845aaa534e02ff2c9b5a11599a4c639e0dadd617459ebc85fdb21064660d7d2a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe
Size

264KB
MD5

1663ab0d47c14fd2ca5a2b09a3b304c7
SHA1

91639c83c9ea8290c1827707c2be26ac41164de3
SHA256

845aaa534e02ff2c9b5a11599a4c639e0dadd617459ebc85fdb21064660d7d2a
SHA512

2a903bf15bd95b9a1886f1b97adf2a0038fd1bbb8edf2dd87b005c11f5c68deb89c4ced0681258430a1de1c4b2488e4695e0f90a3e68b57dff556bca3236841f
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuJJ:ZY7xh6SZI4z7FSVpuJJ

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wrkydw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wsnl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wimusjk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wscxdjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wphgtlnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wscrm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	waefoxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wavggvwhu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wdsuwkbac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wfjacmpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wlrdbtk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wypnyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wlfywo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wjvohaef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wykdudo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wpdoudq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wmeciswax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wdiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wnheify.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wdjfv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wgdnemgk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	whmpgryo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	weoqsri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wamyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	whi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wgpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wyrmh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wjptc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wscligsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wvisbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wmacai.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wkjsh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wgkpb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wrednaw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wtocf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	whpsps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wghvd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wjwt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wnlrasg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wojnjuqir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wvrlatd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wdbni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wfqpv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wpct.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wnexuuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wcidybcbt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wxvidmky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wiyhnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wtpluq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wlrbcqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wsdfr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wloctlka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wkjdvgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wgefue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wgftqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wqlmh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wvcwqsgx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wmxxrdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wanfkdfmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	whsgh.exe

Executes dropped EXE 64 IoCs

pid	Process
3480	wvg.exe
1432	wwpx.exe
4580	wfjacmpj.exe
2968	wcgrajs.exe
888	wrkydw.exe
3120	wuoaymbe.exe
440	wmb.exe
5072	wscligsm.exe
2076	wqwi.exe
1292	wkjsh.exe
4576	wqlmh.exe
320	wgd.exe
3392	wfqpv.exe
2492	wpdoudq.exe
4004	wfftxp.exe
1404	wlvcq.exe
1128	whi.exe
4288	wujl.exe
3356	wvcwqsgx.exe
220	wjwt.exe
5100	wqvlph.exe
4424	wgkpb.exe
560	wmeciswax.exe
1900	wsnl.exe
3164	woxnatbs.exe
4388	wamhsp.exe
1428	whsgh.exe
3100	wgpx.exe
2192	wvisbg.exe
3968	wdiv.exe
900	wxvidmky.exe
820	wmwumgd.exe
1176	wckjvs.exe
4320	wsdfr.exe
4124	wjqtcshu.exe
1304	wpct.exe
1600	weoqsri.exe
3356	wpgoxlsn.exe
1664	wrednaw.exe
864	wnheify.exe
3044	wtocf.exe
4120	wrbkys.exe
2624	wlrdbtk.exe
116	wxqh.exe
2644	wohdgv.exe
3680	wjvohaef.exe
2488	wiiwywtuu.exe
2052	woygsgus.exe
4876	wmxxrdu.exe
4596	wamyu.exe
884	wqqfxhc.exe
3020	wkepxmnw.exe
4916	wykdudo.exe
5080	wgbnoko.exe
4568	wifp.exe
4376	wvrlatd.exe
116	wpfwcypx.exe
2012	wwk.exe
2132	wdmopq.exe
2332	wbmm.exe
2192	wloctlka.exe
3836	wimusjk.exe
4832	wscxdjo.exe
3460	wvymtxu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wwpx.exe	wvg.exe
File opened for modification	C:\Windows\SysWOW64\wpgoxlsn.exe	weoqsri.exe
File opened for modification	C:\Windows\SysWOW64\wuxiw.exe	wavhd.exe
File opened for modification	C:\Windows\SysWOW64\wkjdvgd.exe	whmpgryo.exe
File created	C:\Windows\SysWOW64\wkepxmnw.exe	wqqfxhc.exe
File created	C:\Windows\SysWOW64\wypnyy.exe	wgftqp.exe
File opened for modification	C:\Windows\SysWOW64\woykiv.exe	wdjfv.exe
File opened for modification	C:\Windows\SysWOW64\wqgcvwss.exe	wjptc.exe
File created	C:\Windows\SysWOW64\wlfywo.exe	wgefue.exe
File created	C:\Windows\SysWOW64\wmb.exe	wuoaymbe.exe
File opened for modification	C:\Windows\SysWOW64\wsdfr.exe	wckjvs.exe
File opened for modification	C:\Windows\SysWOW64\wypnyy.exe	wgftqp.exe
File opened for modification	C:\Windows\SysWOW64\wnlrasg.exe	woykiv.exe
File opened for modification	C:\Windows\SysWOW64\wlrbcqs.exe	waoqq.exe
File opened for modification	C:\Windows\SysWOW64\whpsps.exe	wscrm.exe
File created	C:\Windows\SysWOW64\wfqpv.exe	wgd.exe
File created	C:\Windows\SysWOW64\wfftxp.exe	wpdoudq.exe
File opened for modification	C:\Windows\SysWOW64\wgkpb.exe	wqvlph.exe
File opened for modification	C:\Windows\SysWOW64\wgdnemgk.exe	wanfkdfmv.exe
File opened for modification	C:\Windows\SysWOW64\wscligsm.exe	wmb.exe
File opened for modification	C:\Windows\SysWOW64\wqwi.exe	wscligsm.exe
File created	C:\Windows\SysWOW64\wohdgv.exe	wxqh.exe
File created	C:\Windows\SysWOW64\wphgtlnw.exe	wypnyy.exe
File created	C:\Windows\SysWOW64\wjvohaef.exe	wohdgv.exe
File created	C:\Windows\SysWOW64\wghvd.exe	wyrmh.exe
File opened for modification	C:\Windows\SysWOW64\wuoaymbe.exe	wrkydw.exe
File created	C:\Windows\SysWOW64\wdann.exe	wen.exe
File created	C:\Windows\SysWOW64\wlvcq.exe	wfftxp.exe
File opened for modification	C:\Windows\SysWOW64\wgbnoko.exe	wykdudo.exe
File opened for modification	C:\Windows\SysWOW64\wimusjk.exe	wloctlka.exe
File created	C:\Windows\SysWOW64\wiyhnu.exe	wuywedphx.exe
File created	C:\Windows\SysWOW64\wpct.exe	wjqtcshu.exe
File opened for modification	C:\Windows\SysWOW64\wlrdbtk.exe	wrbkys.exe
File created	C:\Windows\SysWOW64\wbmm.exe	wdmopq.exe
File created	C:\Windows\SysWOW64\wqgcvwss.exe	wjptc.exe
File opened for modification	C:\Windows\SysWOW64\wew.exe	wnlrasg.exe
File created	C:\Windows\SysWOW64\wto.exe	wgdnemgk.exe
File created	C:\Windows\SysWOW64\wtpluq.exe	wmacai.exe
File created	C:\Windows\SysWOW64\wwpx.exe	wvg.exe
File opened for modification	C:\Windows\SysWOW64\wfftxp.exe	wpdoudq.exe
File opened for modification	C:\Windows\SysWOW64\wkn.exe	wew.exe
File opened for modification	C:\Windows\SysWOW64\wmacai.exe	wdbni.exe
File opened for modification	C:\Windows\SysWOW64\wohdgv.exe	wxqh.exe
File opened for modification	C:\Windows\SysWOW64\wjhdbr.exe	wphgtlnw.exe
File opened for modification	C:\Windows\SysWOW64\wlfywo.exe	wgefue.exe
File created	C:\Windows\SysWOW64\wxvidmky.exe	wdiv.exe
File opened for modification	C:\Windows\SysWOW64\wjvohaef.exe	wohdgv.exe
File created	C:\Windows\SysWOW64\wscxdjo.exe	wimusjk.exe
File created	C:\Windows\SysWOW64\wcidybcbt.exe	wlfywo.exe
File opened for modification	C:\Windows\SysWOW64\wvg.exe	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmeciswax.exe	wgkpb.exe
File created	C:\Windows\SysWOW64\weoqsri.exe	wpct.exe
File created	C:\Windows\SysWOW64\wtocf.exe	wnheify.exe
File opened for modification	C:\Windows\SysWOW64\wdann.exe	wen.exe
File created	C:\Windows\SysWOW64\wvcwqsgx.exe	wujl.exe
File opened for modification	C:\Windows\SysWOW64\whsgh.exe	wamhsp.exe
File created	C:\Windows\SysWOW64\wlrdbtk.exe	wrbkys.exe
File opened for modification	C:\Windows\SysWOW64\wvtextx.exe	wdsuwkbac.exe
File created	C:\Windows\SysWOW64\wdiv.exe	wvisbg.exe
File opened for modification	C:\Windows\SysWOW64\wcgrajs.exe	wfjacmpj.exe
File opened for modification	C:\Windows\SysWOW64\wfqpv.exe	wgd.exe
File created	C:\Windows\SysWOW64\whsgh.exe	wamhsp.exe
File opened for modification	C:\Windows\SysWOW64\wloctlka.exe	wbmm.exe
File created	C:\Windows\SysWOW64\wanfkdfmv.exe	wkn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3560	3480	WerFault.exe	83
2528	888	WerFault.exe	99
216	888	WerFault.exe	99
4048	4124	WerFault.exe	202
3860	4124	WerFault.exe	202
3272	3356	WerFault.exe	215
4388	1892	WerFault.exe	307
2256	1892	WerFault.exe	307
2736	1320	WerFault.exe	395
1816	2544	WerFault.exe	418

