Analysis Overview
SHA256
124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43
Threat Level: Shows suspicious behavior
The file 124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Indicator Removal: File Deletion
Adds Run key to start application
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 03:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 03:11
Reported
2024-10-31 03:13
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvjfowh = "\"C:\\Windows\\SysWOW64\\wvjfowh.exe\"" | C:\Windows\SysWOW64\wvjfowh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woakogyxa = "\"C:\\Windows\\SysWOW64\\woakogyxa.exe\"" | C:\Windows\SysWOW64\woakogyxa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbhc = "\"C:\\Windows\\SysWOW64\\wbhc.exe\"" | C:\Windows\SysWOW64\wbhc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvg = "\"C:\\Windows\\SysWOW64\\wvg.exe\"" | C:\Windows\SysWOW64\wvg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvibnag = "\"C:\\Windows\\SysWOW64\\wvibnag.exe\"" | C:\Windows\SysWOW64\wvibnag.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\whkowxabh = "\"C:\\Windows\\SysWOW64\\whkowxabh.exe\"" | C:\Windows\SysWOW64\whkowxabh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wovinvmq = "\"C:\\Windows\\SysWOW64\\wovinvmq.exe\"" | C:\Windows\SysWOW64\wovinvmq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcjibkb = "\"C:\\Windows\\SysWOW64\\wcjibkb.exe\"" | C:\Windows\SysWOW64\wcjibkb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnjd = "\"C:\\Windows\\SysWOW64\\wnjd.exe\"" | C:\Windows\SysWOW64\wnjd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\weny = "\"C:\\Windows\\SysWOW64\\weny.exe\"" | C:\Windows\SysWOW64\weny.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyxdym = "\"C:\\Windows\\SysWOW64\\wyxdym.exe\"" | C:\Windows\SysWOW64\wyxdym.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wopmimjs = "\"C:\\Windows\\SysWOW64\\wopmimjs.exe\"" | C:\Windows\SysWOW64\wopmimjs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlvdf = "\"C:\\Windows\\SysWOW64\\wlvdf.exe\"" | C:\Windows\SysWOW64\wlvdf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\weupbjox = "\"C:\\Windows\\SysWOW64\\weupbjox.exe\"" | C:\Windows\SysWOW64\weupbjox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfpivqo = "\"C:\\Windows\\SysWOW64\\wfpivqo.exe\"" | C:\Windows\SysWOW64\wfpivqo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcwgulng = "\"C:\\Windows\\SysWOW64\\wcwgulng.exe\"" | C:\Windows\SysWOW64\wcwgulng.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wipman = "\"C:\\Windows\\SysWOW64\\wipman.exe\"" | C:\Windows\SysWOW64\wipman.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuiygjbl = "\"C:\\Windows\\SysWOW64\\wuiygjbl.exe\"" | C:\Windows\SysWOW64\wuiygjbl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wipliklb = "\"C:\\Windows\\SysWOW64\\wipliklb.exe\"" | C:\Windows\SysWOW64\wipliklb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkvfl = "\"C:\\Windows\\SysWOW64\\wkvfl.exe\"" | C:\Windows\SysWOW64\wkvfl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wymitof = "\"C:\\Windows\\SysWOW64\\wymitof.exe\"" | C:\Windows\SysWOW64\wymitof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkpsyyk = "\"C:\\Windows\\SysWOW64\\wkpsyyk.exe\"" | C:\Windows\SysWOW64\wkpsyyk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxpfb = "\"C:\\Windows\\SysWOW64\\wxpfb.exe\"" | C:\Windows\SysWOW64\wxpfb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyulxrq = "\"C:\\Windows\\SysWOW64\\wyulxrq.exe\"" | C:\Windows\SysWOW64\wyulxrq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlfyqlekn = "\"C:\\Windows\\SysWOW64\\wlfyqlekn.exe\"" | C:\Windows\SysWOW64\wlfyqlekn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wucj = "\"C:\\Windows\\SysWOW64\\wucj.exe\"" | C:\Windows\SysWOW64\wucj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwrwoaf = "\"C:\\Windows\\SysWOW64\\wwrwoaf.exe\"" | C:\Windows\SysWOW64\wwrwoaf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnuewcl = "\"C:\\Windows\\SysWOW64\\wnuewcl.exe\"" | C:\Windows\SysWOW64\wnuewcl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxn = "\"C:\\Windows\\SysWOW64\\wxn.exe\"" | C:\Windows\SysWOW64\wxn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wijvmxb = "\"C:\\Windows\\SysWOW64\\wijvmxb.exe\"" | C:\Windows\SysWOW64\wijvmxb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\whg = "\"C:\\Windows\\SysWOW64\\whg.exe\"" | C:\Windows\SysWOW64\whg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkbldlc = "\"C:\\Windows\\SysWOW64\\wkbldlc.exe\"" | C:\Windows\SysWOW64\wkbldlc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wglxbbnp = "\"C:\\Windows\\SysWOW64\\wglxbbnp.exe\"" | C:\Windows\SysWOW64\wglxbbnp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wywjn = "\"C:\\Windows\\SysWOW64\\wywjn.exe\"" | C:\Windows\SysWOW64\wywjn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqljbbs = "\"C:\\Windows\\SysWOW64\\wqljbbs.exe\"" | C:\Windows\SysWOW64\wqljbbs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wec = "\"C:\\Windows\\SysWOW64\\wec.exe\"" | C:\Windows\SysWOW64\wec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcvsuqh = "\"C:\\Windows\\SysWOW64\\wcvsuqh.exe\"" | C:\Windows\SysWOW64\wcvsuqh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtxqalr = "\"C:\\Windows\\SysWOW64\\wtxqalr.exe\"" | C:\Windows\SysWOW64\wtxqalr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wudhxfph = "\"C:\\Windows\\SysWOW64\\wudhxfph.exe\"" | C:\Windows\SysWOW64\wudhxfph.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmps = "\"C:\\Windows\\SysWOW64\\wmps.exe\"" | C:\Windows\SysWOW64\wmps.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfaqad = "\"C:\\Windows\\SysWOW64\\wfaqad.exe\"" | C:\Windows\SysWOW64\wfaqad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wopvrj = "\"C:\\Windows\\SysWOW64\\wopvrj.exe\"" | C:\Windows\SysWOW64\wopvrj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdogayx = "\"C:\\Windows\\SysWOW64\\wdogayx.exe\"" | C:\Windows\SysWOW64\wdogayx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wihaqggs = "\"C:\\Windows\\SysWOW64\\wihaqggs.exe\"" | C:\Windows\SysWOW64\wihaqggs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wupovbeb = "\"C:\\Windows\\SysWOW64\\wupovbeb.exe\"" | C:\Windows\SysWOW64\wupovbeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuywvyhx = "\"C:\\Windows\\SysWOW64\\wuywvyhx.exe\"" | C:\Windows\SysWOW64\wuywvyhx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrjrip = "\"C:\\Windows\\SysWOW64\\wrjrip.exe\"" | C:\Windows\SysWOW64\wrjrip.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wphqxfy = "\"C:\\Windows\\SysWOW64\\wphqxfy.exe\"" | C:\Windows\SysWOW64\wphqxfy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wydd = "\"C:\\Windows\\SysWOW64\\wydd.exe\"" | C:\Windows\SysWOW64\wydd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcslmb = "\"C:\\Windows\\SysWOW64\\wcslmb.exe\"" | C:\Windows\SysWOW64\wcslmb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuju = "\"C:\\Windows\\SysWOW64\\wuju.exe\"" | C:\Windows\SysWOW64\wuju.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbucou = "\"C:\\Windows\\SysWOW64\\wbucou.exe\"" | C:\Windows\SysWOW64\wbucou.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdce = "\"C:\\Windows\\SysWOW64\\wdce.exe\"" | C:\Windows\SysWOW64\wdce.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlvhrwv = "\"C:\\Windows\\SysWOW64\\wlvhrwv.exe\"" | C:\Windows\SysWOW64\wlvhrwv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wobcqv = "\"C:\\Windows\\SysWOW64\\wobcqv.exe\"" | C:\Windows\SysWOW64\wobcqv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlhoxy = "\"C:\\Windows\\SysWOW64\\wlhoxy.exe\"" | C:\Windows\SysWOW64\wlhoxy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioaxn = "\"C:\\Windows\\SysWOW64\\wioaxn.exe\"" | C:\Windows\SysWOW64\wioaxn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wryrisn = "\"C:\\Windows\\SysWOW64\\wryrisn.exe\"" | C:\Windows\SysWOW64\wryrisn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wevo = "\"C:\\Windows\\SysWOW64\\wevo.exe\"" | C:\Windows\SysWOW64\wevo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wicydhh = "\"C:\\Windows\\SysWOW64\\wicydhh.exe\"" | C:\Windows\SysWOW64\wicydhh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwnanmsc = "\"C:\\Windows\\SysWOW64\\wwnanmsc.exe\"" | C:\Windows\SysWOW64\wwnanmsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnyf = "\"C:\\Windows\\SysWOW64\\wnyf.exe\"" | C:\Windows\SysWOW64\wnyf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpg = "\"C:\\Windows\\SysWOW64\\wpg.exe\"" | C:\Windows\SysWOW64\wpg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbpfb = "\"C:\\Windows\\SysWOW64\\wbpfb.exe\"" | C:\Windows\SysWOW64\wbpfb.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wqlrana.exe | C:\Windows\SysWOW64\wrjrip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwhdvod.exe | C:\Windows\SysWOW64\wfaqad.exe | N/A |
| File created | C:\Windows\SysWOW64\woakogyxa.exe | C:\Windows\SysWOW64\wopvrj.exe | N/A |
| File created | C:\Windows\SysWOW64\wydd.exe | C:\Windows\SysWOW64\wdogayx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgunqdtd.exe | C:\Windows\SysWOW64\wlvhrwv.exe | N/A |
| File created | C:\Windows\SysWOW64\wbpfb.exe | C:\Windows\SysWOW64\wobcqv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wec.exe | C:\Windows\SysWOW64\wxpfb.exe | N/A |
| File created | C:\Windows\SysWOW64\wcvsuqh.exe | C:\Windows\SysWOW64\wkevrdvsj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkvfl.exe | C:\Windows\SysWOW64\whblrqoq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbqgoh.exe | C:\Windows\SysWOW64\wcvjkj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wyulxrq.exe | C:\Windows\SysWOW64\woq.exe | N/A |
| File created | C:\Windows\SysWOW64\wwhdvod.exe | C:\Windows\SysWOW64\wfaqad.exe | N/A |
| File created | C:\Windows\SysWOW64\wnryjr.exe | C:\Windows\SysWOW64\wevo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wdogayx.exe | C:\Windows\SysWOW64\wphqxfy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbchobsd.exe | C:\Windows\SysWOW64\whkowxabh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwhltqseu.exe | C:\Windows\SysWOW64\wfljf.exe | N/A |
| File created | C:\Windows\SysWOW64\wioaxn.exe | C:\Windows\SysWOW64\wicydhh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wcwgulng.exe | C:\Windows\SysWOW64\wkpsyyk.exe | N/A |
| File created | C:\Windows\SysWOW64\wmps.exe | C:\Windows\SysWOW64\wti.exe | N/A |
| File created | C:\Windows\SysWOW64\wevo.exe | C:\Windows\SysWOW64\wnuewcl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnryjr.exe | C:\Windows\SysWOW64\wevo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wedswhut.exe | C:\Windows\SysWOW64\wnryjr.exe | N/A |
| File created | C:\Windows\SysWOW64\wlvhrwv.exe | C:\Windows\SysWOW64\wxn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wtxqalr.exe | C:\Windows\SysWOW64\whg.exe | N/A |
| File created | C:\Windows\SysWOW64\wtvcoqo.exe | C:\Windows\SysWOW64\wyllik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnuewcl.exe | C:\Windows\SysWOW64\wwhdvod.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbhc.exe | C:\Windows\SysWOW64\wxwt.exe | N/A |
