1c4e3fe2b33c66d0ff8e3375958b9c3c6df2fb43f133fb1e72803a69dd626dfc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
Size

261KB
MD5

9ef5bdc61586c73eb4f775ab3bb16c9c
SHA1

f9794ce350f231c5dc20c40a255128bc3147a76c
SHA256

1c4e3fe2b33c66d0ff8e3375958b9c3c6df2fb43f133fb1e72803a69dd626dfc
SHA512

90a92f1381ae5a408e84685e96269100e35884fbd39deb5028e97c1b5888e0f072a38104350c09790220aa6571603b7b69dc2997e6dfe873bbe495e714047145
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuc:ZY7xh6SZI4z7FSVpuc

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wedtfy.exewxcchvg.exewswjok.exewtoj.exewmsd.exewchei.exewpofn.exewqfj.exewgacqmj.exewuk.exewanfkdfmv.exewlcy.exewigbsmgv.exewvysyytr.exewkqql.exewwwns.exewgtdilji.exewqno.exewaggbkjod.exewhdapkmx.exewdefdxtuv.exewtroikr.exewsca.exewgqlmmoa.exewbeoip.exewbdua.exewrlhqpw.exewprqlm.exewfsn.exewvmiiearp.exewchxpsty.exewchjrdet.exewdfttbxxe.exewelrxjdr.exewcmhicj.exewod.exewlrjlvfjt.exewxv.exewvkl.exewbacwi.exewxlgc.exewwik.exewovbk.exewhkyo.exewexjwxq.exewdgoan.exewvtcmwu.exewcgh.exewccdye.exe9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exewhvhk.exewtdmqbb.exewohlfiv.exewtciri.exewjeuyjmc.exewvgvbk.exewpci.exewkymlrr.exewsnl.exewpwyx.exewjrcpt.exewyggv.exewrotsd.exewvu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wedtfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxcchvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wswjok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtoj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wmsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wchei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wpofn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wqfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wgacqmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wanfkdfmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wlcy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wigbsmgv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvysyytr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wkqql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwwns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wgtdilji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wqno.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	waggbkjod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	whdapkmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wdefdxtuv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtroikr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wsca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wgqlmmoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbeoip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbdua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wrlhqpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wprqlm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wfsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvmiiearp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wchxpsty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wchjrdet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wdfttbxxe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	welrxjdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wcmhicj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wlrjlvfjt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvkl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wbacwi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wxlgc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wwik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wovbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	whkyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wexjwxq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wdgoan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvtcmwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wcgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wccdye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	whvhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtdmqbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wohlfiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wtciri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wjeuyjmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvgvbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wpci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wkymlrr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wsnl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wpwyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wjrcpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wyggv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wrotsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wvu.exe

Executes dropped EXE 64 IoCs

Processes:

wjkhb.exewljetucm.exewkymlrr.exewtfpkt.exewigbsmgv.exewtciri.exewhdubcj.exewugndveih.exewfwtow.exewnbqbay.exewphrw.exewhvtwduxk.exewskxjdwmj.exewllgjnus.exewiiyik.exewwik.exewiypdb.exewovbk.exewhvhk.exewrsoip.exewiuuk.exewtdmqbb.exewhkyo.exewgm.exewvmiiearp.exewolqiowy.exewohlfiv.exewlqa.exewsdbeoe.exewchxpsty.exewmefo.exewchjrdet.exewjeuyjmc.exewhdapkmx.exewdcrphn.exewcmg.exewexjwxq.exewsnl.exewpwyx.exewvysyytr.exewqiix.exewkqql.exewncv.exewkba.exewkoiet.exewedtfy.exewnkl.exewdgoan.exewod.exewbacwi.exewkwjugc.exewpalprq.exewrakxks.exewvtcmwu.exewyggv.exewdefdxtuv.exewgqlmmoa.exewieoua.exewqilgdy.exewuvqq.exewfrwoq.exewpofn.exewbwvtl.exewcgh.exe

pid	process
3408	wjkhb.exe
3604	wljetucm.exe
3400	wkymlrr.exe
1680	wtfpkt.exe
376	wigbsmgv.exe
2964	wtciri.exe
3204	whdubcj.exe
2036	wugndveih.exe
2660	wfwtow.exe
5100	wnbqbay.exe
1760	wphrw.exe
3604	whvtwduxk.exe
4552	wskxjdwmj.exe
4860	wllgjnus.exe
3976	wiiyik.exe
880	wwik.exe
4472	wiypdb.exe
1480	wovbk.exe
2276	whvhk.exe
1924	wrsoip.exe
2000	wiuuk.exe
1632	wtdmqbb.exe
184	whkyo.exe
376	wgm.exe
4840	wvmiiearp.exe
2944	wolqiowy.exe
880	wohlfiv.exe
3376	wlqa.exe
4424	wsdbeoe.exe
4496	wchxpsty.exe
3864	wmefo.exe
3620	wchjrdet.exe
3240	wjeuyjmc.exe
3804	whdapkmx.exe
2336	wdcrphn.exe
1288	wcmg.exe
1428	wexjwxq.exe
4184	wsnl.exe
4436	wpwyx.exe
1924	wvysyytr.exe
5044	wqiix.exe
1472	wkqql.exe
636	wncv.exe
2856	wkba.exe
1188	wkoiet.exe
876	wedtfy.exe
316	wnkl.exe
508	wdgoan.exe
2400	wod.exe
3372	wbacwi.exe
1484	wkwjugc.exe
4688	wpalprq.exe
512	wrakxks.exe
4860	wvtcmwu.exe
2964	wyggv.exe
3432	wdefdxtuv.exe
644	wgqlmmoa.exe
2644	wieoua.exe
3420	wqilgdy.exe
1780	wuvqq.exe
5028	wfrwoq.exe
1556	wpofn.exe
3520	wbwvtl.exe
528	wcgh.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