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscligsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvcwqsgx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdbni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpdoudq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuxiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wavhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrbkys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgftqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wckjvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weoqsri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqlmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfqpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waoqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgbnoko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtgko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkepxmnw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wloctlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlrdbtk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwpx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnexuuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wamyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdjfv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscxdjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlvcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wanfkdfmv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcidybcbt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnheify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfjacmpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgkpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3480	4288	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe	83
PID 4288 wrote to memory of 3480	4288	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe	83
PID 4288 wrote to memory of 3480	4288	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe	83
PID 4288 wrote to memory of 4472	4288	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe	85
PID 4288 wrote to memory of 4472	4288	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe	85
PID 4288 wrote to memory of 4472	4288	1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe	85
PID 3480 wrote to memory of 1432	3480	wvg.exe	87
PID 3480 wrote to memory of 1432	3480	wvg.exe	87
PID 3480 wrote to memory of 1432	3480	wvg.exe	87
PID 3480 wrote to memory of 1320	3480	wvg.exe	88
PID 3480 wrote to memory of 1320	3480	wvg.exe	88
PID 3480 wrote to memory of 1320	3480	wvg.exe	88
PID 1432 wrote to memory of 4580	1432	wwpx.exe	93
PID 1432 wrote to memory of 4580	1432	wwpx.exe	93
PID 1432 wrote to memory of 4580	1432	wwpx.exe	93
PID 1432 wrote to memory of 536	1432	wwpx.exe	94
PID 1432 wrote to memory of 536	1432	wwpx.exe	94
PID 1432 wrote to memory of 536	1432	wwpx.exe	94
PID 4580 wrote to memory of 2968	4580	wfjacmpj.exe	96
PID 4580 wrote to memory of 2968	4580	wfjacmpj.exe	96
PID 4580 wrote to memory of 2968	4580	wfjacmpj.exe	96
PID 4580 wrote to memory of 4596	4580	wfjacmpj.exe	97
PID 4580 wrote to memory of 4596	4580	wfjacmpj.exe	97
PID 4580 wrote to memory of 4596	4580	wfjacmpj.exe	97
PID 2968 wrote to memory of 888	2968	wcgrajs.exe	99
PID 2968 wrote to memory of 888	2968	wcgrajs.exe	99
PID 2968 wrote to memory of 888	2968	wcgrajs.exe	99
PID 2968 wrote to memory of 3868	2968	wcgrajs.exe	100
PID 2968 wrote to memory of 3868	2968	wcgrajs.exe	100
PID 2968 wrote to memory of 3868	2968	wcgrajs.exe	100
PID 888 wrote to memory of 3120	888	wrkydw.exe	102
PID 888 wrote to memory of 3120	888	wrkydw.exe	102
PID 888 wrote to memory of 3120	888	wrkydw.exe	102
PID 888 wrote to memory of 408	888	wrkydw.exe	103
PID 888 wrote to memory of 408	888	wrkydw.exe	103
PID 888 wrote to memory of 408	888	wrkydw.exe	103
PID 3120 wrote to memory of 440	3120	wuoaymbe.exe	109
PID 3120 wrote to memory of 440	3120	wuoaymbe.exe	109
PID 3120 wrote to memory of 440	3120	wuoaymbe.exe	109
PID 3120 wrote to memory of 3608	3120	wuoaymbe.exe	110
PID 3120 wrote to memory of 3608	3120	wuoaymbe.exe	110
PID 3120 wrote to memory of 3608	3120	wuoaymbe.exe	110
PID 440 wrote to memory of 5072	440	wmb.exe	112
PID 440 wrote to memory of 5072	440	wmb.exe	112
PID 440 wrote to memory of 5072	440	wmb.exe	112
PID 440 wrote to memory of 4404	440	wmb.exe	113
PID 440 wrote to memory of 4404	440	wmb.exe	113
PID 440 wrote to memory of 4404	440	wmb.exe	113
PID 5072 wrote to memory of 2076	5072	wscligsm.exe	115
PID 5072 wrote to memory of 2076	5072	wscligsm.exe	115
PID 5072 wrote to memory of 2076	5072	wscligsm.exe	115
PID 5072 wrote to memory of 920	5072	wscligsm.exe	116
PID 5072 wrote to memory of 920	5072	wscligsm.exe	116
PID 5072 wrote to memory of 920	5072	wscligsm.exe	116
PID 2076 wrote to memory of 1292	2076	wqwi.exe	120
PID 2076 wrote to memory of 1292	2076	wqwi.exe	120
PID 2076 wrote to memory of 1292	2076	wqwi.exe	120
PID 2076 wrote to memory of 4808	2076	wqwi.exe	121
PID 2076 wrote to memory of 4808	2076	wqwi.exe	121
PID 2076 wrote to memory of 4808	2076	wqwi.exe	121
PID 1292 wrote to memory of 4576	1292	wkjsh.exe	125
PID 1292 wrote to memory of 4576	1292	wkjsh.exe	125
PID 1292 wrote to memory of 4576	1292	wkjsh.exe	125
PID 1292 wrote to memory of 2728	1292	wkjsh.exe	126

