Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    31/10/2024, 03:11

General

  • Target

    124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe

  • Size

    97KB

  • MD5

    12552efed1e955111926e48b1d277910

  • SHA1

    4ffe01b76370a5d571ac7f1e14a44c738a3b1b50

  • SHA256

    124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43

  • SHA512

    99f58d14120100bbf0a155c7dfb6cf316a2bdeaac33dc4fb0a8008aef4ff21a2f817f5f4087e6fe7e44dc2201b28285d6ea31940bec62bd1a15ca3b52006a346

  • SSDEEP

    1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCi7w:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC3

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
    "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\wro.exe
      "C:\Windows\system32\wro.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\woq.exe
        "C:\Windows\system32\woq.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\wyulxrq.exe
          "C:\Windows\system32\wyulxrq.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Windows\SysWOW64\wdekseifi.exe
            "C:\Windows\system32\wdekseifi.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2840
            • C:\Windows\SysWOW64\wipman.exe
              "C:\Windows\system32\wipman.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2388
              • C:\Windows\SysWOW64\wdce.exe
                "C:\Windows\system32\wdce.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:2500
                • C:\Windows\SysWOW64\wpqiqp.exe
                  "C:\Windows\system32\wpqiqp.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2116
                  • C:\Windows\SysWOW64\wcjibkb.exe
                    "C:\Windows\system32\wcjibkb.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Adds Run key to start application
                    • Drops file in System32 directory
                    PID:880
                    • C:\Windows\SysWOW64\wwioaqyl.exe
                      "C:\Windows\system32\wwioaqyl.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      PID:2080
                      • C:\Windows\SysWOW64\wpltaa.exe
                        "C:\Windows\system32\wpltaa.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        PID:1760
                        • C:\Windows\SysWOW64\wti.exe
                          "C:\Windows\system32\wti.exe"
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          PID:976
                          • C:\Windows\SysWOW64\wmps.exe
                            "C:\Windows\system32\wmps.exe"
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Adds Run key to start application
                            PID:1380
                            • C:\Windows\SysWOW64\wywjn.exe
                              "C:\Windows\system32\wywjn.exe"
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Adds Run key to start application
                              PID:2068
                              • C:\Windows\SysWOW64\wlfyqlekn.exe
                                "C:\Windows\system32\wlfyqlekn.exe"
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Adds Run key to start application
                                PID:1132
                                • C:\Windows\SysWOW64\wucj.exe
                                  "C:\Windows\system32\wucj.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Adds Run key to start application
                                  • Drops file in System32 directory
                                  PID:1716
                                  • C:\Windows\SysWOW64\wrjrip.exe
                                    "C:\Windows\system32\wrjrip.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops file in System32 directory
                                    PID:2280
                                    • C:\Windows\SysWOW64\wqlrana.exe
                                      "C:\Windows\system32\wqlrana.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      PID:3036
                                      • C:\Windows\SysWOW64\wvjfowh.exe
                                        "C:\Windows\system32\wvjfowh.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        PID:2656
                                        • C:\Windows\SysWOW64\wnqqjj.exe
                                          "C:\Windows\system32\wnqqjj.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          PID:2700
                                          • C:\Windows\SysWOW64\wwnanmsc.exe
                                            "C:\Windows\system32\wwnanmsc.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:1848
                                            • C:\Windows\SysWOW64\wnjd.exe
                                              "C:\Windows\system32\wnjd.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Adds Run key to start application
                                              • System Location Discovery: System Language Discovery
                                              PID:2028
                                              • C:\Windows\SysWOW64\wwrwoaf.exe
                                                "C:\Windows\system32\wwrwoaf.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:2156
                                                • C:\Windows\SysWOW64\wfaqad.exe
                                                  "C:\Windows\system32\wfaqad.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Adds Run key to start application
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:600
                                                  • C:\Windows\SysWOW64\wwhdvod.exe
                                                    "C:\Windows\system32\wwhdvod.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:660
                                                    • C:\Windows\SysWOW64\wnuewcl.exe
                                                      "C:\Windows\system32\wnuewcl.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      • Drops file in System32 directory
                                                      PID:2144
                                                      • C:\Windows\SysWOW64\wevo.exe
                                                        "C:\Windows\system32\wevo.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • Drops file in System32 directory
                                                        PID:3064
                                                        • C:\Windows\SysWOW64\wnryjr.exe
                                                          "C:\Windows\system32\wnryjr.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:2672
                                                          • C:\Windows\SysWOW64\wedswhut.exe
                                                            "C:\Windows\system32\wedswhut.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            PID:2612
                                                            • C:\Windows\SysWOW64\wqljbbs.exe
                                                              "C:\Windows\system32\wqljbbs.exe"
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              PID:2716
                                                              • C:\Windows\SysWOW64\wnyf.exe
                                                                "C:\Windows\system32\wnyf.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                PID:3008
                                                                • C:\Windows\SysWOW64\wuiygjbl.exe
                                                                  "C:\Windows\system32\wuiygjbl.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Adds Run key to start application
                                                                  PID:1608
                                                                  • C:\Windows\SysWOW64\wdcqr.exe
                                                                    "C:\Windows\system32\wdcqr.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:2304
                                                                    • C:\Windows\SysWOW64\wpg.exe
                                                                      "C:\Windows\system32\wpg.exe"
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Adds Run key to start application
                                                                      • Drops file in System32 directory
                                                                      PID:3068
                                                                      • C:\Windows\SysWOW64\wopvrj.exe
                                                                        "C:\Windows\system32\wopvrj.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • Drops file in System32 directory
                                                                        PID:2944
                                                                        • C:\Windows\SysWOW64\woakogyxa.exe
                                                                          "C:\Windows\system32\woakogyxa.exe"
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Adds Run key to start application
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1512
                                                                          • C:\Windows\SysWOW64\wxwt.exe
                                                                            "C:\Windows\system32\wxwt.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            PID:1892
                                                                            • C:\Windows\SysWOW64\wbhc.exe
                                                                              "C:\Windows\system32\wbhc.exe"
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2640
                                                                              • C:\Windows\SysWOW64\woptmsxh.exe
                                                                                "C:\Windows\system32\woptmsxh.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2836
                                                                                • C:\Windows\SysWOW64\wrwdahmf.exe
                                                                                  "C:\Windows\system32\wrwdahmf.exe"
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  PID:2612
                                                                                  • C:\Windows\SysWOW64\wphqxfy.exe
                                                                                    "C:\Windows\system32\wphqxfy.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Adds Run key to start application
                                                                                    • Drops file in System32 directory
                                                                                    PID:2716
                                                                                    • C:\Windows\SysWOW64\wdogayx.exe
                                                                                      "C:\Windows\system32\wdogayx.exe"
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Adds Run key to start application
                                                                                      • Drops file in System32 directory
                                                                                      PID:2700
                                                                                      • C:\Windows\SysWOW64\wydd.exe
