Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b3x3gsxanb
Target af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N
SHA256 af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066
Tags defense_evasion, discovery
Score 7/10

Analysis Overview

score
7/10

SHA256

af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066

Threat Level: Shows suspicious behavior

The file af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Indicator Removal: File Deletion

Drops file in System32 directory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE


Loads dropped DLL


Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\waisonjx.exe N/A
N/A N/A C:\Windows\SysWOW64\wxstndp.exe N/A

Suspicious use of WriteProcessMemory


Processes

C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe

"C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"

C:\Windows\SysWOW64\wvqdrf.exe

"C:\Windows\system32\wvqdrf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"

C:\Windows\SysWOW64\wvbbguf.exe

"C:\Windows\system32\wvbbguf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqdrf.exe"

C:\Windows\SysWOW64\wolrla.exe

"C:\Windows\system32\wolrla.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbbguf.exe"

C:\Windows\SysWOW64\wokudwoj.exe

"C:\Windows\system32\wokudwoj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolrla.exe"

C:\Windows\SysWOW64\wdantqvcx.exe

"C:\Windows\system32\wdantqvcx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokudwoj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 48

C:\Windows\SysWOW64\whuflhgh.exe

"C:\Windows\system32\whuflhgh.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdantqvcx.exe"

C:\Windows\SysWOW64\wwuptuaw.exe

"C:\Windows\system32\wwuptuaw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whuflhgh.exe"

C:\Windows\SysWOW64\wuwpmv.exe

"C:\Windows\system32\wuwpmv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuptuaw.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204

C:\Windows\SysWOW64\wmuacc.exe

"C:\Windows\system32\wmuacc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwpmv.exe"

C:\Windows\SysWOW64\woxjilhe.exe

"C:\Windows\system32\woxjilhe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuacc.exe"

C:\Windows\SysWOW64\wmpathdt.exe

"C:\Windows\system32\wmpathdt.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxjilhe.exe"

Network

Files


memory/2960-121-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KHM1KUSH.txt

MD5 d8e311991f3310c61bc62e672bb93cc3
SHA1 db0c612a896bb8e83e1677b868209105db2e00f1
SHA256 9d179ddd9870fc40c7f4e87654d4e3929a01713892315a1f5f5b007056c08d3b
SHA512 decb08386fa62f59ae3221006954d70480a0468b26b88c6c0511a76286ce192c867a6641682104915692a95c4899e69f66b6b58769e753f1c2634fd2c79b49fb

\Windows\SysWOW64\whuflhgh.exe

MD5 18e7cec51bc2a89375478bc16ad60b2b
SHA1 7faff0457e2d76a8ea48d3593af389cca5df2d22
SHA256 ba05e9bb6a2041573f18dc5f21d906fe98397210f4baa7c2d62b150e054a1d0a
SHA512 bd544e23e4039b82e26a26712a8b82c99e6ac358c9a02edea606ee9204e76c2bc425c4e7390055c8c57c4a2a98f4b1f6a1edc79cafc17973d27b74f5d2ab5b5b

memory/2960-133-0x0000000003320000-0x0000000003337000-memory.dmp

memory/2960-139-0x0000000003320000-0x0000000003337000-memory.dmp

memory/568-148-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2960-146-0x0000000000400000-0x0000000000417000-memory.dmp

\Windows\SysWOW64\wwuptuaw.exe

MD5 d9b192b1e761f727481f9f3b1c8e21da
SHA1 eaebc436fff97b5d0f4b2fbc85a273ed72a15243
SHA256 174406fc86901022393cb04efca18ba9bcfcd85dc5a6f9b3ce23ad79479508bd
SHA512 02c09ac196257912acd4951389359493ca0d061e50f1b717f206e1093873a6ecc2bdc65337a5fc90a0cd9babb8062429eb88ba9b50c22f50af16d028b2f86b57

memory/568-163-0x0000000003160000-0x0000000003177000-memory.dmp

memory/2004-162-0x0000000003E70000-0x0000000003E87000-memory.dmp

memory/2004-161-0x0000000003E70000-0x0000000003E87000-memory.dmp

memory/2004-160-0x0000000003E70000-0x0000000003E87000-memory.dmp

memory/2556-171-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-170-0x0000000000400000-0x0000000000417000-memory.dmp