C:\Users\Admin\AppData\Local\Temp\1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\wvg.exe
  "C:\Windows\system32\wvg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\wwpx.exe
    "C:\Windows\system32\wwpx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\wfjacmpj.exe
      "C:\Windows\system32\wfjacmpj.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\wcgrajs.exe
        
        "C:\Windows\system32\wcgrajs.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\wrkydw.exe
        
        "C:\Windows\system32\wrkydw.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\wuoaymbe.exe
        
        "C:\Windows\system32\wuoaymbe.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\wmb.exe
        
        "C:\Windows\system32\wmb.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\wscligsm.exe
        
        "C:\Windows\system32\wscligsm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\wqwi.exe
        
        "C:\Windows\system32\wqwi.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\wkjsh.exe
        
        "C:\Windows\system32\wkjsh.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\wqlmh.exe
        
        "C:\Windows\system32\wqlmh.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\wgd.exe
        
        "C:\Windows\system32\wgd.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\wfqpv.exe
        
        "C:\Windows\system32\wfqpv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\wpdoudq.exe
        
        "C:\Windows\system32\wpdoudq.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\wfftxp.exe
        
        "C:\Windows\system32\wfftxp.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\wlvcq.exe
        
        "C:\Windows\system32\wlvcq.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\whi.exe
        
        "C:\Windows\system32\whi.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\wujl.exe
        
        "C:\Windows\system32\wujl.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\wvcwqsgx.exe
        
        "C:\Windows\system32\wvcwqsgx.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\wjwt.exe
        
        "C:\Windows\system32\wjwt.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\wqvlph.exe
        
        "C:\Windows\system32\wqvlph.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wgkpb.exe
        
        "C:\Windows\system32\wgkpb.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\wmeciswax.exe
        
        "C:\Windows\system32\wmeciswax.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\wsnl.exe
        
        "C:\Windows\system32\wsnl.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\woxnatbs.exe
        
        "C:\Windows\system32\woxnatbs.exe"
        26⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\wamhsp.exe
        
        "C:\Windows\system32\wamhsp.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\whsgh.exe
        
        "C:\Windows\system32\whsgh.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\wgpx.exe
        
        "C:\Windows\system32\wgpx.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\wvisbg.exe
        
        "C:\Windows\system32\wvisbg.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\wdiv.exe
        
        "C:\Windows\system32\wdiv.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\wxvidmky.exe
        
        "C:\Windows\system32\wxvidmky.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\wmwumgd.exe
        
        "C:\Windows\system32\wmwumgd.exe"
        33⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\wckjvs.exe
        
        "C:\Windows\system32\wckjvs.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\wsdfr.exe
        
        "C:\Windows\system32\wsdfr.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\wjqtcshu.exe
        
        "C:\Windows\system32\wjqtcshu.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\wpct.exe
        
        "C:\Windows\system32\wpct.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\weoqsri.exe
        
        "C:\Windows\system32\weoqsri.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\wpgoxlsn.exe
        
        "C:\Windows\system32\wpgoxlsn.exe"
        39⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\wrednaw.exe
        
        "C:\Windows\system32\wrednaw.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\wnheify.exe
        