                                                                                        "C:\Windows\system32\wydd.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Adds Run key to start application
                                                                                        PID:976
                                                                                        • C:\Windows\SysWOW64\wxn.exe
                                                                                          "C:\Windows\system32\wxn.exe"
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Adds Run key to start application
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1592
                                                                                          • C:\Windows\SysWOW64\wlvhrwv.exe
                                                                                            "C:\Windows\system32\wlvhrwv.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Adds Run key to start application
                                                                                            • Drops file in System32 directory
                                                                                            PID:2516
                                                                                            • C:\Windows\SysWOW64\wgunqdtd.exe
                                                                                              "C:\Windows\system32\wgunqdtd.exe"
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1132
                                                                                              • C:\Windows\SysWOW64\wwuxyqmr.exe
                                                                                                "C:\Windows\system32\wwuxyqmr.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:996
                                                                                                • C:\Windows\SysWOW64\wcslmb.exe
                                                                                                  "C:\Windows\system32\wcslmb.exe"
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Adds Run key to start application
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:2120
                                                                                                  • C:\Windows\SysWOW64\wobcqv.exe
                                                                                                    "C:\Windows\system32\wobcqv.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Adds Run key to start application
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:2652
                                                                                                    • C:\Windows\SysWOW64\wbpfb.exe
                                                                                                      "C:\Windows\system32\wbpfb.exe"
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Suspicious use of UnmapMainImage
                                                                                                      PID:2580
                                                                                                      • C:\Windows\SysWOW64\wijvmxb.exe
                                                                                                        "C:\Windows\system32\wijvmxb.exe"
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Adds Run key to start application
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:1292
                                                                                                        • C:\Windows\SysWOW64\wvg.exe
                                                                                                          "C:\Windows\system32\wvg.exe"
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:2960
                                                                                                          • C:\Windows\SysWOW64\wepuvu.exe
                                                                                                            "C:\Windows\system32\wepuvu.exe"
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:1772
                                                                                                            • C:\Windows\SysWOW64\weny.exe
                                                                                                              "C:\Windows\system32\weny.exe"
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Adds Run key to start application
                                                                                                              PID:2140
                                                                                                              • C:\Windows\SysWOW64\wlhoxy.exe
                                                                                                                "C:\Windows\system32\wlhoxy.exe"
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Adds Run key to start application
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:1208
                                                                                                                • C:\Windows\SysWOW64\wxpfb.exe
                                                                                                                  "C:\Windows\system32\wxpfb.exe"
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Adds Run key to start application
                                                                                                                  • Drops file in System32 directory
                                                                                                                  PID:1512
                                                                                                                  • C:\Windows\SysWOW64\wec.exe
                                                                                                                    "C:\Windows\system32\wec.exe"
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:2432
                                                                                                                    • C:\Windows\SysWOW64\wuju.exe
                                                                                                                      "C:\Windows\system32\wuju.exe"
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Adds Run key to start application
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2860
                                                                                                                      • C:\Windows\SysWOW64\wipliklb.exe
                                                                                                                        "C:\Windows\system32\wipliklb.exe"
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Adds Run key to start application
                                                                                                                        PID:1324
                                                                                                                        • C:\Windows\SysWOW64\wihaqggs.exe
                                                                                                                          "C:\Windows\system32\wihaqggs.exe"
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Adds Run key to start application
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:612
                                                                                                                          • C:\Windows\SysWOW64\wupovbeb.exe
                                                                                                                            "C:\Windows\system32\wupovbeb.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Adds Run key to start application
                                                                                                                            PID:2300
                                                                                                                            • C:\Windows\SysWOW64\wpovt.exe
                                                                                                                              "C:\Windows\system32\wpovt.exe"
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2004
                                                                                                                              • C:\Windows\SysWOW64\wyxdym.exe
                                                                                                                                "C:\Windows\system32\wyxdym.exe"
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Adds Run key to start application
                                                                                                                                PID:2816
                                                                                                                                • C:\Windows\SysWOW64\wfrsjtaq.exe
                                                                                                                                  "C:\Windows\system32\wfrsjtaq.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:2648
                                                                                                                                  • C:\Windows\SysWOW64\wkevrdvsj.exe
                                                                                                                                    "C:\Windows\system32\wkevrdvsj.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2272
                                                                                                                                    • C:\Windows\SysWOW64\wcvsuqh.exe
                                                                                                                                      "C:\Windows\system32\wcvsuqh.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      PID:1624
                                                                                                                                      • C:\Windows\SysWOW64\wuywvyhx.exe
                                                                                                                                        "C:\Windows\system32\wuywvyhx.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:2404
                                                                                                                                        • C:\Windows\SysWOW64\wpqond.exe
                                                                                                                                          "C:\Windows\system32\wpqond.exe"
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:1944
                                                                                                                                          • C:\Windows\SysWOW64\whg.exe
                                                                                                                                            "C:\Windows\system32\whg.exe"
                                                                                                                                            69⤵
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2964
