Analysis Overview
SHA256
af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066
Threat Level: Shows suspicious behavior
The file af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Indicator Removal: File Deletion
Drops file in System32 directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:40
Reported
2024-11-10 01:42
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\wbduawlg.exe | C:\Windows\SysWOW64\wflbh.exe | N/A |
| File created | C:\Windows\SysWOW64\wbtbmgyr.exe | C:\Windows\SysWOW64\wcsb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbnlbd.exe | C:\Windows\SysWOW64\wdvjweca.exe | N/A |
| File created | C:\Windows\SysWOW64\wviisvtq.exe | C:\Windows\SysWOW64\wwphpwb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvbbguf.exe | C:\Windows\SysWOW64\wvqdrf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\woxjilhe.exe | C:\Windows\SysWOW64\wmuacc.exe | N/A |
| File created | C:\Windows\SysWOW64\wsuskndvi.exe | C:\Windows\SysWOW64\womjvwmax.exe | N/A |
| File created | C:\Windows\SysWOW64\wwfpyww.exe | C:\Windows\SysWOW64\wdxusq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxogka.exe | C:\Windows\SysWOW64\wvboei.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwphpwb.exe | C:\Windows\SysWOW64\wdxcf.exe | N/A |
| File created | C:\Windows\SysWOW64\wbduawlg.exe | C:\Windows\SysWOW64\wflbh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wqam.exe | C:\Windows\SysWOW64\wmpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wyotjdow.exe | C:\Windows\SysWOW64\wepokwq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wqdhkwsf.exe | C:\Windows\SysWOW64\wjqulm.exe | N/A |
| File created | C:\Windows\SysWOW64\wvdbbp.exe | C:\Windows\SysWOW64\wpcwjhv.exe | N/A |
| File created | C:\Windows\SysWOW64\wttwfn.exe | C:\Windows\SysWOW64\wgxpit.exe | N/A |
| File created | C:\Windows\SysWOW64\wcsb.exe | C:\Windows\SysWOW64\wyir.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wcngdnnqd.exe | C:\Windows\SysWOW64\weveant.exe | N/A |
| File created | C:\Windows\SysWOW64\wwuptuaw.exe | C:\Windows\SysWOW64\whuflhgh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wdbxxk.exe | C:\Windows\SysWOW64\wkguja.exe | N/A |
| File created | C:\Windows\SysWOW64\wmxvwur.exe | C:\Windows\SysWOW64\wgkgym.exe | N/A |
| File created | C:\Windows\SysWOW64\wvkog.exe | C:\Windows\SysWOW64\wxicvem.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbcb.exe | C:\Windows\SysWOW64\wdbxxk.exe | N/A |
| File created | C:\Windows\SysWOW64\wdvjweca.exe | C:\Windows\SysWOW64\waisonjx.exe | N/A |
| File created | C:\Windows\SysWOW64\wgxpit.exe | C:\Windows\SysWOW64\wmfwqqgv.exe | N/A |
| File created | C:\Windows\SysWOW64\wyoxya.exe | C:\Windows\SysWOW64\wyotjdow.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wtckye.exe | C:\Windows\SysWOW64\wlcfgv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrgyev.exe | C:\Windows\SysWOW64\wvntro.exe | N/A |
| File created | C:\Windows\SysWOW64\wmpathdt.exe | C:\Windows\SysWOW64\woxjilhe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\waisonjx.exe | C:\Windows\SysWOW64\wxgkovckj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlicy.exe | C:\Windows\SysWOW64\wifvxb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvgdgkw.exe | C:\Windows\SysWOW64\wwmcd.exe | N/A |
| File created | C:\Windows\SysWOW64\wmuacc.exe | C:\Windows\SysWOW64\wuwpmv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsuskndvi.exe | C:\Windows\SysWOW64\womjvwmax.exe | N/A |
| File created | C:\Windows\SysWOW64\winpmrprw.exe | C:\Windows\SysWOW64\wbcb.exe | N/A |
| File created | C:\Windows\SysWOW64\wxogka.exe | C:\Windows\SysWOW64\wvboei.exe | N/A |
| File created | C:\Windows\SysWOW64\wcirdywpu.exe | C:\Windows\SysWOW64\wcqqaae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvkog.exe | C:\Windows\SysWOW64\wxicvem.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbtbmgyr.exe | C:\Windows\SysWOW64\wcsb.exe | N/A |
| File created | C:\Windows\SysWOW64\wdefndcyi.exe | C:\Windows\SysWOW64\wlicy.exe | N/A |
| File created | C:\Windows\SysWOW64\wwmcd.exe | C:\Windows\SysWOW64\wqbnedik.exe | N/A |
| File created | C:\Windows\SysWOW64\wvboei.exe | C:\Windows\SysWOW64\wajjrc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmfwqqgv.exe | C:\Windows\SysWOW64\wmvjsrtn.exe | N/A |
| File created | C:\Windows\SysWOW64\wyir.exe | C:\Windows\SysWOW64\wqam.exe | N/A |
| File created | C:\Windows\SysWOW64\wvgif.exe | C:\Windows\SysWOW64\wxvuisl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnyymedj.exe | C:\Windows\SysWOW64\webpfc.exe | N/A |
| File created | C:\Windows\SysWOW64\wgqbvrs.exe | C:\Windows\SysWOW64\winpmrprw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wdefndcyi.exe | C:\Windows\SysWOW64\wlicy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvboei.exe | C:\Windows\SysWOW64\wajjrc.exe | N/A |
| File created | C:\Windows\SysWOW64\wdantqvcx.exe | C:\Windows\SysWOW64\wokudwoj.exe | N/A |
| File created | C:\Windows\SysWOW64\whxkm.exe | C:\Windows\SysWOW64\wbduawlg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgrbie.exe | C:\Windows\SysWOW64\wcirupp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\weveant.exe | C:\Windows\SysWOW64\wjtoig.exe | N/A |
| File created | C:\Windows\SysWOW64\wkbldlc.exe | C:\Windows\SysWOW64\wgyddtuo.exe | N/A |
| File created | C:\Windows\SysWOW64\wokudwoj.exe | C:\Windows\SysWOW64\wolrla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wjp.exe | C:\Windows\SysWOW64\wch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfuby.exe | C:\Windows\SysWOW64\wnyymedj.exe | N/A |
| File created | C:\Windows\SysWOW64\wkybgyll.exe | C:\Windows\SysWOW64\whvtg.exe | N/A |
| File created | C:\Windows\SysWOW64\wgkgym.exe | C:\Windows\SysWOW64\wqdhkwsf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgkgym.exe | C:\Windows\SysWOW64\wqdhkwsf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wficyqmx.exe | C:\Windows\SysWOW64\wgqbvrs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wcqqaae.exe | C:\Windows\SysWOW64\wvdbbp.exe | N/A |
| File created | C:\Windows\SysWOW64\wsjogghc.exe | C:\Windows\SysWOW64\wssx.exe | N/A |
| File created | C:\Windows\SysWOW64\wrktcvntk.exe | C:\Windows\SysWOW64\wjp.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wokudwoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whxkm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wifvxb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wdantqvcx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whsntyi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wolrla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmpathdt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wepokwq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmuacc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnyymedj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whvtg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wqdhkwsf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wxicvem.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wttwfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\webpfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\werhshbg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wtckye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wrhlvi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wcqqaae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wcirupp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wgwydy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wpbftfpme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wviisvtq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvqdrf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wrktcvntk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\waisonjx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnmqms.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvboei.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvbbguf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wsuskndvi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvdbbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmvjsrtn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\womjvwmax.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wdbxxk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlicy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wyir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wgkgym.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbcb.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\waisonjx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wxstndp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
"C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
C:\Windows\SysWOW64\wvqdrf.exe
"C:\Windows\system32\wvqdrf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
C:\Windows\SysWOW64\wvbbguf.exe
"C:\Windows\system32\wvbbguf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqdrf.exe"
C:\Windows\SysWOW64\wolrla.exe
"C:\Windows\system32\wolrla.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbbguf.exe"
C:\Windows\SysWOW64\wokudwoj.exe
"C:\Windows\system32\wokudwoj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolrla.exe"
C:\Windows\SysWOW64\wdantqvcx.exe