        "C:\Windows\system32\wnheify.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\wtocf.exe
        
        "C:\Windows\system32\wtocf.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\wrbkys.exe
        
        "C:\Windows\system32\wrbkys.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\wlrdbtk.exe
        
        "C:\Windows\system32\wlrdbtk.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\wxqh.exe
        
        "C:\Windows\system32\wxqh.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\wohdgv.exe
        
        "C:\Windows\system32\wohdgv.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\wjvohaef.exe
        
        "C:\Windows\system32\wjvohaef.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\wiiwywtuu.exe
        
        "C:\Windows\system32\wiiwywtuu.exe"
        48⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\woygsgus.exe
        
        "C:\Windows\system32\woygsgus.exe"
        49⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\wmxxrdu.exe
        
        "C:\Windows\system32\wmxxrdu.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\wamyu.exe
        
        "C:\Windows\system32\wamyu.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\wqqfxhc.exe
        
        "C:\Windows\system32\wqqfxhc.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\wkepxmnw.exe
        
        "C:\Windows\system32\wkepxmnw.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\wykdudo.exe
        
        "C:\Windows\system32\wykdudo.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\wgbnoko.exe
        
        "C:\Windows\system32\wgbnoko.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\wifp.exe
        
        "C:\Windows\system32\wifp.exe"
        56⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\wvrlatd.exe
        
        "C:\Windows\system32\wvrlatd.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\wpfwcypx.exe
        
        "C:\Windows\system32\wpfwcypx.exe"
        58⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\wwk.exe
        
        "C:\Windows\system32\wwk.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\wdmopq.exe
        
        "C:\Windows\system32\wdmopq.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\wbmm.exe
        
        "C:\Windows\system32\wbmm.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\wloctlka.exe
        
        "C:\Windows\system32\wloctlka.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\wimusjk.exe
        
        "C:\Windows\system32\wimusjk.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\wscxdjo.exe
        
        "C:\Windows\system32\wscxdjo.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\wvymtxu.exe
        
        "C:\Windows\system32\wvymtxu.exe"
        65⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\wqconcu.exe
        
        "C:\Windows\system32\wqconcu.exe"
        66⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\wgftqp.exe
        
        "C:\Windows\system32\wgftqp.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\wypnyy.exe
        
        "C:\Windows\system32\wypnyy.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wphgtlnw.exe
        
        "C:\Windows\system32\wphgtlnw.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\wjhdbr.exe
        
        "C:\Windows\system32\wjhdbr.exe"
        70⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\wdjfv.exe
        
        "C:\Windows\system32\wdjfv.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\woykiv.exe
        
        "C:\Windows\system32\woykiv.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\wnlrasg.exe
        
        "C:\Windows\system32\wnlrasg.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\wew.exe
        
        "C:\Windows\system32\wew.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\wkn.exe
        
        "C:\Windows\system32\wkn.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\wanfkdfmv.exe
        
        "C:\Windows\system32\wanfkdfmv.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\wgdnemgk.exe
        
        "C:\Windows\system32\wgdnemgk.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\wto.exe
        
        "C:\Windows\system32\wto.exe"
        78⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\wscrm.exe
        
        "C:\Windows\system32\wscrm.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\whpsps.exe
        
        "C:\Windows\system32\whpsps.exe"
        80⤵
        Checks computer location settings
        
        PID:4896
        
        C:\Windows\SysWOW64\waefoxt.exe
        
        "C:\Windows\system32\waefoxt.exe"
        81⤵
        Checks computer location settings
        
        PID:3376
        
        C:\Windows\SysWOW64\wyrmh.exe
        
        "C:\Windows\system32\wyrmh.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\wghvd.exe
        
        "C:\Windows\system32\wghvd.exe"
        83⤵
        Checks computer location settings
        
        PID:3860
        
        C:\Windows\SysWOW64\wavhd.exe
        
        "C:\Windows\system32\wavhd.exe"
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\wuxiw.exe
        
        "C:\Windows\system32\wuxiw.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\waoqq.exe
        
        "C:\Windows\system32\waoqq.exe"
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\wlrbcqs.exe
        
        "C:\Windows\system32\wlrbcqs.exe"
        87⤵
        Checks computer location settings
        
        PID:4860
        
        C:\Windows\SysWOW64\wjptc.exe
        
        "C:\Windows\system32\wjptc.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wqgcvwss.exe
        
        "C:\Windows\system32\wqgcvwss.exe"
        89⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\wavggvwhu.exe
        
        "C:\Windows\system32\wavggvwhu.exe"
        90⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Windows\SysWOW64\wdsuwkbac.exe
        
        "C:\Windows\system32\wdsuwkbac.exe"
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\wvtextx.exe
        
        "C:\Windows\system32\wvtextx.exe"
        92⤵
        
        PID:384
        
        C:\Windows\SysWOW64\wtgko.exe
        
        "C:\Windows\system32\wtgko.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\wojnjuqir.exe
        
        "C:\Windows\system32\wojnjuqir.exe"
        94⤵
        Checks computer location settings
        
        PID:4604
        
        C:\Windows\SysWOW64\wuywedphx.exe
        
        "C:\Windows\system32\wuywedphx.exe"
        95⤵
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\wiyhnu.exe
        
        "C:\Windows\system32\wiyhnu.exe"
        96⤵
        Checks computer location settings
        
        PID:2300
        
        C:\Windows\SysWOW64\whmpgryo.exe
        
        "C:\Windows\system32\whmpgryo.exe"
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\wkjdvgd.exe
        
        "C:\Windows\system32\wkjdvgd.exe"
        98⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Windows\SysWOW64\whwmo.exe
        
        "C:\Windows\system32\whwmo.exe"
        99⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\wdbni.exe
        
        "C:\Windows\system32\wdbni.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\wmacai.exe
        
        "C:\Windows\system32\wmacai.exe"
        101⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\wtpluq.exe
        
        "C:\Windows\system32\wtpluq.exe"
        102⤵
        Checks computer location settings
        