                                                                                                                                            • C:\Windows\SysWOW64\wtxqalr.exe
                                                                                                                                              "C:\Windows\system32\wtxqalr.exe"
                                                                                                                                              70⤵
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:2536
                                                                                                                                              • C:\Windows\SysWOW64\wvibnag.exe
                                                                                                                                                "C:\Windows\system32\wvibnag.exe"
                                                                                                                                                71⤵
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                PID:2328
                                                                                                                                                • C:\Windows\SysWOW64\wopmimjs.exe
                                                                                                                                                  "C:\Windows\system32\wopmimjs.exe"
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  PID:752
                                                                                                                                                  • C:\Windows\SysWOW64\whkowxabh.exe
                                                                                                                                                    "C:\Windows\system32\whkowxabh.exe"
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:1660
                                                                                                                                                    • C:\Windows\SysWOW64\wbchobsd.exe
                                                                                                                                                      "C:\Windows\system32\wbchobsd.exe"
                                                                                                                                                      74⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:2276
                                                                                                                                                      • C:\Windows\SysWOW64\wlvdf.exe
                                                                                                                                                        "C:\Windows\system32\wlvdf.exe"
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:2268
                                                                                                                                                        • C:\Windows\SysWOW64\whblrqoq.exe
                                                                                                                                                          "C:\Windows\system32\whblrqoq.exe"
                                                                                                                                                          76⤵
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          PID:2020
                                                                                                                                                          • C:\Windows\SysWOW64\wkvfl.exe
                                                                                                                                                            "C:\Windows\system32\wkvfl.exe"
                                                                                                                                                            77⤵
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:2576
                                                                                                                                                            • C:\Windows\SysWOW64\wfullm.exe
                                                                                                                                                              "C:\Windows\system32\wfullm.exe"
                                                                                                                                                              78⤵
                                                                                                                                                                PID:2056
                                                                                                                                                                • C:\Windows\SysWOW64\weupbjox.exe
                                                                                                                                                                  "C:\Windows\system32\weupbjox.exe"
                                                                                                                                                                  79⤵
                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:300
                                                                                                                                                                  • C:\Windows\SysWOW64\wymitof.exe
                                                                                                                                                                    "C:\Windows\system32\wymitof.exe"
                                                                                                                                                                    80⤵
                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:1336
                                                                                                                                                                    • C:\Windows\SysWOW64\wyllik.exe
                                                                                                                                                                      "C:\Windows\system32\wyllik.exe"
                                                                                                                                                                      81⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:1992
                                                                                                                                                                      • C:\Windows\SysWOW64\wtvcoqo.exe
                                                                                                                                                                        "C:\Windows\system32\wtvcoqo.exe"
                                                                                                                                                                        82⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:3032
                                                                                                                                                                        • C:\Windows\SysWOW64\wovinvmq.exe
                                                                                                                                                                          "C:\Windows\system32\wovinvmq.exe"
                                                                                                                                                                          83⤵
                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          PID:760
                                                                                                                                                                          • C:\Windows\SysWOW64\wsetb.exe
                                                                                                                                                                            "C:\Windows\system32\wsetb.exe"
                                                                                                                                                                            84⤵
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            PID:2348
                                                                                                                                                                            • C:\Windows\SysWOW64\wfljf.exe
                                                                                                                                                                              "C:\Windows\system32\wfljf.exe"
                                                                                                                                                                              85⤵
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              PID:1048
                                                                                                                                                                              • C:\Windows\SysWOW64\wwhltqseu.exe
                                                                                                                                                                                "C:\Windows\system32\wwhltqseu.exe"
                                                                                                                                                                                86⤵
                                                                                                                                                                                  PID:1576
                                                                                                                                                                                  • C:\Windows\SysWOW64\wkbldlc.exe
                                                                                                                                                                                    "C:\Windows\system32\wkbldlc.exe"
                                                                                                                                                                                    87⤵
                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:1132
                                                                                                                                                                                    • C:\Windows\SysWOW64\wfpivqo.exe
                                                                                                                                                                                      "C:\Windows\system32\wfpivqo.exe"
                                                                                                                                                                                      88⤵
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      PID:2148