Processes:

wkwjugc.exewcgh.exewpci.exewhvtwduxk.exewovbk.exewvu.exewxh.exewgacqmj.exewvkrb.exewgm.exewvmiiearp.exewprqlm.exewohlfiv.exewfsn.exewuk.exewxbsf.exewelrxjdr.exewiypdb.exewolqiowy.exewvtcmwu.exewieoua.exewljetucm.exewiiyik.exewfpskff.exewncv.exewypvhhmhe.exewvieaqk.exewiahjhh.exewlnl.exewkymlrr.exewexjwxq.exewqiix.exewbacwi.exewncan.exewlhx.exewtvuko.exewyy.exewmsxws.exewtfpkt.exewhdubcj.exewanykjrt.exewnbqbay.exewnkl.exewbtnbjc.exewwik.exewrkv.exewqpnva.exewnvw.exewghvd.exewqpake.exewkoiet.exewuh.exewcmhicj.exewhdapkmx.exewpofn.exewrlhqpw.exewds.exewjeuyjmc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wpalprq.exe	wkwjugc.exe
File opened for modification	C:\Windows\SysWOW64\wypvhhmhe.exe	wcgh.exe
File created	C:\Windows\SysWOW64\wxwvvcgt.exe	wpci.exe
File opened for modification	C:\Windows\SysWOW64\wskxjdwmj.exe	whvtwduxk.exe
File opened for modification	C:\Windows\SysWOW64\whvhk.exe	wovbk.exe
File created	C:\Windows\SysWOW64\wsca.exe	wvu.exe
File opened for modification	C:\Windows\SysWOW64\wxbsf.exe	wxh.exe
File opened for modification	C:\Windows\SysWOW64\wswjok.exe	wgacqmj.exe
File opened for modification	C:\Windows\SysWOW64\wywv.exe	wvkrb.exe
File created	C:\Windows\SysWOW64\wskxjdwmj.exe	whvtwduxk.exe
File created	C:\Windows\SysWOW64\wvmiiearp.exe	wgm.exe
File opened for modification	C:\Windows\SysWOW64\wolqiowy.exe	wvmiiearp.exe
File opened for modification	C:\Windows\SysWOW64\wanykjrt.exe	wprqlm.exe
File opened for modification	C:\Windows\SysWOW64\wlqa.exe	wohlfiv.exe
File created	C:\Windows\SysWOW64\wyy.exe	wfsn.exe
File opened for modification	C:\Windows\SysWOW64\wqfcp.exe	wuk.exe
File created	C:\Windows\SysWOW64\wqfj.exe	wxbsf.exe
File opened for modification	C:\Windows\SysWOW64\wqpake.exe	welrxjdr.exe
File opened for modification	C:\Windows\SysWOW64\wovbk.exe	wiypdb.exe
File opened for modification	C:\Windows\SysWOW64\wohlfiv.exe	wolqiowy.exe
File opened for modification	C:\Windows\SysWOW64\wyggv.exe	wvtcmwu.exe
File opened for modification	C:\Windows\SysWOW64\wqilgdy.exe	wieoua.exe
File created	C:\Windows\SysWOW64\wkymlrr.exe	wljetucm.exe
File opened for modification	C:\Windows\SysWOW64\wwik.exe	wiiyik.exe
File opened for modification	C:\Windows\SysWOW64\wgae.exe	wfpskff.exe
File created	C:\Windows\SysWOW64\wkba.exe	wncv.exe
File created	C:\Windows\SysWOW64\wxsssc.exe	wypvhhmhe.exe
File opened for modification	C:\Windows\SysWOW64\wuk.exe	wvieaqk.exe
File created	C:\Windows\SysWOW64\wmsxws.exe	wiahjhh.exe
File opened for modification	C:\Windows\SysWOW64\wrkv.exe	wlnl.exe
File created	C:\Windows\SysWOW64\wtfpkt.exe	wkymlrr.exe
File opened for modification	C:\Windows\SysWOW64\wsnl.exe	wexjwxq.exe
File opened for modification	C:\Windows\SysWOW64\wkqql.exe	wqiix.exe
File opened for modification	C:\Windows\SysWOW64\wkwjugc.exe	wbacwi.exe
File opened for modification	C:\Windows\SysWOW64\wwwns.exe	wncan.exe
File opened for modification	C:\Windows\SysWOW64\wlrjlvfjt.exe	wlhx.exe
File opened for modification	C:\Windows\SysWOW64\wgtdilji.exe	wtvuko.exe
File created	C:\Windows\SysWOW64\wxlgc.exe	wyy.exe
File opened for modification	C:\Windows\SysWOW64\wjrcpt.exe	wmsxws.exe
File opened for modification	C:\Windows\SysWOW64\wxwvvcgt.exe	wpci.exe
File opened for modification	C:\Windows\SysWOW64\wigbsmgv.exe	wtfpkt.exe
File opened for modification	C:\Windows\SysWOW64\wugndveih.exe	whdubcj.exe
File created	C:\Windows\SysWOW64\wkqql.exe	wqiix.exe
File opened for modification	C:\Windows\SysWOW64\wapvv.exe	wanykjrt.exe
File created	C:\Windows\SysWOW64\wphrw.exe	wnbqbay.exe