\Windows\SysWOW64\wuwpmv.exe

MD5 ff7f229faa91a701a694495d118ea240
SHA1 f497a6ae3c25456514e95dc8e2f06665a6f31cd0
SHA256 f574cbe2c4250268c321e9003a2f6aae32b4b9a3bb2cdcd92f4035029a7be53c
SHA512 220ffca683f042cb0a33a5f22437e8f7e81e7e09e97a9e51a34ee4c5dfb4b844e0459e5dc6f4ff5b35e0dc5177f6a1074693501d72509ea6c05385692374b23a

memory/2556-191-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2556-190-0x0000000002170000-0x0000000002187000-memory.dmp

memory/2556-189-0x0000000002170000-0x0000000002187000-memory.dmp

memory/2236-193-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O4ZFFLR1.txt

MD5 67abb7f643855b825c9a68b28e349610
SHA1 b1e7a7b84027cadd208884296678c96cd44873f0
SHA256 cc92e9be1350d5857b4d9a6752733aeeaaf31f901bd358746e72135c8c649615
SHA512 a198a64858cb1fe7896d2e5ed99c25cea08b953589a31d0cc893b5a7dd09c619a4ced34ed3b17d826461518796797f39cc7693c5d235d3a1550224a88c85d4b5

\Windows\SysWOW64\wmuacc.exe

MD5 3a983b50b789640652def5c3efd94007
SHA1 027d0a78b0954c43d5e388e9615b9596dbf5ac55
SHA256 7aed1e87a3d3af5e103ef57f2a4750810820cfdd3dc0e74e368935932f2ecaf5
SHA512 810a43ac3686aac36c6961440d42bbe7b1579b24a165930c1c298b3ed77ccae79d7ec83d70662f6313a8de1efff9cd2fa6e61b37f717f2361dc916cae2442554

memory/2236-209-0x0000000002310000-0x0000000002327000-memory.dmp

memory/2236-215-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1816-217-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2556-216-0x0000000002170000-0x0000000002187000-memory.dmp

memory/2556-218-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1692-235-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1816-234-0x0000000003200000-0x0000000003217000-memory.dmp

memory/1816-233-0x0000000003200000-0x0000000003217000-memory.dmp

memory/1816-232-0x0000000003200000-0x0000000003217000-memory.dmp

memory/1816-231-0x0000000003200000-0x0000000003217000-memory.dmp

memory/1816-236-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1692-245-0x0000000002330000-0x0000000002347000-memory.dmp

memory/1692-252-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1692-250-0x0000000003E20000-0x0000000003E37000-memory.dmp

memory/2920-253-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1692-251-0x0000000003E20000-0x0000000003E37000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\install[2].htm

MD5 9463ba07743e8a9aca3b55373121b7c5
SHA1 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f
SHA256 d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d
SHA512 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

memory/664-269-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2920-268-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

memory/2920-267-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

memory/2920-266-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

memory/2920-270-0x0000000000400000-0x0000000000417000-memory.dmp

memory/664-283-0x0000000004260000-0x0000000004277000-memory.dmp

memory/664-287-0x0000000000400000-0x0000000000417000-memory.dmp

memory/664-286-0x0000000004260000-0x0000000004277000-memory.dmp

memory/664-285-0x0000000004260000-0x0000000004277000-memory.dmp

memory/664-284-0x0000000004260000-0x0000000004277000-memory.dmp

memory/944-288-0x0000000000400000-0x0000000000417000-memory.dmp

memory/944-298-0x0000000003550000-0x0000000003567000-memory.dmp

memory/2472-302-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1744-318-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2472-317-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1744-333-0x00000000032E0000-0x00000000032F7000-memory.dmp

