0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
Size

107KB
MD5

88bc89ab98e89837bf13a0256671e6da
SHA1

d9a2e91647e217168d3b570f2d247e4e62fb0981
SHA256

0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175
SHA512

3c88c79ff351275ddfb2c274504eced993a21bfd60d9cee323f34d99f35ee8a5b6d192566fe1bd09f419f62ac662b6970f0fac34e7cdee70cde010bf8121b7b6
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxzl4UQ:yfjxrhzk2nfsWhP7dvavi6vWEbh8X9O

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wqgloj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wwtrnxpgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wrhrhegia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wlayhdmky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wvpujwe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wggoi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wlueb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wafb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wjxwe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wgyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	waehfol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wyud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	whgrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wdfkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	weytb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wtkrruss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wjlgfxsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wvmf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wuamg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wdyxkyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wmmuykrfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	woisi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wftex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wiidtka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wdipkaime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wbo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wffmyul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wyd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wlgckm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wphfetuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wduqsp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wsgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wpfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wpgp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	whol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wxoymh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wsx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wwlyokxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wurc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wstrwp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wgeekhpsg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wasysycf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wkuvonk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wyalmhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wabwxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wbnsah.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wldfyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wnfwp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wpmuga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wpqjwfab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wvspged.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wclbxbv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wimipli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wgtbxca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wdjlvpy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wtlttnam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wmnjxmoq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wxfyyvr.exe

Executes dropped EXE 64 IoCs

pid	Process
5096	woisi.exe
564	wrpegdq.exe
1416	wpmuga.exe
320	wcsfqumg.exe
2012	wjlgfxsk.exe
4872	wyg.exe
2040	wclbxbv.exe
3832	wxjtxcu.exe
3240	wbo.exe
2800	wqvxye.exe
228	wxoymh.exe
3236	wyud.exe
4584	wgkl.exe
2000	wnpyw.exe
948	wlueb.exe
3628	wsx.exe
4824	wpfx.exe
3256	wbgmsmlhv.exe
1084	wlgckm.exe
4788	wimipli.exe
3520	whgrv.exe
1300	wdfkv.exe
4224	wgyq.exe
3992	wafb.exe
3624	wgknae.exe
380	wiaadwbc.exe
3056	wpqjwfab.exe
1868	wurc.exe
5016	wxljuxnd.exe
880	wgs.exe
3652	wquqtcwuj.exe
5068	wwlyokxs.exe
2812	winiy.exe
3260	wqgloj.exe
3672	wkuvonk.exe
3288	wjpgtjiel.exe
4620	wvspged.exe
5108	wftex.exe
1576	wixiuu.exe
3600	wffmyul.exe
4156	wcjvtp.exe
4552	wxnxnu.exe
1900	wmnjxmoq.exe
3260	wpgp.exe
2012	wwkdob.exe
1412	whol.exe
568	wbnsah.exe
4160	wstrwp.exe
3448	wsdsvhpy.exe
1712	wwwyrusm.exe
1584	wwyubmy.exe
4464	wdoduu.exe
888	wjempd.exe
3704	wxfyyvr.exe
4428	wjxwe.exe
3488	wdipkaime.exe
4076	waouqy.exe
3508	wgeekhpsg.exe
1072	wnqtsjq.exe
4224	watcd.exe
3220	wyd.exe
3404	wwtrnxpgw.exe
2000	wnwxqjoc.exe
4600	wnfwp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wswfj.exe	wnfwp.exe
File opened for modification	C:\Windows\SysWOW64\wvmf.exe	wshcqxxuw.exe
File opened for modification	C:\Windows\SysWOW64\wduqsp.exe	wxtxre.exe
File created	C:\Windows\SysWOW64\wgl.exe	wbrokho.exe
File opened for modification	C:\Windows\SysWOW64\wlgckm.exe	wbgmsmlhv.exe
File created	C:\Windows\SysWOW64\wkuvonk.exe	wqgloj.exe
File created	C:\Windows\SysWOW64\whol.exe	wwkdob.exe
File created	C:\Windows\SysWOW64\wwtrnxpgw.exe	wyd.exe
File opened for modification	C:\Windows\SysWOW64\wbrokho.exe	wvpujwe.exe
File created	C:\Windows\SysWOW64\wswfj.exe	wnfwp.exe
File created	C:\Windows\SysWOW64\wumslca.exe	wswfj.exe
File opened for modification	C:\Windows\SysWOW64\wautv.exe	wqpibmmji.exe
File created	C:\Windows\SysWOW64\wkqcfya.exe	wkvsy.exe
File opened for modification	C:\Windows\SysWOW64\wxjtxcu.exe	wclbxbv.exe
File opened for modification	C:\Windows\SysWOW64\wlueb.exe	wnpyw.exe
File opened for modification	C:\Windows\SysWOW64\wpfx.exe	wsx.exe
File opened for modification	C:\Windows\SysWOW64\whol.exe	wwkdob.exe
File opened for modification	C:\Windows\SysWOW64\wwkdob.exe	wpgp.exe
File created	C:\Windows\SysWOW64\wrif.exe	wlrvo.exe
File opened for modification	C:\Windows\SysWOW64\wbo.exe	wxjtxcu.exe
File opened for modification	C:\Windows\SysWOW64\wvrlatd.exe	wkocpxira.exe
File created	C:\Windows\SysWOW64\whowku.exe	wautv.exe
File opened for modification	C:\Windows\SysWOW64\wubr.exe	wsgm.exe
File created	C:\Windows\SysWOW64\wvrlatd.exe	wkocpxira.exe
File created	C:\Windows\SysWOW64\womkysfj.exe	wgl.exe
File opened for modification	C:\Windows\SysWOW64\wojjbk.exe	wkqcfya.exe
File opened for modification	C:\Windows\SysWOW64\wasysycf.exe	wskgn.exe
File opened for modification	C:\Windows\SysWOW64\wcjvtp.exe	wffmyul.exe
File opened for modification	C:\Windows\SysWOW64\wwwyrusm.exe	wsdsvhpy.exe
File created	C:\Windows\SysWOW64\wkbjpvb.exe	wiidtka.exe
File opened for modification	C:\Windows\SysWOW64\wqpibmmji.exe	wlayhdmky.exe
File created	C:\Windows\SysWOW64\wlueb.exe	wnpyw.exe
File opened for modification	C:\Windows\SysWOW64\wgeekhpsg.exe	waouqy.exe
File opened for modification	C:\Windows\SysWOW64\wnwxqjoc.exe	wwtrnxpgw.exe
File created	C:\Windows\SysWOW64\wispd.exe	wsihmm.exe
File opened for modification	C:\Windows\SysWOW64\wskgn.exe	wubr.exe
File opened for modification	C:\Windows\SysWOW64\wgl.exe	wbrokho.exe
File created	C:\Windows\SysWOW64\wtkrruss.exe	wubstbf.exe
File opened for modification	C:\Windows\SysWOW64\wiaadwbc.exe	wgknae.exe
File opened for modification	C:\Windows\SysWOW64\wkuvonk.exe	wqgloj.exe
File created	C:\Windows\SysWOW64\wffmyul.exe	wixiuu.exe
File created	C:\Windows\SysWOW64\wxh.exe	wabwxm.exe
File created	C:\Windows\SysWOW64\woisi.exe	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
File opened for modification	C:\Windows\SysWOW64\woisi.exe	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
File opened for modification	C:\Windows\SysWOW64\wkocpxira.exe	wuamg.exe
File opened for modification	C:\Windows\SysWOW64\wgtbxca.exe	wrif.exe
File created	C:\Windows\SysWOW64\wruhq.exe	wtkrruss.exe
File created	C:\Windows\SysWOW64\wclbxbv.exe	wyg.exe
File opened for modification	C:\Windows\SysWOW64\whgrv.exe	wimipli.exe
File created	C:\Windows\SysWOW64\wkj.exe	wldfyn.exe
File created	C:\Windows\SysWOW64\wkvsy.exe	whowku.exe
File created	C:\Windows\SysWOW64\wyud.exe	wxoymh.exe
File opened for modification	C:\Windows\SysWOW64\wbnsah.exe	whol.exe
File created	C:\Windows\SysWOW64\wgeekhpsg.exe	waouqy.exe
File opened for modification	C:\Windows\SysWOW64\wfesxjjfu.exe	wtlttnam.exe
File created	C:\Windows\SysWOW64\whgrv.exe	wimipli.exe
File opened for modification	C:\Windows\SysWOW64\wumslca.exe	wswfj.exe
File created	C:\Windows\SysWOW64\wautv.exe	wqpibmmji.exe
File created	C:\Windows\SysWOW64\wasysycf.exe	wskgn.exe
File created	C:\Windows\SysWOW64\wbo.exe	wxjtxcu.exe
File opened for modification	C:\Windows\SysWOW64\winiy.exe	wwlyokxs.exe
File created	C:\Windows\SysWOW64\wxnxnu.exe	wcjvtp.exe
File created	C:\Windows\SysWOW64\wphfetuo.exe	wwhwek.exe
File opened for modification	C:\Windows\SysWOW64\wabwxm.exe	wduqsp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
1776	564	WerFault.exe	91
3520	1416	WerFault.exe	96
3624	3628	WerFault.exe	145
60	5016	WerFault.exe	188
380	4156	WerFault.exe	226
1648	4156	WerFault.exe	226
5064	1584	WerFault.exe	260
4744	3704	WerFault.exe	271
1896	4076	WerFault.exe	282
2176	1072	WerFault.exe	290
2768	3220	WerFault.exe	298
208	4600	WerFault.exe	309
3464	1136	WerFault.exe	320
4824	4036	WerFault.exe	424
4892	4284	WerFault.exe	435
3208	1732	WerFault.exe	449
2616	2664	WerFault.exe	484