| File created | C:\Windows\SysWOW64\woptmsxh.exe | C:\Windows\SysWOW64\wbhc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvg.exe | C:\Windows\SysWOW64\wijvmxb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlvdf.exe | C:\Windows\SysWOW64\wbchobsd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wovinvmq.exe | C:\Windows\SysWOW64\wtvcoqo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwnanmsc.exe | C:\Windows\SysWOW64\wnqqjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\woakogyxa.exe | C:\Windows\SysWOW64\wopvrj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wphqxfy.exe | C:\Windows\SysWOW64\wrwdahmf.exe | N/A |
| File created | C:\Windows\SysWOW64\wobcqv.exe | C:\Windows\SysWOW64\wcslmb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkevrdvsj.exe | C:\Windows\SysWOW64\wfrsjtaq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfullm.exe | C:\Windows\SysWOW64\wkvfl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wudhxfph.exe | C:\Windows\SysWOW64\wydayb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wipman.exe | C:\Windows\SysWOW64\wdekseifi.exe | N/A |
| File created | C:\Windows\SysWOW64\wdce.exe | C:\Windows\SysWOW64\wipman.exe | N/A |
| File created | C:\Windows\SysWOW64\wwioaqyl.exe | C:\Windows\SysWOW64\wcjibkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wpg.exe | C:\Windows\SysWOW64\wdcqr.exe | N/A |
| File created | C:\Windows\SysWOW64\wepuvu.exe | C:\Windows\SysWOW64\wvg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxpfb.exe | C:\Windows\SysWOW64\wlhoxy.exe | N/A |
| File created | C:\Windows\SysWOW64\wuywvyhx.exe | C:\Windows\SysWOW64\wcvsuqh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wyllik.exe | C:\Windows\SysWOW64\wymitof.exe | N/A |
| File created | C:\Windows\SysWOW64\wsetb.exe | C:\Windows\SysWOW64\wovinvmq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfpivqo.exe | C:\Windows\SysWOW64\wkbldlc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wti.exe | C:\Windows\SysWOW64\wpltaa.exe | N/A |
| File created | C:\Windows\SysWOW64\wvjfowh.exe | C:\Windows\SysWOW64\wqlrana.exe | N/A |
| File created | C:\Windows\SysWOW64\wnqqjj.exe | C:\Windows\SysWOW64\wvjfowh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wopvrj.exe | C:\Windows\SysWOW64\wpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\whg.exe | C:\Windows\SysWOW64\wpqond.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvibnag.exe | C:\Windows\SysWOW64\wtxqalr.exe | N/A |
| File created | C:\Windows\SysWOW64\wovinvmq.exe | C:\Windows\SysWOW64\wtvcoqo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfljf.exe | C:\Windows\SysWOW64\wsetb.exe | N/A |
| File created | C:\Windows\SysWOW64\wbqgoh.exe | C:\Windows\SysWOW64\wcvjkj.exe | N/A |
| File created | C:\Windows\SysWOW64\wglxbbnp.exe | C:\Windows\SysWOW64\wudhxfph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wro.exe | C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe | N/A |
| File created | C:\Windows\SysWOW64\wpltaa.exe | C:\Windows\SysWOW64\wwioaqyl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrjrip.exe | C:\Windows\SysWOW64\wucj.exe | N/A |
| File created | C:\Windows\SysWOW64\wwnanmsc.exe | C:\Windows\SysWOW64\wnqqjj.exe | N/A |
| File created | C:\Windows\SysWOW64\wfaqad.exe | C:\Windows\SysWOW64\wwrwoaf.exe | N/A |
| File created | C:\Windows\SysWOW64\wcslmb.exe | C:\Windows\SysWOW64\wwuxyqmr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\wbpfb.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\wkevrdvsj.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\wuywvyhx.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wgunqdtd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wwrwoaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wfaqad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\woptmsxh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wymitof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wcvjkj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvjfowh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbucou.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wuywvyhx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\weupbjox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnjd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wwhdvod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wihaqggs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wpovt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wglxbbnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wwuxyqmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wijvmxb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wkpsyyk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wryrisn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wtvcoqo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnqqjj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\woakogyxa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wpqiqp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wxn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wioaxn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wuju.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wkevrdvsj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlvdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wfrsjtaq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wyllik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wwnanmsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbpfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wbpfb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
"C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
C:\Windows\SysWOW64\wro.exe
"C:\Windows\system32\wro.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
C:\Windows\SysWOW64\woq.exe
"C:\Windows\system32\woq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wro.exe"
C:\Windows\SysWOW64\wyulxrq.exe
"C:\Windows\system32\wyulxrq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woq.exe"
C:\Windows\SysWOW64\wdekseifi.exe
"C:\Windows\system32\wdekseifi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyulxrq.exe"
C:\Windows\SysWOW64\wipman.exe
"C:\Windows\system32\wipman.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdekseifi.exe"
C:\Windows\SysWOW64\wdce.exe
"C:\Windows\system32\wdce.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipman.exe"
C:\Windows\SysWOW64\wpqiqp.exe
"C:\Windows\system32\wpqiqp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdce.exe"
C:\Windows\SysWOW64\wcjibkb.exe
"C:\Windows\system32\wcjibkb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqiqp.exe"
C:\Windows\SysWOW64\wwioaqyl.exe
"C:\Windows\system32\wwioaqyl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjibkb.exe"
C:\Windows\SysWOW64\wpltaa.exe
"C:\Windows\system32\wpltaa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwioaqyl.exe"
C:\Windows\SysWOW64\wti.exe
"C:\Windows\system32\wti.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpltaa.exe"
C:\Windows\SysWOW64\wmps.exe
"C:\Windows\system32\wmps.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wti.exe"
C:\Windows\SysWOW64\wywjn.exe
"C:\Windows\system32\wywjn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmps.exe"
C:\Windows\SysWOW64\wlfyqlekn.exe
"C:\Windows\system32\wlfyqlekn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywjn.exe"
C:\Windows\SysWOW64\wucj.exe
"C:\Windows\system32\wucj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfyqlekn.exe"
C:\Windows\SysWOW64\wrjrip.exe
"C:\Windows\system32\wrjrip.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucj.exe"
C:\Windows\SysWOW64\wqlrana.exe
"C:\Windows\system32\wqlrana.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjrip.exe"
C:\Windows\SysWOW64\wvjfowh.exe
"C:\Windows\system32\wvjfowh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlrana.exe"
C:\Windows\SysWOW64\wnqqjj.exe
"C:\Windows\system32\wnqqjj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjfowh.exe"
C:\Windows\SysWOW64\wwnanmsc.exe
"C:\Windows\system32\wwnanmsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqqjj.exe"
C:\Windows\SysWOW64\wnjd.exe
"C:\Windows\system32\wnjd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnanmsc.exe"
C:\Windows\SysWOW64\wwrwoaf.exe
"C:\Windows\system32\wwrwoaf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjd.exe"
C:\Windows\SysWOW64\wfaqad.exe
"C:\Windows\system32\wfaqad.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrwoaf.exe"
C:\Windows\SysWOW64\wwhdvod.exe
"C:\Windows\system32\wwhdvod.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaqad.exe"
C:\Windows\SysWOW64\wnuewcl.exe
"C:\Windows\system32\wnuewcl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhdvod.exe"
C:\Windows\SysWOW64\wevo.exe
"C:\Windows\system32\wevo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuewcl.exe"
C:\Windows\SysWOW64\wnryjr.exe
"C:\Windows\system32\wnryjr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevo.exe"
C:\Windows\SysWOW64\wedswhut.exe
"C:\Windows\system32\wedswhut.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnryjr.exe"
C:\Windows\SysWOW64\wqljbbs.exe
"C:\Windows\system32\wqljbbs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedswhut.exe"
C:\Windows\SysWOW64\wnyf.exe
"C:\Windows\system32\wnyf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqljbbs.exe"
C:\Windows\SysWOW64\wuiygjbl.exe
"C:\Windows\system32\wuiygjbl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyf.exe"
C:\Windows\SysWOW64\wdcqr.exe
"C:\Windows\system32\wdcqr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiygjbl.exe"
C:\Windows\SysWOW64\wpg.exe
"C:\Windows\system32\wpg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcqr.exe"
C:\Windows\SysWOW64\wopvrj.exe
"C:\Windows\system32\wopvrj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpg.exe"
C:\Windows\SysWOW64\woakogyxa.exe
"C:\Windows\system32\woakogyxa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopvrj.exe"
C:\Windows\SysWOW64\wxwt.exe
"C:\Windows\system32\wxwt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woakogyxa.exe"
C:\Windows\SysWOW64\wbhc.exe
"C:\Windows\system32\wbhc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwt.exe"
C:\Windows\SysWOW64\woptmsxh.exe
"C:\Windows\system32\woptmsxh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhc.exe"
C:\Windows\SysWOW64\wrwdahmf.exe
"C:\Windows\system32\wrwdahmf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woptmsxh.exe"
C:\Windows\SysWOW64\wphqxfy.exe
"C:\Windows\system32\wphqxfy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwdahmf.exe"
C:\Windows\SysWOW64\wdogayx.exe
"C:\Windows\system32\wdogayx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphqxfy.exe"
C:\Windows\SysWOW64\wydd.exe
"C:\Windows\system32\wydd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdogayx.exe"
C:\Windows\SysWOW64\wxn.exe
"C:\Windows\system32\wxn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydd.exe"
C:\Windows\SysWOW64\wlvhrwv.exe
"C:\Windows\system32\wlvhrwv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxn.exe"
