Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-dpv23sxjfx
Target 124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N
SHA256 124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43
Tags: defense_evasion discovery persistence
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery persistence

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Indicator Removal: File Deletion

Adds Run key to start application

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-31 03:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 03:11
Reported: 2024-10-31 03:13
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

persistence
Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wbpfb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\wro.exe
PID 1404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2264 N/A C:\Windows\SysWOW64\wro.exe C:\Windows\SysWOW64\woq.exe
PID 2884 wrote to memory of 1292 N/A C:\Windows\SysWOW64\wro.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1732 N/A C:\Windows\SysWOW64\woq.exe C:\Windows\SysWOW64\wyulxrq.exe
PID 2264 wrote to memory of 1840 N/A C:\Windows\SysWOW64\woq.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2840 N/A C:\Windows\SysWOW64\wyulxrq.exe C:\Windows\SysWOW64\wdekseifi.exe
PID 1732 wrote to memory of 300 N/A C:\Windows\SysWOW64\wyulxrq.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2388 N/A C:\Windows\SysWOW64\wdekseifi.exe C:\Windows\SysWOW64\wipman.exe
PID 2840 wrote to memory of 2224 N/A C:\Windows\SysWOW64\wdekseifi.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2500 N/A C:\Windows\SysWOW64\wipman.exe C:\Windows\SysWOW64\wdce.exe
PID 2388 wrote to memory of 2372 N/A C:\Windows\SysWOW64\wipman.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wdce.exe C:\Windows\SysWOW64\wpqiqp.exe
PID 2500 wrote to memory of 2992 N/A C:\Windows\SysWOW64\wdce.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 880 N/A C:\Windows\SysWOW64\wpqiqp.exe C:\Windows\SysWOW64\wcjibkb.exe
PID 2116 wrote to memory of 2356 N/A C:\Windows\SysWOW64\wpqiqp.exe C:\Windows\SysWOW64\cmd.exe

Processes


Network

Country Destination Domain Proto
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 13.248.148.254:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 8.8.8.8:53 ww38.best-targeted-traffic.com udp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 76.223.26.96:80 ww38.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:11

Reported

2024-10-31 03:13

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wkrwf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wxtumb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wpnfflpt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wfok.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wyxgcwj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wavaoa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wnytm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wrogll.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wsvsq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wohhq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wovdrrma.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wxrbcifc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\weavtd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wsbkrnk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wpbp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wckcxxj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wvy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wrhenplnf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wkvfh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wcoy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmyforsk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wwauht.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wooyq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmjtv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wymnnjae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wywxe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wphg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wpku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wifof.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wtnsnw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wekmsexs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wxocwtx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wlgld.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wlruth.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wxyyaqsu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\whxqmnbhw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wqukncw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wfbofc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wlpdl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wlkshvuxr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wihnferv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wix.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wguobqy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wusqppnp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wtsafq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wdoi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\whvsa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wcjbdsow.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wirtmnq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wkcclo.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wimrkr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wvpqp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wqjortx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wuwp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wbtsno.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wyfwmqdb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wujl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wtvvud.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wugjtf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpqp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wsidw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmavv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wuefq.exe N/A