File opened for modification	C:\Windows\SysWOW64\wvmiiearp.exe	wgm.exe
File created	C:\Windows\SysWOW64\wdgoan.exe	wnkl.exe
File opened for modification	C:\Windows\SysWOW64\wyy.exe	wfsn.exe
File created	C:\Windows\SysWOW64\wbphxc.exe	wbtnbjc.exe
File created	C:\Windows\SysWOW64\wiypdb.exe	wwik.exe
File created	C:\Windows\SysWOW64\wds.exe	wrkv.exe
File created	C:\Windows\SysWOW64\wlcy.exe	wqpnva.exe
File created	C:\Windows\SysWOW64\wohlfiv.exe	wolqiowy.exe
File opened for modification	C:\Windows\SysWOW64\wprqlm.exe	wnvw.exe
File opened for modification	C:\Windows\SysWOW64\wtoj.exe	wghvd.exe
File opened for modification	C:\Windows\SysWOW64\wcmhicj.exe	wqpake.exe
File opened for modification	C:\Windows\SysWOW64\wedtfy.exe	wkoiet.exe
File opened for modification	C:\Windows\SysWOW64\welrxjdr.exe	wuh.exe
File created	C:\Windows\SysWOW64\wiahjhh.exe	wcmhicj.exe
File opened for modification	C:\Windows\SysWOW64\wdcrphn.exe	whdapkmx.exe
File opened for modification	C:\Windows\SysWOW64\wbwvtl.exe	wpofn.exe
File created	C:\Windows\SysWOW64\wnvw.exe	wrlhqpw.exe
File opened for modification	C:\Windows\SysWOW64\wednyxec.exe	wds.exe
File opened for modification	C:\Windows\SysWOW64\whdapkmx.exe	wjeuyjmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3000	3204	WerFault.exe	whdubcj.exe
3064	3204	WerFault.exe	whdubcj.exe
1920	3604	WerFault.exe	whvtwduxk.exe
1852	4424	WerFault.exe	wsdbeoe.exe
2824	3620	WerFault.exe	wchjrdet.exe
4816	3240	WerFault.exe	wjeuyjmc.exe
4160	3240	WerFault.exe	wjeuyjmc.exe
976	1036	WerFault.exe	wypvhhmhe.exe
532	1036	WerFault.exe	wypvhhmhe.exe
1404	2384	WerFault.exe	wncan.exe
3844	4140	WerFault.exe	wkxnhk.exe
4364	4948	WerFault.exe	wanfkdfmv.exe
1148	1852	WerFault.exe	wmgogw.exe
404	3368	WerFault.exe	wmsxws.exe
876	4616	WerFault.exe	wlcy.exe
2336	2880	WerFault.exe	wywv.exe
3448	4400	WerFault.exe	wxwvvcgt.exe
4936	4400	WerFault.exe	wxwvvcgt.exe
2780	3064	WerFault.exe	wpioitt.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exewednyxec.execmd.exewbdua.execmd.exewvkl.exewvgvbk.execmd.exewxv.execmd.exewiuuk.execmd.exewgqlmmoa.execmd.execmd.execmd.execmd.exewvysyytr.execmd.execmd.exewds.exewbeoip.execmd.execmd.execmd.exewgacqmj.exewhkyo.execmd.execmd.exewphrw.execmd.execmd.execmd.execmd.exewccdye.execmd.exewswjok.execmd.execmd.execmd.exewcmg.execmd.execmd.execmd.exewakrraw.execmd.execmd.execmd.execmd.execmd.exewbwvtl.exewwik.exewuh.execmd.exewjkhb.execmd.execmd.exewrkv.exewnvw.exewvkrb.execmd.execmd.exewkba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wednyxec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbdua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvgvbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiuuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgqlmmoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvysyytr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgacqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whkyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wphrw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wccdye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wswjok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wakrraw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbwvtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjkhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvkrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkba.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exewjkhb.exewljetucm.exewkymlrr.exewtfpkt.exewigbsmgv.exewtciri.exewhdubcj.exewugndveih.exewfwtow.exewnbqbay.exe