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkuvonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwkdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkocpxira.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjempd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsxdiwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsihmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpibmmji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnqtsjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpqjwfab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wispd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	womkysfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwtrnxpgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkqcfya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wffmyul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgknae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxjtxcu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlueb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwlyokxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waouqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqvxye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnfwp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqgloj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wduqsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wasysycf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 5096	3920	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	87
PID 3920 wrote to memory of 5096	3920	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	87
PID 3920 wrote to memory of 5096	3920	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	87
PID 3920 wrote to memory of 1332	3920	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	89
PID 3920 wrote to memory of 1332	3920	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	89
PID 3920 wrote to memory of 1332	3920	0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe	89
PID 5096 wrote to memory of 564	5096	woisi.exe	91
PID 5096 wrote to memory of 564	5096	woisi.exe	91
PID 5096 wrote to memory of 564	5096	woisi.exe	91
PID 5096 wrote to memory of 2656	5096	woisi.exe	92
PID 5096 wrote to memory of 2656	5096	woisi.exe	92
PID 5096 wrote to memory of 2656	5096	woisi.exe	92
PID 564 wrote to memory of 1416	564	wrpegdq.exe	96
PID 564 wrote to memory of 1416	564	wrpegdq.exe	96
PID 564 wrote to memory of 1416	564	wrpegdq.exe	96
PID 564 wrote to memory of 4240	564	wrpegdq.exe	97
PID 564 wrote to memory of 4240	564	wrpegdq.exe	97
PID 564 wrote to memory of 4240	564	wrpegdq.exe	97
PID 1416 wrote to memory of 320	1416	wpmuga.exe	104
PID 1416 wrote to memory of 320	1416	wpmuga.exe	104
PID 1416 wrote to memory of 320	1416	wpmuga.exe	104
PID 1416 wrote to memory of 2156	1416	wpmuga.exe	105
PID 1416 wrote to memory of 2156	1416	wpmuga.exe	105
PID 1416 wrote to memory of 2156	1416	wpmuga.exe	105
PID 320 wrote to memory of 2012	320	wcsfqumg.exe	109
PID 320 wrote to memory of 2012	320	wcsfqumg.exe	109
PID 320 wrote to memory of 2012	320	wcsfqumg.exe	109
PID 320 wrote to memory of 1140	320	wcsfqumg.exe	110
PID 320 wrote to memory of 1140	320	wcsfqumg.exe	110
PID 320 wrote to memory of 1140	320	wcsfqumg.exe	110
PID 2012 wrote to memory of 4872	2012	wjlgfxsk.exe	113
PID 2012 wrote to memory of 4872	2012	wjlgfxsk.exe	113
PID 2012 wrote to memory of 4872	2012	wjlgfxsk.exe	113
PID 2012 wrote to memory of 2000	2012	wjlgfxsk.exe	114
PID 2012 wrote to memory of 2000	2012	wjlgfxsk.exe	114
PID 2012 wrote to memory of 2000	2012	wjlgfxsk.exe	114
PID 4872 wrote to memory of 2040	4872	wyg.exe	116
PID 4872 wrote to memory of 2040	4872	wyg.exe	116
PID 4872 wrote to memory of 2040	4872	wyg.exe	116
PID 4872 wrote to memory of 212	4872	wyg.exe	117
PID 4872 wrote to memory of 212	4872	wyg.exe	117
PID 4872 wrote to memory of 212	4872	wyg.exe	117
PID 2040 wrote to memory of 3832	2040	wclbxbv.exe	119
PID 2040 wrote to memory of 3832	2040	wclbxbv.exe	119
PID 2040 wrote to memory of 3832	2040	wclbxbv.exe	119
PID 2040 wrote to memory of 216	2040	wclbxbv.exe	121
PID 2040 wrote to memory of 216	2040	wclbxbv.exe	121
PID 2040 wrote to memory of 216	2040	wclbxbv.exe	121
PID 3832 wrote to memory of 3240	3832	wxjtxcu.exe	124
PID 3832 wrote to memory of 3240	3832	wxjtxcu.exe	124
PID 3832 wrote to memory of 3240	3832	wxjtxcu.exe	124
PID 3832 wrote to memory of 4824	3832	wxjtxcu.exe	125
PID 3832 wrote to memory of 4824	3832	wxjtxcu.exe	125
PID 3832 wrote to memory of 4824	3832	wxjtxcu.exe	125
PID 3240 wrote to memory of 2800	3240	wbo.exe	127
PID 3240 wrote to memory of 2800	3240	wbo.exe	127
PID 3240 wrote to memory of 2800	3240	wbo.exe	127
PID 3240 wrote to memory of 1696	3240	wbo.exe	128
PID 3240 wrote to memory of 1696	3240	wbo.exe	128
PID 3240 wrote to memory of 1696	3240	wbo.exe	128
PID 2800 wrote to memory of 228	2800	wqvxye.exe	130
PID 2800 wrote to memory of 228	2800	wqvxye.exe	130
PID 2800 wrote to memory of 228	2800	wqvxye.exe	130
PID 2800 wrote to memory of 3056	2800	wqvxye.exe	131