                                                                                                                                                                                      • C:\Windows\SysWOW64\wicydhh.exe
                                                                                                                                                                                        "C:\Windows\system32\wicydhh.exe"
                                                                                                                                                                                        89⤵
                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        PID:2976
                                                                                                                                                                                        • C:\Windows\SysWOW64\wioaxn.exe
                                                                                                                                                                                          "C:\Windows\system32\wioaxn.exe"
                                                                                                                                                                                          90⤵
                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:1332
                                                                                                                                                                                          • C:\Windows\SysWOW64\wydayb.exe
                                                                                                                                                                                            "C:\Windows\system32\wydayb.exe"
                                                                                                                                                                                            91⤵
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:2760
                                                                                                                                                                                            • C:\Windows\SysWOW64\wudhxfph.exe
                                                                                                                                                                                              "C:\Windows\system32\wudhxfph.exe"
                                                                                                                                                                                              92⤵
                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              PID:2520
                                                                                                                                                                                              • C:\Windows\SysWOW64\wglxbbnp.exe
                                                                                                                                                                                                "C:\Windows\system32\wglxbbnp.exe"
                                                                                                                                                                                                93⤵
                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:1628
                                                                                                                                                                                                • C:\Windows\SysWOW64\wkpsyyk.exe
                                                                                                                                                                                                  "C:\Windows\system32\wkpsyyk.exe"
                                                                                                                                                                                                  94⤵
                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:1580
                                                                                                                                                                                                  • C:\Windows\SysWOW64\wcwgulng.exe
                                                                                                                                                                                                    "C:\Windows\system32\wcwgulng.exe"
                                                                                                                                                                                                    95⤵
                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                    PID:2272
                                                                                                                                                                                                    • C:\Windows\SysWOW64\wcvjkj.exe
                                                                                                                                                                                                      "C:\Windows\system32\wcvjkj.exe"
                                                                                                                                                                                                      96⤵
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1624
                                                                                                                                                                                                      • C:\Windows\SysWOW64\wbqgoh.exe
                                                                                                                                                                                                        "C:\Windows\system32\wbqgoh.exe"
                                                                                                                                                                                                        97⤵
                                                                                                                                                                                                          PID:2808
                                                                                                                                                                                                          • C:\Windows\SysWOW64\wryrisn.exe
                                                                                                                                                                                                            "C:\Windows\system32\wryrisn.exe"
                                                                                                                                                                                                            98⤵
                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:3052
                                                                                                                                                                                                            • C:\Windows\SysWOW64\wbucou.exe
                                                                                                                                                                                                              "C:\Windows\system32\wbucou.exe"
                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:2440
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryrisn.exe"
                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                                PID:2964
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqgoh.exe"
                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:2152
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvjkj.exe"
                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                              PID:2576
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwgulng.exe"
                                                                                                                                                                                                            96⤵
                                                                                                                                                                                                              PID:2316
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpsyyk.exe"
                                                                                                                                                                                                            95⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:1472
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglxbbnp.exe"
                                                                                                                                                                                                          94⤵
                                                                                                                                                                                                            PID:832
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudhxfph.exe"
                                                                                                                                                                                                          93⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:1028
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydayb.exe"
                                                                                                                                                                                                        92⤵
                                                                                                                                                                                                          PID:2080
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioaxn.exe"
                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                          PID:1940
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicydhh.exe"
                                                                                                                                                                                                        90⤵
                                                                                                                                                                                                          PID:1140
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpivqo.exe"
                                                                                                                                                                                                        89⤵
                                                                                                                                                                                                          PID:1124