        PID:2888
        
        C:\Windows\SysWOW64\wnexuuw.exe
        
        "C:\Windows\system32\wnexuuw.exe"
        103⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\wgefue.exe
        
        "C:\Windows\system32\wgefue.exe"
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wlfywo.exe
        
        "C:\Windows\system32\wlfywo.exe"
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\wcidybcbt.exe
        
        "C:\Windows\system32\wcidybcbt.exe"
        106⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\wen.exe
        
        "C:\Windows\system32\wen.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wdann.exe
        
        "C:\Windows\system32\wdann.exe"
        108⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wen.exe"
        108⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcidybcbt.exe"
        107⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfywo.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgefue.exe"
        105⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1456
        105⤵
        Program crash
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnexuuw.exe"
        104⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpluq.exe"
        103⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmacai.exe"
        102⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbni.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwmo.exe"
        100⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjdvgd.exe"
        99⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmpgryo.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1388
        98⤵
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyhnu.exe"
        97⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuywedphx.exe"
        96⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojnjuqir.exe"
        95⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgko.exe"
        94⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtextx.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsuwkbac.exe"
        92⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavggvwhu.exe"
        91⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgcvwss.exe"
        90⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjptc.exe"
        89⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrbcqs.exe"
        88⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waoqq.exe"
        87⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxiw.exe"
        86⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavhd.exe"
        85⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghvd.exe"
        84⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyrmh.exe"
        83⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waefoxt.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpsps.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscrm.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdnemgk.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanfkdfmv.exe"
        77⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkn.exe"
        76⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wew.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlrasg.exe"
        74⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woykiv.exe"
        73⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjfv.exe"
        72⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhdbr.exe"
        71⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphgtlnw.exe"
        70⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1440
        70⤵
        Program crash
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 116
        70⤵
        Program crash
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypnyy.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgftqp.exe"
        68⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqconcu.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvymtxu.exe"
        66⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscxdjo.exe"
        65⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimusjk.exe"
        64⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloctlka.exe"
        63⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmm.exe"
        62⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmopq.exe"
        61⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwk.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfwcypx.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrlatd.exe"
        58⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifp.exe"
        57⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgbnoko.exe"
        56⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykdudo.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkepxmnw.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqfxhc.exe"
        53⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamyu.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxxrdu.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woygsgus.exe"
        50⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiwywtuu.exe"
        49⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvohaef.exe"
        48⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohdgv.exe"
        47⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqh.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrdbtk.exe"
        45⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbkys.exe"
        44⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtocf.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnheify.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrednaw.exe"
        41⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgoxlsn.exe"
        40⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1584
        40⤵
        Program crash
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoqsri.exe"
        39⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpct.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqtcshu.exe"
        37⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 116
        37⤵
        Program crash
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1536
        37⤵
        Program crash
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdfr.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckjvs.exe"
        35⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwumgd.exe"
        34⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvidmky.exe"
        33⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdiv.exe"
        32⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvisbg.exe"
        31⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpx.exe"
        30⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsgh.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamhsp.exe"
        28⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxnatbs.exe"
        27⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnl.exe"
        26⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmeciswax.exe"
        25⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkpb.exe"
        24⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvlph.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwt.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcwqsgx.exe"
        21⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujl.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whi.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvcq.exe"
        18⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfftxp.exe"
        17⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdoudq.exe"
        16⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqpv.exe"
        15⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgd.exe"
        14⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlmh.exe"
        13⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjsh.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwi.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscligsm.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmb.exe"
        9⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuoaymbe.exe"
        8⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkydw.exe"
        7⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1464
        7⤵
        Program crash
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 116
        7⤵
        Program crash
        
        PID:216
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgrajs.exe"
        6⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjacmpj.exe"
        5⤵
        
        PID:4596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpx.exe"
      4⤵
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvg.exe"
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1260
    3⤵
    - Program crash
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1663ab0d47c14fd2ca5a2b09a3b304c7_JaffaCakes118.exe"
  2⤵
  PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 888 -ip 888
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 888 -ip 888
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4124 -ip 4124
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4124 -ip 4124
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3356 -ip 3356
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1892 -ip 1892
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1892 -ip 1892
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1320 -ip 1320
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2544 -ip 2544
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wamhsp.exe

Filesize
264KB

MD5
bd41024eb9f603e9c0800f4ccdd63506

SHA1
3d8082fe084d4e79392992e2048cdfeea682e262

SHA256
6bd915a4264310bc92fa8323bceec45693b840cd25576b882ea31e04468d84e6

SHA512
808dcde740cfaed36cf0a9ac460bd191639ee4b8c8438da7339a41f216e4690df41b11dee019f5dd0995062e76232871dfd6eb839989c70dbf4b91fdf8e1d196

Download Submit
C:\Windows\SysWOW64\wcgrajs.exe

Filesize
264KB

MD5
1c31f4f5dd84d918f237030853a5b8f7

SHA1
a6e19c27bd9e08f236d9b00c74a9d35e5cfa788c

SHA256
b181b8679e86765194e807835ae5124270908befa46ab5f0446dab4db67764fc

SHA512
e20978503fa0676ff71cb03d2a36fd5979a28f1bbfea2a04dfcebc425399d2c70755b592c40b47b90a5924070a4368fb5873b145ec4ad31d3ab2782ab66fcb25

Download Submit
C:\Windows\SysWOW64\wdiv.exe

Filesize
264KB

MD5
9e220ed2571f375a6858fbefd90e77ad

SHA1
bfa7b5a2de8656066506a9a1e9a652cfaf4017b8

SHA256
82bca3812d6c8674d40d50f7af541ec26bb71336482282a7a0d47c16e08af0b8

SHA512
0b355f69df942b345be985c6a4ac69af267d9270fe50308bcfcb0a54dd253cfba45b0eede4c332649e88079ec89d3a6a552f219e6594336f5da11c2f6434d391