description	pid	process	target process
PID 4556 wrote to memory of 3408	4556	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wjkhb.exe
PID 4556 wrote to memory of 3408	4556	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wjkhb.exe
PID 4556 wrote to memory of 3408	4556	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wjkhb.exe
PID 4556 wrote to memory of 4680	4556	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 4556 wrote to memory of 4680	4556	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 4556 wrote to memory of 4680	4556	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 3408 wrote to memory of 3604	3408	wjkhb.exe	wljetucm.exe
PID 3408 wrote to memory of 3604	3408	wjkhb.exe	wljetucm.exe
PID 3408 wrote to memory of 3604	3408	wjkhb.exe	wljetucm.exe
PID 3408 wrote to memory of 3636	3408	wjkhb.exe	cmd.exe
PID 3408 wrote to memory of 3636	3408	wjkhb.exe	cmd.exe
PID 3408 wrote to memory of 3636	3408	wjkhb.exe	cmd.exe
PID 3604 wrote to memory of 3400	3604	wljetucm.exe	wkymlrr.exe
PID 3604 wrote to memory of 3400	3604	wljetucm.exe	wkymlrr.exe
PID 3604 wrote to memory of 3400	3604	wljetucm.exe	wkymlrr.exe
PID 3604 wrote to memory of 1912	3604	wljetucm.exe	cmd.exe
PID 3604 wrote to memory of 1912	3604	wljetucm.exe	cmd.exe
PID 3604 wrote to memory of 1912	3604	wljetucm.exe	cmd.exe
PID 3400 wrote to memory of 1680	3400	wkymlrr.exe	wtfpkt.exe
PID 3400 wrote to memory of 1680	3400	wkymlrr.exe	wtfpkt.exe
PID 3400 wrote to memory of 1680	3400	wkymlrr.exe	wtfpkt.exe
PID 3400 wrote to memory of 3364	3400	wkymlrr.exe	cmd.exe
PID 3400 wrote to memory of 3364	3400	wkymlrr.exe	cmd.exe
PID 3400 wrote to memory of 3364	3400	wkymlrr.exe	cmd.exe
PID 1680 wrote to memory of 376	1680	wtfpkt.exe	wigbsmgv.exe
PID 1680 wrote to memory of 376	1680	wtfpkt.exe	wigbsmgv.exe
PID 1680 wrote to memory of 376	1680	wtfpkt.exe	wigbsmgv.exe
PID 1680 wrote to memory of 4844	1680	wtfpkt.exe	cmd.exe
PID 1680 wrote to memory of 4844	1680	wtfpkt.exe	cmd.exe
PID 1680 wrote to memory of 4844	1680	wtfpkt.exe	cmd.exe
PID 376 wrote to memory of 2964	376	wigbsmgv.exe	wtciri.exe
PID 376 wrote to memory of 2964	376	wigbsmgv.exe	wtciri.exe
PID 376 wrote to memory of 2964	376	wigbsmgv.exe	wtciri.exe
PID 376 wrote to memory of 2512	376	wigbsmgv.exe	cmd.exe
PID 376 wrote to memory of 2512	376	wigbsmgv.exe	cmd.exe
PID 376 wrote to memory of 2512	376	wigbsmgv.exe	cmd.exe
PID 2964 wrote to memory of 3204	2964	wtciri.exe	whdubcj.exe
PID 2964 wrote to memory of 3204	2964	wtciri.exe	whdubcj.exe
PID 2964 wrote to memory of 3204	2964	wtciri.exe	whdubcj.exe
PID 2964 wrote to memory of 4416	2964	wtciri.exe	cmd.exe
PID 2964 wrote to memory of 4416	2964	wtciri.exe	cmd.exe
PID 2964 wrote to memory of 4416	2964	wtciri.exe	cmd.exe
PID 3204 wrote to memory of 2036	3204	whdubcj.exe	wugndveih.exe
PID 3204 wrote to memory of 2036	3204	whdubcj.exe	wugndveih.exe
PID 3204 wrote to memory of 2036	3204	whdubcj.exe	wugndveih.exe
PID 3204 wrote to memory of 3780	3204	whdubcj.exe	cmd.exe
PID 3204 wrote to memory of 3780	3204	whdubcj.exe	cmd.exe
PID 3204 wrote to memory of 3780	3204	whdubcj.exe	cmd.exe
PID 2036 wrote to memory of 2660	2036	wugndveih.exe	wfwtow.exe
PID 2036 wrote to memory of 2660	2036	wugndveih.exe	wfwtow.exe
PID 2036 wrote to memory of 2660	2036	wugndveih.exe	wfwtow.exe
PID 2036 wrote to memory of 1384	2036	wugndveih.exe	cmd.exe
PID 2036 wrote to memory of 1384	2036	wugndveih.exe	cmd.exe
PID 2036 wrote to memory of 1384	2036	wugndveih.exe	cmd.exe
PID 2660 wrote to memory of 5100	2660	wfwtow.exe	wnbqbay.exe
PID 2660 wrote to memory of 5100	2660	wfwtow.exe	wnbqbay.exe
PID 2660 wrote to memory of 5100	2660	wfwtow.exe	wnbqbay.exe
PID 2660 wrote to memory of 2636	2660	wfwtow.exe	cmd.exe
PID 2660 wrote to memory of 2636	2660	wfwtow.exe	cmd.exe
PID 2660 wrote to memory of 2636	2660	wfwtow.exe	cmd.exe
PID 5100 wrote to memory of 1760	5100	wnbqbay.exe	wphrw.exe
PID 5100 wrote to memory of 1760	5100	wnbqbay.exe	wphrw.exe
PID 5100 wrote to memory of 1760	5100	wnbqbay.exe	wphrw.exe
PID 5100 wrote to memory of 3632	5100	wnbqbay.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\wjkhb.exe
  "C:\Windows\system32\wjkhb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SysWOW64\wljetucm.exe
    "C:\Windows\system32\wljetucm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\wkymlrr.exe
      "C:\Windows\system32\wkymlrr.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\SysWOW64\wtfpkt.exe
        