C:\Users\Admin\AppData\Local\Temp\0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe
"C:\Users\Admin\AppData\Local\Temp\0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\woisi.exe
  "C:\Windows\system32\woisi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\wrpegdq.exe
    "C:\Windows\system32\wrpegdq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\wpmuga.exe
      "C:\Windows\system32\wpmuga.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\SysWOW64\wcsfqumg.exe
        
        "C:\Windows\system32\wcsfqumg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\wjlgfxsk.exe
        
        "C:\Windows\system32\wjlgfxsk.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\wyg.exe
        
        "C:\Windows\system32\wyg.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\wclbxbv.exe
        
        "C:\Windows\system32\wclbxbv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\wxjtxcu.exe
        
        "C:\Windows\system32\wxjtxcu.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\wbo.exe
        
        "C:\Windows\system32\wbo.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\wqvxye.exe
        
        "C:\Windows\system32\wqvxye.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\wxoymh.exe
        
        "C:\Windows\system32\wxoymh.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\wyud.exe
        
        "C:\Windows\system32\wyud.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\wgkl.exe
        
        "C:\Windows\system32\wgkl.exe"
        14⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\wnpyw.exe
        
        "C:\Windows\system32\wnpyw.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\wlueb.exe
        
        "C:\Windows\system32\wlueb.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\wsx.exe
        
        "C:\Windows\system32\wsx.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\wpfx.exe
        
        "C:\Windows\system32\wpfx.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\wbgmsmlhv.exe
        
        "C:\Windows\system32\wbgmsmlhv.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\wlgckm.exe
        
        "C:\Windows\system32\wlgckm.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\wimipli.exe
        
        "C:\Windows\system32\wimipli.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\whgrv.exe
        
        "C:\Windows\system32\whgrv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\wdfkv.exe
        
        "C:\Windows\system32\wdfkv.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\wgyq.exe
        
        "C:\Windows\system32\wgyq.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\wafb.exe
        
        "C:\Windows\system32\wafb.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\wgknae.exe
        
        "C:\Windows\system32\wgknae.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\wiaadwbc.exe
        
        "C:\Windows\system32\wiaadwbc.exe"
        27⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\wpqjwfab.exe
        
        "C:\Windows\system32\wpqjwfab.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\wurc.exe
        
        "C:\Windows\system32\wurc.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\wxljuxnd.exe
        
        "C:\Windows\system32\wxljuxnd.exe"
        30⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\wgs.exe
        
        "C:\Windows\system32\wgs.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\wquqtcwuj.exe
        
        "C:\Windows\system32\wquqtcwuj.exe"
        32⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\wwlyokxs.exe
        
        "C:\Windows\system32\wwlyokxs.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\winiy.exe
        
        "C:\Windows\system32\winiy.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wqgloj.exe
        
        "C:\Windows\system32\wqgloj.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\wkuvonk.exe
        
        "C:\Windows\system32\wkuvonk.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\wjpgtjiel.exe
        
        "C:\Windows\system32\wjpgtjiel.exe"
        37⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\wvspged.exe
        
        "C:\Windows\system32\wvspged.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\wftex.exe
        
        "C:\Windows\system32\wftex.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\wixiuu.exe
        
        "C:\Windows\system32\wixiuu.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\wffmyul.exe
        
        "C:\Windows\system32\wffmyul.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\wcjvtp.exe
        
        "C:\Windows\system32\wcjvtp.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\wxnxnu.exe
        
        "C:\Windows\system32\wxnxnu.exe"
        43⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\wmnjxmoq.exe
        
        "C:\Windows\system32\wmnjxmoq.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\wpgp.exe
        
        "C:\Windows\system32\wpgp.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\wwkdob.exe
        
        "C:\Windows\system32\wwkdob.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\whol.exe
        
        "C:\Windows\system32\whol.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\wbnsah.exe
        
        "C:\Windows\system32\wbnsah.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\wstrwp.exe
        
        "C:\Windows\system32\wstrwp.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\wsdsvhpy.exe
        
        "C:\Windows\system32\wsdsvhpy.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\wwwyrusm.exe
        
        "C:\Windows\system32\wwwyrusm.exe"
        51⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\wwyubmy.exe
        
        "C:\Windows\system32\wwyubmy.exe"
        52⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\wdoduu.exe
        