"C:\Windows\system32\wdantqvcx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokudwoj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 48
C:\Windows\SysWOW64\whuflhgh.exe
"C:\Windows\system32\whuflhgh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdantqvcx.exe"
C:\Windows\SysWOW64\wwuptuaw.exe
"C:\Windows\system32\wwuptuaw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whuflhgh.exe"
C:\Windows\SysWOW64\wuwpmv.exe
"C:\Windows\system32\wuwpmv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuptuaw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204
C:\Windows\SysWOW64\wmuacc.exe
"C:\Windows\system32\wmuacc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwpmv.exe"
C:\Windows\SysWOW64\woxjilhe.exe
"C:\Windows\system32\woxjilhe.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuacc.exe"
C:\Windows\SysWOW64\wmpathdt.exe
"C:\Windows\system32\wmpathdt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxjilhe.exe"
C:\Windows\SysWOW64\wflbh.exe
"C:\Windows\system32\wflbh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpathdt.exe"
C:\Windows\SysWOW64\wbduawlg.exe
"C:\Windows\system32\wbduawlg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflbh.exe"
C:\Windows\SysWOW64\whxkm.exe
"C:\Windows\system32\whxkm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbduawlg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 48
C:\Windows\SysWOW64\wmvjsrtn.exe
"C:\Windows\system32\wmvjsrtn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxkm.exe"
C:\Windows\SysWOW64\wmfwqqgv.exe
"C:\Windows\system32\wmfwqqgv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvjsrtn.exe"
C:\Windows\SysWOW64\wgxpit.exe
"C:\Windows\system32\wgxpit.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfwqqgv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 204
C:\Windows\SysWOW64\wttwfn.exe
"C:\Windows\system32\wttwfn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxpit.exe"
C:\Windows\SysWOW64\wssx.exe
"C:\Windows\system32\wssx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttwfn.exe"
C:\Windows\SysWOW64\wsjogghc.exe
"C:\Windows\system32\wsjogghc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssx.exe"
C:\Windows\SysWOW64\wch.exe
"C:\Windows\system32\wch.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjogghc.exe"
C:\Windows\SysWOW64\wjp.exe
"C:\Windows\system32\wjp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wch.exe"
C:\Windows\SysWOW64\wrktcvntk.exe
"C:\Windows\system32\wrktcvntk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjp.exe"
C:\Windows\SysWOW64\wmpc.exe
"C:\Windows\system32\wmpc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrktcvntk.exe"
C:\Windows\SysWOW64\wqam.exe
"C:\Windows\system32\wqam.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpc.exe"
C:\Windows\SysWOW64\wyir.exe
"C:\Windows\system32\wyir.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqam.exe"
C:\Windows\SysWOW64\wcsb.exe
"C:\Windows\system32\wcsb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyir.exe"
C:\Windows\SysWOW64\wbtbmgyr.exe
"C:\Windows\system32\wbtbmgyr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsb.exe"
C:\Windows\SysWOW64\wxvuisl.exe
"C:\Windows\system32\wxvuisl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtbmgyr.exe"
C:\Windows\SysWOW64\wvgif.exe
"C:\Windows\system32\wvgif.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvuisl.exe"
C:\Windows\SysWOW64\wepokwq.exe
"C:\Windows\system32\wepokwq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgif.exe"
C:\Windows\SysWOW64\wyotjdow.exe
"C:\Windows\system32\wyotjdow.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepokwq.exe"
C:\Windows\SysWOW64\wyoxya.exe
"C:\Windows\system32\wyoxya.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyotjdow.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 204
C:\Windows\SysWOW64\wcirupp.exe
"C:\Windows\system32\wcirupp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyoxya.exe"
C:\Windows\SysWOW64\wgrbie.exe
"C:\Windows\system32\wgrbie.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcirupp.exe"
C:\Windows\SysWOW64\webpfc.exe
"C:\Windows\system32\webpfc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrbie.exe"
C:\Windows\SysWOW64\wnyymedj.exe
"C:\Windows\system32\wnyymedj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webpfc.exe"
C:\Windows\SysWOW64\wfuby.exe
"C:\Windows\system32\wfuby.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyymedj.exe"
C:\Windows\SysWOW64\wvmwbb.exe
"C:\Windows\system32\wvmwbb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuby.exe"
C:\Windows\SysWOW64\wntkvoj.exe
"C:\Windows\system32\wntkvoj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmwbb.exe"
C:\Windows\SysWOW64\wmrmkk.exe
"C:\Windows\system32\wmrmkk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntkvoj.exe"
C:\Windows\SysWOW64\wylypkrnr.exe
"C:\Windows\system32\wylypkrnr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrmkk.exe"
C:\Windows\SysWOW64\womjvwmax.exe
"C:\Windows\system32\womjvwmax.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylypkrnr.exe"
C:\Windows\SysWOW64\wsuskndvi.exe
"C:\Windows\system32\wsuskndvi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womjvwmax.exe"
C:\Windows\SysWOW64\wgsahgpq.exe
"C:\Windows\system32\wgsahgpq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuskndvi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 180
C:\Windows\SysWOW64\wksuou.exe
"C:\Windows\system32\wksuou.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsahgpq.exe"
C:\Windows\SysWOW64\wwblto.exe
"C:\Windows\system32\wwblto.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksuou.exe"
C:\Windows\SysWOW64\wtwjxrr.exe
"C:\Windows\system32\wtwjxrr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwblto.exe"
C:\Windows\SysWOW64\woocpvj.exe
"C:\Windows\system32\woocpvj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwjxrr.exe"
C:\Windows\SysWOW64\wkguja.exe
"C:\Windows\system32\wkguja.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woocpvj.exe"
C:\Windows\SysWOW64\wdbxxk.exe
"C:\Windows\system32\wdbxxk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkguja.exe"
C:\Windows\SysWOW64\wbcb.exe
"C:\Windows\system32\wbcb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbxxk.exe"
C:\Windows\SysWOW64\winpmrprw.exe
"C:\Windows\system32\winpmrprw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcb.exe"
C:\Windows\SysWOW64\wgqbvrs.exe
"C:\Windows\system32\wgqbvrs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winpmrprw.exe"
C:\Windows\SysWOW64\wficyqmx.exe
"C:\Windows\system32\wficyqmx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqbvrs.exe"
C:\Windows\SysWOW64\whvtg.exe
"C:\Windows\system32\whvtg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wficyqmx.exe"
C:\Windows\SysWOW64\wkybgyll.exe
"C:\Windows\system32\wkybgyll.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvtg.exe"
C:\Windows\SysWOW64\werhshbg.exe
"C:\Windows\system32\werhshbg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkybgyll.exe"
C:\Windows\SysWOW64\whsntyi.exe
"C:\Windows\system32\whsntyi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werhshbg.exe"
C:\Windows\SysWOW64\wgwydy.exe
"C:\Windows\system32\wgwydy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsntyi.exe"
C:\Windows\SysWOW64\wiyge.exe
"C:\Windows\system32\wiyge.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwydy.exe"
C:\Windows\SysWOW64\wlqdyhp.exe
"C:\Windows\system32\wlqdyhp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyge.exe"
C:\Windows\SysWOW64\wjtoig.exe
"C:\Windows\system32\wjtoig.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqdyhp.exe"
C:\Windows\SysWOW64\weveant.exe
"C:\Windows\system32\weveant.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtoig.exe"
C:\Windows\SysWOW64\wcngdnnqd.exe
"C:\Windows\system32\wcngdnnqd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weveant.exe"
C:\Windows\SysWOW64\wxgkovckj.exe
"C:\Windows\system32\wxgkovckj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcngdnnqd.exe"
C:\Windows\SysWOW64\waisonjx.exe
"C:\Windows\system32\waisonjx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxgkovckj.exe"
C:\Windows\SysWOW64\wdvjweca.exe
"C:\Windows\system32\wdvjweca.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waisonjx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 284 -s 488
C:\Windows\SysWOW64\wbnlbd.exe
"C:\Windows\system32\wbnlbd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvjweca.exe"
C:\Windows\SysWOW64\wugrll.exe
"C:\Windows\system32\wugrll.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnlbd.exe"
C:\Windows\SysWOW64\wpkfetk.exe
"C:\Windows\system32\wpkfetk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugrll.exe"
C:\Windows\SysWOW64\wnmqms.exe
"C:\Windows\system32\wnmqms.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkfetk.exe"
C:\Windows\SysWOW64\wifvxb.exe
"C:\Windows\system32\wifvxb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmqms.exe"
C:\Windows\SysWOW64\wlicy.exe
"C:\Windows\system32\wlicy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifvxb.exe"
C:\Windows\SysWOW64\wdefndcyi.exe
"C:\Windows\system32\wdefndcyi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlicy.exe"
C:\Windows\SysWOW64\wjqulm.exe
"C:\Windows\system32\wjqulm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdefndcyi.exe"
C:\Windows\SysWOW64\wqdhkwsf.exe