C:\Windows\SysWOW64\wgunqdtd.exe
"C:\Windows\system32\wgunqdtd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvhrwv.exe"
C:\Windows\SysWOW64\wwuxyqmr.exe
"C:\Windows\system32\wwuxyqmr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgunqdtd.exe"
C:\Windows\SysWOW64\wcslmb.exe
"C:\Windows\system32\wcslmb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuxyqmr.exe"
C:\Windows\SysWOW64\wobcqv.exe
"C:\Windows\system32\wobcqv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcslmb.exe"
C:\Windows\SysWOW64\wbpfb.exe
"C:\Windows\system32\wbpfb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobcqv.exe"
C:\Windows\SysWOW64\wijvmxb.exe
"C:\Windows\system32\wijvmxb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpfb.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 208
C:\Windows\SysWOW64\wvg.exe
"C:\Windows\system32\wvg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijvmxb.exe"
C:\Windows\SysWOW64\wepuvu.exe
"C:\Windows\system32\wepuvu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvg.exe"
C:\Windows\SysWOW64\weny.exe
"C:\Windows\system32\weny.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepuvu.exe"
C:\Windows\SysWOW64\wlhoxy.exe
"C:\Windows\system32\wlhoxy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weny.exe"
C:\Windows\SysWOW64\wxpfb.exe
"C:\Windows\system32\wxpfb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhoxy.exe"
C:\Windows\SysWOW64\wec.exe
"C:\Windows\system32\wec.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpfb.exe"
C:\Windows\SysWOW64\wuju.exe
"C:\Windows\system32\wuju.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wec.exe"
C:\Windows\SysWOW64\wipliklb.exe
"C:\Windows\system32\wipliklb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuju.exe"
C:\Windows\SysWOW64\wihaqggs.exe
"C:\Windows\system32\wihaqggs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipliklb.exe"
C:\Windows\SysWOW64\wupovbeb.exe
"C:\Windows\system32\wupovbeb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihaqggs.exe"
C:\Windows\SysWOW64\wpovt.exe
"C:\Windows\system32\wpovt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wupovbeb.exe"
C:\Windows\SysWOW64\wyxdym.exe
"C:\Windows\system32\wyxdym.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpovt.exe"
C:\Windows\SysWOW64\wfrsjtaq.exe
"C:\Windows\system32\wfrsjtaq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdym.exe"
C:\Windows\SysWOW64\wkevrdvsj.exe
"C:\Windows\system32\wkevrdvsj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrsjtaq.exe"
C:\Windows\SysWOW64\wcvsuqh.exe
"C:\Windows\system32\wcvsuqh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkevrdvsj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 180
C:\Windows\SysWOW64\wuywvyhx.exe
"C:\Windows\system32\wuywvyhx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvsuqh.exe"
C:\Windows\SysWOW64\wpqond.exe
"C:\Windows\system32\wpqond.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuywvyhx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 48
C:\Windows\SysWOW64\whg.exe
"C:\Windows\system32\whg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqond.exe"
C:\Windows\SysWOW64\wtxqalr.exe
"C:\Windows\system32\wtxqalr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whg.exe"
C:\Windows\SysWOW64\wvibnag.exe
"C:\Windows\system32\wvibnag.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxqalr.exe"
C:\Windows\SysWOW64\wopmimjs.exe
"C:\Windows\system32\wopmimjs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvibnag.exe"
C:\Windows\SysWOW64\whkowxabh.exe
"C:\Windows\system32\whkowxabh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopmimjs.exe"
C:\Windows\SysWOW64\wbchobsd.exe
"C:\Windows\system32\wbchobsd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkowxabh.exe"
C:\Windows\SysWOW64\wlvdf.exe
"C:\Windows\system32\wlvdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbchobsd.exe"
C:\Windows\SysWOW64\whblrqoq.exe
"C:\Windows\system32\whblrqoq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvdf.exe"
C:\Windows\SysWOW64\wkvfl.exe
"C:\Windows\system32\wkvfl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whblrqoq.exe"
C:\Windows\SysWOW64\wfullm.exe
"C:\Windows\system32\wfullm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfl.exe"
C:\Windows\SysWOW64\weupbjox.exe
"C:\Windows\system32\weupbjox.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfullm.exe"
C:\Windows\SysWOW64\wymitof.exe
"C:\Windows\system32\wymitof.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weupbjox.exe"
C:\Windows\SysWOW64\wyllik.exe
"C:\Windows\system32\wyllik.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymitof.exe"
C:\Windows\SysWOW64\wtvcoqo.exe
"C:\Windows\system32\wtvcoqo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyllik.exe"
C:\Windows\SysWOW64\wovinvmq.exe
"C:\Windows\system32\wovinvmq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvcoqo.exe"
C:\Windows\SysWOW64\wsetb.exe
"C:\Windows\system32\wsetb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovinvmq.exe"
C:\Windows\SysWOW64\wfljf.exe
"C:\Windows\system32\wfljf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsetb.exe"
C:\Windows\SysWOW64\wwhltqseu.exe
"C:\Windows\system32\wwhltqseu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfljf.exe"
C:\Windows\SysWOW64\wkbldlc.exe
"C:\Windows\system32\wkbldlc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhltqseu.exe"
C:\Windows\SysWOW64\wfpivqo.exe
"C:\Windows\system32\wfpivqo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbldlc.exe"
C:\Windows\SysWOW64\wicydhh.exe
"C:\Windows\system32\wicydhh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpivqo.exe"
C:\Windows\SysWOW64\wioaxn.exe
"C:\Windows\system32\wioaxn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicydhh.exe"
C:\Windows\SysWOW64\wydayb.exe
"C:\Windows\system32\wydayb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioaxn.exe"
C:\Windows\SysWOW64\wudhxfph.exe
"C:\Windows\system32\wudhxfph.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydayb.exe"
C:\Windows\SysWOW64\wglxbbnp.exe
"C:\Windows\system32\wglxbbnp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudhxfph.exe"
C:\Windows\SysWOW64\wkpsyyk.exe
"C:\Windows\system32\wkpsyyk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglxbbnp.exe"
C:\Windows\SysWOW64\wcwgulng.exe
"C:\Windows\system32\wcwgulng.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpsyyk.exe"
C:\Windows\SysWOW64\wcvjkj.exe
"C:\Windows\system32\wcvjkj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwgulng.exe"
C:\Windows\SysWOW64\wbqgoh.exe
"C:\Windows\system32\wbqgoh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvjkj.exe"
C:\Windows\SysWOW64\wryrisn.exe
"C:\Windows\system32\wryrisn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqgoh.exe"
C:\Windows\SysWOW64\wbucou.exe
"C:\Windows\system32\wbucou.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryrisn.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
Files
memory/1404-0-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1404-13-0x0000000003C30000-0x0000000003C48000-memory.dmp
memory/1404-12-0x0000000003C30000-0x0000000003C48000-memory.dmp
C:\Windows\SysWOW64\wro.exe
| MD5 | 00a971c8a6adc1f4b04ac2e25b13e819 |
| SHA1 | c20289cbae9685cd8cd01eb35432d1308b3c8637 |
| SHA256 | 09c8f8771cf84ab833c454225ced4c4e67d97388b0842beb8c181c538cae6578 |
| SHA512 | 746b881554975952650bb7d328f2624c24c39e7f8921ec44fa5f0b942d4786354679990855bf535bd25bcd30d0995054f6aac84ff8d4f9ec96d659437986a6f7 |
memory/1404-20-0x0000000003C30000-0x0000000003C48000-memory.dmp
memory/2884-22-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1404-24-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U1D3TL60.txt
| MD5 | 42756a6363efab710496a7a47bfc8cf9 |
| SHA1 | 5dc309bfde7f6805e15bf956bd6c6232c6befc83 |
| SHA256 | e5d3f6e8bb0abf6df4a3d47d90d80bc37034ae66d58f40a81161f649a4b6e594 |
| SHA512 | c30d2e5169d003d54ab639048475b1ba1c4bd8d944930d51263815c48e3dfca7af8755e0342359cfa31e4f71d3ea1d3075bbede5231432111bb6fe078c91aad8 |
memory/2884-43-0x0000000003F80000-0x0000000003F98000-memory.dmp
memory/2884-42-0x0000000003AA0000-0x0000000003AB8000-memory.dmp
\Windows\SysWOW64\woq.exe
| MD5 | ba81cc925ebe0e5d039848d64dbf832b |
| SHA1 | a63a1d557dac0ed8381c4bd0a7f7f819fc092c87 |
| SHA256 | c6fba61c2cbe5adb02221a5a3c391c7b9fc8667f1654a08510911202ca1309ec |
| SHA512 | 4d23df437741f715c5b7501f6500765c9e3382553dfb3d159a4ef716e65888819e30d38a345e0d1dd05184e8a71c7dabd1659db6cf0ad0e3358c3c27acc9a058 |
memory/2884-45-0x0000000000400000-0x0000000000418000-memory.dmp
\Windows\SysWOW64\wyulxrq.exe
| MD5 | 2934b058c6f8c2a3b98d9189a08bc31b |
| SHA1 | a86211b1f20974e2a7fb128a5f12c5bbd2b9deef |
| SHA256 | e3daaa9ed71acf2fe659b789486f8c6542062c3080ca9a45efc0a1756504134c |
| SHA512 | c1a0817c7448a9d1f4645a50127419319317049ac092641eb4311f27b73df1932904e3db1901dd2c94c406107ab7f415f71a2847075b14aad9a09fe63565d18b |
memory/2264-53-0x00000000034D0000-0x00000000034E8000-memory.dmp
memory/2264-59-0x00000000034D0000-0x00000000034E8000-memory.dmp
memory/2264-66-0x0000000004150000-0x0000000004168000-memory.dmp
memory/2264-65-0x0000000004150000-0x0000000004168000-memory.dmp
memory/2264-69-0x0000000000400000-0x0000000000418000-memory.dmp
\Windows\SysWOW64\wdekseifi.exe
| MD5 | 575fbdf385d21f23a0fa379a88e270cf |
| SHA1 | 879938a842c665e089636791a392f3548d727c6f |
| SHA256 | 90d8d133e69aaa68c11f697bf16161e4c4f3da24fd715da9203682493478fbb4 |
| SHA512 | 671327c8bbd20b8c1f954d638730bc981e7015d708e7e0ba52acce31ddc826f27ccf8a7f03e25bd3a920052d5148336788080d8928cd0b84856dcd31d6e34dd1 |
memory/1732-86-0x0000000004010000-0x0000000004028000-memory.dmp
memory/1732-88-0x0000000004020000-0x0000000004038000-memory.dmp
memory/1732-87-0x0000000004010000-0x0000000004028000-memory.dmp
memory/1732-91-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAXX3SOJ.txt
| MD5 | 8c620919aeb945aed291c24a1bf7b76e |
| SHA1 | cadcbaeec0d9b8a99f465d3b6dc17eb5e93f03a5 |
| SHA256 | 96a87f879cb20da3829cd9476dfe326819623ae81cd9ebe9339a0e4e126af01d |
| SHA512 | 8621a529e4925882e064144c5642b70de52a2dc61618f83eb18fffd09e8c5bc606b331cd287a61de0d2326f3b20fab3aae90e02774dea338585e33ce0e99fd94 |
memory/2840-104-0x0000000003890000-0x00000000038A8000-memory.dmp
\Windows\SysWOW64\wipman.exe
| MD5 | f426ed9bcd755d2371536eb616af4eb0 |
| SHA1 | 4a4e4d3f0f8e7ecfdb1a10962eb68ff701130194 |
| SHA256 | 15ac1816e2997a360e05dc2ffe7f8d5afbb36a482d0902adaf3e8dfa70f419e5 |
| SHA512 | 2dc926fdcc1fabd4a3ab7bb10becd61271392b3b7f3881743b650f70fc1d66105fdd78f392bb604dd282aef0e0d7ded9e730c5db37ec04fa1810e040fbd8081a |
memory/2840-107-0x0000000003890000-0x00000000038A8000-memory.dmp
memory/2840-111-0x0000000003890000-0x00000000038A8000-memory.dmp
memory/2840-114-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SHWZNIR5.txt
| MD5 | 499720e469342b1fccf72fd961cee678 |
| SHA1 | 022ca149e965f4a4d2d8dd2eb19c80fe1d340e8f |
| SHA256 | dd228adc7f05a8eb611b117e3d097b9a57c8da92b719e00ed191673904788394 |
| SHA512 | e44f9e5160e7cdc635c1b9648d36514f0f2daa4bcf3f747b270e036c64679fe7bf10d9bb60018251c70fa28f3472bf959879640442a49503d49a239b48238ce7 |
\Windows\SysWOW64\wdce.exe
| MD5 | 43e7f7b35e44173fb6993341acd79fc0 |
