88a6a4a7d032aa408de5f31093239c4955234af819322983673ba2c098d09318

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
Size

269KB
MD5

3ebb8c2a94a2ce51f752cd809fd3d697
SHA1

44f8da9685fa727dcd0546e3b75a86e06bc4a6ca
SHA256

88a6a4a7d032aa408de5f31093239c4955234af819322983673ba2c098d09318
SHA512

1130b6dfc6ea57692a16bef462308502c9369e9e7589eb7f8252b597088e81a3e6ba26cd9c28f469c623e7f6074146063223b9a28a035dc8c8844f6974cf6bbd
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuJOJ:ZY7xh6SZI4z7FSVpuJg

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtrxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvcwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wmlfs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wodiccno.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wuvm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	woedgc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wokgj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwtrnxpgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wdusd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnmltl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	waknyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wkeouhl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wlwem.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwpc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wcms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wqqmg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wlnnkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wctgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwsjtk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wkhcoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wqkxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnqflbff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwupxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtgko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wysuqk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxiiijxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbdssrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxioue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wplgod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wylsure.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	whveuvla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wrynwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwtvya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtemvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	webiw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxqfmk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wsjhrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnrlujgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwgbomj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wlio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxulwx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wcuoswfpv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wlwhet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnurqhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wuelycf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wqblfes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wmti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnocqunoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbditsgql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wyqdyh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wrllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wuygv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtfcrjjp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvnutwmq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wydyemmvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wgwhfmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wgxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbrdnje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxreen.exe

Executes dropped EXE 64 IoCs

pid	Process
4496	wwlssw.exe
1192	wscy.exe
3464	wmk.exe
4920	wsx.exe
4300	wpx.exe
2364	wdxgwggmv.exe
888	wwsjtk.exe
4452	wgwhfmt.exe
1252	wjaci.exe
184	wnrlujgm.exe
636	wvantlc.exe
4964	wkhcoc.exe
4780	whffgd.exe
4992	wrkdsgs.exe
4084	wnurqhd.exe
1936	woedgc.exe
2192	wwpc.exe
1272	wuelycf.exe
456	wuygv.exe
3304	wrxkn.exe
4172	wkmjo.exe
4216	wcms.exe
2764	wvrb.exe
452	whbdtosk.exe
3100	wokgj.exe
2400	wpv.exe
2940	wwu.exe
2108	wlio.exe
4340	webiw.exe
3900	wplgod.exe
2556	wyqdyh.exe
184	wgdeam.exe
5080	wgxa.exe
3760	wmg.exe
4644	whveuvla.exe
4992	wxqfmk.exe
3668	wuqjdl.exe
4568	wxulwx.exe
3964	wxreen.exe
1916	wqqmg.exe
3652	wddwfqq.exe
3840	wnmltl.exe
4736	wdipkaime.exe
3248	wdelhtg.exe
2972	wrynwj.exe
1980	waknyo.exe
3052	wtrxk.exe
4588	wum.exe
2492	wwywrd.exe
448	wwtrnxpgw.exe
4740	wwupxt.exe
4880	wwgbomj.exe
1620	wlnnkc.exe
5100	wwjukawh.exe
3612	wylsure.exe
4876	wvqx.exe
680	wpw.exe
1788	wmhvkybk.exe
3744	wjgacbyh.exe
3212	wms.exe
5104	wywyo.exe
1964	wkeouhl.exe
4584	wvcwr.exe
2960	wmonk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wtfcrjjp.exe	wqgd.exe
File opened for modification	C:\Windows\SysWOW64\wquhmjcux.exe	wlwhet.exe
File created	C:\Windows\SysWOW64\wat.exe	wqxpoe.exe
File opened for modification	C:\Windows\SysWOW64\wxreen.exe	wxulwx.exe
File created	C:\Windows\SysWOW64\wkeouhl.exe	wywyo.exe
File created	C:\Windows\SysWOW64\wmlfs.exe	wbp.exe
File created	C:\Windows\SysWOW64\wwtvya.exe	wmlfs.exe
File opened for modification	C:\Windows\SysWOW64\wtemvn.exe	wodiccno.exe
File created	C:\Windows\SysWOW64\wlio.exe	wwu.exe
File created	C:\Windows\SysWOW64\wvvhpni.exe	wpkgpil.exe
File created	C:\Windows\SysWOW64\wuelycf.exe	wwpc.exe
File created	C:\Windows\SysWOW64\wdelhtg.exe	wdipkaime.exe
File opened for modification	C:\Windows\SysWOW64\wbp.exe	wmonk.exe
File created	C:\Windows\SysWOW64\wbditsgql.exe	wtemvn.exe
File created	C:\Windows\SysWOW64\wscy.exe	wwlssw.exe
File created	C:\Windows\SysWOW64\wwjukawh.exe	wlnnkc.exe
File created	C:\Windows\SysWOW64\wylsure.exe	wwjukawh.exe
File opened for modification	C:\Windows\SysWOW64\wrllf.exe	wypnyy.exe
File opened for modification	C:\Windows\SysWOW64\wnlweo.exe	whc.exe
File opened for modification	C:\Windows\SysWOW64\wctgg.exe	wfuco.exe
File created	C:\Windows\SysWOW64\wtmona.exe	wqyynmm.exe
File opened for modification	C:\Windows\SysWOW64\wwsdgub.exe	wnqflbff.exe
File opened for modification	C:\Windows\SysWOW64\wmk.exe	wscy.exe
File opened for modification	C:\Windows\SysWOW64\wwupxt.exe	wwtrnxpgw.exe
File opened for modification	C:\Windows\SysWOW64\wwgbomj.exe	wwupxt.exe
File opened for modification	C:\Windows\SysWOW64\wboo.exe	wvnutwmq.exe
File created	C:\Windows\SysWOW64\wqxlddnbs.exe	wnlweo.exe
File created	C:\Windows\SysWOW64\wispd.exe	wnocqunoo.exe
File opened for modification	C:\Windows\SysWOW64\wpx.exe	wsx.exe
File created	C:\Windows\SysWOW64\wxulwx.exe	wuqjdl.exe
File opened for modification	C:\Windows\SysWOW64\wmti.exe	wtox.exe
File opened for modification	C:\Windows\SysWOW64\wxioue.exe	wdusd.exe
File opened for modification	C:\Windows\SysWOW64\wydyemmvl.exe	wsjhrb.exe
File opened for modification	C:\Windows\SysWOW64\wnqflbff.exe	wqmsa.exe
File created	C:\Windows\SysWOW64\wdxgwggmv.exe	wpx.exe
File created	C:\Windows\SysWOW64\wadrihan.exe	wlwem.exe
File created	C:\Windows\SysWOW64\wtemvn.exe	wodiccno.exe
File created	C:\Windows\SysWOW64\wkhcoc.exe	wvantlc.exe
File created	C:\Windows\SysWOW64\wnqflbff.exe	wqmsa.exe
File created	C:\Windows\SysWOW64\wtajmno.exe	wxiiijxm.exe
File created	C:\Windows\SysWOW64\wgxa.exe	wgdeam.exe
File created	C:\Windows\SysWOW64\wbrdnje.exe	wwsdgub.exe
File created	C:\Windows\SysWOW64\wokgj.exe	whbdtosk.exe
File opened for modification	C:\Windows\SysWOW64\wqqmg.exe	wxreen.exe
File opened for modification	C:\Windows\SysWOW64\wqkxb.exe	wtgko.exe
File created	C:\Windows\SysWOW64\wmg.exe	wgxa.exe
File created	C:\Windows\SysWOW64\woo.exe	wtajmno.exe
File created	C:\Windows\SysWOW64\wqmsa.exe	wat.exe
File opened for modification	C:\Windows\SysWOW64\woedgc.exe	wnurqhd.exe
File opened for modification	C:\Windows\SysWOW64\wbbrrydx.exe	wadrihan.exe
File opened for modification	C:\Windows\SysWOW64\wsx.exe	wmk.exe
File opened for modification	C:\Windows\SysWOW64\wbrdnje.exe	wwsdgub.exe
File opened for modification	C:\Windows\SysWOW64\wat.exe	wqxpoe.exe
File opened for modification	C:\Windows\SysWOW64\wvvhpni.exe	wpkgpil.exe
File created	C:\Windows\SysWOW64\wqetiayq.exe	wqblfes.exe
File opened for modification	C:\Windows\SysWOW64\wrxkn.exe	wuygv.exe
File opened for modification	C:\Windows\SysWOW64\wlnnkc.exe	wwgbomj.exe
File created	C:\Windows\SysWOW64\wplgod.exe	webiw.exe
File opened for modification	C:\Windows\SysWOW64\wms.exe	wjgacbyh.exe
File created	C:\Windows\SysWOW64\wywyo.exe	wms.exe
File created	C:\Windows\SysWOW64\wlwem.exe	wrllf.exe
File opened for modification	C:\Windows\SysWOW64\wbdssrl.exe	wpup.exe
File created	C:\Windows\SysWOW64\wnocqunoo.exe	wxioue.exe
File created	C:\Windows\SysWOW64\wwywrd.exe	wum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 10 IoCs