"C:\Windows\system32\wqdhkwsf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqulm.exe"
C:\Windows\SysWOW64\wgkgym.exe
"C:\Windows\system32\wgkgym.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdhkwsf.exe"
C:\Windows\SysWOW64\wmxvwur.exe
"C:\Windows\system32\wmxvwur.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkgym.exe"
C:\Windows\SysWOW64\wlcfgv.exe
"C:\Windows\system32\wlcfgv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxvwur.exe"
C:\Windows\SysWOW64\wtckye.exe
"C:\Windows\system32\wtckye.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcfgv.exe"
C:\Windows\SysWOW64\wivst.exe
"C:\Windows\system32\wivst.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtckye.exe"
C:\Windows\SysWOW64\wgyddtuo.exe
"C:\Windows\system32\wgyddtuo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivst.exe"
C:\Windows\SysWOW64\wkbldlc.exe
"C:\Windows\system32\wkbldlc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyddtuo.exe"
C:\Windows\SysWOW64\wajjrc.exe
"C:\Windows\system32\wajjrc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbldlc.exe"
C:\Windows\SysWOW64\wvboei.exe
"C:\Windows\system32\wvboei.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajjrc.exe"
C:\Windows\SysWOW64\wxogka.exe
"C:\Windows\system32\wxogka.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvboei.exe"
C:\Windows\SysWOW64\wrhlvi.exe
"C:\Windows\system32\wrhlvi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxogka.exe"
C:\Windows\SysWOW64\wqynahrp.exe
"C:\Windows\system32\wqynahrp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhlvi.exe"
C:\Windows\SysWOW64\wpcwjhv.exe
"C:\Windows\system32\wpcwjhv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqynahrp.exe"
C:\Windows\SysWOW64\wvdbbp.exe
"C:\Windows\system32\wvdbbp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcwjhv.exe"
C:\Windows\SysWOW64\wcqqaae.exe
"C:\Windows\system32\wcqqaae.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdbbp.exe"
C:\Windows\SysWOW64\wcirdywpu.exe
"C:\Windows\system32\wcirdywpu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqqaae.exe"
C:\Windows\SysWOW64\wdkadqec.exe
"C:\Windows\system32\wdkadqec.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcirdywpu.exe"
C:\Windows\SysWOW64\wdxusq.exe
"C:\Windows\system32\wdxusq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdkadqec.exe"
C:\Windows\SysWOW64\wwfpyww.exe
"C:\Windows\system32\wwfpyww.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxusq.exe"
C:\Windows\SysWOW64\wuulp.exe
"C:\Windows\system32\wuulp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfpyww.exe"
C:\Windows\SysWOW64\wpbftfpme.exe
"C:\Windows\system32\wpbftfpme.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuulp.exe"
C:\Windows\SysWOW64\wvntro.exe
"C:\Windows\system32\wvntro.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbftfpme.exe"
C:\Windows\SysWOW64\wrgyev.exe
"C:\Windows\system32\wrgyev.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvntro.exe"
C:\Windows\SysWOW64\wxicvem.exe
"C:\Windows\system32\wxicvem.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgyev.exe"
C:\Windows\SysWOW64\wvkog.exe
"C:\Windows\system32\wvkog.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxicvem.exe"
C:\Windows\SysWOW64\wdxcf.exe
"C:\Windows\system32\wdxcf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkog.exe"
C:\Windows\SysWOW64\wwphpwb.exe
"C:\Windows\system32\wwphpwb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxcf.exe"
C:\Windows\SysWOW64\wviisvtq.exe
"C:\Windows\system32\wviisvtq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwphpwb.exe"
C:\Windows\SysWOW64\wqbnedik.exe
"C:\Windows\system32\wqbnedik.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wviisvtq.exe"
C:\Windows\SysWOW64\wwmcd.exe
"C:\Windows\system32\wwmcd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbnedik.exe"
C:\Windows\SysWOW64\wvgdgkw.exe
"C:\Windows\system32\wvgdgkw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwmcd.exe"
C:\Windows\SysWOW64\wxstndp.exe
"C:\Windows\system32\wxstndp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgdgkw.exe"
C:\Windows\SysWOW64\wvugw.exe
"C:\Windows\system32\wvugw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxstndp.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 852
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
Files
memory/2368-0-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\wvqdrf.exe
| MD5 | eb95f64fa14b7d769b02c9eb464896f8 |
| SHA1 | 91b3b28180b6b60fba592020e5f7049eee3379e3 |
| SHA256 | 84afa73ee4ddb18ec2e06474242c55562b14baa7f7d1d0d3df50e638ec02b148 |
| SHA512 | 1c08da2130e18ae07c40ffbd9172a1eb49f6880ac6ff5ab19e009ea41ac9ba47db2d77325c1b2bcb78b18edc8c068850e46f4533adcd05bbd85e862443c9e092 |
memory/2368-13-0x00000000037A0000-0x00000000037B7000-memory.dmp
memory/2368-12-0x00000000037A0000-0x00000000037B7000-memory.dmp
memory/2368-21-0x0000000003DB0000-0x0000000003DC7000-memory.dmp
memory/2368-20-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2368-24-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YDJQKZ76.txt
| MD5 | dd95cb0653cd0da29f2d8a7c6390ba14 |
| SHA1 | d51f6122993040cc60d92da6b6c39e792af79643 |
| SHA256 | a92455283fe29439f4123ef8e1abb7aff0a291a8b458d0d4f887a886ed78b832 |
| SHA512 | 3bb5e598bba5c1c1a039cbab4b30fe9b9df2386d2ea2e8f5661778efb9a78fa9d03c91dfcd95b7a779028866388abf6e843d5624b34d9080f3f0d5aaa3c05e0c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T432DMZD.txt
| MD5 | c6ec81e689d220c51033a716826ec5f1 |
| SHA1 | ac1b32fac3c33a816b33362813e7bd4e59d761f0 |
| SHA256 | 915f4f1c1eab5427bc3aa060fad34d8bb519b33a0bf998a51d436593e0d48e1a |
| SHA512 | 03104c63ff892b7248d43df6799780d045ca1ecd42df742a57e282e8e01e63afcffac3ec8ea35f61a03e3331424ee012be76fd5ddadb25a1b1c7d61e8a84c760 |
memory/2800-34-0x0000000003B50000-0x0000000003B67000-memory.dmp
memory/2800-38-0x0000000003B50000-0x0000000003B67000-memory.dmp
\Windows\SysWOW64\wvbbguf.exe
| MD5 | 107efc16271388a58495e95a94359c57 |
| SHA1 | 8818a11ada9e2f9017db8581f7b49e305987ec94 |
| SHA256 | 71f2e1f9702e8a4032383208dcf37834f354293dc241d0243c4f94c3d6996661 |
| SHA512 | e7192c06d008e1bab4ac3896d6ff09d423c62436bc00710acff358f28478369893228536f89e3904002dfc3d6bbc5309cba31f5367c12ff48b8e71c43e84b1dc |
memory/2800-45-0x0000000003B60000-0x0000000003B77000-memory.dmp
memory/2800-49-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2640-48-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0CH2MZY9.txt
| MD5 | 6a39ddc505da461a5cbe42a729ccac4c |
| SHA1 | 1ec1b921fa2351b9d0fd724ee8b88843da04ffeb |
| SHA256 | 8d35c679a4998c1d00f308747ebb55936fc4620602cc98f498b441ec42ca2bfb |
| SHA512 | 9ecb0d05ec23f90a2d2f3274a46122f0167bebcef517816210ae4ec6309c99419d466ee2be959a58fea273823226e19ea1ae8dd5d53c9d1146ab2b04812b7313 |
\Windows\SysWOW64\wolrla.exe
| MD5 | e6dd929ebc6c750ee9a45d65ef1ac643 |
| SHA1 | 48f319959ba3f48cb833ff4cd2f3fa6b50acb257 |
| SHA256 | ba653ea1a34112c645b11802170956ca1d4a14e7fed395c2584da597e0954682 |
| SHA512 | 9759728cbea3abcf12f939fe798f0e8c96990481d3d8b0559719e550ae7ec160d8696d3b3f685783db3cb11fed944c45d5b0c00fa0ae0508d9d996250b846cc3 |
memory/2640-71-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2640-67-0x0000000003E60000-0x0000000003E77000-memory.dmp
memory/2640-69-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/1104-72-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2640-68-0x0000000003E70000-0x0000000003E87000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W3BJGI5N.txt
| MD5 | 0521cc4db3d867873b72c6f88be66ae3 |
| SHA1 | 025cff072302630255f45087c838b159ab5a459c |
| SHA256 | dc97959401b479625283afbb2a7404d63b394092036946a8708a066dc6b43559 |
| SHA512 | 043c9128067ee04d5aad76e6cd73b1b6df3b5136aacb36ab40e264f7ebaf7a000dc051bf3249aa04fa7ae4120933a86793bb1f44b656d1aac83bd7eeb315b6c6 |
\Windows\SysWOW64\wokudwoj.exe
| MD5 | 7066acea91749dbec42aa1aee2f38089 |
| SHA1 | ecbc4e5661d011361e5ae92ecf010129d1c66832 |
| SHA256 | 63818780db5110ae1df4267207620090231cce89c1301fdaff77cdce5390681e |
| SHA512 | f06aa06fb4edc877da0216a7273f09b2d1cd023a853dd5f448ee661d3f0c7b0c67cb3b2ee58bf677b4a2282cee57e95f9b7525417cbefadf47056844682b34ee |
memory/1104-93-0x0000000003EA0000-0x0000000003EB7000-memory.dmp
memory/1104-92-0x0000000003EA0000-0x0000000003EB7000-memory.dmp
memory/1104-91-0x0000000003EA0000-0x0000000003EB7000-memory.dmp
memory/2004-97-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1104-95-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZV3W6FIX.txt
| MD5 | 466944fe3e2b2bc135d12fef4bf31f4d |
| SHA1 | 30ccdefad09979db85c5ac33536a67a62632fd07 |
| SHA256 | 358acb7bd81a4bf4e3ea927a924dab09fb84ac5143907bc5011b728e0a50a098 |
| SHA512 | 6e6bef22782a0450c79034eaa6a3eca380f5a50697c81440dba99181b50d71c5fcf9f25bebc167e875293c0db65ce0486641fca9c825d2ef728549e198e8615f |
memory/2004-119-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2004-118-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2004-117-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2004-116-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2004-115-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\wdantqvcx.exe
| MD5 | 0ec54cb9f13a434fbb453089d41c7fe7 |
| SHA1 | f140667024030fb2719442593dad66aac60740be |
| SHA256 | 82f68a1fa8384bac06f8cee801477f4a3c0e1bf1d7c58a9d8bce2dce0b182722 |
| SHA512 | beea6698c442ab6d77dafa315fee0744d7bee059f0a962a91e01545698b6c9e28cdbbf28472736d823eb30c44b215931b8508c5131f8287815362f002f3f9af0 |