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbldlc.exe"
                                                                                                                                                                                                        88⤵
                                                                                                                                                                                                          PID:1416
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhltqseu.exe"
                                                                                                                                                                                                        87⤵
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:1512
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfljf.exe"
                                                                                                                                                                                                      86⤵
                                                                                                                                                                                                        PID:2556
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsetb.exe"
                                                                                                                                                                                                      85⤵
                                                                                                                                                                                                        PID:2464
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovinvmq.exe"
                                                                                                                                                                                                      84⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1592
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvcoqo.exe"
                                                                                                                                                                                                    83⤵
                                                                                                                                                                                                      PID:952
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyllik.exe"
                                                                                                                                                                                                    82⤵
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:1944
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymitof.exe"
                                                                                                                                                                                                  81⤵
                                                                                                                                                                                                    PID:1940
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weupbjox.exe"
                                                                                                                                                                                                  80⤵
                                                                                                                                                                                                    PID:2912
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfullm.exe"
                                                                                                                                                                                                  79⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfl.exe"
                                                                                                                                                                                                78⤵
                                                                                                                                                                                                  PID:1836
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whblrqoq.exe"
                                                                                                                                                                                                77⤵
                                                                                                                                                                                                  PID:836
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvdf.exe"
                                                                                                                                                                                                76⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:2556
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbchobsd.exe"
                                                                                                                                                                                              75⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:2464
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkowxabh.exe"
                                                                                                                                                                                            74⤵
                                                                                                                                                                                              PID:1592
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopmimjs.exe"
                                                                                                                                                                                            73⤵
                                                                                                                                                                                              PID:2384
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvibnag.exe"
                                                                                                                                                                                            72⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:2156
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxqalr.exe"
                                                                                                                                                                                          71⤵
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:868
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whg.exe"
                                                                                                                                                                                        70⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:1784
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqond.exe"
                                                                                                                                                                                      69⤵
                                                                                                                                                                                        PID:2976
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuywvyhx.exe"
                                                                                                                                                                                      68⤵
                                                                                                                                                                                        PID:2080
                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 48
                                                                                                                                                                                        68⤵
                                                                                                                                                                                        • Program crash
                                                                                                                                                                                        PID:2428
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvsuqh.exe"
                                                                                                                                                                                      67⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:2100
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkevrdvsj.exe"
                                                                                                                                                                                    66⤵
                                                                                                                                                                                      PID:2868
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 180
                                                                                                                                                                                      66⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:1560
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrsjtaq.exe"
                                                                                                                                                                                    65⤵
                                                                                                                                                                                      PID:2456
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdym.exe"
                                                                                                                                                                                    64⤵
                                                                                                                                                                                      PID:2116
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpovt.exe"
                                                                                                                                                                                    63⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:1708
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wupovbeb.exe"
                                                                                                                                                                                  62⤵