        "C:\Windows\system32\wtfpkt.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\wigbsmgv.exe
        
        "C:\Windows\system32\wigbsmgv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\wtciri.exe
        
        "C:\Windows\system32\wtciri.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\whdubcj.exe
        
        "C:\Windows\system32\whdubcj.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\wugndveih.exe
        
        "C:\Windows\system32\wugndveih.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\wfwtow.exe
        
        "C:\Windows\system32\wfwtow.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\wnbqbay.exe
        
        "C:\Windows\system32\wnbqbay.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\wphrw.exe
        
        "C:\Windows\system32\wphrw.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\whvtwduxk.exe
        
        "C:\Windows\system32\whvtwduxk.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\wskxjdwmj.exe
        
        "C:\Windows\system32\wskxjdwmj.exe"
        14⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\wllgjnus.exe
        
        "C:\Windows\system32\wllgjnus.exe"
        15⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\wiiyik.exe
        
        "C:\Windows\system32\wiiyik.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\wwik.exe
        
        "C:\Windows\system32\wwik.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\wiypdb.exe
        
        "C:\Windows\system32\wiypdb.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\wovbk.exe
        
        "C:\Windows\system32\wovbk.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\whvhk.exe
        
        "C:\Windows\system32\whvhk.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\wrsoip.exe
        
        "C:\Windows\system32\wrsoip.exe"
        21⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\wiuuk.exe
        
        "C:\Windows\system32\wiuuk.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\wtdmqbb.exe
        
        "C:\Windows\system32\wtdmqbb.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\whkyo.exe
        
        "C:\Windows\system32\whkyo.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\wgm.exe
        
        "C:\Windows\system32\wgm.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\wvmiiearp.exe
        
        "C:\Windows\system32\wvmiiearp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\wolqiowy.exe
        
        "C:\Windows\system32\wolqiowy.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\wohlfiv.exe
        
        "C:\Windows\system32\wohlfiv.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\wlqa.exe
        
        "C:\Windows\system32\wlqa.exe"
        29⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\wsdbeoe.exe
        
        "C:\Windows\system32\wsdbeoe.exe"
        30⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\wchxpsty.exe
        
        "C:\Windows\system32\wchxpsty.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\wmefo.exe
        
        "C:\Windows\system32\wmefo.exe"
        32⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\wchjrdet.exe
        
        "C:\Windows\system32\wchjrdet.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\wjeuyjmc.exe
        
        "C:\Windows\system32\wjeuyjmc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\whdapkmx.exe
        
        "C:\Windows\system32\whdapkmx.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\wdcrphn.exe
        
        "C:\Windows\system32\wdcrphn.exe"
        36⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\wcmg.exe
        
        "C:\Windows\system32\wcmg.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\wexjwxq.exe
        
        "C:\Windows\system32\wexjwxq.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wsnl.exe
        
        "C:\Windows\system32\wsnl.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\wpwyx.exe
        
        "C:\Windows\system32\wpwyx.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\wvysyytr.exe
        
        "C:\Windows\system32\wvysyytr.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\wqiix.exe
        
        "C:\Windows\system32\wqiix.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\wkqql.exe
        
        "C:\Windows\system32\wkqql.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\wncv.exe
        
        "C:\Windows\system32\wncv.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\wkba.exe
        
        "C:\Windows\system32\wkba.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\wkoiet.exe
        
        "C:\Windows\system32\wkoiet.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\wedtfy.exe
        
        "C:\Windows\system32\wedtfy.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\wnkl.exe
        
        "C:\Windows\system32\wnkl.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\wdgoan.exe
        
        "C:\Windows\system32\wdgoan.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:508
        
        C:\Windows\SysWOW64\wod.exe
        
        "C:\Windows\system32\wod.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\wbacwi.exe
        
        "C:\Windows\system32\wbacwi.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\wkwjugc.exe
        
        "C:\Windows\system32\wkwjugc.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\wpalprq.exe
        
        "C:\Windows\system32\wpalprq.exe"
        53⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\wrakxks.exe
        
        "C:\Windows\system32\wrakxks.exe"
        54⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\wvtcmwu.exe
        
        "C:\Windows\system32\wvtcmwu.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\wyggv.exe
        
        "C:\Windows\system32\wyggv.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\wdefdxtuv.exe
        
        "C:\Windows\system32\wdefdxtuv.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\wgqlmmoa.exe
        
        "C:\Windows\system32\wgqlmmoa.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\wieoua.exe
        