pid	pid_target	Process	procid_target
1820	4876	WerFault.exe	255
3564	5104	WerFault.exe	273
1976	1712	WerFault.exe	290
2172	1844	WerFault.exe	349
2264	4632	WerFault.exe	366
3252	4820	WerFault.exe	395
368	2284	WerFault.exe	409
3140	4920	WerFault.exe	417
3464	4860	WerFault.exe	437
4788	4860	WerFault.exe	437

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgxa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfkdu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgdeam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwupxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkeouhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnlweo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqqmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdelhtg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjgacbyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbdssrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuqjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whffgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whveuvla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wywyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbbrrydx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxiiijxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyqdyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtmona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdipkaime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtemvn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgwhfmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqmsa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfuco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrxkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnurqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wydyemmvl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 4496	512	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	86
PID 512 wrote to memory of 4496	512	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	86
PID 512 wrote to memory of 4496	512	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	86
PID 512 wrote to memory of 1408	512	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	88
PID 512 wrote to memory of 1408	512	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	88
PID 512 wrote to memory of 1408	512	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	88
PID 4496 wrote to memory of 1192	4496	wwlssw.exe	90
PID 4496 wrote to memory of 1192	4496	wwlssw.exe	90
PID 4496 wrote to memory of 1192	4496	wwlssw.exe	90
PID 4496 wrote to memory of 2464	4496	wwlssw.exe	91
PID 4496 wrote to memory of 2464	4496	wwlssw.exe	91
PID 4496 wrote to memory of 2464	4496	wwlssw.exe	91
PID 1192 wrote to memory of 3464	1192	wscy.exe	93
PID 1192 wrote to memory of 3464	1192	wscy.exe	93
PID 1192 wrote to memory of 3464	1192	wscy.exe	93
PID 1192 wrote to memory of 892	1192	wscy.exe	94
PID 1192 wrote to memory of 892	1192	wscy.exe	94
PID 1192 wrote to memory of 892	1192	wscy.exe	94
PID 3464 wrote to memory of 4920	3464	wmk.exe	96
PID 3464 wrote to memory of 4920	3464	wmk.exe	96
PID 3464 wrote to memory of 4920	3464	wmk.exe	96
PID 3464 wrote to memory of 1784	3464	wmk.exe	97
PID 3464 wrote to memory of 1784	3464	wmk.exe	97
PID 3464 wrote to memory of 1784	3464	wmk.exe	97
PID 4920 wrote to memory of 4300	4920	wsx.exe	99
PID 4920 wrote to memory of 4300	4920	wsx.exe	99
PID 4920 wrote to memory of 4300	4920	wsx.exe	99
PID 4920 wrote to memory of 3572	4920	wsx.exe	100
PID 4920 wrote to memory of 3572	4920	wsx.exe	100
PID 4920 wrote to memory of 3572	4920	wsx.exe	100
PID 4300 wrote to memory of 2364	4300	wpx.exe	102
PID 4300 wrote to memory of 2364	4300	wpx.exe	102
PID 4300 wrote to memory of 2364	4300	wpx.exe	102
PID 4300 wrote to memory of 2804	4300	wpx.exe	103
PID 4300 wrote to memory of 2804	4300	wpx.exe	103
PID 4300 wrote to memory of 2804	4300	wpx.exe	103
PID 2364 wrote to memory of 888	2364	wdxgwggmv.exe	105
PID 2364 wrote to memory of 888	2364	wdxgwggmv.exe	105
PID 2364 wrote to memory of 888	2364	wdxgwggmv.exe	105
PID 2364 wrote to memory of 4640	2364	wdxgwggmv.exe	106
PID 2364 wrote to memory of 4640	2364	wdxgwggmv.exe	106
PID 2364 wrote to memory of 4640	2364	wdxgwggmv.exe	106
PID 888 wrote to memory of 4452	888	wwsjtk.exe	108
PID 888 wrote to memory of 4452	888	wwsjtk.exe	108
PID 888 wrote to memory of 4452	888	wwsjtk.exe	108
PID 888 wrote to memory of 736	888	wwsjtk.exe	109
PID 888 wrote to memory of 736	888	wwsjtk.exe	109
PID 888 wrote to memory of 736	888	wwsjtk.exe	109
PID 4452 wrote to memory of 1252	4452	wgwhfmt.exe	111
PID 4452 wrote to memory of 1252	4452	wgwhfmt.exe	111
PID 4452 wrote to memory of 1252	4452	wgwhfmt.exe	111
PID 4452 wrote to memory of 4060	4452	wgwhfmt.exe	112
PID 4452 wrote to memory of 4060	4452	wgwhfmt.exe	112
PID 4452 wrote to memory of 4060	4452	wgwhfmt.exe	112
PID 1252 wrote to memory of 184	1252	wjaci.exe	114
PID 1252 wrote to memory of 184	1252	wjaci.exe	114
PID 1252 wrote to memory of 184	1252	wjaci.exe	114
PID 1252 wrote to memory of 1052	1252	wjaci.exe	115
PID 1252 wrote to memory of 1052	1252	wjaci.exe	115
PID 1252 wrote to memory of 1052	1252	wjaci.exe	115
PID 184 wrote to memory of 636	184	wnrlujgm.exe	117
PID 184 wrote to memory of 636	184	wnrlujgm.exe	117
PID 184 wrote to memory of 636	184	wnrlujgm.exe	117
PID 184 wrote to memory of 3244	184	wnrlujgm.exe	118