                                                                                                                                                                                    PID:1280
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihaqggs.exe"
                                                                                                                                                                                  61⤵
                                                                                                                                                                                    PID:2984
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipliklb.exe"
                                                                                                                                                                                  60⤵
                                                                                                                                                                                    PID:1668
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuju.exe"
                                                                                                                                                                                  59⤵
                                                                                                                                                                                    PID:2620
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wec.exe"
                                                                                                                                                                                  58⤵
                                                                                                                                                                                    PID:1908
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpfb.exe"
                                                                                                                                                                                  57⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2088
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhoxy.exe"
                                                                                                                                                                                56⤵
                                                                                                                                                                                  PID:1248
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weny.exe"
                                                                                                                                                                                55⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:2272
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepuvu.exe"
                                                                                                                                                                              54⤵
                                                                                                                                                                                PID:2648
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvg.exe"
                                                                                                                                                                              53⤵
                                                                                                                                                                                PID:2520
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijvmxb.exe"
                                                                                                                                                                              52⤵
                                                                                                                                                                                PID:2972
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpfb.exe"
                                                                                                                                                                              51⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:1256
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 208
                                                                                                                                                                              51⤵
                                                                                                                                                                              • Program crash
                                                                                                                                                                              PID:3008
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobcqv.exe"
                                                                                                                                                                            50⤵
                                                                                                                                                                              PID:1740
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcslmb.exe"
                                                                                                                                                                            49⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:2732
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuxyqmr.exe"
                                                                                                                                                                          48⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:2556
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgunqdtd.exe"
                                                                                                                                                                        47⤵
                                                                                                                                                                          PID:848
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvhrwv.exe"
                                                                                                                                                                        46⤵
                                                                                                                                                                          PID:1576
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxn.exe"
                                                                                                                                                                        45⤵
                                                                                                                                                                          PID:2308
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydd.exe"
                                                                                                                                                                        44⤵
                                                                                                                                                                          PID:2496
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdogayx.exe"
                                                                                                                                                                        43⤵
                                                                                                                                                                          PID:2904
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphqxfy.exe"
                                                                                                                                                                        42⤵
                                                                                                                                                                          PID:2960
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwdahmf.exe"
                                                                                                                                                                        41⤵
                                                                                                                                                                          PID:1600
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woptmsxh.exe"
                                                                                                                                                                        40⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:2008
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhc.exe"
                                                                                                                                                                      39⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:2812
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwt.exe"
                                                                                                                                                                    38⤵
                                                                                                                                                                      PID:2556
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woakogyxa.exe"
                                                                                                                                                                    37⤵
                                                                                                                                                                      PID:848
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopvrj.exe"
                                                                                                                                                                    36⤵
                                                                                                                                                                      PID:1752
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpg.exe"
                                                                                                                                                                    35⤵
                                                                                                                                                                      PID:2416
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcqr.exe"
                                                                                                                                                                    34⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:2412