| SHA1 | 6aec7c858b2b5dbb88c78ec03430110739a24204 |
| SHA256 | 7794847153a01ddb2edce6060b527e141edf2f82d8e33dae904c100995643811 |
| SHA512 | 230d2e249c5a0d584e226c1c75bc4cf4a6afd5af261a5831f1bea69e82db882008c1aedd190cc24f5bb12079bcd1b6e2e2492db042894998f7933402dda9c635 |
memory/2388-132-0x0000000003230000-0x0000000003248000-memory.dmp
memory/2388-131-0x0000000003230000-0x0000000003248000-memory.dmp
memory/2388-134-0x0000000000400000-0x0000000000418000-memory.dmp
\Windows\SysWOW64\wpqiqp.exe
| MD5 | a99badf2b3d09cf319e78c4d7ed611dc |
| SHA1 | db646cb56a8ad0369f7ff48ac2b35a328cd7eee2 |
| SHA256 | bda05b78f6371d9396e2a7f7aef4c059f15a0563783a5fa236807aa9d421c729 |
| SHA512 | d8536edc67faf83b1d3bc454c957865d35d69df52eeb5f400a517ea6f5b9b975492dcb8dcd192760cdcddad4c9f3b320959df52bee7acb397bbc9e44270d3b91 |
memory/2500-153-0x0000000004080000-0x0000000004098000-memory.dmp
memory/2500-152-0x0000000004080000-0x0000000004098000-memory.dmp
memory/2500-156-0x0000000000400000-0x0000000000418000-memory.dmp
\Windows\SysWOW64\wcjibkb.exe
| MD5 | 84c021ae712b9dc13033726724751875 |
| SHA1 | b015467bed00fa41931b7cf62633abf7e18cc9f5 |
| SHA256 | 8949eba300afdb3844386fd18f3e1f4a0768f48478d64f8ef7e725935045fc0f |
| SHA512 | 8b10010627bc6d910edc2256e3f2ff3a81ea271ba3b06504ebf57563a8440910db1d83f4f74366eb5f9315ba4d25e588593b56771f0ec1fbbb4d3de5854bd797 |
memory/2116-174-0x0000000002520000-0x0000000002538000-memory.dmp
memory/2116-176-0x0000000002520000-0x0000000002538000-memory.dmp
memory/2116-175-0x0000000002520000-0x0000000002538000-memory.dmp
memory/2116-173-0x0000000002520000-0x0000000002538000-memory.dmp
memory/2116-179-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2356-181-0x0000000077330000-0x000000007742A000-memory.dmp
memory/2356-180-0x0000000077210000-0x000000007732F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\install[2].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
\Windows\SysWOW64\wwioaqyl.exe
| MD5 | e9749afc5c94c926cfc74709484813f2 |
| SHA1 | ba78a1ea99daa589214da71a4bb6e161767b9047 |
| SHA256 | 5612f3a02a0425180ee40abb02aee7872ef27fc862fad9aaeac6d77629fd4d88 |
| SHA512 | 6e85ac95e6ae77836ebd2f3d2970074242cb30f96cc92bf294f201000a216b47eb3864511810ab36895833adc942cf23d3fb8dbfc752cf0d4591af6f99549213 |
memory/880-203-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2080-201-0x0000000000400000-0x0000000000418000-memory.dmp
memory/880-199-0x0000000004020000-0x0000000004038000-memory.dmp
memory/880-198-0x0000000004020000-0x0000000004038000-memory.dmp
\Windows\SysWOW64\wpltaa.exe
| MD5 | ecb8d9cea6e2776a27645f94149a95d3 |
| SHA1 | f742c7d666d98ba2c6594ed6f82f3d16ff1efad1 |
| SHA256 | a61d92cce30bbcd55e65d4462cd973830d6d83192f501b5308c690f858440ca9 |
| SHA512 | 815e933e2b786b8963867c7a53b92bcd0495fa92d7a5f28bde2fc5625f80c6371251a76746c339d7ff1d687ea467dc1337413e9d8927a295d7a8466352df5119 |
memory/2080-220-0x0000000003460000-0x0000000003478000-memory.dmp
memory/2080-223-0x0000000000400000-0x0000000000418000-memory.dmp
\Windows\SysWOW64\wti.exe
| MD5 | ca316de5eb712fd5f9927becb0678c99 |
| SHA1 | 76f8dece8b7c869e9ca57ca7832ad74040fc04d3 |
| SHA256 | a9b92850dbc7dd05045eea831db22216a14c2bc00b7fcdd5f9fc53daac2109b8 |
| SHA512 | e241a1b0f489aa68703a63ac3bdd561be67eeb179703854a318d0606eda82d76bd95edb43c97f3e47fda67ad5506616e2ddaccfdddcd0bea3852abde911ce2dd |
memory/1760-237-0x00000000005F0000-0x0000000000608000-memory.dmp
memory/1760-238-0x0000000000400000-0x0000000000418000-memory.dmp
memory/976-253-0x0000000003AA0000-0x0000000003AB8000-memory.dmp
memory/976-252-0x0000000003AA0000-0x0000000003AB8000-memory.dmp
memory/976-245-0x0000000003AA0000-0x0000000003AB8000-memory.dmp
memory/976-254-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1380-268-0x0000000003820000-0x0000000003838000-memory.dmp
memory/1380-267-0x0000000003820000-0x0000000003838000-memory.dmp
memory/2068-269-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1380-270-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2068-283-0x0000000002440000-0x0000000002458000-memory.dmp
memory/2068-285-0x0000000002440000-0x0000000002458000-memory.dmp
memory/2068-287-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2068-284-0x0000000002440000-0x0000000002458000-memory.dmp
memory/1132-286-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1132-293-0x00000000031A0000-0x00000000031B8000-memory.dmp
memory/1132-302-0x0000000003E80000-0x0000000003E98000-memory.dmp
memory/1132-301-0x00000000031A0000-0x00000000031B8000-memory.dmp
memory/1132-303-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1716-316-0x0000000003C40000-0x0000000003C58000-memory.dmp
memory/1716-318-0x0000000003C40000-0x0000000003C58000-memory.dmp
memory/1716-317-0x0000000003C40000-0x0000000003C58000-memory.dmp
memory/1716-319-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2280-329-0x0000000002250000-0x0000000002268000-memory.dmp
memory/2280-334-0x0000000002250000-0x0000000002268000-memory.dmp
memory/2280-333-0x0000000002250000-0x0000000002268000-memory.dmp
memory/2280-335-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3036-349-0x0000000003B50000-0x0000000003B68000-memory.dmp
memory/3036-348-0x0000000003B50000-0x0000000003B68000-memory.dmp
memory/3036-351-0x0000000003B60000-0x0000000003B78000-memory.dmp
memory/3036-352-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3036-350-0x0000000003B60000-0x0000000003B78000-memory.dmp
memory/2656-366-0x0000000003370000-0x0000000003388000-memory.dmp
memory/2656-365-0x0000000003370000-0x0000000003388000-memory.dmp
memory/2656-367-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2700-383-0x0000000004030000-0x0000000004048000-memory.dmp
memory/2700-382-0x0000000004030000-0x0000000004048000-memory.dmp
memory/2700-381-0x0000000003E60000-0x0000000003E78000-memory.dmp
memory/2700-380-0x0000000003E60000-0x0000000003E78000-memory.dmp
memory/2700-384-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1848-394-0x0000000003B50000-0x0000000003B68000-memory.dmp
memory/1848-398-0x0000000003B60000-0x0000000003B78000-memory.dmp
memory/2028-399-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1848-400-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2028-410-0x00000000032E0000-0x00000000032F8000-memory.dmp
memory/2028-414-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2156-429-0x0000000003E80000-0x0000000003E98000-memory.dmp
memory/2156-428-0x0000000003E80000-0x0000000003E98000-memory.dmp
memory/2156-424-0x0000000003E80000-0x0000000003E98000-memory.dmp
memory/600-430-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2156-431-0x0000000000400000-0x0000000000418000-memory.dmp
memory/600-441-0x00000000035E0000-0x00000000035F8000-memory.dmp
memory/600-446-0x0000000003DF0000-0x0000000003E08000-memory.dmp
memory/600-445-0x0000000003DF0000-0x0000000003E08000-memory.dmp
memory/600-447-0x0000000000400000-0x0000000000418000-memory.dmp
memory/660-461-0x0000000003610000-0x0000000003628000-memory.dmp
memory/660-460-0x0000000003610000-0x0000000003628000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 03:11
Reported
2024-10-31 03:13
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
121s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkrwf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxtumb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wpnfflpt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wfok.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wyxgcwj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wavaoa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wnytm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wrogll.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wsvsq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wohhq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wovdrrma.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxrbcifc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\weavtd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wsbkrnk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wpbp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wckcxxj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wvy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wrhenplnf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkvfh.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wcoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wmyforsk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wwauht.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wooyq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wmjtv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wymnnjae.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wywxe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wphg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wpku.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wifof.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wtnsnw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wekmsexs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxocwtx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlgld.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlruth.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxyyaqsu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\whxqmnbhw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wqukncw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wfbofc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlpdl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlkshvuxr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wihnferv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wix.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wguobqy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wusqppnp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wtsafq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wdoi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\whvsa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wcjbdsow.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wirtmnq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkcclo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wimrkr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wvpqp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wqjortx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wuwp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbtsno.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wyfwmqdb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wujl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wtvvud.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wugjtf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wmpqp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wsidw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wmavv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wuefq.