memory/1744-332-0x00000000032E0000-0x00000000032F7000-memory.dmp

memory/944-331-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1744-334-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2864-335-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2864-350-0x0000000003960000-0x0000000003977000-memory.dmp

memory/2864-349-0x0000000003960000-0x0000000003977000-memory.dmp

memory/2864-344-0x0000000003950000-0x0000000003967000-memory.dmp

memory/2216-365-0x0000000003E70000-0x0000000003E87000-memory.dmp

memory/2216-364-0x0000000003E60000-0x0000000003E77000-memory.dmp

memory/2216-363-0x0000000003E60000-0x0000000003E77000-memory.dmp

memory/1668-366-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2216-367-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2864-385-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2864-384-0x0000000003950000-0x0000000003967000-memory.dmp

memory/1668-383-0x0000000003530000-0x0000000003547000-memory.dmp

memory/1668-382-0x0000000003530000-0x0000000003547000-memory.dmp

memory/1668-381-0x0000000003520000-0x0000000003537000-memory.dmp

memory/1668-380-0x0000000003520000-0x0000000003537000-memory.dmp

memory/1668-386-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2096-387-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2864-393-0x0000000003960000-0x0000000003977000-memory.dmp

memory/2864-392-0x0000000003950000-0x0000000003967000-memory.dmp

memory/2864-402-0x0000000003960000-0x0000000003977000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"

Signatures

Checks computer location settings


Executes dropped EXE


Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe C:\Windows\SysWOW64\wwkehar.exe
PID 836 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 3476 N/A C:\Windows\SysWOW64\wwkehar.exe C:\Windows\SysWOW64\wtnrwrv.exe
PID 2940 wrote to memory of 2484 N/A C:\Windows\SysWOW64\wwkehar.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 1364 N/A C:\Windows\SysWOW64\wtnrwrv.exe C:\Windows\SysWOW64\wrtxcpet.exe
PID 3476 wrote to memory of 2036 N/A C:\Windows\SysWOW64\wtnrwrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 3024 N/A C:\Windows\SysWOW64\wrtxcpet.exe C:\Windows\SysWOW64\wsjcd.exe
PID 1364 wrote to memory of 3320 N/A C:\Windows\SysWOW64\wrtxcpet.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wsjcd.exe C:\Windows\SysWOW64\wjw.exe
PID 3024 wrote to memory of 4516 N/A C:\Windows\SysWOW64\wsjcd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 744 N/A C:\Windows\SysWOW64\wjw.exe C:\Windows\SysWOW64\wbkq.exe
PID 1100 wrote to memory of 832 N/A C:\Windows\SysWOW64\wjw.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 3900 N/A C:\Windows\SysWOW64\wbkq.exe C:\Windows\SysWOW64\wekojvq.exe
PID 744 wrote to memory of 2424 N/A C:\Windows\SysWOW64\wbkq.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 1200 N/A C:\Windows\SysWOW64\wekojvq.exe C:\Windows\SysWOW64\weuk.exe
PID 3900 wrote to memory of 1948 N/A C:\Windows\SysWOW64\wekojvq.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 1048 N/A C:\Windows\SysWOW64\weuk.exe C:\Windows\SysWOW64\wntcur.exe
PID 1200 wrote to memory of 3204 N/A C:\Windows\SysWOW64\weuk.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2360 N/A C:\Windows\SysWOW64\wntcur.exe C:\Windows\SysWOW64\wvaoox.exe
PID 1048 wrote to memory of 4600 N/A C:\Windows\SysWOW64\wntcur.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1584 N/A C:\Windows\SysWOW64\wvaoox.exe C:\Windows\SysWOW64\wchxpsty.exe
PID 2360 wrote to memory of 1960 N/A C:\Windows\SysWOW64\wvaoox.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe