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiygjbl.exe"
                                                                                                                                                                  33⤵
                                                                                                                                                                    PID:1672
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyf.exe"
                                                                                                                                                                  32⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:2056
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqljbbs.exe"
                                                                                                                                                                31⤵
                                                                                                                                                                  PID:2776
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedswhut.exe"
                                                                                                                                                                30⤵
                                                                                                                                                                  PID:2624
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnryjr.exe"
                                                                                                                                                                29⤵
                                                                                                                                                                  PID:2660
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevo.exe"
                                                                                                                                                                28⤵
                                                                                                                                                                  PID:2460
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuewcl.exe"
                                                                                                                                                                27⤵
                                                                                                                                                                  PID:1928
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhdvod.exe"
                                                                                                                                                                26⤵
                                                                                                                                                                  PID:2272
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaqad.exe"
                                                                                                                                                                25⤵
                                                                                                                                                                  PID:2032
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrwoaf.exe"
                                                                                                                                                                24⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:2908
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjd.exe"
                                                                                                                                                              23⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:928
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnanmsc.exe"
                                                                                                                                                            22⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:2148
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqqjj.exe"
                                                                                                                                                          21⤵
                                                                                                                                                            PID:2008
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjfowh.exe"
                                                                                                                                                          20⤵
                                                                                                                                                            PID:2576
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlrana.exe"
                                                                                                                                                          19⤵
                                                                                                                                                            PID:2244
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjrip.exe"
                                                                                                                                                          18⤵
                                                                                                                                                            PID:1536
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucj.exe"
                                                                                                                                                          17⤵
                                                                                                                                                            PID:2200
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfyqlekn.exe"
                                                                                                                                                          16⤵
                                                                                                                                                            PID:1076
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywjn.exe"
                                                                                                                                                          15⤵
                                                                                                                                                            PID:2240
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmps.exe"
                                                                                                                                                          14⤵
                                                                                                                                                            PID:1772
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wti.exe"
                                                                                                                                                          13⤵
                                                                                                                                                            PID:2876
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpltaa.exe"
                                                                                                                                                          12⤵
                                                                                                                                                            PID:2592
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwioaqyl.exe"
                                                                                                                                                          11⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:2664
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjibkb.exe"
                                                                                                                                                        10⤵
                                                                                                                                                          PID:1404
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqiqp.exe"
                                                                                                                                                        9⤵
                                                                                                                                                          PID:2356
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdce.exe"
                                                                                                                                                        8⤵
                                                                                                                                                          PID:2992
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipman.exe"
                                                                                                                                                        7⤵
                                                                                                                                                          PID:2372
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdekseifi.exe"
                                                                                                                                                        6⤵
                                                                                                                                                          PID:2224
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyulxrq.exe"
                                                                                                                                                        5⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:300
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woq.exe"
                                                                                                                                                      4⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1840
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wro.exe"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1292
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
                                                                                                                                                    2⤵
                                                                                                                                                    • Deletes itself
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:2828