        "C:\Windows\system32\wdoduu.exe"
        53⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\wjempd.exe
        
        "C:\Windows\system32\wjempd.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\wxfyyvr.exe
        
        "C:\Windows\system32\wxfyyvr.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\wjxwe.exe
        
        "C:\Windows\system32\wjxwe.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\wdipkaime.exe
        
        "C:\Windows\system32\wdipkaime.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\waouqy.exe
        
        "C:\Windows\system32\waouqy.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\wgeekhpsg.exe
        
        "C:\Windows\system32\wgeekhpsg.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\wnqtsjq.exe
        
        "C:\Windows\system32\wnqtsjq.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\watcd.exe
        
        "C:\Windows\system32\watcd.exe"
        61⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\wyd.exe
        
        "C:\Windows\system32\wyd.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\wwtrnxpgw.exe
        
        "C:\Windows\system32\wwtrnxpgw.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\wnwxqjoc.exe
        
        "C:\Windows\system32\wnwxqjoc.exe"
        64⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\wnfwp.exe
        
        "C:\Windows\system32\wnfwp.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\wswfj.exe
        
        "C:\Windows\system32\wswfj.exe"
        66⤵
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\wumslca.exe
        
        "C:\Windows\system32\wumslca.exe"
        67⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\wshcqxxuw.exe
        
        "C:\Windows\system32\wshcqxxuw.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\wvmf.exe
        
        "C:\Windows\system32\wvmf.exe"
        69⤵
        Checks computer location settings
        
        PID:4316
        
        C:\Windows\SysWOW64\wuamg.exe
        
        "C:\Windows\system32\wuamg.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\wkocpxira.exe
        
        "C:\Windows\system32\wkocpxira.exe"
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\wvrlatd.exe
        
        "C:\Windows\system32\wvrlatd.exe"
        72⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\wwhwek.exe
        
        "C:\Windows\system32\wwhwek.exe"
        73⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wphfetuo.exe
        
        "C:\Windows\system32\wphfetuo.exe"
        74⤵
        Checks computer location settings
        
        PID:1868
        
        C:\Windows\SysWOW64\wsbmbhxe.exe
        
        "C:\Windows\system32\wsbmbhxe.exe"
        75⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\wrhrhegia.exe
        
        "C:\Windows\system32\wrhrhegia.exe"
        76⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Windows\SysWOW64\wsxdiwb.exe
        
        "C:\Windows\system32\wsxdiwb.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\weytb.exe
        
        "C:\Windows\system32\weytb.exe"
        78⤵
        Checks computer location settings
        
        PID:2368
        
        C:\Windows\SysWOW64\wlrvo.exe
        
        "C:\Windows\system32\wlrvo.exe"
        79⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\wrif.exe
        
        "C:\Windows\system32\wrif.exe"
        80⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\wgtbxca.exe
        
        "C:\Windows\system32\wgtbxca.exe"
        81⤵
        Checks computer location settings
        
        PID:4316
        
        C:\Windows\SysWOW64\wyalmhe.exe
        
        "C:\Windows\system32\wyalmhe.exe"
        82⤵
        Checks computer location settings
        
        PID:4764
        
        C:\Windows\SysWOW64\wiidtka.exe
        
        "C:\Windows\system32\wiidtka.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\wkbjpvb.exe
        
        "C:\Windows\system32\wkbjpvb.exe"
        84⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\wldfyn.exe
        
        "C:\Windows\system32\wldfyn.exe"
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\wkj.exe
        
        "C:\Windows\system32\wkj.exe"
        86⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\wlayhdmky.exe
        
        "C:\Windows\system32\wlayhdmky.exe"
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wqpibmmji.exe
        
        "C:\Windows\system32\wqpibmmji.exe"
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\wautv.exe
        
        "C:\Windows\system32\wautv.exe"
        89⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\whowku.exe
        
        "C:\Windows\system32\whowku.exe"
        90⤵
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\wkvsy.exe
        
        "C:\Windows\system32\wkvsy.exe"
        91⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\wkqcfya.exe
        
        "C:\Windows\system32\wkqcfya.exe"
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\wojjbk.exe
        
        "C:\Windows\system32\wojjbk.exe"
        93⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\wdyxkyk.exe
        
        "C:\Windows\system32\wdyxkyk.exe"
        94⤵
        Checks computer location settings
        
        PID:2312
        
        C:\Windows\SysWOW64\wxtxre.exe
        
        "C:\Windows\system32\wxtxre.exe"
        95⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\wduqsp.exe
        
        "C:\Windows\system32\wduqsp.exe"
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\wabwxm.exe
        
        "C:\Windows\system32\wabwxm.exe"
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\wxh.exe
        
        "C:\Windows\system32\wxh.exe"
        98⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\wew.exe
        
        "C:\Windows\system32\wew.exe"
        99⤵
        Checks computer location settings
        
        PID:3536
        
        C:\Windows\SysWOW64\wsihmm.exe
        
        "C:\Windows\system32\wsihmm.exe"
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\wispd.exe
        
        "C:\Windows\system32\wispd.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\wmmuykrfa.exe
        
        "C:\Windows\system32\wmmuykrfa.exe"
        102⤵
        Checks computer location settings
        
        PID:4036
        
        C:\Windows\SysWOW64\wyeuee.exe
        
        "C:\Windows\system32\wyeuee.exe"
        103⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\wppbuph.exe
        
        "C:\Windows\system32\wppbuph.exe"
        104⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\waehfol.exe
        
        "C:\Windows\system32\waehfol.exe"
        105⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Windows\SysWOW64\wck.exe
        
        "C:\Windows\system32\wck.exe"
        106⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\whrsyn.exe
        
        "C:\Windows\system32\whrsyn.exe"
        107⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\wsgm.exe
        
        "C:\Windows\system32\wsgm.exe"
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\wubr.exe
        
        "C:\Windows\system32\wubr.exe"
        109⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\wskgn.exe
        
        "C:\Windows\system32\wskgn.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\wasysycf.exe
        
        "C:\Windows\system32\wasysycf.exe"
        111⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\wdjlvpy.exe
        
        "C:\Windows\system32\wdjlvpy.exe"
        112⤵
        Checks computer location settings
        
        PID:1472
        
        C:\Windows\SysWOW64\wvpujwe.exe
        
        "C:\Windows\system32\wvpujwe.exe"
        113⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\wbrokho.exe
        