C:\Users\Admin\AppData\Local\Temp\3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\wwlssw.exe
  "C:\Windows\system32\wwlssw.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\wscy.exe
    "C:\Windows\system32\wscy.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\wmk.exe
      "C:\Windows\system32\wmk.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\wsx.exe
        
        "C:\Windows\system32\wsx.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Windows\SysWOW64\wpx.exe
        
        "C:\Windows\system32\wpx.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\wdxgwggmv.exe
        
        "C:\Windows\system32\wdxgwggmv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\wwsjtk.exe
        
        "C:\Windows\system32\wwsjtk.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\wgwhfmt.exe
        
        "C:\Windows\system32\wgwhfmt.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\wjaci.exe
        
        "C:\Windows\system32\wjaci.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\wnrlujgm.exe
        
        "C:\Windows\system32\wnrlujgm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\wvantlc.exe
        
        "C:\Windows\system32\wvantlc.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\wkhcoc.exe
        
        "C:\Windows\system32\wkhcoc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\whffgd.exe
        
        "C:\Windows\system32\whffgd.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\wrkdsgs.exe
        
        "C:\Windows\system32\wrkdsgs.exe"
        15⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\wnurqhd.exe
        
        "C:\Windows\system32\wnurqhd.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\woedgc.exe
        
        "C:\Windows\system32\woedgc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\wwpc.exe
        
        "C:\Windows\system32\wwpc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\wuelycf.exe
        
        "C:\Windows\system32\wuelycf.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\wuygv.exe
        
        "C:\Windows\system32\wuygv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\wrxkn.exe
        
        "C:\Windows\system32\wrxkn.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\wkmjo.exe
        
        "C:\Windows\system32\wkmjo.exe"
        22⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\wcms.exe
        
        "C:\Windows\system32\wcms.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\wvrb.exe
        
        "C:\Windows\system32\wvrb.exe"
        24⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\whbdtosk.exe
        
        "C:\Windows\system32\whbdtosk.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\wokgj.exe
        
        "C:\Windows\system32\wokgj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\wpv.exe
        
        "C:\Windows\system32\wpv.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\wwu.exe
        
        "C:\Windows\system32\wwu.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wlio.exe
        
        "C:\Windows\system32\wlio.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\webiw.exe
        
        "C:\Windows\system32\webiw.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\wplgod.exe
        
        "C:\Windows\system32\wplgod.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\wyqdyh.exe
        
        "C:\Windows\system32\wyqdyh.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\wgdeam.exe
        
        "C:\Windows\system32\wgdeam.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\wgxa.exe
        
        "C:\Windows\system32\wgxa.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\wmg.exe
        
        "C:\Windows\system32\wmg.exe"
        35⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\whveuvla.exe
        
        "C:\Windows\system32\whveuvla.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\wxqfmk.exe
        
        "C:\Windows\system32\wxqfmk.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\wuqjdl.exe
        
        "C:\Windows\system32\wuqjdl.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\wxulwx.exe
        
        "C:\Windows\system32\wxulwx.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\wxreen.exe
        
        "C:\Windows\system32\wxreen.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\wqqmg.exe
        
        "C:\Windows\system32\wqqmg.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\wddwfqq.exe
        
        "C:\Windows\system32\wddwfqq.exe"
        42⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\wnmltl.exe
        
        "C:\Windows\system32\wnmltl.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\wdipkaime.exe
        
        "C:\Windows\system32\wdipkaime.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\wdelhtg.exe
        
        "C:\Windows\system32\wdelhtg.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\wrynwj.exe
        
        "C:\Windows\system32\wrynwj.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\waknyo.exe
        
        "C:\Windows\system32\waknyo.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\wtrxk.exe
        
        "C:\Windows\system32\wtrxk.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\wum.exe
        
        "C:\Windows\system32\wum.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\wwywrd.exe
        
        "C:\Windows\system32\wwywrd.exe"
        50⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\wwtrnxpgw.exe
        