memory/2960-121-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KHM1KUSH.txt
| MD5 | d8e311991f3310c61bc62e672bb93cc3 |
| SHA1 | db0c612a896bb8e83e1677b868209105db2e00f1 |
| SHA256 | 9d179ddd9870fc40c7f4e87654d4e3929a01713892315a1f5f5b007056c08d3b |
| SHA512 | decb08386fa62f59ae3221006954d70480a0468b26b88c6c0511a76286ce192c867a6641682104915692a95c4899e69f66b6b58769e753f1c2634fd2c79b49fb |
\Windows\SysWOW64\whuflhgh.exe
| MD5 | 18e7cec51bc2a89375478bc16ad60b2b |
| SHA1 | 7faff0457e2d76a8ea48d3593af389cca5df2d22 |
| SHA256 | ba05e9bb6a2041573f18dc5f21d906fe98397210f4baa7c2d62b150e054a1d0a |
| SHA512 | bd544e23e4039b82e26a26712a8b82c99e6ac358c9a02edea606ee9204e76c2bc425c4e7390055c8c57c4a2a98f4b1f6a1edc79cafc17973d27b74f5d2ab5b5b |
memory/2960-133-0x0000000003320000-0x0000000003337000-memory.dmp
memory/2960-139-0x0000000003320000-0x0000000003337000-memory.dmp
memory/568-148-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2960-146-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\wwuptuaw.exe
| MD5 | d9b192b1e761f727481f9f3b1c8e21da |
| SHA1 | eaebc436fff97b5d0f4b2fbc85a273ed72a15243 |
| SHA256 | 174406fc86901022393cb04efca18ba9bcfcd85dc5a6f9b3ce23ad79479508bd |
| SHA512 | 02c09ac196257912acd4951389359493ca0d061e50f1b717f206e1093873a6ecc2bdc65337a5fc90a0cd9babb8062429eb88ba9b50c22f50af16d028b2f86b57 |
memory/568-163-0x0000000003160000-0x0000000003177000-memory.dmp
memory/2004-162-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2004-161-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2004-160-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2556-171-0x0000000000400000-0x0000000000417000-memory.dmp
memory/568-170-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\wuwpmv.exe
| MD5 | ff7f229faa91a701a694495d118ea240 |
| SHA1 | f497a6ae3c25456514e95dc8e2f06665a6f31cd0 |
| SHA256 | f574cbe2c4250268c321e9003a2f6aae32b4b9a3bb2cdcd92f4035029a7be53c |
| SHA512 | 220ffca683f042cb0a33a5f22437e8f7e81e7e09e97a9e51a34ee4c5dfb4b844e0459e5dc6f4ff5b35e0dc5177f6a1074693501d72509ea6c05385692374b23a |
memory/2556-191-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2556-190-0x0000000002170000-0x0000000002187000-memory.dmp
memory/2556-189-0x0000000002170000-0x0000000002187000-memory.dmp
memory/2236-193-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O4ZFFLR1.txt
| MD5 | 67abb7f643855b825c9a68b28e349610 |
| SHA1 | b1e7a7b84027cadd208884296678c96cd44873f0 |
| SHA256 | cc92e9be1350d5857b4d9a6752733aeeaaf31f901bd358746e72135c8c649615 |
| SHA512 | a198a64858cb1fe7896d2e5ed99c25cea08b953589a31d0cc893b5a7dd09c619a4ced34ed3b17d826461518796797f39cc7693c5d235d3a1550224a88c85d4b5 |
\Windows\SysWOW64\wmuacc.exe
| MD5 | 3a983b50b789640652def5c3efd94007 |
| SHA1 | 027d0a78b0954c43d5e388e9615b9596dbf5ac55 |
| SHA256 | 7aed1e87a3d3af5e103ef57f2a4750810820cfdd3dc0e74e368935932f2ecaf5 |
| SHA512 | 810a43ac3686aac36c6961440d42bbe7b1579b24a165930c1c298b3ed77ccae79d7ec83d70662f6313a8de1efff9cd2fa6e61b37f717f2361dc916cae2442554 |
memory/2236-209-0x0000000002310000-0x0000000002327000-memory.dmp
memory/2236-215-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1816-217-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2556-216-0x0000000002170000-0x0000000002187000-memory.dmp
memory/2556-218-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1692-235-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1816-234-0x0000000003200000-0x0000000003217000-memory.dmp
memory/1816-233-0x0000000003200000-0x0000000003217000-memory.dmp
memory/1816-232-0x0000000003200000-0x0000000003217000-memory.dmp
memory/1816-231-0x0000000003200000-0x0000000003217000-memory.dmp
memory/1816-236-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1692-245-0x0000000002330000-0x0000000002347000-memory.dmp
memory/1692-252-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1692-250-0x0000000003E20000-0x0000000003E37000-memory.dmp
memory/2920-253-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1692-251-0x0000000003E20000-0x0000000003E37000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\install[2].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
memory/664-269-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2920-268-0x0000000003EE0000-0x0000000003EF7000-memory.dmp
memory/2920-267-0x0000000003ED0000-0x0000000003EE7000-memory.dmp
memory/2920-266-0x0000000003ED0000-0x0000000003EE7000-memory.dmp
memory/2920-270-0x0000000000400000-0x0000000000417000-memory.dmp
memory/664-283-0x0000000004260000-0x0000000004277000-memory.dmp
memory/664-287-0x0000000000400000-0x0000000000417000-memory.dmp
memory/664-286-0x0000000004260000-0x0000000004277000-memory.dmp
memory/664-285-0x0000000004260000-0x0000000004277000-memory.dmp
memory/664-284-0x0000000004260000-0x0000000004277000-memory.dmp
memory/944-288-0x0000000000400000-0x0000000000417000-memory.dmp
memory/944-298-0x0000000003550000-0x0000000003567000-memory.dmp
memory/2472-302-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1744-318-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2472-317-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1744-333-0x00000000032E0000-0x00000000032F7000-memory.dmp
memory/1744-332-0x00000000032E0000-0x00000000032F7000-memory.dmp
memory/944-331-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1744-334-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2864-335-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2864-350-0x0000000003960000-0x0000000003977000-memory.dmp
memory/2864-349-0x0000000003960000-0x0000000003977000-memory.dmp
memory/2864-344-0x0000000003950000-0x0000000003967000-memory.dmp
memory/2216-365-0x0000000003E70000-0x0000000003E87000-memory.dmp
memory/2216-364-0x0000000003E60000-0x0000000003E77000-memory.dmp
memory/2216-363-0x0000000003E60000-0x0000000003E77000-memory.dmp
memory/1668-366-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2216-367-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2864-385-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2864-384-0x0000000003950000-0x0000000003967000-memory.dmp
memory/1668-383-0x0000000003530000-0x0000000003547000-memory.dmp
memory/1668-382-0x0000000003530000-0x0000000003547000-memory.dmp
memory/1668-381-0x0000000003520000-0x0000000003537000-memory.dmp
memory/1668-380-0x0000000003520000-0x0000000003537000-memory.dmp
memory/1668-386-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2096-387-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2864-393-0x0000000003960000-0x0000000003977000-memory.dmp
memory/2864-392-0x0000000003950000-0x0000000003967000-memory.dmp
memory/2864-402-0x0000000003960000-0x0000000003977000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:40
Reported
2024-11-10 01:42
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
119s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\woicqw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wgeekhpsg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\weyedjw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wjpcalyv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wqgnitag.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wfj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wwifm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxrqdl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlsgdms.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wgwrse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wtnrwrv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\weuk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wroydkw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wsnoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wqotopmkn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbvwnr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wrjqw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wctap.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wggjcfk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wwptofs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkgxljiy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wcekla.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wph.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkjhpe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlsih.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wdahd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wwkehar.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wekojvq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wnxd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\waps.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wddbxnthl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wvaoox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wdcrphn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlfpnbe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wpyirfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlxp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wnhhk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbarie.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wyiwhx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkuiacj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\woopiwv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wpnqjkawo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wgrwtdg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wdul.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wjw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wetug.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wgue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\waytnc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wchxpsty.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wpvecm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wllpqat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wgnf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wosm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxeajfdf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\woyeq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wgqan.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wsjcd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbkq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxxqvo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wxos.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wtcquv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wkops.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbhvfn.exe | N/A |