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvqutl = "\"C:\\Windows\\SysWOW64\\wvqutl.exe\"" | C:\Windows\SysWOW64\wvqutl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmavv = "\"C:\\Windows\\SysWOW64\\wmavv.exe\"" | C:\Windows\SysWOW64\wmavv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnowg = "\"C:\\Windows\\SysWOW64\\wnowg.exe\"" | C:\Windows\SysWOW64\wnowg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whrrjpl = "\"C:\\Windows\\SysWOW64\\whrrjpl.exe\"" | C:\Windows\SysWOW64\whrrjpl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\welvcsw = "\"C:\\Windows\\SysWOW64\\welvcsw.exe\"" | C:\Windows\SysWOW64\welvcsw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbtsno = "\"C:\\Windows\\SysWOW64\\wbtsno.exe\"" | C:\Windows\SysWOW64\wbtsno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wymnnjae = "\"C:\\Windows\\SysWOW64\\wymnnjae.exe\"" | C:\Windows\SysWOW64\wymnnjae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyhb = "\"C:\\Windows\\SysWOW64\\wyhb.exe\"" | C:\Windows\SysWOW64\wyhb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wix = "\"C:\\Windows\\SysWOW64\\wix.exe\"" | C:\Windows\SysWOW64\wix.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdbx = "\"C:\\Windows\\SysWOW64\\wdbx.exe\"" | C:\Windows\SysWOW64\wdbx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcjbdsow = "\"C:\\Windows\\SysWOW64\\wcjbdsow.exe\"" | C:\Windows\SysWOW64\wcjbdsow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcxje = "\"C:\\Windows\\SysWOW64\\wcxje.exe\"" | C:\Windows\SysWOW64\wcxje.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmloo = "\"C:\\Windows\\SysWOW64\\wmloo.exe\"" | C:\Windows\SysWOW64\wmloo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlruth = "\"C:\\Windows\\SysWOW64\\wlruth.exe\"" | C:\Windows\SysWOW64\wlruth.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wphg = "\"C:\\Windows\\SysWOW64\\wphg.exe\"" | C:\Windows\SysWOW64\wphg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtvvud = "\"C:\\Windows\\SysWOW64\\wtvvud.exe\"" | C:\Windows\SysWOW64\wtvvud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfok = "\"C:\\Windows\\SysWOW64\\wfok.exe\"" | C:\Windows\SysWOW64\wfok.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlkshvuxr = "\"C:\\Windows\\SysWOW64\\wlkshvuxr.exe\"" | C:\Windows\SysWOW64\wlkshvuxr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckcxxj = "\"C:\\Windows\\SysWOW64\\wckcxxj.exe\"" | C:\Windows\SysWOW64\wckcxxj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe\"" | C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxocwtx = "\"C:\\Windows\\SysWOW64\\wxocwtx.exe\"" | C:\Windows\SysWOW64\wxocwtx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whvsa = "\"C:\\Windows\\SysWOW64\\whvsa.exe\"" | C:\Windows\SysWOW64\whvsa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiki = "\"C:\\Windows\\SysWOW64\\wiki.exe\"" | C:\Windows\SysWOW64\wiki.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wihnferv = "\"C:\\Windows\\SysWOW64\\wihnferv.exe\"" | C:\Windows\SysWOW64\wihnferv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqukncw = "\"C:\\Windows\\SysWOW64\\wqukncw.exe\"" | C:\Windows\SysWOW64\wqukncw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdnrodh = "\"C:\\Windows\\SysWOW64\\wdnrodh.exe\"" | C:\Windows\SysWOW64\wdnrodh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wirtmnq = "\"C:\\Windows\\SysWOW64\\wirtmnq.exe\"" | C:\Windows\SysWOW64\wirtmnq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtnsnw = "\"C:\\Windows\\SysWOW64\\wtnsnw.exe\"" | C:\Windows\SysWOW64\wtnsnw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmjtv = "\"C:\\Windows\\SysWOW64\\wmjtv.exe\"" | C:\Windows\SysWOW64\wmjtv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsidw = "\"C:\\Windows\\SysWOW64\\wsidw.exe\"" | C:\Windows\SysWOW64\wsidw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuwhcslaa = "\"C:\\Windows\\SysWOW64\\wuwhcslaa.exe\"" | C:\Windows\SysWOW64\wuwhcslaa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wguobqy = "\"C:\\Windows\\SysWOW64\\wguobqy.exe\"" | C:\Windows\SysWOW64\wguobqy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpnfflpt = "\"C:\\Windows\\SysWOW64\\wpnfflpt.exe\"" | C:\Windows\SysWOW64\wpnfflpt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtsafq = "\"C:\\Windows\\SysWOW64\\wtsafq.exe\"" | C:\Windows\SysWOW64\wtsafq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpku = "\"C:\\Windows\\SysWOW64\\wpku.exe\"" | C:\Windows\SysWOW64\wpku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wifof = "\"C:\\Windows\\SysWOW64\\wifof.exe\"" | C:\Windows\SysWOW64\wifof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrogll = "\"C:\\Windows\\SysWOW64\\wrogll.exe\"" | C:\Windows\SysWOW64\wrogll.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wywxe = "\"C:\\Windows\\SysWOW64\\wywxe.exe\"" | C:\Windows\SysWOW64\wywxe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcoy = "\"C:\\Windows\\SysWOW64\\wcoy.exe\"" | C:\Windows\SysWOW64\wcoy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weavtd = "\"C:\\Windows\\SysWOW64\\weavtd.exe\"" | C:\Windows\SysWOW64\weavtd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wovdrrma = "\"C:\\Windows\\SysWOW64\\wovdrrma.exe\"" | C:\Windows\SysWOW64\wovdrrma.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxrbcifc = "\"C:\\Windows\\SysWOW64\\wxrbcifc.exe\"" | C:\Windows\SysWOW64\wxrbcifc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlpdl = "\"C:\\Windows\\SysWOW64\\wlpdl.exe\"" | C:\Windows\SysWOW64\wlpdl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyfwmqdb = "\"C:\\Windows\\SysWOW64\\wyfwmqdb.exe\"" | C:\Windows\SysWOW64\wyfwmqdb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdyucpwo = "\"C:\\Windows\\SysWOW64\\wdyucpwo.exe\"" | C:\Windows\SysWOW64\wdyucpwo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wekmsexs = "\"C:\\Windows\\SysWOW64\\wekmsexs.exe\"" | C:\Windows\SysWOW64\wekmsexs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whxqmnbhw = "\"C:\\Windows\\SysWOW64\\whxqmnbhw.exe\"" | C:\Windows\SysWOW64\whxqmnbhw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxtumb = "\"C:\\Windows\\SysWOW64\\wxtumb.exe\"" | C:\Windows\SysWOW64\wxtumb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wusqppnp = "\"C:\\Windows\\SysWOW64\\wusqppnp.exe\"" | C:\Windows\SysWOW64\wusqppnp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkbpjl = "\"C:\\Windows\\SysWOW64\\wkbpjl.exe\"" | C:\Windows\SysWOW64\wkbpjl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvpqp = "\"C:\\Windows\\SysWOW64\\wvpqp.exe\"" | C:\Windows\SysWOW64\wvpqp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wujl = "\"C:\\Windows\\SysWOW64\\wujl.exe\"" | C:\Windows\SysWOW64\wujl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmakx = "\"C:\\Windows\\SysWOW64\\wmakx.exe\"" | C:\Windows\SysWOW64\wmakx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtccd = "\"C:\\Windows\\SysWOW64\\wtccd.exe\"" | C:\Windows\SysWOW64\wtccd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webkvsrp = "\"C:\\Windows\\SysWOW64\\webkvsrp.exe\"" | C:\Windows\SysWOW64\webkvsrp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvy = "\"C:\\Windows\\SysWOW64\\wvy.exe\"" | C:\Windows\SysWOW64\wvy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfbofc = "\"C:\\Windows\\SysWOW64\\wfbofc.exe\"" | C:\Windows\SysWOW64\wfbofc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlgpcko = "\"C:\\Windows\\SysWOW64\\wlgpcko.exe\"" | C:\Windows\SysWOW64\wlgpcko.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wugjtf = "\"C:\\Windows\\SysWOW64\\wugjtf.exe\"" | C:\Windows\SysWOW64\wugjtf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wto = "\"C:\\Windows\\SysWOW64\\wto.exe\"" | C:\Windows\SysWOW64\wto.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnytm = "\"C:\\Windows\\SysWOW64\\wnytm.exe\"" | C:\Windows\SysWOW64\wnytm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwauht = "\"C:\\Windows\\SysWOW64\\wwauht.exe\"" | C:\Windows\SysWOW64\wwauht.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsvsq = "\"C:\\Windows\\SysWOW64\\wsvsq.exe\"" | C:\Windows\SysWOW64\wsvsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkvfh = "\"C:\\Windows\\SysWOW64\\wkvfh.exe\"" | C:\Windows\SysWOW64\wkvfh.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\wxrbcifc.exe | C:\Windows\SysWOW64\wcoy.exe | N/A |
| File created | C:\Windows\SysWOW64\wlpdl.exe | C:\Windows\SysWOW64\wtccd.exe | N/A |
| File created | C:\Windows\SysWOW64\wsbkrnk.exe | C:\Windows\SysWOW64\wvqutl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wdoi.exe | C:\Windows\SysWOW64\wnowg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlruth.exe | C:\Windows\SysWOW64\wmloo.exe | N/A |
| File created | C:\Windows\SysWOW64\wuwhcslaa.exe | C:\Windows\SysWOW64\wjhcpsila.exe | N/A |
| File created | C:\Windows\SysWOW64\wguobqy.exe | C:\Windows\SysWOW64\wuwhcslaa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wguobqy.exe | C:\Windows\SysWOW64\wuwhcslaa.exe | N/A |
| File created | C:\Windows\SysWOW64\wgocxpt.exe | C:\Windows\SysWOW64\wdbx.exe | N/A |
| File created | C:\Windows\SysWOW64\wtsafq.exe | C:\Windows\SysWOW64\wqukncw.exe | N/A |
| File created | C:\Windows\SysWOW64\wvpqp.exe | C:\Windows\SysWOW64\wmavv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxpegfs.exe | C:\Windows\SysWOW64\wusqppnp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wto.exe | C:\Windows\SysWOW64\wfok.exe | N/A |
| File created | C:\Windows\SysWOW64\wkcclo.exe | C:\Windows\SysWOW64\wyfwmqdb.exe | N/A |
| File created | C:\Windows\SysWOW64\wmyforsk.exe | C:\Windows\SysWOW64\wcjbdsow.exe | N/A |
| File created | C:\Windows\SysWOW64\wckcxxj.exe | C:\Windows\SysWOW64\wlgld.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnowg.exe | C:\Windows\SysWOW64\wywxe.exe | N/A |
| File created | C:\Windows\SysWOW64\wdoi.exe | C:\Windows\SysWOW64\wnowg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wpavt.exe | C:\Windows\SysWOW64\wyhb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnytm.exe | C:\Windows\SysWOW64\wyxgcwj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsvsq.exe | C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe | N/A |
| File created | C:\Windows\SysWOW64\wkrwf.exe | C:\Windows\SysWOW64\wxyyaqsu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wuwp.exe | C:\Windows\SysWOW64\wphg.exe | N/A |
| File created | C:\Windows\SysWOW64\wkvfh.exe | C:\Windows\SysWOW64\wdjeh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\welvcsw.exe | C:\Windows\SysWOW64\wimrkr.exe | N/A |
| File created | C:\Windows\SysWOW64\wdyucpwo.exe | C:\Windows\SysWOW64\wvy.exe | N/A |
| File created | C:\Windows\SysWOW64\wfbofc.exe | C:\Windows\SysWOW64\wdyucpwo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wooyq.exe | C:\Windows\SysWOW64\wvpqp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\whrrjpl.exe | C:\Windows\SysWOW64\wrcaabc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsbkrnk.exe | C:\Windows\SysWOW64\wvqutl.exe | N/A |
| File created | C:\Windows\SysWOW64\wwauht.exe | C:\Windows\SysWOW64\wmyforsk.exe | N/A |
| File created | C:\Windows\SysWOW64\wirtmnq.exe | C:\Windows\SysWOW64\wwauht.exe | N/A |