"C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"

C:\Windows\SysWOW64\wwkehar.exe

"C:\Windows\system32\wwkehar.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"

C:\Windows\SysWOW64\wtnrwrv.exe

"C:\Windows\system32\wtnrwrv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkehar.exe"

C:\Windows\SysWOW64\wrtxcpet.exe

"C:\Windows\system32\wrtxcpet.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnrwrv.exe"

C:\Windows\SysWOW64\wsjcd.exe

"C:\Windows\system32\wsjcd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtxcpet.exe"

C:\Windows\SysWOW64\wjw.exe

"C:\Windows\system32\wjw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjcd.exe"

C:\Windows\SysWOW64\wbkq.exe

"C:\Windows\system32\wbkq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjw.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1100 -ip 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1308

C:\Windows\SysWOW64\wekojvq.exe

"C:\Windows\system32\wekojvq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkq.exe"

C:\Windows\SysWOW64\weuk.exe

"C:\Windows\system32\weuk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekojvq.exe"

C:\Windows\SysWOW64\wntcur.exe

"C:\Windows\system32\wntcur.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuk.exe"

C:\Windows\SysWOW64\wvaoox.exe

"C:\Windows\system32\wvaoox.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntcur.exe"

C:\Windows\SysWOW64\wchxpsty.exe

"C:\Windows\system32\wchxpsty.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvaoox.exe"

C:\Windows\SysWOW64\wmefo.exe

"C:\Windows\system32\wmefo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchxpsty.exe"

C:\Windows\SysWOW64\wtcquv.exe

"C:\Windows\system32\wtcquv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmefo.exe"

C:\Windows\SysWOW64\wdxwtuc.exe

"C:\Windows\system32\wdxwtuc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcquv.exe"

C:\Windows\SysWOW64\wkuiacj.exe

"C:\Windows\system32\wkuiacj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxwtuc.exe"

C:\Windows\SysWOW64\wdcrphn.exe

"C:\Windows\system32\wdcrphn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuiacj.exe"

C:\Windows\SysWOW64\wxxqvo.exe

"C:\Windows\system32\wxxqvo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcrphn.exe"

C:\Windows\SysWOW64\wnxd.exe

"C:\Windows\system32\wnxd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxqvo.exe"

C:\Windows\SysWOW64\woopiwv.exe

"C:\Windows\system32\woopiwv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxd.exe"

C:\Windows\SysWOW64\wggjcfk.exe

"C:\Windows\system32\wggjcfk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woopiwv.exe"

C:\Windows\SysWOW64\wbb.exe

"C:\Windows\system32\wbb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggjcfk.exe"

C:\Windows\SysWOW64\wlxp.exe

"C:\Windows\system32\wlxp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbb.exe"

C:\Windows\SysWOW64\wvtawfd.exe

"C:\Windows\system32\wvtawfd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxp.exe"

C:\Windows\SysWOW64\wroydkw.exe

"C:\Windows\system32\wroydkw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtawfd.exe"

C:\Windows\SysWOW64\wetug.exe

"C:\Windows\system32\wetug.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroydkw.exe"

C:\Windows\SysWOW64\wxos.exe

"C:\Windows\system32\wxos.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetug.exe"

C:\Windows\SysWOW64\wqgnitag.exe

"C:\Windows\system32\wqgnitag.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxos.exe"

C:\Windows\SysWOW64\wwptofs.exe

"C:\Windows\system32\wwptofs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgnitag.exe"

C:\Windows\SysWOW64\wpvecm.exe

"C:\Windows\system32\wpvecm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptofs.exe"

C:\Windows\SysWOW64\wjdnqtb.exe

"C:\Windows\system32\wjdnqtb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvecm.exe"

C:\Windows\SysWOW64\wgue.exe

"C:\Windows\system32\wgue.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdnqtb.exe"