        "C:\Windows\system32\wbrokho.exe"
        114⤵
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\wgl.exe
        
        "C:\Windows\system32\wgl.exe"
        115⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\womkysfj.exe
        
        "C:\Windows\system32\womkysfj.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\wubstbf.exe
        
        "C:\Windows\system32\wubstbf.exe"
        117⤵
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\wtkrruss.exe
        
        "C:\Windows\system32\wtkrruss.exe"
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\wruhq.exe
        
        "C:\Windows\system32\wruhq.exe"
        119⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\wtlttnam.exe
        
        "C:\Windows\system32\wtlttnam.exe"
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\wfesxjjfu.exe
        
        "C:\Windows\system32\wfesxjjfu.exe"
        121⤵
        
        PID:956
        
        C:\Windows\SysWOW64\wggoi.exe
        
        "C:\Windows\system32\wggoi.exe"
        122⤵
        Checks computer location settings
        
        PID:2392
        
        C:\Windows\SysWOW64\wjyu.exe
        
        "C:\Windows\system32\wjyu.exe"
        123⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggoi.exe"
        123⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfesxjjfu.exe"
        122⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlttnam.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1596
        121⤵
        Program crash
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruhq.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkrruss.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubstbf.exe"
        118⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womkysfj.exe"
        117⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgl.exe"
        116⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrokho.exe"
        115⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpujwe.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjlvpy.exe"
        113⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasysycf.exe"
        112⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskgn.exe"
        111⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubr.exe"
        110⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1680
        110⤵
        Program crash
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgm.exe"
        109⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrsyn.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wck.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waehfol.exe"
        106⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1328
        106⤵
        Program crash
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppbuph.exe"
        105⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyeuee.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmuykrfa.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1460
        103⤵
        Program crash
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wispd.exe"
        102⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsihmm.exe"
        101⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wew.exe"
        100⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxh.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabwxm.exe"
        98⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wduqsp.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxtxre.exe"
        96⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdyxkyk.exe"
        95⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojjbk.exe"
        94⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqcfya.exe"
        93⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvsy.exe"
        92⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whowku.exe"
        91⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wautv.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpibmmji.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlayhdmky.exe"
        88⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkj.exe"
        87⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldfyn.exe"
        86⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbjpvb.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiidtka.exe"
        84⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyalmhe.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtbxca.exe"
        82⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrif.exe"
        81⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrvo.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weytb.exe"
        79⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxdiwb.exe"
        78⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhrhegia.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbmbhxe.exe"
        76⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphfetuo.exe"
        75⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhwek.exe"
        74⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrlatd.exe"
        73⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkocpxira.exe"
        72⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuamg.exe"
        71⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmf.exe"
        70⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshcqxxuw.exe"
        69⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 536
        69⤵
        Program crash
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumslca.exe"
        68⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswfj.exe"
        67⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfwp.exe"
        66⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1392
        66⤵
        Program crash
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwxqjoc.exe"
        65⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtrnxpgw.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyd.exe"
        63⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1148
        63⤵
        Program crash
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watcd.exe"
        62⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqtsjq.exe"
        61⤵
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1612
        61⤵
        Program crash
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeekhpsg.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waouqy.exe"
        59⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 536
        59⤵
        Program crash
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdipkaime.exe"
        58⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxwe.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfyyvr.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1668
        56⤵
        Program crash
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjempd.exe"
        55⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoduu.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyubmy.exe"
        53⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1552
        53⤵
        Program crash
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwyrusm.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdsvhpy.exe"
        51⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstrwp.exe"
        50⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnsah.exe"
        49⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whol.exe"
        48⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkdob.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgp.exe"
        46⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnjxmoq.exe"
        45⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnxnu.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjvtp.exe"
        43⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 116
        43⤵
        Program crash
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1536
        43⤵
        Program crash
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffmyul.exe"
        42⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixiuu.exe"
        41⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wftex.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvspged.exe"
        39⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpgtjiel.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuvonk.exe"
        37⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgloj.exe"
        36⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winiy.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwlyokxs.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquqtcwuj.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgs.exe"
        32⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxljuxnd.exe"
        31⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 116
        31⤵
        Program crash
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurc.exe"
        30⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqjwfab.exe"
        29⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiaadwbc.exe"
        28⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgknae.exe"
        27⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafb.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyq.exe"
        25⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfkv.exe"
        24⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgrv.exe"
        23⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimipli.exe"
        22⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgckm.exe"
        21⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgmsmlhv.exe"
        20⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfx.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsx.exe"
        18⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1408
        18⤵
        Program crash
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlueb.exe"
        17⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpyw.exe"
        16⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkl.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyud.exe"
        14⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxoymh.exe"
        13⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvxye.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbo.exe"
        11⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjtxcu.exe"
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclbxbv.exe"
        9⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyg.exe"
        8⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlgfxsk.exe"
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsfqumg.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmuga.exe"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1704
        5⤵
        Program crash
        
        PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpegdq.exe"
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1220
      4⤵
      Program crash
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woisi.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\0e818c90559237778a3ca9856b4cb67b973af59caf027bb801658bab79879175.exe"
  2⤵
  PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 564 -ip 564
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1416 -ip 1416
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3628 -ip 3628
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5016 -ip 5016
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4156 -ip 4156
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4156 -ip 4156
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1584 -ip 1584
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3704 -ip 3704
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4076 -ip 4076
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1072 -ip 1072
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3220 -ip 3220
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4600 -ip 4600
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1136 -ip 1136
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4036 -ip 4036
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4284 -ip 4284
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1732 -ip 1732
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2664 -ip 2664
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wafb.exe

Filesize
107KB

MD5
7037089493d39046adaf5f0c41753060

SHA1
76adb807743329afccd991452ecc72d694e86a2c

SHA256
2281203a16d876ff688a765f37e84dcd28d31adc6e3f773e7ac2d390b68f8395

SHA512
f36c7c6db8b4eb6b6d508edf3512e481f0cafa0de9ec760739eaedbe3a395800e95e80ca46b904d9bd15faa89ac6986f98230d4ea1b2eed3ef8bdb973f07c9f4