        "C:\Windows\system32\wwtrnxpgw.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\wwupxt.exe
        
        "C:\Windows\system32\wwupxt.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\wwgbomj.exe
        
        "C:\Windows\system32\wwgbomj.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\wlnnkc.exe
        
        "C:\Windows\system32\wlnnkc.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\wwjukawh.exe
        
        "C:\Windows\system32\wwjukawh.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wylsure.exe
        
        "C:\Windows\system32\wylsure.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\wvqx.exe
        
        "C:\Windows\system32\wvqx.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\wpw.exe
        
        "C:\Windows\system32\wpw.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\SysWOW64\wmhvkybk.exe
        
        "C:\Windows\system32\wmhvkybk.exe"
        59⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\wjgacbyh.exe
        
        "C:\Windows\system32\wjgacbyh.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\wms.exe
        
        "C:\Windows\system32\wms.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\wywyo.exe
        
        "C:\Windows\system32\wywyo.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\wkeouhl.exe
        
        "C:\Windows\system32\wkeouhl.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\wvcwr.exe
        
        "C:\Windows\system32\wvcwr.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\wmonk.exe
        
        "C:\Windows\system32\wmonk.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\wbp.exe
        
        "C:\Windows\system32\wbp.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\wmlfs.exe
        
        "C:\Windows\system32\wmlfs.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\wwtvya.exe
        
        "C:\Windows\system32\wwtvya.exe"
        68⤵
        Checks computer location settings
        
        PID:4496
        
        C:\Windows\SysWOW64\wjf.exe
        
        "C:\Windows\system32\wjf.exe"
        69⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\wysuqk.exe
        
        "C:\Windows\system32\wysuqk.exe"
        70⤵
        Checks computer location settings
        
        PID:3716
        
        C:\Windows\SysWOW64\wcuoswfpv.exe
        
        "C:\Windows\system32\wcuoswfpv.exe"
        71⤵
        Checks computer location settings
        
        PID:3572
        
        C:\Windows\SysWOW64\wypnyy.exe
        
        "C:\Windows\system32\wypnyy.exe"
        72⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\wrllf.exe
        
        "C:\Windows\system32\wrllf.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\wlwem.exe
        
        "C:\Windows\system32\wlwem.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\wadrihan.exe
        
        "C:\Windows\system32\wadrihan.exe"
        75⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\wbbrrydx.exe
        
        "C:\Windows\system32\wbbrrydx.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\wpup.exe
        
        "C:\Windows\system32\wpup.exe"
        77⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\wbdssrl.exe
        
        "C:\Windows\system32\wbdssrl.exe"
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\wpkgpil.exe
        
        "C:\Windows\system32\wpkgpil.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\wvvhpni.exe
        
        "C:\Windows\system32\wvvhpni.exe"
        80⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\wtox.exe
        
        "C:\Windows\system32\wtox.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wmti.exe
        
        "C:\Windows\system32\wmti.exe"
        82⤵
        Checks computer location settings
        
        PID:3648
        
        C:\Windows\SysWOW64\wvnutwmq.exe
        
        "C:\Windows\system32\wvnutwmq.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\wboo.exe
        
        "C:\Windows\system32\wboo.exe"
        84⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\wynr.exe
        
        "C:\Windows\system32\wynr.exe"
        85⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\wfkdu.exe
        
        "C:\Windows\system32\wfkdu.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\whc.exe
        
        "C:\Windows\system32\whc.exe"
        87⤵
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\wnlweo.exe
        
        "C:\Windows\system32\wnlweo.exe"
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\wqxlddnbs.exe
        
        "C:\Windows\system32\wqxlddnbs.exe"
        89⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\wdusd.exe
        
        "C:\Windows\system32\wdusd.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\wxioue.exe
        
        "C:\Windows\system32\wxioue.exe"
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\wnocqunoo.exe
        
        "C:\Windows\system32\wnocqunoo.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wispd.exe
        
        "C:\Windows\system32\wispd.exe"
        93⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\wfuco.exe
        
        "C:\Windows\system32\wfuco.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\wctgg.exe
        
        "C:\Windows\system32\wctgg.exe"
        95⤵
        Checks computer location settings
        
        PID:4668
        
        C:\Windows\SysWOW64\wodiccno.exe
        
        "C:\Windows\system32\wodiccno.exe"
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\wtemvn.exe
        
        "C:\Windows\system32\wtemvn.exe"
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\wbditsgql.exe
        
        "C:\Windows\system32\wbditsgql.exe"
        98⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Windows\SysWOW64\wtuohfso.exe
        
        "C:\Windows\system32\wtuohfso.exe"
        99⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\wsjhrb.exe
        
        "C:\Windows\system32\wsjhrb.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\wydyemmvl.exe
        
        "C:\Windows\system32\wydyemmvl.exe"
        101⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\wtgko.exe
        
        "C:\Windows\system32\wtgko.exe"
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\wqkxb.exe
        
        "C:\Windows\system32\wqkxb.exe"
        103⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Windows\SysWOW64\wuvm.exe
        
        "C:\Windows\system32\wuvm.exe"
        104⤵
        Checks computer location settings
        
        PID:2284
        
        C:\Windows\SysWOW64\wqyynmm.exe
        
        "C:\Windows\system32\wqyynmm.exe"
        105⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\wtmona.exe
        
        "C:\Windows\system32\wtmona.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\wqblfes.exe
        
        "C:\Windows\system32\wqblfes.exe"
        107⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\wqetiayq.exe
        
        "C:\Windows\system32\wqetiayq.exe"
        108⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\wqgd.exe
        
        "C:\Windows\system32\wqgd.exe"
        109⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\wtfcrjjp.exe
        
        "C:\Windows\system32\wtfcrjjp.exe"
        110⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Windows\SysWOW64\wlwhet.exe
        
        "C:\Windows\system32\wlwhet.exe"
        111⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\wquhmjcux.exe
        
        "C:\Windows\system32\wquhmjcux.exe"
        112⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\wqxpoe.exe
        
        "C:\Windows\system32\wqxpoe.exe"
        113⤵
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\wat.exe
        