Executes dropped EXE


Adds Run key to start application

persistence

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\wsvsq.exe
PID 3492 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\wsvsq.exe
PID 3492 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\wsvsq.exe
PID 3492 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wsvsq.exe C:\Windows\SysWOW64\wqjortx.exe
PID 3644 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wsvsq.exe C:\Windows\SysWOW64\wqjortx.exe
PID 3644 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wsvsq.exe C:\Windows\SysWOW64\wqjortx.exe
PID 3644 wrote to memory of 1392 N/A C:\Windows\SysWOW64\wsvsq.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1392 N/A C:\Windows\SysWOW64\wsvsq.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1392 N/A C:\Windows\SysWOW64\wsvsq.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2008 N/A C:\Windows\SysWOW64\wqjortx.exe C:\Windows\SysWOW64\wohhq.exe
PID 2824 wrote to memory of 2008 N/A C:\Windows\SysWOW64\wqjortx.exe C:\Windows\SysWOW64\wohhq.exe
PID 2824 wrote to memory of 2008 N/A C:\Windows\SysWOW64\wqjortx.exe C:\Windows\SysWOW64\wohhq.exe
PID 2824 wrote to memory of 1564 N/A C:\Windows\SysWOW64\wqjortx.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1564 N/A C:\Windows\SysWOW64\wqjortx.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1564 N/A C:\Windows\SysWOW64\wqjortx.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3240 N/A C:\Windows\SysWOW64\wohhq.exe C:\Windows\SysWOW64\wekmsexs.exe
PID 2008 wrote to memory of 3240 N/A C:\Windows\SysWOW64\wohhq.exe C:\Windows\SysWOW64\wekmsexs.exe
PID 2008 wrote to memory of 3240 N/A C:\Windows\SysWOW64\wohhq.exe C:\Windows\SysWOW64\wekmsexs.exe
PID 2008 wrote to memory of 4792 N/A C:\Windows\SysWOW64\wohhq.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 4792 N/A C:\Windows\SysWOW64\wohhq.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 4792 N/A C:\Windows\SysWOW64\wohhq.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 3308 N/A C:\Windows\SysWOW64\wekmsexs.exe C:\Windows\SysWOW64\wymnnjae.exe
PID 3240 wrote to memory of 3308 N/A C:\Windows\SysWOW64\wekmsexs.exe C:\Windows\SysWOW64\wymnnjae.exe
PID 3240 wrote to memory of 3308 N/A C:\Windows\SysWOW64\wekmsexs.exe C:\Windows\SysWOW64\wymnnjae.exe
PID 3240 wrote to memory of 2600 N/A C:\Windows\SysWOW64\wekmsexs.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 2600 N/A C:\Windows\SysWOW64\wekmsexs.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 2600 N/A C:\Windows\SysWOW64\wekmsexs.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 1772 N/A C:\Windows\SysWOW64\wymnnjae.exe C:\Windows\SysWOW64\wywxe.exe
PID 3308 wrote to memory of 1772 N/A C:\Windows\SysWOW64\wymnnjae.exe C:\Windows\SysWOW64\wywxe.exe
PID 3308 wrote to memory of 1772 N/A C:\Windows\SysWOW64\wymnnjae.exe C:\Windows\SysWOW64\wywxe.exe
PID 3308 wrote to memory of 3264 N/A C:\Windows\SysWOW64\wymnnjae.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 3264 N/A C:\Windows\SysWOW64\wymnnjae.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 3264 N/A C:\Windows\SysWOW64\wymnnjae.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 3040 N/A C:\Windows\SysWOW64\wywxe.exe C:\Windows\SysWOW64\wnowg.exe
PID 1772 wrote to memory of 3040 N/A C:\Windows\SysWOW64\wywxe.exe C:\Windows\SysWOW64\wnowg.exe
PID 1772 wrote to memory of 3040 N/A C:\Windows\SysWOW64\wywxe.exe C:\Windows\SysWOW64\wnowg.exe
PID 1772 wrote to memory of 1056 N/A C:\Windows\SysWOW64\wywxe.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wnowg.exe C:\Windows\SysWOW64\wdoi.exe
PID 3040 wrote to memory of 2320 N/A C:\Windows\SysWOW64\wnowg.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 1860 N/A C:\Windows\SysWOW64\wdoi.exe C:\Windows\SysWOW64\wmloo.exe
PID 4272 wrote to memory of 4976 N/A C:\Windows\SysWOW64\wdoi.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1736 N/A C:\Windows\SysWOW64\wmloo.exe C:\Windows\SysWOW64\wlruth.exe
PID 1860 wrote to memory of 4604 N/A C:\Windows\SysWOW64\wmloo.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 4124 N/A C:\Windows\SysWOW64\wlruth.exe C:\Windows\SysWOW64\wrhenplnf.exe
PID 1736 wrote to memory of 4292 N/A C:\Windows\SysWOW64\wlruth.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe

"C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"

C:\Windows\SysWOW64\wsvsq.exe

"C:\Windows\system32\wsvsq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"

C:\Windows\SysWOW64\wqjortx.exe

"C:\Windows\system32\wqjortx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvsq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3644 -ip 3644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1580

C:\Windows\SysWOW64\wohhq.exe

"C:\Windows\system32\wohhq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjortx.exe"

C:\Windows\SysWOW64\wekmsexs.exe

"C:\Windows\system32\wekmsexs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohhq.exe"

C:\Windows\SysWOW64\wymnnjae.exe

"C:\Windows\system32\wymnnjae.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekmsexs.exe"

C:\Windows\SysWOW64\wywxe.exe

"C:\Windows\system32\wywxe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymnnjae.exe"

C:\Windows\SysWOW64\wnowg.exe

"C:\Windows\system32\wnowg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywxe.exe"

C:\Windows\SysWOW64\wdoi.exe

"C:\Windows\system32\wdoi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnowg.exe"

C:\Windows\SysWOW64\wmloo.exe

"C:\Windows\system32\wmloo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoi.exe"

C:\Windows\SysWOW64\wlruth.exe

"C:\Windows\system32\wlruth.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmloo.exe"

C:\Windows\SysWOW64\wrhenplnf.exe

"C:\Windows\system32\wrhenplnf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlruth.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 1736 -ip 1736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1472

C:\Windows\SysWOW64\wiki.exe

"C:\Windows\system32\wiki.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhenplnf.exe"

