aafe8fec4

SHA256
8598ff6d34cd57f95ed7f88df67f523ccc0807c576f2d6b33d05919819fc5592

SHA512
9c7de6ab68e4d66f3ea117c84f2f5398b95717660a59c3f552ca0371792a8e113ce28196ebb4f8faa48e940f0bfac4be97f1eaefbc665da0ab19005bc8bf7cce

Download Submit
C:\Windows\SysWOW64\wruxme.exe

Filesize
260KB

MD5
0267f529bce6375b2702bc19daeba795

SHA1
cf33325bc56c1bbf9d3ccc0bb52bb4938e8f7925

SHA256
093d72a17b6a8ef7ac0426db2d02d5a966dab2fb0a369561ae7bda486e9e1c28

SHA512
4d528627cf796cc3612cc1d1d34a007b92a1b7233eff47a07cf22e3249688ec6c7dd67720ab758794328126a858247bfab6a3d34899984356c1cd4afdd54a1a5

Download Submit
C:\Windows\SysWOW64\wssgyit.exe

Filesize
260KB

MD5
f273a4b18b64eac8f7d2ead39926b3a6

SHA1
d96c7014f2c54c83d6221958e2e764030af7bf0e

SHA256
b67a9d80109f96d531ddcc27d12fbb44ac53ca1b339b30aad548f6044bb9d15e

SHA512
c344533a7d72400ae3be2dd96a09e344f4221ed4e0358cbcb14285d0f08fa103ee8c4820e484a1279182a2bf69c20717fe13ce4f77f7799aac6918fd5a9bdf5a

Download Submit
C:\Windows\SysWOW64\wtti.exe

Filesize
259KB

MD5
20b70118fe5afb08eccc9d0644860323

SHA1
0f4e972fceb01775fb52804d2417c86b45f110f5

SHA256
d278ba004e549874f40452f83236e99bbb1d314cd46b63ed589ef857d9f634a8

SHA512
69710f67a0a99eefa37d45d338c7dbacaa238062a394df92d0e0beb80efc3c8bbb09959a0b9d8c34c46ad9fe445b492092a7e0cf2412e1ad7a835801efb3333d

Download Submit
C:\Windows\SysWOW64\wvgkdy.exe

Filesize
260KB

MD5
8c9896c217d1adc59eb0bd3831689342

SHA1
2266d987b96dea9576bb2750cf116a47981b73fd

SHA256
5b3bf315becef38323346c73fd43fca3b83e1a8e08f4a01d047eab2a3ec6d0f7

SHA512
265b67df9ebbd5ed80dcb89dd5990a7317d22285c7fe71c2b1d0635567066fbd46020a36ea464f1a312076400b47e9478d6877227e12c34ae304a221675276f5

Download Submit
C:\Windows\SysWOW64\wvwst.exe

Filesize
260KB

MD5
b5cf8d426c3c151b625b4a4817670f19

SHA1
02fc2a329a95e421970d10bbd958d7d4bc90a7a8

SHA256
743eb777f71d6c8766d75c00019f3b39add2851b2fef508370624b3ae0250763

SHA512
2d471d94d454a08440987224724139950e5eace66d22da7c1565bd571772a5e802520808d8576d4c07792b4863bf5d4af124dc9a80e10a70517722b4434115ba

Download Submit
C:\Windows\SysWOW64\wws.exe

Filesize
260KB

MD5
44e01f333c8319436202ae66fa13d15e

SHA1
2824777a4690310bb6ae6d9658e1b5ad2a9812ef

SHA256
0ddabdbb1ba6f13d61188eebbc02a0aedeb7bae3eceed7fcf094fad4ded9b61d

SHA512
93df4012af604997246995391274d2ef9695f3b45dbc69ef33554e4c7d44786f25bd29a504542599135560cb3c681270526ea41edcc89d3bd67b995e4854961b

Download Submit
memory/224-476-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/552-444-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/712-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/780-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/904-603-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/964-452-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1064-291-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1148-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1160-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1172-388-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1180-436-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1244-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1364-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1508-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1628-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1724-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-654-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1876-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-524-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2112-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-572-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-532-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-556-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2532-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2740-420-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2768-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2780-468-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2792-619-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2796-564-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2980-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3024-611-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3088-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3092-588-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3160-492-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3252-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3420-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3432-635-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3568-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3644-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3836-260-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3952-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4108-312-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4180-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4228-332-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4240-229-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4332-627-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4336-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4356-412-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4356-508-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4408-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4416-516-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-404-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-500-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-396-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4548-548-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4564-653-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4564-645-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4640-484-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4640-580-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4640-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4644-644-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4644-636-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4656-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4656-428-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4708-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4724-219-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4756-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4912-460-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-540-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download