Executes dropped EXE
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wpnqjkawo.exe | C:\Windows\SysWOW64\wtw.exe | N/A |
| File created | C:\Windows\SysWOW64\wfr.exe | C:\Windows\SysWOW64\wmrra.exe | N/A |
| File created | C:\Windows\SysWOW64\weuk.exe | C:\Windows\SysWOW64\wekojvq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wjdnqtb.exe | C:\Windows\SysWOW64\wpvecm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlxp.exe | C:\Windows\SysWOW64\wbb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmrra.exe | C:\Windows\SysWOW64\wosm.exe | N/A |
| File created | C:\Windows\SysWOW64\wxxqvo.exe | C:\Windows\SysWOW64\wdcrphn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwptofs.exe | C:\Windows\SysWOW64\wqgnitag.exe | N/A |
| File created | C:\Windows\SysWOW64\wgqan.exe | C:\Windows\SysWOW64\wcekla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbarie.exe | C:\Windows\SysWOW64\wnhhk.exe | N/A |
| File created | C:\Windows\SysWOW64\wrjqw.exe | C:\Windows\SysWOW64\wbarie.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnbgih.exe | C:\Windows\SysWOW64\wvkb.exe | N/A |
| File created | C:\Windows\SysWOW64\wjw.exe | C:\Windows\SysWOW64\wsjcd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkuiacj.exe | C:\Windows\SysWOW64\wdxwtuc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wvcsep.exe | C:\Windows\SysWOW64\wcjyjg.exe | N/A |
| File created | C:\Windows\SysWOW64\wsklya.exe | C:\Windows\SysWOW64\wbhvfn.exe | N/A |
| File created | C:\Windows\SysWOW64\wkcudh.exe | C:\Windows\SysWOW64\wpyirfx.exe | N/A |
| File created | C:\Windows\SysWOW64\wdcrphn.exe | C:\Windows\SysWOW64\wkuiacj.exe | N/A |
| File created | C:\Windows\SysWOW64\wtw.exe | C:\Windows\SysWOW64\waps.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlw.exe | C:\Windows\SysWOW64\weyedjw.exe | N/A |
| File created | C:\Windows\SysWOW64\wnlchxwex.exe | C:\Windows\SysWOW64\wrjqw.exe | N/A |
| File created | C:\Windows\SysWOW64\wlsih.exe | C:\Windows\SysWOW64\wdul.exe | N/A |
| File created | C:\Windows\SysWOW64\wekojvq.exe | C:\Windows\SysWOW64\wbkq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsnoy.exe | C:\Windows\SysWOW64\wfj.exe | N/A |
| File created | C:\Windows\SysWOW64\wbhvfn.exe | C:\Windows\SysWOW64\wkops.exe | N/A |
| File created | C:\Windows\SysWOW64\wctap.exe | C:\Windows\SysWOW64\wkcudh.exe | N/A |
| File created | C:\Windows\SysWOW64\wph.exe | C:\Windows\SysWOW64\wlsih.exe | N/A |
| File created | C:\Windows\SysWOW64\wrtxcpet.exe | C:\Windows\SysWOW64\wtnrwrv.exe | N/A |
| File created | C:\Windows\SysWOW64\wxeajfdf.exe | C:\Windows\SysWOW64\wjvasmc.exe | N/A |
| File created | C:\Windows\SysWOW64\wwifm.exe | C:\Windows\SysWOW64\wsnoy.exe | N/A |
| File created | C:\Windows\SysWOW64\wtsvbkos.exe | C:\Windows\SysWOW64\wxeajfdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkops.exe | C:\Windows\SysWOW64\wnlchxwex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wqgnitag.exe | C:\Windows\SysWOW64\wxos.exe | N/A |
| File created | C:\Windows\SysWOW64\wgue.exe | C:\Windows\SysWOW64\wjdnqtb.exe | N/A |
| File created | C:\Windows\SysWOW64\wsnoy.exe | C:\Windows\SysWOW64\wfj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgrwtdg.exe | C:\Windows\SysWOW64\wgeekhpsg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlsgdms.exe | C:\Windows\SysWOW64\wbu.exe | N/A |
| File created | C:\Windows\SysWOW64\wdqq.exe | C:\Windows\SysWOW64\wgnf.exe | N/A |
| File created | C:\Windows\SysWOW64\wlw.exe | C:\Windows\SysWOW64\weyedjw.exe | N/A |
| File created | C:\Windows\SysWOW64\wtcquv.exe | C:\Windows\SysWOW64\wmefo.exe | N/A |
| File created | C:\Windows\SysWOW64\wvtawfd.exe | C:\Windows\SysWOW64\wlxp.exe | N/A |
| File created | C:\Windows\SysWOW64\wlxp.exe | C:\Windows\SysWOW64\wbb.exe | N/A |
| File created | C:\Windows\SysWOW64\wbu.exe | C:\Windows\SysWOW64\wgrwtdg.exe | N/A |
| File created | C:\Windows\SysWOW64\wkgxljiy.exe | C:\Windows\SysWOW64\wlsgdms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wnhhk.exe | C:\Windows\SysWOW64\wgtvs.exe | N/A |
| File created | C:\Windows\SysWOW64\wkops.exe | C:\Windows\SysWOW64\wnlchxwex.exe | N/A |
| File created | C:\Windows\SysWOW64\wdahd.exe | C:\Windows\SysWOW64\wph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrtxcpet.exe | C:\Windows\SysWOW64\wtnrwrv.exe | N/A |
| File created | C:\Windows\SysWOW64\wbkq.exe | C:\Windows\SysWOW64\wjw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfr.exe | C:\Windows\SysWOW64\wmrra.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlsih.exe | C:\Windows\SysWOW64\wdul.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wekojvq.exe | C:\Windows\SysWOW64\wbkq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxxqvo.exe | C:\Windows\SysWOW64\wdcrphn.exe | N/A |
| File created | C:\Windows\SysWOW64\wfj.exe | C:\Windows\SysWOW64\wgeoqm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wpnqjkawo.exe | C:\Windows\SysWOW64\wtw.exe | N/A |
| File created | C:\Windows\SysWOW64\woicqw.exe | C:\Windows\SysWOW64\wvcsep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgqan.exe | C:\Windows\SysWOW64\wcekla.exe | N/A |
| File created | C:\Windows\SysWOW64\weyedjw.exe | C:\Windows\SysWOW64\wgwrse.exe | N/A |
| File created | C:\Windows\SysWOW64\wbvwnr.exe | C:\Windows\SysWOW64\wqotopmkn.exe | N/A |
| File created | C:\Windows\SysWOW64\wggjcfk.exe | C:\Windows\SysWOW64\woopiwv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wroydkw.exe | C:\Windows\SysWOW64\wvtawfd.exe | N/A |
| File created | C:\Windows\SysWOW64\wgtvs.exe | C:\Windows\SysWOW64\wbvwnr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wpvecm.exe | C:\Windows\SysWOW64\wwptofs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgtvs.exe | C:\Windows\SysWOW64\wbvwnr.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wxeajfdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnhhk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wkuiacj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\waps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wgtvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlxp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wroydkw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wctap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wrjqw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wsklya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvtawfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wjpcalyv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wekojvq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wjvasmc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wkcudh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wxos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wgeekhpsg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wjw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wpvecm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wllpqat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wgnf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wnbgih.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wvaoox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\woopiwv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlfpnbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wkops.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
"C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
C:\Windows\SysWOW64\wwkehar.exe
"C:\Windows\system32\wwkehar.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
C:\Windows\SysWOW64\wtnrwrv.exe
"C:\Windows\system32\wtnrwrv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkehar.exe"
C:\Windows\SysWOW64\wrtxcpet.exe
"C:\Windows\system32\wrtxcpet.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnrwrv.exe"
C:\Windows\SysWOW64\wsjcd.exe
"C:\Windows\system32\wsjcd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtxcpet.exe"
C:\Windows\SysWOW64\wjw.exe
"C:\Windows\system32\wjw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjcd.exe"
C:\Windows\SysWOW64\wbkq.exe