C:\Windows\SysWOW64\wxyyaqsu.exe

"C:\Windows\system32\wxyyaqsu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiki.exe"

C:\Windows\SysWOW64\wkrwf.exe

"C:\Windows\system32\wkrwf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyyaqsu.exe"

C:\Windows\SysWOW64\wphg.exe

"C:\Windows\system32\wphg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrwf.exe"

C:\Windows\SysWOW64\wuwp.exe

"C:\Windows\system32\wuwp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphg.exe"

C:\Windows\SysWOW64\wxocwtx.exe

"C:\Windows\system32\wxocwtx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwp.exe"

C:\Windows\SysWOW64\whvsa.exe

"C:\Windows\system32\whvsa.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxocwtx.exe"

C:\Windows\SysWOW64\whxqmnbhw.exe

"C:\Windows\system32\whxqmnbhw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvsa.exe"

C:\Windows\SysWOW64\wujl.exe

"C:\Windows\system32\wujl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxqmnbhw.exe"

C:\Windows\SysWOW64\wtvvud.exe

"C:\Windows\system32\wtvvud.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujl.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5100 -ip 5100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1652

C:\Windows\SysWOW64\wrcaabc.exe

"C:\Windows\system32\wrcaabc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvvud.exe"

C:\Windows\SysWOW64\whrrjpl.exe

"C:\Windows\system32\whrrjpl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcaabc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3876 -ip 3876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 116

C:\Windows\SysWOW64\wxtumb.exe

"C:\Windows\system32\wxtumb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrrjpl.exe"

C:\Windows\SysWOW64\wdjeh.exe

"C:\Windows\system32\wdjeh.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtumb.exe"

C:\Windows\SysWOW64\wkvfh.exe

"C:\Windows\system32\wkvfh.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjeh.exe"

C:\Windows\SysWOW64\wyhb.exe

"C:\Windows\system32\wyhb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfh.exe"

C:\Windows\SysWOW64\wpavt.exe

"C:\Windows\system32\wpavt.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhb.exe"

C:\Windows\SysWOW64\wix.exe

"C:\Windows\system32\wix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpavt.exe"

C:\Windows\SysWOW64\wjhcpsila.exe

"C:\Windows\system32\wjhcpsila.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wix.exe"

C:\Windows\SysWOW64\wuwhcslaa.exe

"C:\Windows\system32\wuwhcslaa.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhcpsila.exe"

C:\Windows\SysWOW64\wguobqy.exe

"C:\Windows\system32\wguobqy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwhcslaa.exe"

C:\Windows\SysWOW64\wovdrrma.exe

"C:\Windows\system32\wovdrrma.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguobqy.exe"

C:\Windows\SysWOW64\wmakx.exe

"C:\Windows\system32\wmakx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovdrrma.exe"

C:\Windows\SysWOW64\wcoy.exe

"C:\Windows\system32\wcoy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmakx.exe"

C:\Windows\SysWOW64\wxrbcifc.exe

"C:\Windows\system32\wxrbcifc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoy.exe"

C:\Windows\SysWOW64\wugjtf.exe

"C:\Windows\system32\wugjtf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrbcifc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 304

C:\Windows\SysWOW64\wbtsno.exe

"C:\Windows\system32\wbtsno.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugjtf.exe"

C:\Windows\SysWOW64\wtccd.exe

"C:\Windows\system32\wtccd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtsno.exe"

C:\Windows\SysWOW64\wlpdl.exe

"C:\Windows\system32\wlpdl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtccd.exe"

C:\Windows\SysWOW64\weavtd.exe

"C:\Windows\system32\weavtd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpdl.exe"

C:\Windows\SysWOW64\wusqppnp.exe

"C:\Windows\system32\wusqppnp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weavtd.exe"

C:\Windows\SysWOW64\wxpegfs.exe

"C:\Windows\system32\wxpegfs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusqppnp.exe"

C:\Windows\SysWOW64\wmpqp.exe

"C:\Windows\system32\wmpqp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpegfs.exe"

C:\Windows\SysWOW64\wpnfflpt.exe

"C:\Windows\system32\wpnfflpt.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpqp.exe"

C:\Windows\SysWOW64\wdnrodh.exe

"C:\Windows\system32\wdnrodh.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnfflpt.exe"

C:\Windows\SysWOW64\wfok.exe

"C:\Windows\system32\wfok.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnrodh.exe"

C:\Windows\SysWOW64\wto.exe

"C:\Windows\system32\wto.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfok.exe"

C:\Windows\SysWOW64\wpku.exe

"C:\Windows\system32\wpku.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"

C:\Windows\SysWOW64\wkbpjl.exe

"C:\Windows\system32\wkbpjl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpku.exe"

C:\Windows\SysWOW64\wvqutl.exe

"C:\Windows\system32\wvqutl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbpjl.exe"