| File created | C:\Windows\SysWOW64\wwts.exe | C:\Windows\SysWOW64\wuefq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkrwf.exe | C:\Windows\SysWOW64\wxyyaqsu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wpbp.exe | C:\Windows\SysWOW64\wrogll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wyfwmqdb.exe | C:\Windows\SysWOW64\wsbkrnk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wirtmnq.exe | C:\Windows\SysWOW64\wwauht.exe | N/A |
| File created | C:\Windows\SysWOW64\wlgpcko.exe | C:\Windows\SysWOW64\wooyq.exe | N/A |
| File created | C:\Windows\SysWOW64\wqjortx.exe | C:\Windows\SysWOW64\wsvsq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wphg.exe | C:\Windows\SysWOW64\wkrwf.exe | N/A |
| File created | C:\Windows\SysWOW64\wjhcpsila.exe | C:\Windows\SysWOW64\wix.exe | N/A |
| File created | C:\Windows\SysWOW64\wcoy.exe | C:\Windows\SysWOW64\wmakx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wugjtf.exe | C:\Windows\SysWOW64\wxrbcifc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wcjbdsow.exe | C:\Windows\SysWOW64\wgocxpt.exe | N/A |
| File created | C:\Windows\SysWOW64\wqukncw.exe | C:\Windows\SysWOW64\wsidw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfbofc.exe | C:\Windows\SysWOW64\wdyucpwo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmloo.exe | C:\Windows\SysWOW64\wdoi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxyyaqsu.exe | C:\Windows\SysWOW64\wiki.exe | N/A |
| File created | C:\Windows\SysWOW64\wyhb.exe | C:\Windows\SysWOW64\wkvfh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmakx.exe | C:\Windows\SysWOW64\wovdrrma.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wpku.exe | C:\Windows\SysWOW64\wto.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvpqp.exe | C:\Windows\SysWOW64\wmavv.exe | N/A |
| File created | C:\Windows\SysWOW64\wxocwtx.exe | C:\Windows\SysWOW64\wuwp.exe | N/A |
| File created | C:\Windows\SysWOW64\whxqmnbhw.exe | C:\Windows\SysWOW64\whvsa.exe | N/A |
| File created | C:\Windows\SysWOW64\wovdrrma.exe | C:\Windows\SysWOW64\wguobqy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwauht.exe | C:\Windows\SysWOW64\wmyforsk.exe | N/A |
| File created | C:\Windows\SysWOW64\wywxe.exe | C:\Windows\SysWOW64\wymnnjae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wtsafq.exe | C:\Windows\SysWOW64\wqukncw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvy.exe | C:\Windows\SysWOW64\wtsafq.exe | N/A |
| File created | C:\Windows\SysWOW64\wpjgjbd.exe | C:\Windows\SysWOW64\wfbofc.exe | N/A |
| File created | C:\Windows\SysWOW64\wmavv.exe | C:\Windows\SysWOW64\wpjgjbd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wymnnjae.exe | C:\Windows\SysWOW64\wekmsexs.exe | N/A |
| File created | C:\Windows\SysWOW64\wxyyaqsu.exe | C:\Windows\SysWOW64\wiki.exe | N/A |
| File created | C:\Windows\SysWOW64\wpavt.exe | C:\Windows\SysWOW64\wyhb.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmakx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wusqppnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmpqp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wkcclo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wwauht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlgpcko.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wdoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmloo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wfbofc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wdyucpwo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wdbx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wrogll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wfok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wpku.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wrhenplnf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wovdrrma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wyxgcwj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnytm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wsidw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wooyq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wuwhcslaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wtccd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmjtv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wujl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wrcaabc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wimrkr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wuefq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wxtumb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wqukncw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wxrbcifc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbtsno.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wcoy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
"C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
C:\Windows\SysWOW64\wsvsq.exe
"C:\Windows\system32\wsvsq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"
C:\Windows\SysWOW64\wqjortx.exe
"C:\Windows\system32\wqjortx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvsq.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1580
C:\Windows\SysWOW64\wohhq.exe
"C:\Windows\system32\wohhq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjortx.exe"
C:\Windows\SysWOW64\wekmsexs.exe
"C:\Windows\system32\wekmsexs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohhq.exe"
C:\Windows\SysWOW64\wymnnjae.exe
"C:\Windows\system32\wymnnjae.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekmsexs.exe"
C:\Windows\SysWOW64\wywxe.exe
"C:\Windows\system32\wywxe.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymnnjae.exe"
C:\Windows\SysWOW64\wnowg.exe
"C:\Windows\system32\wnowg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywxe.exe"
C:\Windows\SysWOW64\wdoi.exe
"C:\Windows\system32\wdoi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnowg.exe"
C:\Windows\SysWOW64\wmloo.exe
"C:\Windows\system32\wmloo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoi.exe"
C:\Windows\SysWOW64\wlruth.exe
"C:\Windows\system32\wlruth.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmloo.exe"
C:\Windows\SysWOW64\wrhenplnf.exe
"C:\Windows\system32\wrhenplnf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlruth.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 1736 -ip 1736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1472
C:\Windows\SysWOW64\wiki.exe
"C:\Windows\system32\wiki.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhenplnf.exe"
C:\Windows\SysWOW64\wxyyaqsu.exe
"C:\Windows\system32\wxyyaqsu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiki.exe"
C:\Windows\SysWOW64\wkrwf.exe
"C:\Windows\system32\wkrwf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyyaqsu.exe"
C:\Windows\SysWOW64\wphg.exe
"C:\Windows\system32\wphg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrwf.exe"
C:\Windows\SysWOW64\wuwp.exe
"C:\Windows\system32\wuwp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphg.exe"
C:\Windows\SysWOW64\wxocwtx.exe
"C:\Windows\system32\wxocwtx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwp.exe"
C:\Windows\SysWOW64\whvsa.exe
"C:\Windows\system32\whvsa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxocwtx.exe"
C:\Windows\SysWOW64\whxqmnbhw.exe
"C:\Windows\system32\whxqmnbhw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvsa.exe"
C:\Windows\SysWOW64\wujl.exe
"C:\Windows\system32\wujl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxqmnbhw.exe"
C:\Windows\SysWOW64\wtvvud.exe
"C:\Windows\system32\wtvvud.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujl.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5100 -ip 5100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1652
C:\Windows\SysWOW64\wrcaabc.exe
"C:\Windows\system32\wrcaabc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvvud.exe"
C:\Windows\SysWOW64\whrrjpl.exe
"C:\Windows\system32\whrrjpl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcaabc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3876 -ip 3876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 116
C:\Windows\SysWOW64\wxtumb.exe
"C:\Windows\system32\wxtumb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrrjpl.exe"
C:\Windows\SysWOW64\wdjeh.exe
"C:\Windows\system32\wdjeh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtumb.exe"
C:\Windows\SysWOW64\wkvfh.exe
"C:\Windows\system32\wkvfh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjeh.exe"
C:\Windows\SysWOW64\wyhb.exe
"C:\Windows\system32\wyhb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfh.exe"
C:\Windows\SysWOW64\wpavt.exe
"C:\Windows\system32\wpavt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhb.exe"
C:\Windows\SysWOW64\wix.exe
"C:\Windows\system32\wix.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpavt.exe"
C:\Windows\SysWOW64\wjhcpsila.exe
"C:\Windows\system32\wjhcpsila.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wix.exe"
C:\Windows\SysWOW64\wuwhcslaa.exe
"C:\Windows\system32\wuwhcslaa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhcpsila.exe"
C:\Windows\SysWOW64\wguobqy.exe
"C:\Windows\system32\wguobqy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwhcslaa.exe"
C:\Windows\SysWOW64\wovdrrma.exe
"C:\Windows\system32\wovdrrma.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguobqy.exe"
C:\Windows\SysWOW64\wmakx.exe
"C:\Windows\system32\wmakx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovdrrma.exe"
C:\Windows\SysWOW64\wcoy.exe
"C:\Windows\system32\wcoy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmakx.exe"
C:\Windows\SysWOW64\wxrbcifc.exe
"C:\Windows\system32\wxrbcifc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoy.exe"
C:\Windows\SysWOW64\wugjtf.exe
"C:\Windows\system32\wugjtf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrbcifc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 304
C:\Windows\SysWOW64\wbtsno.exe
"C:\Windows\system32\wbtsno.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugjtf.exe"
C:\Windows\SysWOW64\wtccd.exe
"C:\Windows\system32\wtccd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtsno.exe"
C:\Windows\SysWOW64\wlpdl.exe
"C:\Windows\system32\wlpdl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtccd.exe"
C:\Windows\SysWOW64\weavtd.exe
"C:\Windows\system32\weavtd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpdl.exe"
C:\Windows\SysWOW64\wusqppnp.exe
"C:\Windows\system32\wusqppnp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weavtd.exe"
C:\Windows\SysWOW64\wxpegfs.exe
"C:\Windows\system32\wxpegfs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusqppnp.exe"
C:\Windows\SysWOW64\wmpqp.exe
"C:\Windows\system32\wmpqp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpegfs.exe"
C:\Windows\SysWOW64\wpnfflpt.exe
"C:\Windows\system32\wpnfflpt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpqp.exe"
C:\Windows\SysWOW64\wdnrodh.exe
"C:\Windows\system32\wdnrodh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnfflpt.exe"
C:\Windows\SysWOW64\wfok.exe
"C:\Windows\system32\wfok.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnrodh.exe"
C:\Windows\SysWOW64\wto.exe
"C:\Windows\system32\wto.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfok.exe"
C:\Windows\SysWOW64\wpku.exe
"C:\Windows\system32\wpku.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