        "C:\Windows\system32\wat.exe"
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\wqmsa.exe
        
        "C:\Windows\system32\wqmsa.exe"
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\wnqflbff.exe
        
        "C:\Windows\system32\wnqflbff.exe"
        116⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\wwsdgub.exe
        
        "C:\Windows\system32\wwsdgub.exe"
        117⤵
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\wbrdnje.exe
        
        "C:\Windows\system32\wbrdnje.exe"
        118⤵
        Checks computer location settings
        
        PID:3032
        
        C:\Windows\SysWOW64\wctkqek.exe
        
        "C:\Windows\system32\wctkqek.exe"
        119⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\wxiiijxm.exe
        
        "C:\Windows\system32\wxiiijxm.exe"
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\wtajmno.exe
        
        "C:\Windows\system32\wtajmno.exe"
        121⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\woo.exe
        
        "C:\Windows\system32\woo.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtajmno.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiiijxm.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctkqek.exe"
        120⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrdnje.exe"
        119⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsdgub.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqflbff.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqmsa.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wat.exe"
        115⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxpoe.exe"
        114⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquhmjcux.exe"
        113⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1680
        113⤵
        Program crash
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1676
        113⤵
        Program crash
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwhet.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfcrjjp.exe"
        111⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgd.exe"
        110⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqetiayq.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqblfes.exe"
        108⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmona.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1424
        107⤵
        Program crash
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqyynmm.exe"
        106⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvm.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1672
        105⤵
        Program crash
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkxb.exe"
        104⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtgko.exe"
        103⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydyemmvl.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjhrb.exe"
        101⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1680
        101⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtuohfso.exe"
        100⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbditsgql.exe"
        99⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtemvn.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodiccno.exe"
        97⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctgg.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuco.exe"
        95⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wispd.exe"
        94⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnocqunoo.exe"
        93⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxioue.exe"
        92⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1280
        92⤵
        Program crash
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdusd.exe"
        91⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxlddnbs.exe"
        90⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlweo.exe"
        89⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whc.exe"
        88⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkdu.exe"
        87⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 116
        87⤵
        Program crash
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynr.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wboo.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnutwmq.exe"
        84⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmti.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtox.exe"
        82⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvhpni.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkgpil.exe"
        80⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdssrl.exe"
        79⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpup.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbrrydx.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadrihan.exe"
        76⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwem.exe"
        75⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrllf.exe"
        74⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypnyy.exe"
        73⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcuoswfpv.exe"
        72⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysuqk.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjf.exe"
        70⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtvya.exe"
        69⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmlfs.exe"
        68⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1668
        68⤵
        Program crash
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbp.exe"
        67⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmonk.exe"
        66⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcwr.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkeouhl.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywyo.exe"
        63⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1244
        63⤵
        Program crash
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wms.exe"
        62⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgacbyh.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhvkybk.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpw.exe"
        59⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqx.exe"
        58⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1676
        58⤵
        Program crash
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylsure.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjukawh.exe"
        56⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnnkc.exe"
        55⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgbomj.exe"
        54⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwupxt.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtrnxpgw.exe"
        52⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwywrd.exe"
        51⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wum.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrxk.exe"
        49⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waknyo.exe"
        48⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrynwj.exe"
        47⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdelhtg.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdipkaime.exe"
        45⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmltl.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddwfqq.exe"
        43⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqmg.exe"
        42⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxreen.exe"
        41⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxulwx.exe"
        40⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqjdl.exe"
        39⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqfmk.exe"
        38⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whveuvla.exe"
        37⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmg.exe"
        36⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxa.exe"
        35⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdeam.exe"
        34⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqdyh.exe"
        33⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplgod.exe"
        32⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webiw.exe"
        31⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlio.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwu.exe"
        29⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpv.exe"
        28⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokgj.exe"
        27⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbdtosk.exe"
        26⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrb.exe"
        25⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcms.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmjo.exe"
        23⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxkn.exe"
        22⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuygv.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuelycf.exe"
        20⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpc.exe"
        19⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woedgc.exe"
        18⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnurqhd.exe"
        17⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkdsgs.exe"
        16⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whffgd.exe"
        15⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhcoc.exe"
        14⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvantlc.exe"
        13⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrlujgm.exe"
        12⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaci.exe"
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwhfmt.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsjtk.exe"
        9⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxgwggmv.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpx.exe"
        7⤵
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsx.exe"
        6⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmk.exe"
        5⤵
        
        PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscy.exe"
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwlssw.exe"
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe"
  2⤵
  PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4876 -ip 4876
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5104 -ip 5104
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1712 -ip 1712
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1844 -ip 1844
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4632 -ip 4632
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4820 -ip 4820
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2284 -ip 2284
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4920 -ip 4920
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4860 -ip 4860
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4860 -ip 4860
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wcms.exe

Filesize
270KB

MD5
ac404842593f1c624fd4297e2d9e9b55

SHA1
ba9955fd13d844bc2e72f7f14d83303053fdce9b

SHA256
c3299d3305a2779d0b74f9460a665c2fd8361f81c3b1527e8bf3f6e46bacf5df

SHA512
41c156d2ebc32f91b348697c98262c4510c99b1b6f3dad6e19f8c6959c3d4efc47e57b80a997c4b7096624f43ead890194606cb5ad811f9c0d3ed0f563475fbc

Download Submit
C:\Windows\SysWOW64\wdxgwggmv.exe

Filesize
269KB

MD5
ef97358c149699c3d910a7f5eac4de86

SHA1
90c7ed933b4e4659b636fc2ae9ae151ab927df25

SHA256
d22d6e25e4476b4269d2b207d4d39258e37b0b7478f3ed88d717eaf78129f370

SHA512
27e7504bfe644e15660b0fd487bee5818e0d3c17bbcd8a53f5fe293e25b02647d126d8d415924381e7003eaab9c0928bc55cdcf451aff2490cfd9cf70d9c252e

Download Submit
C:\Windows\SysWOW64\webiw.exe

Filesize
270KB

MD5
1d83b2bf3a3c09861660a70b70383585

SHA1
78d187d20772314dd8a6ad63910e17d9e7028222

SHA256
4cf14d49f87743a1d04a35972d4f4aff73527480633ddff10a0707532142fb98

SHA512
cf6290aa9a737fc310b1f6f99d2ec4270f8ebae70b618dd36997eee6fc222370763424726cee9ba1ebd825028394caa3fc4bb9796558cd3e1d71e8491a8d96c0