        "C:\Windows\system32\wieoua.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\wqilgdy.exe
        
        "C:\Windows\system32\wqilgdy.exe"
        60⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\wuvqq.exe
        
        "C:\Windows\system32\wuvqq.exe"
        61⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\wfrwoq.exe
        
        "C:\Windows\system32\wfrwoq.exe"
        62⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\wpofn.exe
        
        "C:\Windows\system32\wpofn.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wbwvtl.exe
        
        "C:\Windows\system32\wbwvtl.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\wcgh.exe
        
        "C:\Windows\system32\wcgh.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\wypvhhmhe.exe
        
        "C:\Windows\system32\wypvhhmhe.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\wxsssc.exe
        
        "C:\Windows\system32\wxsssc.exe"
        67⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\wxcchvg.exe
        
        "C:\Windows\system32\wxcchvg.exe"
        68⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Windows\SysWOW64\wjwkgsrh.exe
        
        "C:\Windows\system32\wjwkgsrh.exe"
        69⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\wdfttbxxe.exe
        
        "C:\Windows\system32\wdfttbxxe.exe"
        70⤵
        Checks computer location settings
        
        PID:3636
        
        C:\Windows\SysWOW64\wrlhqpw.exe
        
        "C:\Windows\system32\wrlhqpw.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\wnvw.exe
        
        "C:\Windows\system32\wnvw.exe"
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\wprqlm.exe
        
        "C:\Windows\system32\wprqlm.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\wanykjrt.exe
        
        "C:\Windows\system32\wanykjrt.exe"
        74⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\wapvv.exe
        
        "C:\Windows\system32\wapvv.exe"
        75⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\wakrraw.exe
        
        "C:\Windows\system32\wakrraw.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\wncan.exe
        
        "C:\Windows\system32\wncan.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\wwwns.exe
        
        "C:\Windows\system32\wwwns.exe"
        78⤵
        Checks computer location settings
        
        PID:668
        
        C:\Windows\SysWOW64\wxh.exe
        
        "C:\Windows\system32\wxh.exe"
        79⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\wxbsf.exe
        
        "C:\Windows\system32\wxbsf.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wqfj.exe
        
        "C:\Windows\system32\wqfj.exe"
        81⤵
        Checks computer location settings
        
        PID:1384
        
        C:\Windows\SysWOW64\wtroikr.exe
        
        "C:\Windows\system32\wtroikr.exe"
        82⤵
        Checks computer location settings
        
        PID:2132
        
        C:\Windows\SysWOW64\wbeoip.exe
        
        "C:\Windows\system32\wbeoip.exe"
        83⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\wccdye.exe
        
        "C:\Windows\system32\wccdye.exe"
        84⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\wkxnhk.exe
        
        "C:\Windows\system32\wkxnhk.exe"
        85⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\wlhx.exe
        
        "C:\Windows\system32\wlhx.exe"
        86⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\wlrjlvfjt.exe
        
        "C:\Windows\system32\wlrjlvfjt.exe"
        87⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\SysWOW64\wrotsd.exe
        
        "C:\Windows\system32\wrotsd.exe"
        88⤵
        Checks computer location settings
        
        PID:856
        
        C:\Windows\SysWOW64\wfsn.exe
        
        "C:\Windows\system32\wfsn.exe"
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\wyy.exe
        
        "C:\Windows\system32\wyy.exe"
        90⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\wxlgc.exe
        
        "C:\Windows\system32\wxlgc.exe"
        91⤵
        Checks computer location settings
        
        PID:2308
        
        C:\Windows\SysWOW64\wxv.exe
        
        "C:\Windows\system32\wxv.exe"
        92⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\wvu.exe
        
        "C:\Windows\system32\wvu.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wsca.exe
        
        "C:\Windows\system32\wsca.exe"
        94⤵
        Checks computer location settings
        
        PID:1384
        
        C:\Windows\SysWOW64\wtvuko.exe
        
        "C:\Windows\system32\wtvuko.exe"
        95⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wgtdilji.exe
        
        "C:\Windows\system32\wgtdilji.exe"
        96⤵
        Checks computer location settings
        
        PID:2024
        
        C:\Windows\SysWOW64\wxvsdyi.exe
        
        "C:\Windows\system32\wxvsdyi.exe"
        97⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\wds.exe
        
        "C:\Windows\system32\wds.exe"
        98⤵
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\wednyxec.exe
        
        "C:\Windows\system32\wednyxec.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\wgacqmj.exe
        
        "C:\Windows\system32\wgacqmj.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\wswjok.exe
        
        "C:\Windows\system32\wswjok.exe"
        101⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\wfpskff.exe
        
        "C:\Windows\system32\wfpskff.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\wgae.exe
        
        "C:\Windows\system32\wgae.exe"
        103⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\wdoascgqt.exe
        
        "C:\Windows\system32\wdoascgqt.exe"
        104⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\wanfkdfmv.exe
        
        "C:\Windows\system32\wanfkdfmv.exe"
        105⤵
        Checks computer location settings
        
        PID:4948
        
        C:\Windows\SysWOW64\wmgogw.exe
        
        "C:\Windows\system32\wmgogw.exe"
        106⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\wvkl.exe
        