C:\Windows\SysWOW64\wkbpjl.exe
"C:\Windows\system32\wkbpjl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpku.exe"
C:\Windows\SysWOW64\wvqutl.exe
"C:\Windows\system32\wvqutl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbpjl.exe"
C:\Windows\SysWOW64\wsbkrnk.exe
"C:\Windows\system32\wsbkrnk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqutl.exe"
C:\Windows\SysWOW64\wyfwmqdb.exe
"C:\Windows\system32\wyfwmqdb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbkrnk.exe"
C:\Windows\SysWOW64\wkcclo.exe
"C:\Windows\system32\wkcclo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfwmqdb.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1724 -ip 1724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1340
C:\Windows\SysWOW64\wimrkr.exe
"C:\Windows\system32\wimrkr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcclo.exe"
C:\Windows\SysWOW64\welvcsw.exe
"C:\Windows\system32\welvcsw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimrkr.exe"
C:\Windows\SysWOW64\wyxgcwj.exe
"C:\Windows\system32\wyxgcwj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welvcsw.exe"
C:\Windows\SysWOW64\wnytm.exe
"C:\Windows\system32\wnytm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxgcwj.exe"
C:\Windows\SysWOW64\wdbx.exe
"C:\Windows\system32\wdbx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnytm.exe"
C:\Windows\SysWOW64\wgocxpt.exe
"C:\Windows\system32\wgocxpt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"
C:\Windows\SysWOW64\wcjbdsow.exe
"C:\Windows\system32\wcjbdsow.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgocxpt.exe"
C:\Windows\SysWOW64\wmyforsk.exe
"C:\Windows\system32\wmyforsk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjbdsow.exe"
C:\Windows\SysWOW64\wwauht.exe
"C:\Windows\system32\wwauht.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyforsk.exe"
C:\Windows\SysWOW64\wirtmnq.exe
"C:\Windows\system32\wirtmnq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwauht.exe"
C:\Windows\SysWOW64\wavaoa.exe
"C:\Windows\system32\wavaoa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirtmnq.exe"
C:\Windows\SysWOW64\wlkshvuxr.exe
"C:\Windows\system32\wlkshvuxr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavaoa.exe"
C:\Windows\SysWOW64\wifof.exe
"C:\Windows\system32\wifof.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkshvuxr.exe"
C:\Windows\SysWOW64\webkvsrp.exe
"C:\Windows\system32\webkvsrp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifof.exe"
C:\Windows\SysWOW64\wrogll.exe
"C:\Windows\system32\wrogll.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webkvsrp.exe"
C:\Windows\SysWOW64\wpbp.exe
"C:\Windows\system32\wpbp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrogll.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4292 -ip 4292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1280
C:\Windows\SysWOW64\wtnsnw.exe
"C:\Windows\system32\wtnsnw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbp.exe"
C:\Windows\SysWOW64\wuefq.exe
"C:\Windows\system32\wuefq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnsnw.exe"
C:\Windows\SysWOW64\wwts.exe
"C:\Windows\system32\wwts.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuefq.exe"
C:\Windows\SysWOW64\wmjtv.exe
"C:\Windows\system32\wmjtv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwts.exe"
C:\Windows\SysWOW64\wcxje.exe
"C:\Windows\system32\wcxje.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjtv.exe"
C:\Windows\SysWOW64\wlgld.exe
"C:\Windows\system32\wlgld.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxje.exe"
C:\Windows\SysWOW64\wckcxxj.exe
"C:\Windows\system32\wckcxxj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgld.exe"
C:\Windows\SysWOW64\wihnferv.exe
"C:\Windows\system32\wihnferv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckcxxj.exe"
C:\Windows\SysWOW64\wsidw.exe
"C:\Windows\system32\wsidw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihnferv.exe"
C:\Windows\SysWOW64\wqukncw.exe
"C:\Windows\system32\wqukncw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsidw.exe"
C:\Windows\SysWOW64\wtsafq.exe
"C:\Windows\system32\wtsafq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqukncw.exe"
C:\Windows\SysWOW64\wvy.exe
"C:\Windows\system32\wvy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsafq.exe"
C:\Windows\SysWOW64\wdyucpwo.exe
"C:\Windows\system32\wdyucpwo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvy.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1432
C:\Windows\SysWOW64\wfbofc.exe
"C:\Windows\system32\wfbofc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyucpwo.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5112 -ip 5112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5112 -ip 5112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1536
C:\Windows\SysWOW64\wpjgjbd.exe
"C:\Windows\system32\wpjgjbd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbofc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1836 -ip 1836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1432
C:\Windows\SysWOW64\wmavv.exe
"C:\Windows\system32\wmavv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjgjbd.exe"
C:\Windows\SysWOW64\wvpqp.exe
"C:\Windows\system32\wvpqp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmavv.exe"
C:\Windows\SysWOW64\wooyq.exe
"C:\Windows\system32\wooyq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpqp.exe"
C:\Windows\SysWOW64\wlgpcko.exe
"C:\Windows\system32\wlgpcko.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wooyq.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 222.172.224.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.182.224.103.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.26.223.76.in-addr.arpa | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
Files
memory/3492-0-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wsvsq.exe
| MD5 | b7d62339335b5bf423750329fd4746dc |
| SHA1 | 1b30bfc356359dacec9347280c9a1ece09da7e63 |
| SHA256 | f540f879dc0bbc82a6e5e4b3188560c8faf83b9535445763f90ad0f813f343bc |
| SHA512 | 9d7ec67aa07efc3db63abbcfb06bbb3ca2079bc543b7c03c7e7d41676c5dade32d68536210adf52604166f9c2461d658776787ab0e204b78115a60da9c4c5f42 |
memory/3492-11-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wqjortx.exe
| MD5 | bd79d1b71c59756bb620f08855e12ff7 |
| SHA1 | ade6e3db661edd87fbcf36f742cb91b80bde88cc |
| SHA256 | a034de828ff3b4c6b2a80d2512ab86a981b9f6a0813d453b266b791facfc4e4e |
| SHA512 | 73221984330becaa0869775d65de8c71eea9304fa0cc0af040eae37fcf3faf835991c772b0e72b0bd89fb79ef52fb79bb1f9f5ba89d1346a48cb9c05d50d20ad |
memory/3644-22-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wohhq.exe
| MD5 | 3ab55e66b5d8714f712774038310dd36 |
| SHA1 | 171a6081849a3e4f98730dce8e3274cb9d131354 |
| SHA256 | ab0a1c9dc2081991e45259f3577107844f1b85b93ff249505fb60a6900c84dc2 |
| SHA512 | 5fc367ca2566588701582974e7af23eaa8be1e7ec28995eee174b9d8dfeffcf4e9c4bba5d193d2d51bca4121ee8b909ef5acb8abde7ce332e8cd813a9d1838b3 |
memory/2824-33-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wekmsexs.exe
| MD5 | c8af3a1c47423afb0ada0f0671abdce0 |
| SHA1 | 20e49dc3ff52d1232df8389eda0bbf5819600bd2 |
| SHA256 | 25dba8e405896f09c769ecb2860f726a4955424468ddee20906c6c09fb1535e4 |
| SHA512 | c9eb8c4647a3ddf56f5f8123f0c4ac032439deb5ad3d3c9f182c24b349b7f525fb057403283459a734a623980a527fd8d789b2544df08eaeafbc903ab2f5e7b1 |
memory/2008-43-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wymnnjae.exe
| MD5 | 58fef14e4df1e9e0396ef41a3cc93c57 |
| SHA1 | 45a33ac021123158762af66dd4c7434ef7075cdd |
| SHA256 | b1816ec9c3789b6df846a2f88658e901fab85c1097341b38cd7f1d57a2fb4c98 |
| SHA512 | 0ac4f6017b17224007ff9716d75addc41c90e8a076c733ee63b2e3d7880fb7a3dff24bf05efcfa441f6f1f6cde28173fb7c10c58c3e4398d31b65eaf91f6782d |
memory/3240-53-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wywxe.exe
| MD5 | 1ffcdfdcc734919c7a04c233a4177c8a |
| SHA1 | 3bce12c094ab7d9de1a90c812a8634c380840206 |
| SHA256 | 5f3737afca2d5f3d59dc609398244f5914f87bd7492a75b50f90e96f59118426 |
| SHA512 | a345a3f6d983e2f98ad73669d1b98c4dd7fbc2f3089d73bd52a1403e1f464dfdb7c465e34288e163d1f8d76465359bd67cf444294b9742e5df2ef64317905e89 |
memory/3308-64-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wnowg.exe
| MD5 | 22dc67482dadc2b408b0baa1dee03224 |
| SHA1 | cd948d2c70e3b273ff78bc5ec2e30e3c2dfb9921 |
| SHA256 | 99d7013ba2bd54d6e3027aceb3e50ba4091ee0316426b3ccdc2d6d7b60c49e29 |
| SHA512 | c8d0eee042e2cf4f8180ed742e34750227eb97f51968746841e8080ec111a3ed43e356395422e86c825334d56c0266958d3b403d12e3a26a358e47c68ee48508 |
memory/1772-74-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\install[2].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
C:\Windows\SysWOW64\wdoi.exe
| MD5 | db0b3a23c309931dc16c044ea0f58355 |
| SHA1 | 4be40147f9dad11271ccc6bdb8dbcc174af83d32 |
| SHA256 | c57c3d7c12e11bf29099b2495ed60e8803348b465bac1e744e12557daac5d045 |
| SHA512 | c9443f878e37ce51a1c895c94d8bd0c94ed1eb0b8bb342f5f25e07312620c08bf9e25e407da208f1a071d8accf66aab6c32be5def7dd49aad55b3d53a56be4c8 |
memory/3040-85-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wmloo.exe
| MD5 | 62e3e78913dfa2f5505a409034cf008b |
| SHA1 | 6ce19da561ff9aad01e18f015fe50df94661698e |
| SHA256 | 92eee4d29082b25fc5273e251d74b73afc65501d9d2d79e7455e5d5717ccf4c0 |
| SHA512 | fcd2ba170827aa2c59c0468aeb743ec16b00d0051d6c0507b29e575acf6c8e78ffae22dd10b5d3229609dcebe65633c63a308dbcea5323e56c55df40ff3006f2 |
memory/4272-95-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wlruth.exe
| MD5 | 83ab5f8499894a3c825329919fd68f20 |
| SHA1 | d3128cacce00bcd85e86a3a26b5eab1cfbb32eac |
| SHA256 | c09b6b2e4c02ae0fe06a573b66239e772cf36e8879aaf39d6e7b120eed4ce721 |
| SHA512 | c19630e3fe789decb9d04567df29d253bd2b909d05410a3aebe847233dc189e476f0555886a33ac0c30196d498af62759e41835631a2cbe6fc41c7bf97177504 |
memory/1860-105-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wrhenplnf.exe
| MD5 | 35f169fe8f13cb866606f4053647e2cc |
| SHA1 | dac258ae29b2b733d8e4e544358e44f83ce9662c |
| SHA256 | 88ab98a55c746c3dec2eab338fbefc6df29872a4ef8f15ba1e53c19d3cfdba77 |
| SHA512 | 8d798ad7f519926b839071e8aa8db2aa096882ac054ee41ab4ebbf7abd8b7afa8506d8d5de8c61a81656a71fc2a1420a0208b26d9f9a7e316669b2af0182396f |
memory/1736-116-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wiki.exe
| MD5 | 40e3141563be09b21481196e85d61139 |
| SHA1 | 28b3dbb53d9323c4b7b35ec4da044d68377cf495 |
| SHA256 | fa8049f5139c9acd931e4e63743da8e209a467062d874aa3770acb0649001599 |
| SHA512 | 636342c3a9f96954891eb1e6b7796bb8b3454a86970c0e7aa9b48b3002dd66baa19ba8fcc06eb3dbe8fb9af50693ec3efc2c876b09c427fcd90cd59c4668d684 |
memory/4124-127-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wxyyaqsu.exe
| MD5 | 08c280a7291c193c66eb6224daa59d95 |
| SHA1 | beecf291378831f1eaf30a5cf0fc387ef2ccad90 |
| SHA256 | 39b76f112cd82cba486e2e0d9c5f2b7e78436c96e90eb61702959d3f86f202f1 |
| SHA512 | 1a31ce195f1a4cb1bb1c9a43fb51eee2397a0cda8e4ca834a5fbf4c83a59455fb3b8961970b23256c2be31433db095f0e8d116259e4b33b292fa34b8f73f8d5f |
memory/3932-138-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wkrwf.exe
| MD5 | 819f1b4a86a2e43858745e81ecc737a0 |