Download Submit
C:\Windows\SysWOW64\wfftxp.exe

Filesize
264KB

MD5
6149fc056e9dc112aa9ac64494ff80f2

SHA1
f29f1e1e3066d1641c912065ea7e3892fd1a3058

SHA256
c50b4bdfb1ca1ac231ae93d751412b6dab7b3d19d7a8a0d02c259e0a5f5e7068

SHA512
5d99ebe172dea1ac04dfd4049ad4b06f1251f8ba1b23b2b031ad46754a85367fb0ca9b8742796a87640cd1429dd719552213a364c7650aa41e8fb49bb1538bb5

Download Submit
C:\Windows\SysWOW64\wfjacmpj.exe

Filesize
264KB

MD5
f2ebdd019226714e79d5136b177321d8

SHA1
fe1e02236d52f3ac7c71d0fe9ef874ad439082fa

SHA256
650d565996466f0946e34128698e5ae04f0afec62637e59693a4cfa173b0901b

SHA512
33f880f6b89d155619542d226b27563a29f38d25858952e8a87efcd5d6e4849f16597aee4c95b4237f5bb8bd43c5fb47fb05db4e125174c9dd27e40c089b6d8d

Download Submit
C:\Windows\SysWOW64\wfqpv.exe

Filesize
264KB

MD5
7175397e4ef1f798d6f06abec3fb6366

SHA1
98164d84537d7db0b21c9e9a5a843c732641d959

SHA256
a7375d34dbe7bf9556a1e2d7818482e2659df5036d6d552c41e9eebae6edb425

SHA512
cdbe13fbc8614f7d49fd78256dafc7bee4277be693a7ba2fc189bf265e6a26353c420d8abe645435567b942a17947302ae8964643a1a0cbab81830360281d88a

Download Submit
C:\Windows\SysWOW64\wgd.exe

Filesize
264KB

MD5
e5d295caf9cc131e0b1679824b6cfadd

SHA1
917b1f6ef0664c8f7e8ad4c3276911977dfab894

SHA256
d47a3f1d8dbd2b49dc5223ccdaeef0f4e262b547c925999f3627b62fd3ea54e2

SHA512
a6675dfb08096d3335e8579cd422c30f6efbcd24ce06de0c60dc88b029c0aba210456efefd05e781ab39af78ca0ba1d9a19ade5a44d796287cbcb340159408f8

Download Submit
C:\Windows\SysWOW64\wgkpb.exe

Filesize
264KB

MD5
e2c581017a7a4f8cc4ae82e194f290ab

SHA1
05aeb143300fc327555a26355892caa06f7687f3

SHA256
bebfec25ecbf1fc67d3a44ef5ba735c61bd7acb85fdcb174a28db771a9a4f4be

SHA512
4c7a7c5e9cb6383b7742eb1774878727cf7b53aa72211688010cd0b6aeb2db500912f4e6a68938fb0e3419805397515d0c7d17014747b1da6b8932b107dbc4b0

Download Submit
C:\Windows\SysWOW64\wgpx.exe

Filesize
264KB

MD5
74fbc01c5104c7b945160daea0ec9477

SHA1
6c8d9b0659a32e84a8150b6d3d85759b893810bb

SHA256
9f594993a3bfaf73e60b06a26f67d61a06ce0e40a6a054e2579a4e5b5a446656

SHA512
41ecfa8bdac5ffeeebf5051f5f85d6f57001719af1a1d26d87377e20befbd4936f45d2eafa0c2a5aeda8005f5b5a6839493aac1c0a3ce12804b87f925252c88f

Download Submit
C:\Windows\SysWOW64\whi.exe

Filesize
264KB

MD5
55b39ec97dd1d80f919b154ee334006f

SHA1
a12278138f5995db5863f09309779523ffc777e4

SHA256
94b31f6137acea9de5ed6e7e12c1138b53898adf5ff3ca19b09d364cbff805f8

SHA512
12d978ec8f3d5614047b79f7b9a53bce8e5486cfae90d515ea5ca44267f203f49baf32d9bda814d141a5d66c5c29529e07dc9b7957322924681265fb2596751a

Download Submit
C:\Windows\SysWOW64\whsgh.exe

Filesize
264KB

MD5
55086f7cdcf40139d084d346431f8599

SHA1
37966e55fb27ce9fbbb722c482eb34c87c5f8c83

SHA256
f71334ecb2724c5c7cc791af29e4a3d4d01155e37b1e585adea8fc4cbadb5083

SHA512
a8b6d1f3432e7358d9e9a7488e1ac7d60b6f3020e46a04684bb3b7f7cddb0b466341bcaf594928b276855bcaa9825318f66f1ceee4c5b2e152efc39d867edf88

Download Submit
C:\Windows\SysWOW64\wjwt.exe

Filesize
264KB

MD5
13d003879db8c8a45344b58d1d28461b

SHA1
093fa03ecf67fc4eadea85c7ab765bb4128058cc

SHA256
ef6844a403efbfdb0e52ddf34d9a89d63d2d2ce7db53d15f4ca93f65997f5441

SHA512
1c852421237ae689eb4a663ca76aa0658395c181d89a2451c95e8a107dfeb8c4ec84649b65ceaf0abd1701074acd36e45879c3f70fb3b07e670c78df0a93a5cf

Download Submit
C:\Windows\SysWOW64\wkjsh.exe

Filesize
264KB

MD5
caa2ff934b6253a629fba2d262a593c2

SHA1
ed3c901e9381c9306529274e50a1225af01bc315

SHA256
4efe5f299f23c8ce653c11cf2d7b19d957f8687de1ee08fa0cbfc89389c9694b

SHA512
31cd5e52dbdc36f6a32d729094f3c6f33a2f8b6a440d0040b1cc987351fada0104eafc70c224266e41c5d521702982163b9030db1b75d42e8c89691497652658

Download Submit
C:\Windows\SysWOW64\wlvcq.exe

Filesize
264KB

MD5
98df02ad16ffec0f04f16f55d78032b4

SHA1
922124518af5c0eb133fce2ae9b0c52d5cc69def

SHA256
1724d0f1ed6fd7e319d194edeffe2d5fec29d52fc131c8cebddc597823578e0f

SHA512
8d0a9b49069518d242d49029f13e3d7c78bb883809b64db397b56dd3c6edd3cf46809a1127c0a69978df24ac636cb97a23a30a07b7c36297daec714d8fb6dc4a