Download Submit
C:\Windows\SysWOW64\wbgmsmlhv.exe

Filesize
107KB

MD5
0bb72d3083a14bea57d9deb7efba03fd

SHA1
e8d984751fd9ace0a9d7dbe97e86716aa941cd42

SHA256
b135b72c93a4832dadfad1adb6210aa97cadd51667606889944e42615f4966b1

SHA512
57a278ec3cb7dd198e52cb230394779e911404c53d92922af2e4ac8e34cb14e35359fbbf58cc33a0ee5e0885f8c6e68bd05c0d6e6735fc6091b06043c03f7253

Download Submit
C:\Windows\SysWOW64\wbo.exe

Filesize
107KB

MD5
e73a8eacca5fa10f52a0b46b4acdfc34

SHA1
c317f4f222e4996f585c65fa73335bf45df66f20

SHA256
d866652622bae38a643532fd45df3c1fa75badd20ed189c525cc3cfeb695cc74

SHA512
de02cb35d2d33a896e76ffca1720a119d851169fc41280f7b804465963e52f91dca35a988afd24db6bc678e5ec8bd98ee417e6afc287845a6f36c3c7b3f3f880

Download Submit
C:\Windows\SysWOW64\wclbxbv.exe

Filesize
107KB

MD5
99544cbc02c8b520f2f9519dc4ed3b27

SHA1
4d3f8ae4d1a185ac104349acab9368d406081089

SHA256
384e039a29f0cf8cefd32e6eb7e8f44f63e5414c61e5ab93ae506e4ad8d4df9c

SHA512
cbbeb6ceb3f99d846128ac17ba2eb630eab02b2d0223787b1fd98a2d95904549b881e54cc5dd78345c27f15aa61a6ee382c9d152feb34afe00320af71093374d

Download Submit
C:\Windows\SysWOW64\wcsfqumg.exe

Filesize
107KB

MD5
b06fce61f91e9621d5ecc0588e764bad

SHA1
fd1517a756c5f06e9444c6a2e6c51a4e520f8f04

SHA256
28349b8684b7557184b17dd6fc8312b4e280751c5d749f4db5dd423fb6f2d24b

SHA512
8677d75c4dfdacd8d449e2be7659bf6d8044e915f6a6958946ca313725d6a257265526fe5eeb57d209b0b0f1530193a52540692f3ae62379e51b86a0dc238169

Download Submit
C:\Windows\SysWOW64\wdfkv.exe

Filesize
107KB

MD5
99cacc24c81504d63c0fbab4ffb1ee53

SHA1
b814f72dbe4729f9c12614f2147ccfac26a0a900

SHA256
16d918d4d7786cb20fafba5940a4b571689dd62ccfb1a22d7cbb279e7272f6fe

SHA512
623c7b2133dfd668af6425694cee6ca16d0c36acca40b9c9b8cf0d5e8382bf1424b17d38d4a7d54f899b16b7db8aebbdf1a6177b21ebab60f6ece0ff74d99d96

Download Submit
C:\Windows\SysWOW64\wgkl.exe

Filesize
107KB

MD5
2d42a4f197f2102f378c56987bc5f56f

SHA1
f519e8c5309e735148d3d3fbb55af603be959427

SHA256
ca921e052a21983d9f3d5afd89a479591f74fc40acd3cef4c9c385cd906b5be2

SHA512
9fb40946768baf77d62fb9409a2ca1ec1815e40ec876963fe78df29a04787358ce76cc5f19a0340c07c576eee8c180bcf9fe5877bbb5cf9ec9685e04be3d89ae

Download Submit
C:\Windows\SysWOW64\wgknae.exe

Filesize
107KB

MD5
9f09a8842c2aadd1d41e964f600e3eeb

SHA1
565ce09f236ef027bd0af12cd7ff4dc79ce38802

SHA256
9403de715e0c5f4450e53df53bcf11e4125cd1e199e3f4ee78ace5be75ae367e

SHA512
0a571a3fdd9b54b08e895a3137ebad4794bf439a67313e503f31da4da04068bc2b0cb0909e2d3c4caace68733f0a0d681edd379e6b5a1c9f457c6971bcac63f8

Download Submit
C:\Windows\SysWOW64\wgs.exe

Filesize
108KB

MD5
8a2e04f780a6ea00b1c65e0e74882055

SHA1
f8fa0a66c4e31ea806358eea63234bde60bba388

SHA256
dff154b059d001d677c6066ebe6bca741ab4d229bdc72720b0e140e0d5dd338f

SHA512
9c7bfccffbb025db3f3c35d1b5f498f5cb3301bf59c60b84e1db6e6a614699ebe244690f49acb03c9e061877aad75c2ec501a8e3533f4b2409743b83490c3446

Download Submit
C:\Windows\SysWOW64\wgyq.exe

Filesize
107KB

MD5
f903e1cc31988c5938080020921f8915

SHA1
16a6fb5aac4cac86f1ba6a2cd7757001c177c7c4

SHA256
ff27d00d442b810f14d58241a90aaad0dc7f272618f48421ae23be1a2416b0ed

SHA512
b7fc91d2ffef10f6f227753938db2ce75b5180f94f1452aa4c24adbbc40de61f2a4bd7a6ee14cbda99fba9e0520b8c2648a9a2b8242209a8c464f842ffefe4ef

Download Submit
C:\Windows\SysWOW64\whgrv.exe

Filesize
107KB

MD5
753b5fbb8bdb0cd2f943f969ef637f6f

SHA1
bd1b87832ef3261b28582af90d713639fa64ed1f

SHA256
222a750a12bafd7fa948fae8d571c5a8b4984d965e2b5233b5f7615cabfc88a0

SHA512
3c0074acd28a4e2a155207bcdce85f3fa1ac1148271c44f8f4cb4c052928ad18fdfd592b31913f8b60a6a11f79fd4b539756792e7910ba6c5a751e88f26e2ea9

Download Submit
C:\Windows\SysWOW64\wiaadwbc.exe

Filesize
108KB

MD5
2de66c0ed32501cdd289be906ca609d2

SHA1
f00d5d606f66527609ccb9c76ade263b8c5065dd

SHA256
0c11d84d462c1b42a54e398826edc160351c9d34a2b34a0946e5d92ead20b956

SHA512
2ef460b7bcfe0c00e6683e1f02487443081d43fc7d07459d14bfcfbea3ff52fee16bd6dcc1ac96a3a84d7c677a03b658405d2fce5f2127bbcd83965b08bebffe