Download Submit
C:\Windows\SysWOW64\wgdeam.exe

Filesize
270KB

MD5
54ae7b6cb2616a1475850129cf3d1f38

SHA1
b4bbd92e22629d02ce65c73a32e23af2abc9494b

SHA256
26bd7be4576c1a54a30b2455a3a82c4dc67c0116a13eca2e456f53bd1e85ae25

SHA512
7d50595df6dd53b0f03a1ea33d1594d924ba290d9aa8d998fb551116a462ec6f49a0dd3b1610a1638d789b487c72a6c77dfc87c6477cbddd28bda9c54e7a1b1a

Download Submit
C:\Windows\SysWOW64\wgwhfmt.exe

Filesize
270KB

MD5
a19c6fb773c48da4fb85091d41e527f0

SHA1
46f235429efa525ad4b6b9f1b084682bd08e3a5d

SHA256
31626ae0090a6e34c44b25a956fbd6005c44a1dadb407795f07a5c5a43561794

SHA512
aff0e88b652fac58d24dc5e8aa589e96976e9768c013f0038099613b6c69d4d50d7a582481314387a08a38bda3a8533f1d55e0b208f216137b224ab299c6747c

Download Submit
C:\Windows\SysWOW64\whbdtosk.exe

Filesize
270KB

MD5
49982a7641e48b0a582d37f454b160d8

SHA1
c1c46b12dc480f8e32b72b39b0b1137e9b604019

SHA256
b7db9d63fc1d189affbf657a19e0c5c772cd48a67487f92d005926743e5f857b

SHA512
89415f61e964cd84ff8c0ef088829d926f1cc338a3a7cfcca9862ab1b281d59bd7b22da77f7d86fc500f0390d50a2941096caa9e4ebdf29b9bc0ab544fa015e5

Download Submit
C:\Windows\SysWOW64\whffgd.exe

Filesize
270KB

MD5
37d11f04d903c8ff497c05ce5c02ce6e

SHA1
07c94b34f1cdc0c9fcec643e7ae432111ef93a32

SHA256
665b999d2af26f1cee4dca1645f0ebe686999e290f81ceb27b3b6cf5a22f3b5a

SHA512
9e981cd2eb846ba7df3325d3f63a9a08fb1b543f65f113fbe166c5d1f9c3ce2165e77c18cd520a288b62471056c7e3edd915280ac3798c0d52ebfb126ff83bbf

Download Submit
C:\Windows\SysWOW64\wjaci.exe

Filesize
270KB

MD5
f5aa5b91bb9435e08d46bd77a0445f36

SHA1
82bd1d1f5640f0cd74c2ab062008ce1c2b22ccbf

SHA256
4c22163a8b918424031b4ac256165260bc7a2298021afefeac31fc34eb0b99f2

SHA512
5f259ca7a9b300736747f36f026bbe73d609fc65dea82306641b0fa8956ac6b2f3ab33216842e3877498397a46f96204c2cbbc2eab49be4f6e1a1dc23ea16de6

Download Submit
C:\Windows\SysWOW64\wkhcoc.exe

Filesize
270KB

MD5
3d5ed54eabdee87a2fc5276b90eec2a3

SHA1
76094479e2c9d0f69052ec51032ee292b2d77b9e

SHA256
1cecce59344867748e19b50a724ce26dee7925cd18b23955a24135376b8391ac

SHA512
e2f0df09997fe2a19b690baf978cfc3c70f71a8045155bad0013f0d7719253207d722b52c0e2eb277a805e0ec6b51dc777731b2c09a74366497cf9cd7e96f054

Download Submit
C:\Windows\SysWOW64\wkmjo.exe

Filesize
270KB

MD5
afee3985b1fd2da8219afe347286a27d

SHA1
c2b7468f1af72302c6c5dddf580dad948df3b3e1

SHA256
be09af7064c39c27b940586a534aa9add4917a2292b4d4799d472ab8dfeb9a2f

SHA512
ee3c0138f84d011907e7af61896ae0cf48ee59a60f736b445a03594f5ff2ebe68937f0d721b25128f0535deafc3660bbd7d826faa8f7d96a7ab3bba860cb43a1

Download Submit
C:\Windows\SysWOW64\wlio.exe

Filesize
270KB

MD5
b3bd7ed2ba8bd9fe22b0e9fc4ffc1968

SHA1
ccba30ee7bc7956559fdd3512990a5637906ef47

SHA256
d1f3660a68612b7fac4bb772d742b21927b5ae5c1383f0305cf3761dad4bbd82

SHA512
2373d76cbc997dfb4b8296f5977b53c8fc39f15a16e7e4a6c6a6801a64afa88a1b905f8c501d00e924327549ac6c83f902fe3b80d14526b230e9ee796910269e

Download Submit
C:\Windows\SysWOW64\wmk.exe

Filesize
269KB

MD5
598edeabe0d83d645393a4f199b8f9c1

SHA1
3088c0694a1f6f9724f9339e2f4ea849cf92b056

SHA256
3ae51db6a337390563ac8a2f2fa1c1a1ac73f942f34c3d4ccfcf03dbde0db5a3

SHA512
bb1c484524b8096228d80f72a7084657518c511d72f5112104dd75f18f9712628a351cb335f3081cedf1ed6a03537c3940562c94fa18f8f901cdb38825b3ed62

Download Submit
C:\Windows\SysWOW64\wnrlujgm.exe

Filesize
270KB

MD5
71e16fc71f04683b3dc7623d5549dcbf

SHA1
b6a661cadfa6caa07271a553b4dfa38b9a7808ec

SHA256
270857219467ae3b1817722b05438f0bd07bc4ff1817a6dd1c27ec7880444a8a

SHA512
23517fdebba34cf3d70e0faea9898b97973e8565440b9f9a2c1fa99ef465a4086bca72bb582a84f7ff46f611aff207752fcdd8b861d94f8d4e1f00cea09f1c84