Download Submit
C:\Windows\SysWOW64\wmb.exe

Filesize
264KB

MD5
a6ed82366a5ad0c209a80e78302ba5f1

SHA1
88219761a1e726c192ab7d1b6e1d4ad17f6464cc

SHA256
4086086a109ec6ee579c6ec8602e78bdb4b32b3bc5285f021eb975a047b3ce50

SHA512
68088d85a876b6c0b31d4be15fe46f9ce6ecb64c4c649f2eed45947f9767ebd4954cfcc6a494b7a250d531af0983fee9a399aa5fc413599adcb8b7f782ba7ee1

Download Submit
C:\Windows\SysWOW64\wmeciswax.exe

Filesize
264KB

MD5
8ed886466b13b52c2fab918be919352e

SHA1
6b45e6dac0f8e67cfb0448b6306b4fa610d0cd0b

SHA256
1050dafdac9677b5a060fe4b7decbf11d8673601f6ff35a40b8ab793e3c7ef1a

SHA512
106ca00cedd881a094ccdca9153e6344e68fdc472fc9d39f8ae66af3f4e48e73420e72b9ac22cf7f40c114de75dd87b585bfc17a073762e182470171d081b002

Download Submit
C:\Windows\SysWOW64\wmwumgd.exe

Filesize
264KB

MD5
f6f3d5e0f0d521b077824a2f6479061c

SHA1
89c4671f25b73b3cbccea7c22201ac7ef7017bf7

SHA256
72e2dff8f77020b8f0b52a396c83674d179973d3d22610459caefca0012ac1ba

SHA512
eead3813ce394274e16f4e0dfbb205cbc1607a5ec0f8ea1163cbac5743628b68034834594c92169b3328d79301f2ac18f83d8918bcf51e9d0dff4257c2e89af9

Download Submit
C:\Windows\SysWOW64\woxnatbs.exe

Filesize
264KB

MD5
91ac9ba9c55edf1ac04a1aa5e03b50cf

SHA1
7646eb594c97d417d15d14989f1568c53c41924b

SHA256
9745b7829b2d16687a6a2b89c2f8925266de8aaa0393a4de23cb5ef6030af893

SHA512
2c01ee811307930446349311ca8b78a748cc79b005bcc57fe416d41315453b6165e5c8d7634e166462e91433a0331604beb64dd5ab1fcf3142614583f3e4249b

Download Submit
C:\Windows\SysWOW64\wpdoudq.exe

Filesize
264KB

MD5
229947fcd321aeb75932d9df63f571c2

SHA1
26a7df9bfdf9471f35aba723f8d011a7c9b27f9b

SHA256
1b4ac16bbe810e2f7feeac2b0f78a50fdbb436f23dc5f88790808fc6b34ba2cb

SHA512
602dc0639178b1fce1cc70d98fa237eb67b636beee3b2646ba3469afbe3e567379457c6d0e45b393e18efef4b192e0da7aceaa003814c7f7657d0c8c12b83df0

Download Submit
C:\Windows\SysWOW64\wqlmh.exe

Filesize
264KB

MD5
33c80f4c7730ec4cf28d7f90b145ea71

SHA1
c581562db5a7528c4a69dc36d6b692ec2735aad6

SHA256
e5320547e9074568f064972db8cad0f86536bb64f7809b1d4978fa9fc0f924e5

SHA512
ed692b59d15cf8142d3bcbaeea0e0e76a77de02163b8686e0b6b624a9924479e0813677236f2201458a85f25af0769b683de40bd8ef0bc209db23c2ab7f1b6f4

Download Submit
C:\Windows\SysWOW64\wqvlph.exe

Filesize
264KB

MD5
e97cdd144bdb1eab46f65de6f69e9975

SHA1
9fab99bd50bae15d47470806f79c054de2852174

SHA256
61c9231dc7e56ff28c9077363fc57d6fc9d6fa9d49442c93f28893b0d6f729ea

SHA512
a79c765f944d2739a79cd0b3d5ea88b16a274a71c794bfe41274f52c65ebc803f73a06ea1fc092938d580a992087236227a636e7397f9594c6069d0909c86ad8

Download Submit
C:\Windows\SysWOW64\wqwi.exe

Filesize
264KB

MD5
b235573006c1b24694ea2fce6b8751f5

SHA1
ed94f7300baff74fab37d75988436ee9d38e4c58

SHA256
804da09208b401862563d2ab89ded88ee17b4543c878b4095e5439b687cef7e1

SHA512
fde08197b3b27dbde7f912b88d4670a456b8f77b77fdf73b7614e3da06d1ba4e282b1a04b36a073d833965f78ad93b5289e4978ddbc1e99da446cb2629283abb

Download Submit
C:\Windows\SysWOW64\wrkydw.exe

Filesize
264KB

MD5
87ecab3caa508158954d9456d3b59019

SHA1
a4b6d23952f46f8e5278b2debbb4a6c0a94c5e1d

SHA256
712100483f9da240244b7a5a2f34576c5a1e51f080d15975ec59947bcaf6d64e

SHA512
57d53873d1e6e01d00d100b2643765ea7874780d6ad793b2b671103379cde09acfec922b485bf1c7da78742e114b67c5e0e90837ab7fe2b69eedb342f55a7f1f

Download Submit
C:\Windows\SysWOW64\wscligsm.exe

Filesize
264KB

MD5
0bdcd87db922a4ca2dc5ddc3c63c3a2e

SHA1
384e20e1cd3a5e93c2305508b0502c9daa353e0d

SHA256
00ca81e464f44199273cecc718117bfb97a28da7022eb25c4764aea2ba6c7f45

SHA512
310eeb8dfb17f174fa6e65b39eacadd9f4c9d1feb2805030bb57252d10ebb4f0b2ae3e459a1e4506b111358acf0190ce5e0123711dd5384588c94abc616ec958