Download Submit
C:\Windows\SysWOW64\wimipli.exe

Filesize
107KB

MD5
c80d08a1f28626cbceafd4a6688a5aa0

SHA1
227bcb9ae4b2e7c2ad4a1a5042b0561451ca5999

SHA256
cdf59185bf6021f905c3000114e3d1b0f4d1d33cf8048f789af9fc683afb6ebf

SHA512
9fc40197f5bf47d01281bb92aadfc42443d9b3e95879ad0e384b7f2061c9562681a262010d0115b10c7f47bcf8366e01ecd640fada962b9d990edb36656c7598

Download Submit
C:\Windows\SysWOW64\wjlgfxsk.exe

Filesize
107KB

MD5
04516f97c55d9e3826dd629921ff9606

SHA1
eea7f236ebc1b3cbde93c41b1ebc616831969176

SHA256
aa9a745b77a236dcfc2c3a86b1d689f7847dab91f0146d8c2d3b3ee09952ec43

SHA512
5769dd6d1acdce42fa48c12cee5c32b271dac4d240daf96fd2a0a5efcaed6fe775962bdba438df9632660934e0d7b03a9fa6bfb5af50a57f93cc497e486bea7a

Download Submit
C:\Windows\SysWOW64\wlgckm.exe

Filesize
107KB

MD5
770d3c1805d8aefa5efd338aeb4930ca

SHA1
6f61c1c840827159eaa8343e7179372fcc0a8de5

SHA256
605ae2668a56d4a3a37f3e9b1a5edb06b675fddb8ff3f5f1b818e438b2087159

SHA512
b5d5207f5de4cb3392c1a6399e251bc8f14d8620b979b61f11c06abf70e13a62fac82993915c6223e016efc5ca878f6acc26604aaef3c9387a42286020d0cfaf

Download Submit
C:\Windows\SysWOW64\wlueb.exe

Filesize
107KB

MD5
1da9791bfcb9800a662b3ec0b2b6d17f

SHA1
a03f904b2863a21a0a426d2388195ca2439daa85

SHA256
af966dd4ed5d006b8f57c09f9983ae9523a12be47d5c97d1b53b26ea5dff3f59

SHA512
4c0b8f748848cb6e312e86a930f41099a58c3c5c3b832aeb28616f046d5e84e8f6cc4de172bfe2f1d45bf4f92c533f742626020be5e83bec7f6bfb09a29eea3a

Download Submit
C:\Windows\SysWOW64\wnpyw.exe

Filesize
107KB

MD5
2dd90986067f9d04462e9d6932a31f2e

SHA1
63526ee439725f8bf91380a167c98c2fa0c5ed8b

SHA256
6cb777bce69e4158da63c343e6a3c41359b4c6781c3ac505e0d078b48a39a83e

SHA512
52a032f46400788f27db6d598d2557cddade30c4d3f5599d7123601e81d28748ae6b6b47a6bd9fdec41930713c0f7b107233e51233d67f9a1b756c8f2929e750

Download Submit
C:\Windows\SysWOW64\woisi.exe

Filesize
107KB

MD5
d909fe7b28bcc9ba72984e2a6f4004de

SHA1
ca4ee0adf1a4bc98b9203946cbd1c40272f21a1b

SHA256
300b56931aeb90f3a9f0d596b0f8895d12a51e269595c068332ead3b8fbee5f5

SHA512
6f902c77fb3b3019116c0155f19320a358b74f16cc5fb33f420ea446542facd34a30d6b2618c925ef85b998c3139cde32956c220f50f0ac4b07edf44d1b5bfe1

Download Submit
C:\Windows\SysWOW64\wpfx.exe

Filesize
107KB

MD5
a1f92e1c59f0668b99d8932b4a03c353

SHA1
31a99ee7d87fa30c0acf89e03dd660a671427bbc

SHA256
bafb0d7a9a8540b3a31984a0582857489a8c47f1d1e7022e2f0fff49fdc14cb0

SHA512
80daafa5f68e488da98c6ee41d010fc96fee7479cceed2efdc23476446e062513628e52ae2a990f6ed4bcc379dc946434a41c90ed4077db0f72ec2c3e8b96dd2

Download Submit
C:\Windows\SysWOW64\wpmuga.exe

Filesize
107KB

MD5
5c362a8821ca0aacc53aceb89e780792

SHA1
4c6730dc411e5b6dcfdd8b916e627fefae0642ab

SHA256
31f0cf8f2c47a9aefbfab121d7ddb110993e10caec1f7265754e8b8276b7de3c

SHA512
cf88a494b1dbdf80a6205edac2360b031efa47e641a57b763c673af4a9d3c567c4d66129ba5e4329508eb36502ee4d130f1131b76b87fc45b910ad892b9e98bc

Download Submit
C:\Windows\SysWOW64\wpqjwfab.exe

Filesize
108KB

MD5
0248f75cf41ed1dcddc046232d21b215

SHA1
f4fcce970ffcb5d91deb718d81cf20dfc9b9623e

SHA256
506dec47ca8dd332199b442a00b3de09d4b9b593bfeeb1d2aa6102b13749450d

SHA512
ca1247424d44ccb8379eaf7546f7b1f54112286788305f8938841a3b39e7670c165f1b981805baff39e2437544962a064d9c5ce4c8e02ec252d908c9569e95c9

Download Submit
C:\Windows\SysWOW64\wquqtcwuj.exe

Filesize
108KB

MD5
52fa2f6b74d744267dd9e5e1610c28c4

SHA1
f6db7bbbcb12b9960ecdb8caeae9cda2c381b2ee

SHA256
e4e011e17ae51e6b716480514564e0d51affb8210091e30a50cd137b24fedc2e

SHA512
3e01cd9dc9bb8bde4df8c092575c6e3917cd7c2d3d391f9a361a48fb7e516753e0967a2e5b702bec2139f0ec2c57cdebed588624ea5e08ea1ee829489d0e2a77

Download Submit
C:\Windows\SysWOW64\wqvxye.exe

Filesize
107KB

MD5
13e2ed49e877046da25ea4cc3e81eea3

SHA1
09d7d486472de5f2925d198b6c7446b36ebbcf8b

SHA256
6fb998e598450d652dea33457ba54c359a772059c72e1e83f47874aa86e4fe5b

SHA512
70e7a1df870d322a4e1e900e5088265d3e54373935f14f7fca54e027fb33d6649ab965de2b6049f09a9559cbaacbe8a53ee65f9a2e71d39b249ed1f034e1b0b5