Download Submit
C:\Windows\SysWOW64\wnurqhd.exe

Filesize
270KB

MD5
06d41499cc7ee7fa45571d9a93318593

SHA1
23ff89614a9e35df8ec5d7966fdb3800a013b5d5

SHA256
3bf25664b8d30dea87c37d065350b1f86293840b9f3b79b41893e2262f12e0e6

SHA512
e686d8c427f2395bd7d4bb172d6ea8a4d821b957f0be7f0cb1f48dff71072d11b9d43c14693c363fd8940de2551d91d2095c0bd3047e99977fa408ba103de75d

Download Submit
C:\Windows\SysWOW64\woedgc.exe

Filesize
270KB

MD5
71b9c3707c49c30cbff6ee79ce1363d9

SHA1
be30ce9058017ce1afd957fd232563cf63ad6056

SHA256
164420478d841e4f96aa127c56bf259d292098e1187cc8c53bf569967dab0170

SHA512
8925453b800cd445488d6d07380e84c37653abc14545f77220464c17dcec799f0a2d0aa620dc54376348ea5e65f5a01dcac8eb5ee3c389c690d3b90bd12f7240

Download Submit
C:\Windows\SysWOW64\wokgj.exe

Filesize
270KB

MD5
adf7da52d058cac278529e039856a915

SHA1
7fcb0aa7caa9ea9606dc33230ddf734761a95348

SHA256
6d26696e5ac5a88276cb5438a6c8a7d56623b6abc6d1ceefd139513c827dd7ae

SHA512
4020c5d989b0f7fd95bf8699774e007ddcd7673803f80d1e2bdddfeec38b35c23930ff62258cef152add9fee8b14317352f53faacc92684486ae75cca07d1cee

Download Submit
C:\Windows\SysWOW64\wplgod.exe

Filesize
270KB

MD5
2ce4203e939d9173a202fb9ff3bd7163

SHA1
acf040bde988cd776747f3b3a0a70f8c03c5e8fa

SHA256
2bec4c085f9aab539f248160e1ba98fbb8a8f45aff6c728783cd5ed375ba715e

SHA512
e1ce3c2466ce846e58c209f57578bd93f4f181c8416f0863e5f8737ce0f5dd03dbe64d0c664b804e62b33252aa9dd7acab2fe8c22ce77607e77d3125fa283d81

Download Submit
C:\Windows\SysWOW64\wpv.exe

Filesize
270KB

MD5
475d65c22675db0fa1564ad6ee2a0d51

SHA1
1511d4aee143ee3a398a0bb4e544a2e26af64f56

SHA256
1df9dc77eb9b5fbafd76767ebca997de95fc395e2e3c200c6d9d94b62e163895

SHA512
488f6c3d4b14e3a64d120d3a9ec8dc779b07641c436aca9acccb33789b5e344633f1472fe41950de6a80f9f629bb3bfa8abbb8a7c20db46d37c5c031c4138c9a

Download Submit
C:\Windows\SysWOW64\wpx.exe

Filesize
269KB

MD5
7c3a53b1b8b7b14b42e901c61a811448

SHA1
93beedebe5d5a244e9b6a3cff7d91ef9064d98ac

SHA256
5be91b3ab1da64c215cb5feb11a4289f1b4e5b480d5d4b10f9c105f9cac49e1c

SHA512
2491fcd606eda4f518dbf6fbb113e0f0f98add27b194498c3500415fd580271dedc44317672d0b068f3c579343c329c011857bfc719295767b510125e028be7d

Download Submit
C:\Windows\SysWOW64\wrkdsgs.exe

Filesize
270KB

MD5
b72a6f935c287fca4b2c9adca2ec1171

SHA1
7b8c61ab9ea39959f6453024b827f679c42dc500

SHA256
706eb81e6cc3aeb5619edfa5e7a6102e9c30a28fc6315bba283d7da09bbc3941

SHA512
a4bdbfcb05fc3271d7d1aa430261c597f0f88e49068511ef5723561067672c9740c7e7809d79ae1057a3c73985f433b107454adfb0103b07cbccd98f8e5ddd7c

Download Submit
C:\Windows\SysWOW64\wrxkn.exe

Filesize
270KB

MD5
a6786ce6958028ee9b081a8af763be57

SHA1
f77296b24a73c5dfe93a9ec4433709efc8c7d3fd

SHA256
e45ba2200f7fcc6cf3a1dda4dd198e02890e139af005c2cb3f89ef1ad54e161a

SHA512
f5e3014025ca3177122ad2db924e566b1dbe13def370f89c2ac1c8638f3ce9139099d63f04b89781f3511c2d87e37ac24799548fc0d472b4a69530fc29f2fdf2

Download Submit
C:\Windows\SysWOW64\wscy.exe

Filesize
269KB

MD5
0dfa1b2ed1c38f3eaaf10d84fc304ba2

SHA1
d41ba155d4992b365704af3fd609c46367fcc404

SHA256
3fcba718a1f1014283eb928ac772f68e095fe0e2d99975f63b48b604a97baaf4

SHA512
22ec3d297404073b6f0f5a0eccff26e04ede418dd10c6bb0f3394ee0b20aa382d7738842eb7ebfc5239ed03081e82a16a8895ee3b451f579df17e30d484608a7

Download Submit
C:\Windows\SysWOW64\wsx.exe

Filesize
269KB

MD5
5ab8f5ccd42dcff5fe893a2d4f6e772e

SHA1
b3921431009fd59ae613effe702db4ccb09f01ff

SHA256
e2232494612d87822f27bc82c7103ccacfdd36792e727ddf6f6fb3cc4b00d903

SHA512
f3529f5effb0c999fb06a96a68f64d8d002385d399b4c7bb1ac629c3c0bcb3200690f22426f7bcc0aa021b76fe5fb5e3fb9d76c4296f763b40aecfd61b70e5f7

Download Submit
C:\Windows\SysWOW64\wuelycf.exe

Filesize
270KB

MD5
37831833c3483c26d4e825e89261b9d9

SHA1
12261e216a18d573fd831dbda8fe311afbc31dfb

SHA256
f262fad0f9806e70c631ae8f3127e57e8c0c74419b1fa803873beed521d03a23

SHA512
a2c7176ab53c7c6f6e094eb5cfd2edb6c93759efb0e4f51ee977628815a983d2928e2d6faa393fd64d00a18d869a1da79f8699f2229e97744154d84787aff78e