| SHA1 | f6b7be000411efc76e64c17f56d908ccd7aa46f3 |
| SHA256 | 66ea7d519b589c0270b00fbebb629e0a23d33b2c686775934754ebc9b2274b61 |
| SHA512 | 37d374fb8b6a1edc1ad7b9f4941554151ec2e42c8ec50c958f1157f8c4b1e1322148ba3a56440969cdefbd9678a429b312b55404722bbd458ca7ff5e151460ad |
memory/3380-148-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wphg.exe
| MD5 | 0d2e94c9da2f382395f7c77e0a14b184 |
| SHA1 | e34e0cca9eca36b2e804a28af1a24874271b12b1 |
| SHA256 | 6564cca5ffc72d667c372a99a4353e6f3baffb415cc453390b3905344636a951 |
| SHA512 | dcb754b5f15913756d62e5bcf3d90683c8abd8f27eca1ff30c944e8d7f70644929b586d96bf088136dc6f77e5ed3972b0aad4345a1680488a1859cbadd9b69df |
memory/1236-158-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wuwp.exe
| MD5 | d3ffbd90c661d491ce1e3d0482237ef3 |
| SHA1 | 8aee8191b6a5827cdb329841142504e3e15f969b |
| SHA256 | 430288c8a4ac458e2630027479d8af9b0cae6a077a021ae1ab7a8d305a1cb22b |
| SHA512 | 92c9f3595ed1277007c8ecfcd713e33c586f26c9f8a2653dcf44f1c1bb0cde2ca00b3213086a3b60b5b92252c7637c504b71f2fd03e2d2b102a4f96991c296c4 |
memory/3928-168-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wxocwtx.exe
| MD5 | 9a9c364bd5c5cd2e2091b76ad534a07a |
| SHA1 | 65d7f5858e4743401864c801929ceef56f424ad4 |
| SHA256 | e0f9c93b70f52bfe461df92a06f86433d26d213f3614c46dab755f80de152f94 |
| SHA512 | 3f49781847d548078944b50acfd74a7788cd60e878c2f1f70b5264661104a4ab7227013aa7df092ea360ff8fdd9debfd08f7f9a416509384f6e5f4333e8260c7 |
memory/1612-179-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\whvsa.exe
| MD5 | 3ec5849eccc463c2de50e7a05b86e61d |
| SHA1 | 01629e1733e2e6586088046018370e254945078a |
| SHA256 | ef1436f589ee0c717ce873134fcb831d52a1bd4a0fe0f339766ae604eeb29608 |
| SHA512 | 1ae9286e41e887c31cda8435de00a96a4fa2a5ccf46e4db074fd01a80c74512a6864f2e9bcc28a86c47b9646f1b718f5155ec213b5d37a35179f23956b497fd3 |
memory/2872-190-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\whxqmnbhw.exe
| MD5 | 7f76bf5ca8508b8a75230f61ead5c7a6 |
| SHA1 | da745acfdd3a53228fba000ca31d36cae7894514 |
| SHA256 | 9dfaa4d66d8bb83b296dac68f029b77aa4c238829d0b095861f9809055635717 |
| SHA512 | 2c8a54e2df78eca5132540f41872a2c629b641a8e1cbfec580eef43bc505d657a38a35618625dc22074467d354409764d1bafa05ba7511086160bbcffaae1b6d |
memory/1588-200-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wujl.exe
| MD5 | a5290f088d94926ac916039f7a32ca7a |
| SHA1 | 7324330a73c14a4df82211c9fc773b7030619713 |
| SHA256 | d62a70c127f57a26815dc16c9c8c72eeb74965f3fe3c1bbd63f1e766664ffb61 |
| SHA512 | 669dfee63bd3b95bbd96cc5bac5260aad87c7187ca4f1e87585ecc8ac59210bde5d398bdfcaab6d1470a50a7e1cf9b7d07ad02636be5e2e8c65bfbc989498a7f |
memory/3796-211-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wtvvud.exe
| MD5 | 95acecac4479b1eab1c5e30e00d94c56 |
| SHA1 | 49f969b49f2b69f2a9d15fa6bf5b9b27fc77e103 |
| SHA256 | 41b9b699ca06977206e180fdf7408f8eca77c9c243b0fb83e78f0688135ac65a |
| SHA512 | 9a2b4c8a2f92dd6251c5409025c1bf7416287955013c93cea76c778215342ba24ea8bcef34c6e679c8ca0285b05672e94b8695a2d70fbb5221ca7784625143ce |
memory/5100-221-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wrcaabc.exe
| MD5 | 1d57fa01e8af11b31dbf230fd8607fc9 |
| SHA1 | 98deb4a383eb6d7af9e7819f2c7a81c065131a68 |
| SHA256 | 5e49e757a9726607b284ddd12fbf6d93833a7712887be8ebf1462fec3adfc5bb |
| SHA512 | 736e73cb67220b2089199d5ee01ab038f1ef8685de79067a6108cad09ddfc5d869c45ca829f89cad3d93ead815e1758004aa90f38ea7f0d8cddd45ab6954a3d5 |
memory/4252-232-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\whrrjpl.exe
| MD5 | df14ee5596c34746f3f059ab12d6670f |
| SHA1 | d184d07cae732e3bb0dce4c8d84e7a7cca8a366c |
| SHA256 | 2c8d020e818722af31916f7648113066bffec81ab558192d3c5e14cd3956ab15 |
| SHA512 | 138d2887ea5c86e9b4567908d16b4bb431031119a56e5470ccb2787198660413bc53aeaaa821359393c01276a5400af586168496748173450bb655ce502827ec |
memory/3876-243-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wxtumb.exe
| MD5 | 20cc9e5b2b6c3b3724f477e1cd51c945 |
| SHA1 | 3ec629cbb3bc8ced170927d9c3bc718ed0c5afc1 |
| SHA256 | be5bcf3c3561520dd918c16db1fac64ab78c98d3bdc9cc111fb426b2ea50887a |
| SHA512 | a4c2e6e8e69b0f50122a4f4791e4d1ef099ef5d33976db114e131f282a1ce282d1ae588e20fb1087e0324e299cb2de4ec06d5187699331d0d50adc5b3b089de3 |
memory/3264-253-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wdjeh.exe
| MD5 | 77e6dbbf8a93f98e96348cb49c7416b7 |
| SHA1 | a443ec10330cc0d528fe1d2da99b0d79d9621803 |
| SHA256 | f7f476e2edb42d33efcdb5e7d6ef1ddc11a63c42d8df5f6dc496259cafe82f19 |
| SHA512 | eecb06b56d9c49f7c45506a480aaf68d9bc96c73e68c6e002137f7b0312ae9a60d2b04ac0e54137d08082f5377b438f63e4d2700548731b4445cf69f565992d3 |
memory/2736-264-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wkvfh.exe
| MD5 | 4a5949517c4588034ce413b42d858ece |
| SHA1 | 10a4190ffad3246a83bcc38d5a975800b64b9c99 |
| SHA256 | 5d50e1014764562556d821b329124661a722657655576ca558071a925153bbdb |
| SHA512 | 882634c68b5f3aac69a77d870cce30ef4c1d49e7774f490f0199297f4d7ecf3314bd89d4f176fe067c3836cac957b0c8b374452fc5975a8c10233b20223d6877 |
memory/4320-274-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wyhb.exe
| MD5 | 97f0c65c3b009f01fa0507a9d761dadf |
| SHA1 | ae8655228644e655edc04d5167659c2f5fb59506 |
| SHA256 | e894dd2a59a290311955a5451f33fa0689b75541a063b2851930aa7e6ccbe6ab |
| SHA512 | b25fdd1e6e7080fd869c4fcfe6e58cc72860aa3067293058ab35f41bac75119ee251b1655e9de340b91fe0b9b87ff0d91265d5023aa23f5c06e7c6ea666a092b |
memory/5104-285-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wpavt.exe
| MD5 | 2750bf5c79f1cc17cd3c62bb9368d678 |
| SHA1 | ac8bd532d877ae663165514726dd47943d74e1be |
| SHA256 | c1f138d3a4629c7a412bce99afbc12c8b606ee7928db2bc43a9b4865094115a6 |
| SHA512 | e9f623a86ca4c5c9c75ffd06d08324399f8ad11f4aea72e42225be3cbcc56d15ada2e1d2b35d8b8934ee1d22bace0d96cd2bab5f4e88264f4ba028914b635a9c |
memory/4224-296-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wix.exe
| MD5 | 924f81118cc0b39aadfa280abbc30e48 |
| SHA1 | 666ac213346d837aa0ce308e95969478582d7111 |
| SHA256 | 5fe1b048b81175c125bb38a33d134881642a28cab704924a0e21cead23ebf4ad |
| SHA512 | b37cdef5394add6d2f163da7264e55d6a7195c2919ae14b861985cb98eb978b8742c0aa68ec337b922fa087af83ba991e840477030a5a0bfc98aa41e784766d0 |
memory/2396-306-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wjhcpsila.exe
| MD5 | a9fc168d43eebcf2bd25e244cbb182cf |
| SHA1 | 8062d5b650cc263a3bc0023796154e49d03df83b |
| SHA256 | e152b471a642450251d2b4cc0aae3f199aa750d19063e930539f5646ce27c7e8 |
| SHA512 | d9010cdc74dcb7e5d750997591721d60668526d8fd39170976355958ac83ffe8796e0372ecfe86d459f3f82460aff077d96b3031c5447c15322a8f49b0f201dd |
memory/4748-316-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wuwhcslaa.exe
| MD5 | 5e0eddbc51f40c909c09217bcd525ba8 |
| SHA1 | 64086068ff62fbadbc4a43a2390d0721bc43c726 |
| SHA256 | a65f247dd033822a5512d652a963851884ae9e0b5ea55a57ec703a89439870ac |
| SHA512 | 5de21080686b8bc067ea65e606c23014d34d99d31933f8420db47b8a3093239b701b2f5cd08c5a356166812ca5312f0a609c360be32bfacbd840d2e01ffb6bdc |
memory/2588-327-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\wguobqy.exe
| MD5 | 0f09c91c815b2a0a7f5958b383bc19e5 |
| SHA1 | d25eab49d9dcb143039ee31ba8758349214222e7 |
| SHA256 | 88f7b24d18e24d7bed8ddf3f688951d71f7bd30ba385ce43883fb72527ecbe41 |
| SHA512 | 816dc0e7f025591fcc08e91da424804f81f1ce465fa5dbaf983def2420b09ba115c7e69777dfa1118af41bf57fbc4e3df531af06681d5aaabff2f5a3436e5233 |
memory/4916-337-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4032-345-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4252-353-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4964-362-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2756-371-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4212-379-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2652-387-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4244-396-0x0000000000400000-0x0000000000418000-memory.dmp
memory/676-404-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3116-413-0x0000000000400000-0x0000000000418000-memory.dmp
memory/768-422-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3016-430-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2320-439-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3056-447-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4504-456-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1712-464-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2856-472-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2296-480-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4472-488-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1688-489-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4472-497-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1868-506-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2872-515-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1724-523-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4976-531-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4748-540-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2600-548-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2708-557-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3580-566-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3788-574-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4840-582-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1656-590-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4852-599-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4904-608-0x0000000000400000-0x0000000000418000-memory.dmp
memory/540-617-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3996-625-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4504-634-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4620-642-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1428-651-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4292-660-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2736-668-0x0000000000400000-0x0000000000418000-memory.dmp
memory/212-676-0x0000000000400000-0x0000000000418000-memory.dmp
memory/5100-684-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4848-693-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2864-701-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2872-709-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2392-718-0x0000000000400000-0x0000000000418000-memory.dmp
memory/408-726-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1032-735-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2824-744-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1652-752-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1784-760-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4252-769-0x0000000000400000-0x0000000000418000-memory.dmp
memory/5112-778-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1840-793-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4684-801-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4552-809-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1664-817-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4872-818-0x0000000000400000-0x0000000000418000-memory.dmp