                                                                                                                                                Network

                                                                                                                                                      MITRE ATT&CK Enterprise v15


                                                                                                                                                      Downloads

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\install[2].htm

                                                                                                                                                        Filesize

                                                                                                                                                        7KB


                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAXX3SOJ.txt

                                                                                                                                                        Filesize

                                                                                                                                                        132B


                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SHWZNIR5.txt

                                                                                                                                                        Filesize

                                                                                                                                                        132B


                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U1D3TL60.txt

                                                                                                                                                        Filesize

                                                                                                                                                        99B


                                                                                                                                                      • C:\Windows\SysWOW64\wro.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\wcjibkb.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\wdce.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\wdekseifi.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\wipman.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\woq.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\wpltaa.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                      • \Windows\SysWOW64\wpqiqp.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB

                                                                                                                                                      • \Windows\SysWOW64\wti.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB

                                                                                                                                                      • \Windows\SysWOW64\wwioaqyl.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB

                                                                                                                                                      • \Windows\SysWOW64\wyulxrq.exe

                                                                                                                                                        Filesize

                                                                                                                                                        97KB


                                                                                                                                                        96KB

                                                                                                                                                      • memory/2080-220-0x0000000003460000-0x0000000003478000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2080-223-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2116-173-0x0000000002520000-0x0000000002538000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2116-175-0x0000000002520000-0x0000000002538000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2116-174-0x0000000002520000-0x0000000002538000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2116-179-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2116-176-0x0000000002520000-0x0000000002538000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2156-431-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2156-429-0x0000000003E80000-0x0000000003E98000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2156-428-0x0000000003E80000-0x0000000003E98000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2156-424-0x0000000003E80000-0x0000000003E98000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2264-69-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2264-65-0x0000000004150000-0x0000000004168000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2264-66-0x0000000004150000-0x0000000004168000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2264-53-0x00000000034D0000-0x00000000034E8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2264-59-0x00000000034D0000-0x00000000034E8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2280-335-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2280-334-0x0000000002250000-0x0000000002268000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2280-329-0x0000000002250000-0x0000000002268000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2280-333-0x0000000002250000-0x0000000002268000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2356-181-0x0000000077330000-0x000000007742A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1000KB

                                                                                                                                                      • memory/2356-180-0x0000000077210000-0x000000007732F000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.1MB

                                                                                                                                                      • memory/2388-132-0x0000000003230000-0x0000000003248000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2388-131-0x0000000003230000-0x0000000003248000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2388-134-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2500-156-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2500-152-0x0000000004080000-0x0000000004098000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2500-153-0x0000000004080000-0x0000000004098000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2656-365-0x0000000003370000-0x0000000003388000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2656-367-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2656-366-0x0000000003370000-0x0000000003388000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2700-381-0x0000000003E60000-0x0000000003E78000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2700-380-0x0000000003E60000-0x0000000003E78000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2700-384-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2700-382-0x0000000004030000-0x0000000004048000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2700-383-0x0000000004030000-0x0000000004048000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2840-111-0x0000000003890000-0x00000000038A8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2840-114-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2840-107-0x0000000003890000-0x00000000038A8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2840-104-0x0000000003890000-0x00000000038A8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2884-45-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2884-42-0x0000000003AA0000-0x0000000003AB8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2884-43-0x0000000003F80000-0x0000000003F98000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/2884-22-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/3036-350-0x0000000003B60000-0x0000000003B78000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/3036-352-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/3036-351-0x0000000003B60000-0x0000000003B78000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/3036-348-0x0000000003B50000-0x0000000003B68000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB

                                                                                                                                                      • memory/3036-349-0x0000000003B50000-0x0000000003B68000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        96KB