Download Submit
C:\Windows\SysWOW64\wuygv.exe

Filesize
270KB

MD5
d2b55a1626a68db6447b0a96699a92b4

SHA1
eb4996cc97cee70a504f31b73174d8ec9a4feb55

SHA256
16cc6e03aaaae377dfbab746cbf8d43c36779d9bff40ac59bc1508ae6e973e1f

SHA512
2059c0eb183e7f71a975d5b0415f3817255789ee0c60f8b14e840b450961409866125d945e336f78d0e05a6c178a77f256309d6e0e394338f8ea4b7ca23a0aeb

Download Submit
C:\Windows\SysWOW64\wvantlc.exe

Filesize
270KB

MD5
e9e8ae10fb8ac6ca175f71220e8b8601

SHA1
2340114ebbcd3795e2f9e96a0abd22f99b6d94be

SHA256
7a4dae33e093e7fbe9026c9524f360c677d2edfb3b34bb4b5c9624523bad2d03

SHA512
1ef5d0789d3d1092118fd4972610a9f05524c252764ff884f2ea8a5e9dadf43b5e199662f267846a11fcf9220252453cc11717f63f1a9d4ff61f23c05c38d1f9

Download Submit
C:\Windows\SysWOW64\wvrb.exe

Filesize
270KB

MD5
3604704d9c3b382f1761add465e2f50f

SHA1
d39c0bff45deea28b8b1c60f83897bc83ca3e286

SHA256
83b5e6a000d8713021001f6af13d670147b01d9cc3e46b9d5f13933974d5de67

SHA512
cab8ed90d86ea696465dbb678cbcc62deeb7407394431873fcef9c059c65d4eb5bb3fe0e2f5a50db3c92bb6eccb9cdb4d05d95c3d8fb3a59620aaf155563f83f

Download Submit
C:\Windows\SysWOW64\wwlssw.exe

Filesize
269KB

MD5
805d83c6c030c73b4325bc3b461c37dc

SHA1
6a2b63922586a3e1f8f43aad59668472e3a0508f

SHA256
5519c05bf544e1f98a7d69613bd6ce5391f4c29ba2f5e24fdcf004fbf60e9aec

SHA512
ed77c3b8e4d8d73378bb5214f411e201d74097846bebf3d501e4a56a4b267b29983ccdfc4b202e9b70108eb89a8856ead1ecc003092a669514e483028801252a

Download Submit
C:\Windows\SysWOW64\wwpc.exe

Filesize
270KB

MD5
23b627996e69cbc458d7a8d8b1242aed

SHA1
9a542ba6ce158d6895aba8933951b888787e471c

SHA256
bc41071ae0102435ba44907f33475daadf5188e6d1440573ee612cd155835367

SHA512
31931c6c5aa3742b2b55dbb5b7ef17a1f8ac43a56eb64e09fe78da4ad4326120077ba02e7046a043293f669245a842fe336387f0bb18ed266d7e16dcffe53f10

Download Submit
C:\Windows\SysWOW64\wwsjtk.exe

Filesize
269KB

MD5
aca4eaeb9c3342996bde96295556280c

SHA1
7b37cd33f8a7a5a01cceed237a7641f6b8091bb0

SHA256
dfe199f2b96a7d44b5eb2befbe35b9869fb4e6489433b4cdb0d787d6837ce42a

SHA512
88828beee5c8bcb9910d3fd4ee69d05acd8e0c282743564a4cb06e2dfd3744aa8b47e279b1888a4e6cdade8f2a0abeebb95817b47ead15405f5434fc35d7eb2f

Download Submit
C:\Windows\SysWOW64\wwu.exe

Filesize
270KB

MD5
5f7174c1e913d1baaf7283fc8ec07502

SHA1
2ba0ec7866b01604253021cd2594971bf5478dca

SHA256
d31b833d0e931935e6e547c3d8bce3966ecc05f013679497af7c74de253e990e

SHA512
abb2266c1bac7216fb9b95f5f5738f2be8e366259223aa9d65be7522e6ff5bb47fa5deadf39585efea94379d44dcf2193838ff2944b988775207bcb99325a885

Download Submit
C:\Windows\SysWOW64\wyqdyh.exe

Filesize
270KB

MD5
81cddcee7124f5dc8aa5b3bbeebc7f8f

SHA1
7c8e64d65ba3f7ff428bc43a603f550267349422

SHA256
aa520f14a4e63d072f2ed721a50a44c2c4c618fa58c11a0b6e81795e0e4b6161

SHA512
33a8954387cef306792ac0100f3a092dc424877ee083a40c3dcbd7c8d0d79d497c0395b157ab8a88cba50269489c8a113fd3cc64aa13c4eafde8d07f3649da90

Download Submit
memory/184-339-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/184-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/448-493-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/452-258-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/456-207-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/512-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/512-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/680-554-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/840-701-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/888-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/988-804-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1252-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1272-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1396-830-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-854-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-520-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1712-633-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1788-563-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1844-796-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-779-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1952-736-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1964-598-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-459-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-300-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2192-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-745-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2364-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2400-278-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-753-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-485-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2556-331-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2568-788-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2764-248-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2928-846-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2940-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2960-615-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2972-451-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3052-468-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-268-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3212-580-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3240-727-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3248-442-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3304-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3464-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3572-667-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3612-538-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3648-762-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3652-416-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3668-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3716-658-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3744-571-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3760-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3780-650-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3840-624-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3840-424-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3900-821-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3900-321-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3964-398-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4084-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4172-228-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4216-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4232-684-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4300-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4340-310-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4452-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4492-718-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-641-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4536-862-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4568-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4584-606-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4588-476-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4632-838-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4644-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4668-870-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4720-770-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4736-433-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4740-502-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4780-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4876-546-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4880-813-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4880-511-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4888-692-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4920-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4964-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4992-675-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4992-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4992-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5076-709-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5080-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5100-529-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5104-589-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download