        "C:\Windows\system32\wvkl.exe"
        107⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\wqno.exe
        
        "C:\Windows\system32\wqno.exe"
        108⤵
        Checks computer location settings
        
        PID:4640
        
        C:\Windows\SysWOW64\wvieaqk.exe
        
        "C:\Windows\system32\wvieaqk.exe"
        109⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\wuk.exe
        
        "C:\Windows\system32\wuk.exe"
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\wqfcp.exe
        
        "C:\Windows\system32\wqfcp.exe"
        111⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\woefi.exe
        
        "C:\Windows\system32\woefi.exe"
        112⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\wghvd.exe
        
        "C:\Windows\system32\wghvd.exe"
        113⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\wtoj.exe
        
        "C:\Windows\system32\wtoj.exe"
        114⤵
        Checks computer location settings
        
        PID:4232
        
        C:\Windows\SysWOW64\wvgvbk.exe
        
        "C:\Windows\system32\wvgvbk.exe"
        115⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\wuh.exe
        
        "C:\Windows\system32\wuh.exe"
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\welrxjdr.exe
        
        "C:\Windows\system32\welrxjdr.exe"
        117⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\wqpake.exe
        
        "C:\Windows\system32\wqpake.exe"
        118⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\wcmhicj.exe
        
        "C:\Windows\system32\wcmhicj.exe"
        119⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\wiahjhh.exe
        
        "C:\Windows\system32\wiahjhh.exe"
        120⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\wmsxws.exe
        
        "C:\Windows\system32\wmsxws.exe"
        121⤵
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\wjrcpt.exe
        
        "C:\Windows\system32\wjrcpt.exe"
        122⤵
        Checks computer location settings
        
        PID:448
        
        C:\Windows\SysWOW64\wqpnva.exe
        
        "C:\Windows\system32\wqpnva.exe"
        123⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\wlcy.exe
        
        "C:\Windows\system32\wlcy.exe"
        124⤵
        Checks computer location settings
        
        PID:4616
        
        C:\Windows\SysWOW64\wvkrb.exe
        
        "C:\Windows\system32\wvkrb.exe"
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\wywv.exe
        
        "C:\Windows\system32\wywv.exe"
        126⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\waggbkjod.exe
        
        "C:\Windows\system32\waggbkjod.exe"
        127⤵
        Checks computer location settings
        
        PID:4980
        
        C:\Windows\SysWOW64\wpci.exe
        
        "C:\Windows\system32\wpci.exe"
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wxwvvcgt.exe
        
        "C:\Windows\system32\wxwvvcgt.exe"
        129⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\wuhl.exe
        
        "C:\Windows\system32\wuhl.exe"
        130⤵
        
        PID:552
        
        C:\Windows\SysWOW64\wbdua.exe
        
        "C:\Windows\system32\wbdua.exe"
        131⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\wibgjq.exe
        
        "C:\Windows\system32\wibgjq.exe"
        132⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\wlnl.exe
        
        "C:\Windows\system32\wlnl.exe"
        133⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\wrkv.exe
        
        "C:\Windows\system32\wrkv.exe"
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\wds.exe
        
        "C:\Windows\system32\wds.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\woot.exe
        
        "C:\Windows\system32\woot.exe"
        136⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\wpyesafrp.exe
        
        "C:\Windows\system32\wpyesafrp.exe"
        137⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\wpioitt.exe
        
        "C:\Windows\system32\wpioitt.exe"
        138⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\wmsd.exe
        
        "C:\Windows\system32\wmsd.exe"
        139⤵
        Checks computer location settings
        
        PID:1640
        
        C:\Windows\SysWOW64\wchei.exe
        
        "C:\Windows\system32\wchei.exe"
        140⤵
        Checks computer location settings
        
        PID:4632
        
        C:\Windows\SysWOW64\wbtnbjc.exe
        
        "C:\Windows\system32\wbtnbjc.exe"
        141⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchei.exe"
        141⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsd.exe"
        140⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpioitt.exe"
        139⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1668
        139⤵
        Program crash
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyesafrp.exe"
        138⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woot.exe"
        137⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wds.exe"
        136⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkv.exe"
        135⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnl.exe"
        134⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibgjq.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdua.exe"
        132⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhl.exe"
        131⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwvvcgt.exe"
        130⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 116
        130⤵
        Program crash
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1536
        130⤵
        Program crash
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpci.exe"
        129⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waggbkjod.exe"
        128⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywv.exe"
        127⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1468
        127⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkrb.exe"
        126⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcy.exe"
        125⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1408
        125⤵
        Program crash
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpnva.exe"
        124⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrcpt.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsxws.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1328
        122⤵
        Program crash
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiahjhh.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmhicj.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpake.exe"
        119⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welrxjdr.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuh.exe"
        117⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgvbk.exe"
        116⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtoj.exe"
        115⤵
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghvd.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woefi.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfcp.exe"
        112⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuk.exe"
        111⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvieaqk.exe"
        110⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqno.exe"
        109⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkl.exe"
        108⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgogw.exe"
        107⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1628
        107⤵
        Program crash
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanfkdfmv.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 116
        106⤵
        Program crash
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoascgqt.exe"
        105⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgae.exe"
        104⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpskff.exe"
        103⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswjok.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgacqmj.exe"
        101⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wednyxec.exe"
        100⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wds.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvsdyi.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtdilji.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvuko.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsca.exe"
        95⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvu.exe"
        94⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxv.exe"
        93⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlgc.exe"
        92⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyy.exe"
        91⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsn.exe"
        90⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrotsd.exe"
        89⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrjlvfjt.exe"
        88⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhx.exe"
        87⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxnhk.exe"
        86⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1424
        86⤵
        Program crash
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccdye.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbeoip.exe"
        84⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtroikr.exe"
        83⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfj.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbsf.exe"
        81⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxh.exe"
        80⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwns.exe"
        79⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncan.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1676
        78⤵
        Program crash
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakrraw.exe"
        77⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapvv.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanykjrt.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprqlm.exe"
        74⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnvw.exe"
        73⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrlhqpw.exe"
        72⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfttbxxe.exe"
        71⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwkgsrh.exe"
        70⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcchvg.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsssc.exe"
        68⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypvhhmhe.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 116
        67⤵
        Program crash
        