"C:\Windows\system32\wbkq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1100 -ip 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1308
C:\Windows\SysWOW64\wekojvq.exe
"C:\Windows\system32\wekojvq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkq.exe"
C:\Windows\SysWOW64\weuk.exe
"C:\Windows\system32\weuk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekojvq.exe"
C:\Windows\SysWOW64\wntcur.exe
"C:\Windows\system32\wntcur.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuk.exe"
C:\Windows\SysWOW64\wvaoox.exe
"C:\Windows\system32\wvaoox.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntcur.exe"
C:\Windows\SysWOW64\wchxpsty.exe
"C:\Windows\system32\wchxpsty.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvaoox.exe"
C:\Windows\SysWOW64\wmefo.exe
"C:\Windows\system32\wmefo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchxpsty.exe"
C:\Windows\SysWOW64\wtcquv.exe
"C:\Windows\system32\wtcquv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmefo.exe"
C:\Windows\SysWOW64\wdxwtuc.exe
"C:\Windows\system32\wdxwtuc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcquv.exe"
C:\Windows\SysWOW64\wkuiacj.exe
"C:\Windows\system32\wkuiacj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxwtuc.exe"
C:\Windows\SysWOW64\wdcrphn.exe
"C:\Windows\system32\wdcrphn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuiacj.exe"
C:\Windows\SysWOW64\wxxqvo.exe
"C:\Windows\system32\wxxqvo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcrphn.exe"
C:\Windows\SysWOW64\wnxd.exe
"C:\Windows\system32\wnxd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxqvo.exe"
C:\Windows\SysWOW64\woopiwv.exe
"C:\Windows\system32\woopiwv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxd.exe"
C:\Windows\SysWOW64\wggjcfk.exe
"C:\Windows\system32\wggjcfk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woopiwv.exe"
C:\Windows\SysWOW64\wbb.exe
"C:\Windows\system32\wbb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggjcfk.exe"
C:\Windows\SysWOW64\wlxp.exe
"C:\Windows\system32\wlxp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbb.exe"
C:\Windows\SysWOW64\wvtawfd.exe
"C:\Windows\system32\wvtawfd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxp.exe"
C:\Windows\SysWOW64\wroydkw.exe
"C:\Windows\system32\wroydkw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtawfd.exe"
C:\Windows\SysWOW64\wetug.exe
"C:\Windows\system32\wetug.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroydkw.exe"
C:\Windows\SysWOW64\wxos.exe
"C:\Windows\system32\wxos.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetug.exe"
C:\Windows\SysWOW64\wqgnitag.exe
"C:\Windows\system32\wqgnitag.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxos.exe"
C:\Windows\SysWOW64\wwptofs.exe
"C:\Windows\system32\wwptofs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgnitag.exe"
C:\Windows\SysWOW64\wpvecm.exe
"C:\Windows\system32\wpvecm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptofs.exe"
C:\Windows\SysWOW64\wjdnqtb.exe
"C:\Windows\system32\wjdnqtb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvecm.exe"
C:\Windows\SysWOW64\wgue.exe
"C:\Windows\system32\wgue.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdnqtb.exe"
C:\Windows\SysWOW64\wgeoqm.exe
"C:\Windows\system32\wgeoqm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgue.exe"
C:\Windows\SysWOW64\wfj.exe
"C:\Windows\system32\wfj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeoqm.exe"
C:\Windows\SysWOW64\wsnoy.exe
"C:\Windows\system32\wsnoy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfj.exe"
C:\Windows\SysWOW64\wwifm.exe
"C:\Windows\system32\wwifm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnoy.exe"
C:\Windows\SysWOW64\wxrqdl.exe
"C:\Windows\system32\wxrqdl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwifm.exe"
C:\Windows\SysWOW64\waps.exe
"C:\Windows\system32\waps.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrqdl.exe"
C:\Windows\SysWOW64\wtw.exe
"C:\Windows\system32\wtw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waps.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1660
C:\Windows\SysWOW64\wpnqjkawo.exe
"C:\Windows\system32\wpnqjkawo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtw.exe"
C:\Windows\SysWOW64\wcjyjg.exe
"C:\Windows\system32\wcjyjg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnqjkawo.exe"
C:\Windows\SysWOW64\wvcsep.exe
"C:\Windows\system32\wvcsep.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjyjg.exe"
C:\Windows\SysWOW64\woicqw.exe
"C:\Windows\system32\woicqw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcsep.exe"
C:\Windows\SysWOW64\wosm.exe
"C:\Windows\system32\wosm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woicqw.exe"
C:\Windows\SysWOW64\wmrra.exe
"C:\Windows\system32\wmrra.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosm.exe"
C:\Windows\SysWOW64\wfr.exe
"C:\Windows\system32\wfr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrra.exe"
C:\Windows\SysWOW64\wjvasmc.exe
"C:\Windows\system32\wjvasmc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfr.exe"
C:\Windows\SysWOW64\wxeajfdf.exe
"C:\Windows\system32\wxeajfdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvasmc.exe"
C:\Windows\SysWOW64\wtsvbkos.exe
"C:\Windows\system32\wtsvbkos.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeajfdf.exe"
C:\Windows\SysWOW64\wgeekhpsg.exe
"C:\Windows\system32\wgeekhpsg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsvbkos.exe"
C:\Windows\SysWOW64\wgrwtdg.exe
"C:\Windows\system32\wgrwtdg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeekhpsg.exe"
C:\Windows\SysWOW64\wbu.exe
"C:\Windows\system32\wbu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrwtdg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3124 -ip 3124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1676
C:\Windows\SysWOW64\wlsgdms.exe
"C:\Windows\system32\wlsgdms.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbu.exe"
C:\Windows\SysWOW64\wkgxljiy.exe
"C:\Windows\system32\wkgxljiy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsgdms.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3348 -ip 3348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1536
C:\Windows\SysWOW64\wkjhpe.exe
"C:\Windows\system32\wkjhpe.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgxljiy.exe"
C:\Windows\SysWOW64\wllpqat.exe
"C:\Windows\system32\wllpqat.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjhpe.exe"
C:\Windows\SysWOW64\woyeq.exe
"C:\Windows\system32\woyeq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllpqat.exe"
C:\Windows\SysWOW64\wgnf.exe
"C:\Windows\system32\wgnf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyeq.exe"
C:\Windows\SysWOW64\wdqq.exe
"C:\Windows\system32\wdqq.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1444
C:\Windows\SysWOW64\wcekla.exe
"C:\Windows\system32\wcekla.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqq.exe"
C:\Windows\SysWOW64\wgqan.exe
"C:\Windows\system32\wgqan.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcekla.exe"
C:\Windows\SysWOW64\wlfpnbe.exe
"C:\Windows\system32\wlfpnbe.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqan.exe"
C:\Windows\SysWOW64\wgwrse.exe
"C:\Windows\system32\wgwrse.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfpnbe.exe"
C:\Windows\SysWOW64\weyedjw.exe
"C:\Windows\system32\weyedjw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwrse.exe"
C:\Windows\SysWOW64\wlw.exe
"C:\Windows\system32\wlw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyedjw.exe"
C:\Windows\SysWOW64\waytnc.exe
"C:\Windows\system32\waytnc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlw.exe"
C:\Windows\SysWOW64\wqotopmkn.exe
"C:\Windows\system32\wqotopmkn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waytnc.exe"
C:\Windows\SysWOW64\wbvwnr.exe
"C:\Windows\system32\wbvwnr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotopmkn.exe"
C:\Windows\SysWOW64\wgtvs.exe
"C:\Windows\system32\wgtvs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvwnr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1156 -ip 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1536
C:\Windows\SysWOW64\wnhhk.exe
"C:\Windows\system32\wnhhk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtvs.exe"
C:\Windows\SysWOW64\wbarie.exe
"C:\Windows\system32\wbarie.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhhk.exe"
C:\Windows\SysWOW64\wrjqw.exe
"C:\Windows\system32\wrjqw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbarie.exe"
C:\Windows\SysWOW64\wnlchxwex.exe
"C:\Windows\system32\wnlchxwex.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqw.exe"
C:\Windows\SysWOW64\wkops.exe
"C:\Windows\system32\wkops.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlchxwex.exe"
C:\Windows\SysWOW64\wbhvfn.exe
"C:\Windows\system32\wbhvfn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkops.exe"
C:\Windows\SysWOW64\wsklya.exe
"C:\Windows\system32\wsklya.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhvfn.exe"
C:\Windows\SysWOW64\wpyirfx.exe
"C:\Windows\system32\wpyirfx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsklya.exe"
C:\Windows\SysWOW64\wkcudh.exe
"C:\Windows\system32\wkcudh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyirfx.exe"
C:\Windows\SysWOW64\wctap.exe
"C:\Windows\system32\wctap.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcudh.exe"