C:\Windows\SysWOW64\wgeoqm.exe

"C:\Windows\system32\wgeoqm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgue.exe"

C:\Windows\SysWOW64\wfj.exe

"C:\Windows\system32\wfj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeoqm.exe"

C:\Windows\SysWOW64\wsnoy.exe

"C:\Windows\system32\wsnoy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfj.exe"

C:\Windows\SysWOW64\wwifm.exe

"C:\Windows\system32\wwifm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnoy.exe"

C:\Windows\SysWOW64\wxrqdl.exe

"C:\Windows\system32\wxrqdl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwifm.exe"

C:\Windows\SysWOW64\waps.exe

"C:\Windows\system32\waps.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrqdl.exe"

C:\Windows\SysWOW64\wtw.exe

"C:\Windows\system32\wtw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waps.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1660

C:\Windows\SysWOW64\wpnqjkawo.exe

"C:\Windows\system32\wpnqjkawo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtw.exe"

C:\Windows\SysWOW64\wcjyjg.exe

"C:\Windows\system32\wcjyjg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnqjkawo.exe"

C:\Windows\SysWOW64\wvcsep.exe

"C:\Windows\system32\wvcsep.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjyjg.exe"

C:\Windows\SysWOW64\woicqw.exe

"C:\Windows\system32\woicqw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcsep.exe"

C:\Windows\SysWOW64\wosm.exe

"C:\Windows\system32\wosm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woicqw.exe"

C:\Windows\SysWOW64\wmrra.exe

"C:\Windows\system32\wmrra.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosm.exe"

C:\Windows\SysWOW64\wfr.exe

"C:\Windows\system32\wfr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrra.exe"

C:\Windows\SysWOW64\wjvasmc.exe

"C:\Windows\system32\wjvasmc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfr.exe"

C:\Windows\SysWOW64\wxeajfdf.exe

"C:\Windows\system32\wxeajfdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvasmc.exe"

C:\Windows\SysWOW64\wtsvbkos.exe

"C:\Windows\system32\wtsvbkos.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeajfdf.exe"

C:\Windows\SysWOW64\wgeekhpsg.exe

"C:\Windows\system32\wgeekhpsg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsvbkos.exe"

C:\Windows\SysWOW64\wgrwtdg.exe

"C:\Windows\system32\wgrwtdg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeekhpsg.exe"

C:\Windows\SysWOW64\wbu.exe

"C:\Windows\system32\wbu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrwtdg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3124 -ip 3124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1676

C:\Windows\SysWOW64\wlsgdms.exe

"C:\Windows\system32\wlsgdms.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbu.exe"

C:\Windows\SysWOW64\wkgxljiy.exe

"C:\Windows\system32\wkgxljiy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsgdms.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3348 -ip 3348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1536

C:\Windows\SysWOW64\wkjhpe.exe

"C:\Windows\system32\wkjhpe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgxljiy.exe"

C:\Windows\SysWOW64\wllpqat.exe

"C:\Windows\system32\wllpqat.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjhpe.exe"

C:\Windows\SysWOW64\woyeq.exe

"C:\Windows\system32\woyeq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllpqat.exe"

C:\Windows\SysWOW64\wgnf.exe

"C:\Windows\system32\wgnf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyeq.exe"

C:\Windows\SysWOW64\wdqq.exe

"C:\Windows\system32\wdqq.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3792 -ip 3792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1444

C:\Windows\SysWOW64\wcekla.exe

"C:\Windows\system32\wcekla.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqq.exe"

C:\Windows\SysWOW64\wgqan.exe

"C:\Windows\system32\wgqan.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcekla.exe"

C:\Windows\SysWOW64\wlfpnbe.exe

"C:\Windows\system32\wlfpnbe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqan.exe"

C:\Windows\SysWOW64\wgwrse.exe

"C:\Windows\system32\wgwrse.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfpnbe.exe"