C:\Windows\SysWOW64\wsbkrnk.exe

"C:\Windows\system32\wsbkrnk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqutl.exe"

C:\Windows\SysWOW64\wyfwmqdb.exe

"C:\Windows\system32\wyfwmqdb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbkrnk.exe"

C:\Windows\SysWOW64\wkcclo.exe

"C:\Windows\system32\wkcclo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfwmqdb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1724 -ip 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1340

C:\Windows\SysWOW64\wimrkr.exe

"C:\Windows\system32\wimrkr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcclo.exe"

C:\Windows\SysWOW64\welvcsw.exe

"C:\Windows\system32\welvcsw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimrkr.exe"

C:\Windows\SysWOW64\wyxgcwj.exe

"C:\Windows\system32\wyxgcwj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welvcsw.exe"

C:\Windows\SysWOW64\wnytm.exe

"C:\Windows\system32\wnytm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxgcwj.exe"

C:\Windows\SysWOW64\wdbx.exe

"C:\Windows\system32\wdbx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnytm.exe"

C:\Windows\SysWOW64\wgocxpt.exe

"C:\Windows\system32\wgocxpt.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"

C:\Windows\SysWOW64\wcjbdsow.exe

"C:\Windows\system32\wcjbdsow.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgocxpt.exe"

C:\Windows\SysWOW64\wmyforsk.exe

"C:\Windows\system32\wmyforsk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjbdsow.exe"

C:\Windows\SysWOW64\wwauht.exe

"C:\Windows\system32\wwauht.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyforsk.exe"

C:\Windows\SysWOW64\wirtmnq.exe

"C:\Windows\system32\wirtmnq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwauht.exe"

C:\Windows\SysWOW64\wavaoa.exe

"C:\Windows\system32\wavaoa.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirtmnq.exe"

C:\Windows\SysWOW64\wlkshvuxr.exe

"C:\Windows\system32\wlkshvuxr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavaoa.exe"

C:\Windows\SysWOW64\wifof.exe

"C:\Windows\system32\wifof.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkshvuxr.exe"

C:\Windows\SysWOW64\webkvsrp.exe

"C:\Windows\system32\webkvsrp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifof.exe"

C:\Windows\SysWOW64\wrogll.exe

"C:\Windows\system32\wrogll.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webkvsrp.exe"

C:\Windows\SysWOW64\wpbp.exe

"C:\Windows\system32\wpbp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrogll.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4292 -ip 4292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1280

C:\Windows\SysWOW64\wtnsnw.exe

"C:\Windows\system32\wtnsnw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbp.exe"

C:\Windows\SysWOW64\wuefq.exe

"C:\Windows\system32\wuefq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnsnw.exe"

C:\Windows\SysWOW64\wwts.exe

"C:\Windows\system32\wwts.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuefq.exe"

C:\Windows\SysWOW64\wmjtv.exe

"C:\Windows\system32\wmjtv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwts.exe"

C:\Windows\SysWOW64\wcxje.exe

"C:\Windows\system32\wcxje.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjtv.exe"

C:\Windows\SysWOW64\wlgld.exe

"C:\Windows\system32\wlgld.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxje.exe"

C:\Windows\SysWOW64\wckcxxj.exe

"C:\Windows\system32\wckcxxj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgld.exe"

C:\Windows\SysWOW64\wihnferv.exe

"C:\Windows\system32\wihnferv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckcxxj.exe"

C:\Windows\SysWOW64\wsidw.exe

"C:\Windows\system32\wsidw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihnferv.exe"

C:\Windows\SysWOW64\wqukncw.exe

"C:\Windows\system32\wqukncw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsidw.exe"

C:\Windows\SysWOW64\wtsafq.exe

"C:\Windows\system32\wtsafq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqukncw.exe"

C:\Windows\SysWOW64\wvy.exe

"C:\Windows\system32\wvy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsafq.exe"

C:\Windows\SysWOW64\wdyucpwo.exe

"C:\Windows\system32\wdyucpwo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvy.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1432

C:\Windows\SysWOW64\wfbofc.exe

"C:\Windows\system32\wfbofc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyucpwo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1536

C:\Windows\SysWOW64\wpjgjbd.exe

"C:\Windows\system32\wpjgjbd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbofc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1836 -ip 1836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1432

C:\Windows\SysWOW64\wmavv.exe

"C:\Windows\system32\wmavv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjgjbd.exe"

C:\Windows\SysWOW64\wvpqp.exe

"C:\Windows\system32\wvpqp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmavv.exe"

C:\Windows\SysWOW64\wooyq.exe

"C:\Windows\system32\wooyq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpqp.exe"

C:\Windows\SysWOW64\wlgpcko.exe

"C:\Windows\system32\wlgpcko.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wooyq.exe"

Network

Country Destination Domain Proto
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp

Files