C:\Windows\SysWOW64\wyiwhx.exe
"C:\Windows\system32\wyiwhx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctap.exe"
C:\Windows\SysWOW64\wdul.exe
"C:\Windows\system32\wdul.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyiwhx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1536
C:\Windows\SysWOW64\wlsih.exe
"C:\Windows\system32\wlsih.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdul.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 748
C:\Windows\SysWOW64\wph.exe
"C:\Windows\system32\wph.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsih.exe"
C:\Windows\SysWOW64\wdahd.exe
"C:\Windows\system32\wdahd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wph.exe"
C:\Windows\SysWOW64\wemam.exe
"C:\Windows\system32\wemam.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdahd.exe"
C:\Windows\SysWOW64\wiof.exe
"C:\Windows\system32\wiof.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemam.exe"
C:\Windows\SysWOW64\wddbxnthl.exe
"C:\Windows\system32\wddbxnthl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiof.exe"
C:\Windows\SysWOW64\wagnj.exe
"C:\Windows\system32\wagnj.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddbxnthl.exe"
C:\Windows\SysWOW64\wvkb.exe
"C:\Windows\system32\wvkb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagnj.exe"
C:\Windows\SysWOW64\wnbgih.exe
"C:\Windows\system32\wnbgih.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkb.exe"
C:\Windows\SysWOW64\wjpcalyv.exe
"C:\Windows\system32\wjpcalyv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbgih.exe"
C:\Windows\SysWOW64\waijn.exe
"C:\Windows\system32\waijn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpcalyv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1472
C:\Windows\SysWOW64\wwwgfc.exe
"C:\Windows\system32\wwwgfc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waijn.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 222.172.224.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 254.148.248.13.in-addr.arpa | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
Files
memory/836-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wwkehar.exe
| MD5 | 9aaeb52c2d8c8c5d53d961e2464ccf7c |
| SHA1 | e2f54eae4aa70a448baf4536b934b3b64ba9dc1b |
| SHA256 | 6db2bf1bf608c8c1b07240b298ba8fd15327a937f7cc6618551d8078dfb32e4a |
| SHA512 | d9d097d2f8ea56da751f27f9d5699524b23cb30b4b1544c1241cae0cbb8891d85e488be0ca2fe119d7d4440093769a419d86df28809528ac2847181d94929bc2 |
memory/836-11-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wtnrwrv.exe
| MD5 | dc56b3c5bbed155c45a2cd7e62c0280d |
| SHA1 | cb3ffe613f10149c0d42b32cd1306e6a149316d6 |
| SHA256 | 69ac01a9dcbef5e7a393ab225137dbdabf0b294495127ec8be86d598eeb9a43e |
| SHA512 | ba59116757b72ea844ee8c25747ae23030e0eb273b6aeb053831cab91b4b03dd95cdc0e626dca2fa457ce555af1b95c393d91207d834227e706abfccd82d6209 |
memory/2940-22-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wrtxcpet.exe
| MD5 | 661180444cb1a90a5542f5af9e97734b |
| SHA1 | 46502f31d23a861d765627c9f23bcde621dde721 |
| SHA256 | a4047c67030ae93c30fd21b66cedb4fd8229d7b679ed97b323eb98ab71fd5428 |
| SHA512 | 34b7d125b479d0f7683826d9ae7f5bfbd1cc3f68ffcccbb6ac95a7cacb1e1b06f3d29052bcbc0523c8d03896142d17c83c716771d277163d95e3cf94b045cecf |
memory/3476-33-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wsjcd.exe
| MD5 | c391e26df1f2731cad31bfd05342357a |
| SHA1 | 428ea4b461977a904e0cc1284571545a118c2221 |
| SHA256 | 51cbc2030bda178904bc4ce490dd5b0d9a06fcd20f1286190230d7aa6f41e1c7 |
| SHA512 | 69fd6411f4ff5974151b0c8bb1844dfb01b1d6492519ee898e7a9b46c449f192e4563c78285af478aba8e51e3fc994e2b06710cc5b019978c1a9010f10a81e7b |
memory/1364-43-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wjw.exe
| MD5 | a648135d7e08fec5b6f729ef347d3585 |
| SHA1 | 8503e99efabdab82c3605b5927d8e2d0d82440f4 |
| SHA256 | 9dd7889e30059ed0753a237eeffcaacb1670b258e319283b4dd44f5df641a19e |
| SHA512 | 7394b9fb017090b6884a6bd36bb4ce3e1a520638affc6b53cedea6ec54fb8a9286957b464d77785153aaf156d00d2624c5e6073e03cecc25c7c23e4ad5de4278 |
memory/3024-54-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wbkq.exe
| MD5 | 2baf14267ae0638aabc0f41f87c4d019 |
| SHA1 | df8e720d8e38f27222d0ca247633aa5b871c0580 |
| SHA256 | 4181ab947afd3539ddf77f975ca0dd8c892d2d6930d34a024f468e0f7c0c966c |
| SHA512 | df6a5e1dbbff8e15964123f0814d54671f5e712453dfa36b1417ae176954128f70478d2b3c762c9232ea4609a36c8515cd6b3aa2fe80c08efd68fb6b06fe53a2 |
memory/1100-64-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\install[2].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
C:\Windows\SysWOW64\wekojvq.exe
| MD5 | 2940e341f41b90dcabcb40beec81ce74 |
| SHA1 | 7da62a86c3293db48d9be98e91b677602279a4a5 |
| SHA256 | 14c2b1d88f82a5772d1088b9bbaabf58dff43ae55b60d8122517aff7e25abbfe |
| SHA512 | de272b6d8109d6f504a2cfcc9316ceaa4a4fe6bf30ff2cb6a5023f94aaa82c0e8ed71ebf205548082484a1c98023b30d59a3b2cae7f490606ff0d50d7b82b5f6 |
memory/744-75-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\weuk.exe
| MD5 | eac730272ec3221de919ade7abcc7b98 |
| SHA1 | 934cfc5b4f886ed28f697dbfe0ddcd6d8765c7d5 |
| SHA256 | f8bb44f4119fbf82f484276d645cbcf1336a85b72dd88f31a43fb9e06bf1253e |
| SHA512 | 353dbffb6543e998b366ac5d8e110b9daf9db45719e2a04fcf6b23e4c08bcec1aef7ae95495f216b7e7798cfc674862dd951b1ef053c86eb2953c7c35b656302 |
memory/3900-85-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wntcur.exe
| MD5 | 6565532460511b825b324baa2916d60e |
| SHA1 | 219559b96245eb1f9e06c457a484247b017b1fec |
| SHA256 | 5788c43d0ca4a1f11d0ca8c1d46f8f73107c036594f9ef6b7922123f07d7d021 |
| SHA512 | 7aa5f59439874bb2d7a9bdaf9726ef204311af59e3723608f330922029dae642691df4de6a31a61bdccaf675a8f2ca2846c16cddd02be1bf1ab43f08a7699802 |
memory/1200-96-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wvaoox.exe
| MD5 | 39ad8d3180520a3222985801924ea8b4 |
| SHA1 | 404d777cfc93197a16d3c869d8280f1e95b5fd4f |
| SHA256 | 43feb723b3f587452984ae13fd9220178718d19841bc18ce20d81d34a9a8eff8 |
| SHA512 | 76149d1edc28a8ccb726e4041a24e72f0de26198bdc114c35fae2b00e97f67cfc09b8bc6783a3dd476fd7a3929c77ecff7a98d1f689a919a77f235021bcfa157 |
memory/1048-107-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wchxpsty.exe
| MD5 | f8a96c73edc4206f67d67cdd8f64e42e |
| SHA1 | a781686fc410f0e5791b859f53b8f09ad3badd8d |
| SHA256 | f1942ac22056d9121862a4afa6c3e9068316a0a0333e350993eb2d2aa280b833 |
| SHA512 | 5a290b6c5619bb5d9233ef83606bbd36d3b35385b17f191ffd6f709f9943c24e2d0ba836d3dc0e9a232b900146ea46046f091fcea5234c44de67fc15e3246423 |
memory/2360-118-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wmefo.exe
| MD5 | 2413044a1d68167e10330a7aed418e4c |
| SHA1 | fba87ae3803a95d0848d6731fe26683f07b0c218 |
| SHA256 | 403381db3841ec5f3f4df2fa480b842e8a3522d546a99c7063a4206840acfc7e |
| SHA512 | 8c0edcde40fda9a6c0b66219bd615a416b4eb8df78eb37c0da9f4595901b1333a91d8d1c8782a8ed698b40c3e0778ab2cf07e85b6df19d59040e9cfbfa2f889f |
memory/1584-129-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wtcquv.exe
| MD5 | 6997d7a01feaed0e830afea8aef98ec6 |
| SHA1 | 4433b02f85ad58c898e7b1819d3948685d14b9e7 |
| SHA256 | a349823ba74f542fc84bb77ee0e6bf0bbc6c7a8374c74937a6b8a172f7baad42 |
| SHA512 | 1e36b887ae44fb80dcfe876200e3e63314a32dd3578dc76ef046a0cd9b0b81ad5a08bbc7be2d61628bbf39e95b86a147dcc6dac935e1b178f9c74c6dc5029078 |
memory/3920-140-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wdxwtuc.exe
| MD5 | 8a1437d3c1a3273dbafdb0e5fe5afda2 |
| SHA1 | c5ab27a4c122fcb969d996535e8f78bd29cbce7e |
| SHA256 | 6af05907650ef5d3e7931e7ec455636ae6c1f6b1add5adf937be5ebce7cd6a72 |
| SHA512 | 169dd20a03564cc578f223d93597b980f9dd13e7d887090fea7e29719fe238f9f6093037749eef592b4d84722eebc63160d5f8b208c02380429ed2650bbd0bc4 |
memory/2428-151-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wkuiacj.exe
| MD5 | 7275ff3a384a169abffd1039f02d995b |
| SHA1 | c98dc15b4db80672a7e7ecf3905a30bb18962e93 |
| SHA256 | 74542e3850373806de42a032db30c29006f3d28eb50448660046cd3e342c81c8 |
| SHA512 | 589c606dcf12aa61144557ccad3d169a6a2f358f3b6b0479fc4f2a2edfe20ff75fb721b3b1e9315ee2f50d5029225989b25e2609097e2e3732724105727b31d9 |
memory/1996-162-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wdcrphn.exe
| MD5 | 96ed296554abac9a395a7b376cc70908 |
| SHA1 | 062875a892f7dbe80e161e3d85393eec7cf6e014 |
| SHA256 | 2da938a25ebaf96b1ea77486892700b6ae797d9245d10519f8a44a9977ac2384 |
| SHA512 | d383f99466d097432a5063a0801baf9bf20e31793571fe3b4fbaec861acaa7eb133b539739c6d35b437603b4ff161818f58cd00207133021e218efd52a525124 |
memory/4268-173-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wxxqvo.exe
| MD5 | 0dca54bdf09e1206f252ea340faba924 |
| SHA1 | e689b641003be8a5d92d659d147ba7678d5e5a7d |
| SHA256 | b3bc818b6db709ccf1ab395b03d591d2c109f90539804e84154e5dc808a31052 |
| SHA512 | 7e469650cb7cc2e9b8b594c44f04c31c40ebb21559488691b534958d546d7d99c4acdfbf26d47073f04d6f0335b312f6b265926b0600f3110ef36a9fdeeda5d0 |
memory/876-183-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wnxd.exe
| MD5 | 1ef638cd4ef521f90e0dad5e9aa1dd61 |
| SHA1 | dac4a64f1cb6c18bff4ba757d9fa9dde42d64c8f |
| SHA256 | fea598ff307071f9a8d925c86f3ddef983bb938a09e2b698d276ffda08d0f764 |
| SHA512 | 47adb06cb4a8d8103695ad5ee1edd338962e1f9ccf5b157d1743afdb1273fe926fe42e254f0d53eff8daf0b9c2c7fb82baaa6f5630f5145df112e99ca48e8222 |
memory/3508-194-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\woopiwv.exe