Download Submit
C:\Windows\SysWOW64\wrpegdq.exe

Filesize
107KB

MD5
d7edcae16c80dbb06a61696e91e5bb99

SHA1
b62423df20c4b74c29d816466b1e52fd5a1389f3

SHA256
88b3d8b27e61bb4817df194e93b10a4808966a8ad20c50b2003851c250135c9c

SHA512
12a93e106bfb90b838942e7f182ae25a64054a08a40d980d86e432d1955759fe539dfab6b61c43899eb55748a0fbf313eb136750ff28f753ecedd00425ef4c05

Download Submit
C:\Windows\SysWOW64\wsx.exe

Filesize
107KB

MD5
31fb1c8a4bda241ed9b77e6d7802aaa3

SHA1
a3d380aa3812e1c685b865c5a9e7bc23ab66401f

SHA256
f076df891c71395d5e61c48e475a928ea4cf2ff40699cd3eb7840cb7150a3ccf

SHA512
5cfb7b91df2dcf81b0491da7e4335af850f6021e2e07dcf7a68644567fd37c5fb80d26c668c8a0e5de85e301e36d9d875cecc2cb0ff283c01d1db72d1bdbb8f6

Download Submit
C:\Windows\SysWOW64\wurc.exe

Filesize
108KB

MD5
f72211fe4be0247f0be73513da0b32bb

SHA1
99814e613af35f89481d0f641d21964a5ec46d04

SHA256
600b675cc883fb7bae804d8ca94a3e42e918428792804e21f37cf3f14117125b

SHA512
461884cdca7a30554128d137af0766ead660681c175e062560a6379b0187cfb5e5211a0586ba169e10d45f58a0c6028fbb5c9d15d852a163aa02b7cfeec75c56

Download Submit
C:\Windows\SysWOW64\wwlyokxs.exe

Filesize
108KB

MD5
3df4e1aa9298aa7ed524583abe2d9dc1

SHA1
907c1d775200ff7542cdd68984d5bbd718104a58

SHA256
4a9e1d16d0a74de17bba490697dbb673ba06a9b7df7de0c81ed6c79fec757b53

SHA512
38402fa1419f1f01702774b5faf40d40957373faebb0cdc462925c1de0e9cb3e9310b376fe06d69f6313fef17a6c95c5b1982da7249b797d9b866ed7d2fc81af

Download Submit
C:\Windows\SysWOW64\wxjtxcu.exe

Filesize
107KB

MD5
021d00061352f24a734695a3017df0a7

SHA1
67561c8491973d2a88b08eef4ed3542670675e42

SHA256
968e0e23e26980e4c00a32134e10847e102198b52771424842f66aecb6615bd3

SHA512
dedba3f0eedd11af8c20a6241dd109dce51688385034f8ff349f29a24c23f9a35ba141c63dae8f9efc3480ebaece702734575a565d2756cb22ef07b10cd5ffb7

Download Submit
C:\Windows\SysWOW64\wxljuxnd.exe

Filesize
108KB

MD5
75e065a3ea6816b228a18bcba791326c

SHA1
56f3b144e03593785ad8344097a82dede900e67b

SHA256
933c664828f2cda24b0d90699d0c9f778155622991ae427413c3d0354ea8436d

SHA512
15124fcc8ff47b6b411b744ec1d48d5c527f49c152230f85b014b1646d4478f4e1807302db322dd198c11e294c604065b910bf6c1b3f1d8e73d40dbbb6293884

Download Submit
C:\Windows\SysWOW64\wxoymh.exe

Filesize
107KB

MD5
1c59394d89095ced7f89c88b9a26460d

SHA1
07dfe30cf4e656cea67ef0e0040275792b4ee73d

SHA256
b3be9324d924ddcd51c1964ea9f12b418d43cdad465188d6e1f2add7a241a710

SHA512
54f9c168b83770e0b1391acf515b4e3bce6e78a5a4acd565f131929eb059c5cfcefe8bca908b9fe0c20c9c844018e92db1b5eb58e7c6cb9fd0ef214332db46d5

Download Submit
C:\Windows\SysWOW64\wyg.exe

Filesize
107KB

MD5
241e7603b957c993ce974042faab6614

SHA1
b86f08500ce07b4cd8ff6f9bb2ed15ed143668e1

SHA256
8d802d21b9ab1a2e64aca4dd262a20d2f37810a7f02949059b009dd848c239ad

SHA512
bed9b7b5479872632c15f48b819adb12efa2d2c618cab4b8317671dbccd66ece4f61e0f63a41574f0f7152cf08d548d26ded19fec3a5bcb7593013c67791b35a

Download Submit
C:\Windows\SysWOW64\wyud.exe

Filesize
107KB

MD5
a246b00b67e79fc3285c09d38d71390f

SHA1
6144d680c7401ac7f6a4023e443ea275029886da

SHA256
e74350f6b43db712fd1ff689f1fbd7aa4de8623f12ce983d8ecb2db68f25ffd6

SHA512
556138b1720c0bed960b352ae59eedfcd6cff35051fc191cff9ac1a3116c68f9e96714946e3c559632fa212b73bf2dfe5b3ab9b38c36bb92d35da76739bbfe5e

Download Submit
memory/228-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/320-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/380-283-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/564-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/568-473-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/880-324-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/888-523-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/948-169-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1028-844-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1072-573-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1084-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1136-640-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1172-817-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1300-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1412-464-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1416-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1576-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-514-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1596-790-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-683-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1712-498-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1728-826-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1868-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1868-691-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1900-438-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1988-835-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-607-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-455-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-86-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-884-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2312-860-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2316-852-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2368-724-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2624-699-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2800-117-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2812-353-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2936-674-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3056-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3220-590-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-782-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3240-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3252-774-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3256-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3260-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3260-447-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3280-740-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3288-379-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3332-732-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3404-599-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3448-490-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3488-547-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3508-564-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3520-232-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3600-412-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3624-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3628-179-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3652-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3672-371-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3704-531-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3832-96-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3920-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3920-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3920-707-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3976-766-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3992-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4028-808-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4036-631-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4040-716-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4060-868-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4068-658-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4076-555-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4156-420-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4160-482-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4224-581-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4224-253-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4280-623-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4316-749-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4316-649-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4428-539-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-513-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4552-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4584-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4620-387-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4764-758-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4788-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-799-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4824-189-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4872-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4880-876-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4976-666-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5068-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5096-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-395-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download