C:\Windows\SysWOW64\weyedjw.exe

"C:\Windows\system32\weyedjw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwrse.exe"

C:\Windows\SysWOW64\wlw.exe

"C:\Windows\system32\wlw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyedjw.exe"

C:\Windows\SysWOW64\waytnc.exe

"C:\Windows\system32\waytnc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlw.exe"

C:\Windows\SysWOW64\wqotopmkn.exe

"C:\Windows\system32\wqotopmkn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waytnc.exe"

C:\Windows\SysWOW64\wbvwnr.exe

"C:\Windows\system32\wbvwnr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotopmkn.exe"

C:\Windows\SysWOW64\wgtvs.exe

"C:\Windows\system32\wgtvs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvwnr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1156 -ip 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1536

C:\Windows\SysWOW64\wnhhk.exe

"C:\Windows\system32\wnhhk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtvs.exe"

C:\Windows\SysWOW64\wbarie.exe

"C:\Windows\system32\wbarie.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhhk.exe"

C:\Windows\SysWOW64\wrjqw.exe

"C:\Windows\system32\wrjqw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbarie.exe"

C:\Windows\SysWOW64\wnlchxwex.exe

"C:\Windows\system32\wnlchxwex.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqw.exe"

C:\Windows\SysWOW64\wkops.exe

"C:\Windows\system32\wkops.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlchxwex.exe"

C:\Windows\SysWOW64\wbhvfn.exe

"C:\Windows\system32\wbhvfn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkops.exe"

C:\Windows\SysWOW64\wsklya.exe

"C:\Windows\system32\wsklya.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhvfn.exe"

C:\Windows\SysWOW64\wpyirfx.exe

"C:\Windows\system32\wpyirfx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsklya.exe"

C:\Windows\SysWOW64\wkcudh.exe

"C:\Windows\system32\wkcudh.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyirfx.exe"

C:\Windows\SysWOW64\wctap.exe

"C:\Windows\system32\wctap.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcudh.exe"

C:\Windows\SysWOW64\wyiwhx.exe

"C:\Windows\system32\wyiwhx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctap.exe"

C:\Windows\SysWOW64\wdul.exe

"C:\Windows\system32\wdul.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyiwhx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3976 -ip 3976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 3976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1536

C:\Windows\SysWOW64\wlsih.exe

"C:\Windows\system32\wlsih.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdul.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2648 -ip 2648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 748

C:\Windows\SysWOW64\wph.exe

"C:\Windows\system32\wph.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsih.exe"

C:\Windows\SysWOW64\wdahd.exe

"C:\Windows\system32\wdahd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wph.exe"

C:\Windows\SysWOW64\wemam.exe

"C:\Windows\system32\wemam.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdahd.exe"

C:\Windows\SysWOW64\wiof.exe

"C:\Windows\system32\wiof.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemam.exe"

C:\Windows\SysWOW64\wddbxnthl.exe

"C:\Windows\system32\wddbxnthl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiof.exe"

C:\Windows\SysWOW64\wagnj.exe

"C:\Windows\system32\wagnj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddbxnthl.exe"

C:\Windows\SysWOW64\wvkb.exe

"C:\Windows\system32\wvkb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagnj.exe"

C:\Windows\SysWOW64\wnbgih.exe

"C:\Windows\system32\wnbgih.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkb.exe"

C:\Windows\SysWOW64\wjpcalyv.exe

"C:\Windows\system32\wjpcalyv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbgih.exe"

C:\Windows\SysWOW64\waijn.exe

"C:\Windows\system32\waijn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpcalyv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1472

C:\Windows\SysWOW64\wwwgfc.exe

"C:\Windows\system32\wwwgfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waijn.exe"

Network

Country Destination Domain Proto
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 199.59.243.227:80 ww25.best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp
US 34.224.172.222:80 www.ip2location.com tcp
US 103.224.182.247:80 best-targeted-traffic.com tcp

Files