| MD5 | c465af67e692231538055966fb833da7 |
| SHA1 | d81c034359d7ca27dc6ff822be4435ff69788c0e |
| SHA256 | 5519423460f451d7d3282b2a7046ad1f4f567e2fecb658059e3c87cab8ba716c |
| SHA512 | 7464ec1b8bd95769107d83d5b3eb731dfac69a6a306097736d2a2a831846ee9ea01065fb61a27c78cb80d2a002dca5d0523fb2c6674141120268d53657c77f95 |
memory/2304-205-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wggjcfk.exe
| MD5 | b2ad6ce49de8c6f1708f36437e44a677 |
| SHA1 | b4f5f728f988bd8ea6b95c29280522f7ce414eef |
| SHA256 | 77e8d513c5f1215670e54f193ddb672891266bafb76c65dd71801aa856867058 |
| SHA512 | 01e1248b84fcb54fa1b93a6490dd07a2adbb1b0fb4cf866ccf63ef57368b31d8897653223a8e0b6598b489fb5eb6814553e1188e38149896354d37a281516892 |
memory/1804-216-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wbb.exe
| MD5 | dd58640e11fb116ff558854f3aff3364 |
| SHA1 | b6fa284995551cd842ec82d813b881f344fbc213 |
| SHA256 | 5b37a133f675ebaf4e6de090f15f28220b745103dff2616eebebfd4df5a0aaf6 |
| SHA512 | f0d957a73f9a3917f4d96a224a7ab174d0a26770ef6f24158cc8e1fdd9caf44d2340d7d34f06bc70cb77dec21a8613f0f83b7e0dfd70d67b0508294559302d42 |
memory/1944-227-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wlxp.exe
| MD5 | d8d506f087a77741c5eae398fe57fc7a |
| SHA1 | 4805753c862e594b112506360b476c08b4e78e4d |
| SHA256 | b481b3e420888f09a0376e5f5146d994fed741c22928a2bf27351ee971862bca |
| SHA512 | a2fe23746ce110b13b494b476608487cd4641329cd98e58690a0044ce9fa2b489149f030ff77b6fd666dc76bee1550e720a75068bb148be888ac38eaf1a1115e |
memory/2936-237-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wvtawfd.exe
| MD5 | d19d06fb67bc2a2ba2e7d385fb5b7e0a |
| SHA1 | a41695f231fa85c6a617e8164c30472f7de1ae8b |
| SHA256 | c88bce8f29014c442de8c2508b34bad22098b2628bb9602985bd69f749a2fad5 |
| SHA512 | e47270c9d53c47aa37bb31b3b8673fba7b03330568630d7cb2e33603a2d82cf37bd9537b911110c25a0a98cc4e5587caa7d2397ecc14c8845d8ca2deb5789e54 |
memory/4372-248-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wroydkw.exe
| MD5 | 42805d2b2df3dd0ad18b2b6e497117a5 |
| SHA1 | 8abf9b4e8c6df6e93e2907aa598801489ed39e64 |
| SHA256 | 1728320447c190d309de199a2cc7e0a7b0630119181eacd2ad978daa80ff3265 |
| SHA512 | f90231a5d07e8dc7072fabb0d3520e1f154b1c439cf49aced8f6593b58ab2407df3966b20b9e1e8fc45afd479dae11b6b6427e145da6f2a2eedf53f4144707be |
memory/1900-258-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wetug.exe
| MD5 | dec472a5661224fdcbc4f05147855e76 |
| SHA1 | 94a167afd172a60232a2eacf733a1b8f502f0e8c |
| SHA256 | 133ec1139e9c97ee4c7223066c9f698f65b916d73ad134ba141027287af1b030 |
| SHA512 | 304826b10daf5576dcff64818c0b6ff0a5ea1dd7024efcbb42ead2f8142a909ce443e86d95494e52a155664b175f07aa34fdf647a4fc95181b3bea1140d966e0 |
memory/2716-269-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wxos.exe
| MD5 | 4217c25b1f85e95f4e275da0cc20fe7d |
| SHA1 | ff4470183904ad6db730d5696008cf42138a332e |
| SHA256 | 23bbc76b770669444151a9d5e524aed5d585367ca39568bbcc4dc3826e79a3dc |
| SHA512 | 5481fea349b2d71532c03bc3391c7e154dced1f595d166f2b738dc22046b39ff7b93b3ce8c3af150a1805b0f545f9383ea247bf8744e1a3bf8321d00e5f9936d |
memory/2728-280-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wqgnitag.exe
| MD5 | 0bb0cfef7b9f547641da41d2f69dee1f |
| SHA1 | 6a03aa8fbae741076e786b03934ebf2411dd1868 |
| SHA256 | 04a555b2acd7c432fd0eddf04df28e1249c924acd2253f0ce2c8a0d4b1ae687b |
| SHA512 | 044d43af69a9187a954f3adc4795f83cde18dd5fc713cb49aeb5f011607f01876294ae0b91cfbd2b5c1abe915c82072eab5c0e925b2c86009cc0b495b8f767e0 |
memory/4576-290-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wwptofs.exe
| MD5 | e78decb794c5372fde0298bdd3d85844 |
| SHA1 | bff9430aad84a178abd0d884004b02e93062d8fb |
| SHA256 | 3ca49d93d63cb131fc506fad8b66896389b12f71c65a7f88284faa916650b52f |
| SHA512 | c36044e6c359bb894d021bf65537287e4334521b0c1e78020f4e307b7044b2f20537088e941fb060354a97f83741b666d961ef4053e74572ed39b682ab09d4e4 |
memory/1948-301-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wpvecm.exe
| MD5 | 0a2eeaa7f377cf986e8c4782f99caac4 |
| SHA1 | 4e92641cb3229693ca4ffabff1b482903ff4d0ed |
| SHA256 | 22c98c9b9b420446c6c874963379675c92a8203005c27d789d1c87d6a9e2261d |
| SHA512 | 5a75e6a22c2130fa1dd12cb8f2f2e453313974546957f8f317dff763dd069be537f64609cac9b68304995334bcc291a03024de10ab5c5e53aba8a7f25489dcc4 |
memory/3988-312-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wjdnqtb.exe
| MD5 | eefe85a88281be7ecb476b63568dd015 |
| SHA1 | 3fde7bad3f6068866b7580bb104c410508a16ca7 |
| SHA256 | d3bc30c834c414075614060d891ea53f300c3ef670de1129dc8416f071facc96 |
| SHA512 | f6dd2402897c1ea8100fb546951a4d29c77665e6006a8743ebce25829cb8ef1328ae7b70fbe5638579470a6a5095d268da72b5be7e7247054ccb6b629a8c71c3 |
memory/1832-323-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wgue.exe
| MD5 | e91d47e0740aa951479982a95ae6bd18 |
| SHA1 | 7d6d4681c44eef42fd0814447e04f8e7bff1e521 |
| SHA256 | 9874f6b5102ed9a033c7dd7ebc13de4187c1e2acbe7f2bd40de7759ad6fc1f7d |
| SHA512 | 6397331f303e8291af94e499a9519ed1d2adcfd43d29da9c0232f72aea086dd8e4135f8c7193ad3fe8908471d95315054f026276eeae04eaab3d31bce9a81631 |
memory/3224-333-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\wgeoqm.exe
| MD5 | d3a817900f014dc63d338596f85f7c69 |
| SHA1 | ab0036cffa3ce87390006d95b7bde45361d1b4b6 |
| SHA256 | 18d3928f565c8b8c75c402edfddabd56c7bb0ca43d65ac24e8b4bb1a950a71a9 |
| SHA512 | 55cd68059b7a070f721fe1e049a83b313dd377ec638d76dd8cb7b4ce96cd04eee3e7b96a96ff61c557efee5495f21f7d32d00241f5b314501f528b5f828ce6ee |
memory/1500-344-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4324-352-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4232-360-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1628-368-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3900-376-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4008-385-0x0000000000400000-0x0000000000417000-memory.dmp
memory/212-394-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2268-403-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3584-412-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3500-421-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1380-429-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1292-437-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3568-445-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3900-453-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2120-461-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3236-469-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1996-477-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1644-485-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1156-493-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3124-501-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3964-509-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3348-517-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3768-525-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4228-533-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2972-541-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4600-549-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3792-557-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4920-565-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3028-573-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2368-581-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1032-589-0x0000000000400000-0x0000000000417000-memory.dmp
memory/972-597-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1332-605-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1364-613-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1992-621-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3756-629-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3760-644-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1520-652-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3900-660-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1796-668-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1924-676-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3424-684-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1580-692-0x0000000000400000-0x0000000000417000-memory.dmp
memory/528-700-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2116-708-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1708-716-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3456-724-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3976-732-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2648-740-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4396-748-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5052-756-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4392-764-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4412-765-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4392-773-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4992-781-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2908-789-0x0000000000400000-0x0000000000417000-memory.dmp
memory/448-797-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1904-805-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3392-813-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4544-821-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4896-829-0x0000000000400000-0x0000000000417000-memory.dmp