Download Submit
C:\Windows\SysWOW64\wsnl.exe

Filesize
264KB

MD5
26cfb27c5dbb1da631b088470ac267a5

SHA1
885d282be8fd88aee9e1375419d593d99f92963a

SHA256
e208538af2b8e9430d24b01863f845e40c8f9527a45260c2800c00121d1a7391

SHA512
ed524fb89a4566d0613c316e287ddd267d43e4001a49ca2e3279ba6ab4f18157a00974d09324481e57f120b6fa63c83ed57e427416cc4327efc5347839dabaa5

Download Submit
C:\Windows\SysWOW64\wujl.exe

Filesize
264KB

MD5
3a3844e46ef49486daa7d24b7e6147d8

SHA1
0838329a4b1ea80bf14067ded23f182781cc1d3c

SHA256
41d30b968f03a83565756e0ad1fc1d0fde4528c3261c920a313625cde1641722

SHA512
b2dd1d2c57d0e9fd3b2dcf91a1ab5311e5423c7cb9210d92dd72414ee542985992b24dac4751cd7aaa7f568f71dcf6da9e89e64f594625057b35d28edc7af766

Download Submit
C:\Windows\SysWOW64\wuoaymbe.exe

Filesize
264KB

MD5
1aed7bf3b5eaf9e3183fe9ba55b25862

SHA1
dc5ac889b9ad92f5edbcd6d9e0a4d3c69ba2ac49

SHA256
426061a65f2ee0633ab286db0ffb50ef5237d9e67b34981d6cb2e6102c778060

SHA512
b5ad2686ce6e05d6d80d1324a32ba0a87797532f3de27505944b66cfc71fb7b3796d95bab8b29414120e04074c694cc682bb059d14905a1f91f8e77b02e7edb7

Download Submit
C:\Windows\SysWOW64\wvcwqsgx.exe

Filesize
264KB

MD5
694463af2933531a0d20bed971a539e9

SHA1
19aa64c0694aa83518edb22879c172a68e98ab8c

SHA256
8bb02fdbcf3402ec7ddeabf2ca88b39caf6edb55d7be51e1b85a2196c5300fc8

SHA512
faefa49e5f6b1359e824db34fefec1b955590357a6c6f575ca4bddf9c68bd5c4956271cc8df9475b6d9260498a361e7e78fab9a19c68eea41bf522cd3d6ea079

Download Submit
C:\Windows\SysWOW64\wvg.exe

Filesize
264KB

MD5
a222fb144d471808f1df057953ecb0f4

SHA1
4dbc448397f44c5a5899218a052a191fa01c8510

SHA256
6f80040dcca5855bc5733c0211351b64de3bdc38ba071fcf2d5f32cf37973f7a

SHA512
d49728dc27e1523730dd65cb42acaa8253902529ab43cda02ee34b42fd57cf28db17326ef75fcd641c4bf879dbfc8474101c55de179911cafed9e3be0bb430aa

Download Submit
C:\Windows\SysWOW64\wvisbg.exe

Filesize
264KB

MD5
8cd33f686a0645c4142d4e48be01b833

SHA1
920e84a5fcd5279b2d1a96043409ad36f3122886

SHA256
b894b4a8b5fc621c7d7723f3f42c43b1f1217cb2681409ee3db60bc9f0e662cd

SHA512
4af8b4bd68d8a66c2258263e26f5f22a866fe396f6aecbfa89ff06233ea427c93508ce93da4d2b270037c32899ca322ba8e59a151caf12ed2e7e0d618d8c4df0

Download Submit
C:\Windows\SysWOW64\wwpx.exe

Filesize
264KB

MD5
83bb1f27d5770be2ef2498bf004f2672

SHA1
e3de9893c32d03fe1a7865c3e9daf2d392dbf55b

SHA256
cd3f2b8f6c9bf58dbbad339f7980c194b01ccec9d8ddcbbc8789c18a706df8f8

SHA512
26e9ecaa7cfcc678aca19f8c870d499427a6ab742104966bfe7cea9b9788fd74effc9ec9c2acd6c396fb0369f60745df7ac4bc611fc35697a0773cf60cf861ce

Download Submit
C:\Windows\SysWOW64\wxvidmky.exe

Filesize
264KB

MD5
0d5cb995ce5491c62d5576893ffc4fa6

SHA1
0c775e52ff0332a9effbf9854f048b21fd8bd329

SHA256
c337d29f61947ace43287cec85175e01f140b492471d2a2ef9092a91db8056ef

SHA512
4c9e17326f30e9a1ae1e7fe3ccbd895f7ef6a8ae108124e2a04282f23c630e42c167cb61f9bed8c4b018ec32c8c24a9c97fca827c1cd2a7d7ac905d34e6bfef9

Download Submit
memory/116-560-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/116-450-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/220-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/320-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/384-851-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/440-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/440-859-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/560-252-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/632-705-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/700-876-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/820-346-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/864-415-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-511-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/888-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/900-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-190-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1176-355-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1304-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-689-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1404-179-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1420-713-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1428-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1592-681-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1600-390-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1624-791-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-647-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1876-722-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1892-656-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1900-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-782-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-569-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-484-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2076-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2132-577-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2192-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2192-594-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2232-629-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2324-825-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2332-586-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2488-476-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-816-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2624-441-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2644-459-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2968-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3044-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3120-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3164-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-730-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3356-399-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3356-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3376-756-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3392-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3460-621-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3480-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3480-697-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-467-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-800-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3836-603-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3860-774-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3968-326-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4004-168-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4120-432-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4124-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4288-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4288-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4288-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4320-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4360-833-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4368-664-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-552-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4388-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4424-842-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4424-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4568-544-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4576-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4580-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4596-502-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4604-867-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4660-673-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4752-739-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4832-612-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4860-808-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4876-493-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4884-765-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4896-748-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-638-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4916-527-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5072-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5080-535-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5100-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download