        PID:976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1536
        67⤵
        Program crash
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgh.exe"
        66⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwvtl.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpofn.exe"
        64⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrwoq.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvqq.exe"
        62⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqilgdy.exe"
        61⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wieoua.exe"
        60⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqlmmoa.exe"
        59⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdefdxtuv.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyggv.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtcmwu.exe"
        56⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrakxks.exe"
        55⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpalprq.exe"
        54⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwjugc.exe"
        53⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbacwi.exe"
        52⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wod.exe"
        51⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdgoan.exe"
        50⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkl.exe"
        49⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedtfy.exe"
        48⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkoiet.exe"
        47⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkba.exe"
        46⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncv.exe"
        45⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqql.exe"
        44⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqiix.exe"
        43⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvysyytr.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwyx.exe"
        41⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnl.exe"
        40⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexjwxq.exe"
        39⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmg.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcrphn.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdapkmx.exe"
        36⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjeuyjmc.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1080
        35⤵
        Program crash
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1472
        35⤵
        Program crash
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchjrdet.exe"
        34⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1280
        34⤵
        Program crash
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmefo.exe"
        33⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchxpsty.exe"
        32⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdbeoe.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1368
        31⤵
        Program crash
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqa.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohlfiv.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolqiowy.exe"
        28⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmiiearp.exe"
        27⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgm.exe"
        26⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkyo.exe"
        25⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtdmqbb.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuuk.exe"
        23⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsoip.exe"
        22⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvhk.exe"
        21⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovbk.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiypdb.exe"
        19⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwik.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiyik.exe"
        17⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllgjnus.exe"
        16⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskxjdwmj.exe"
        15⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvtwduxk.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1420
        14⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphrw.exe"
        13⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbqbay.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwtow.exe"
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugndveih.exe"
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdubcj.exe"
        9⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 116
        9⤵
        Program crash
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1536
        9⤵
        Program crash
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtciri.exe"
        8⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigbsmgv.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfpkt.exe"
        6⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkymlrr.exe"
        5⤵
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljetucm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkhb.exe"
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe"
  2⤵
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3204 -ip 3204
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3204 -ip 3204
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3604 -ip 3604
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4424 -ip 4424
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3620 -ip 3620
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3240 -ip 3240
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3240 -ip 3240
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1036 -ip 1036
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1036 -ip 1036
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2384 -ip 2384
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4948 -ip 4948
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3368 -ip 3368
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4616 -ip 4616
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2880 -ip 2880
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4400 -ip 4400
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4400 -ip 4400
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3064 -ip 3064
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wchjrdet.exe

Filesize
262KB

MD5
e535f86d2449e666064e664eb208c401

SHA1
38195bad911dc6b450a32f312ecb04160231da26

SHA256
fa4db14e6c41b250de65bfd3bc0205901d28c6790122a98ebcfbdbaec265129d

SHA512
6e69b45e0dd50c3137d69565951ccc7aff65fab15531271a6fac97cdc8c8d831c1410381ec94867dcbb608663acbd4ff62e1a73a4de8d8973485bd25ca1e870c

Download Submit
C:\Windows\SysWOW64\wchxpsty.exe

Filesize
262KB

MD5
7b9ddf1c5a7d02eb846b1cf3dd3090ab

SHA1
0975589101b454bdad617e23a807b1da42b72395

SHA256
a5ccb77e2a41309e569b09939afb36df0f1cf4cf5bc10a6ae7c4bfdd2c0b5f6e

SHA512
62d86088fcddc3e07d3b5d20b5f527462bcc2a42d61949e3c60f22dbcffce24cb214c63a88a66fec266e1ff59d86b80058e608350f1652474216b98d30f92552

Download Submit
C:\Windows\SysWOW64\wfwtow.exe

Filesize
261KB

MD5
bfb6fdbd81d10a0b1b0efb4e602b4395

SHA1
b9bfca08f5a4558a9b09007028805b4b18fd4485

SHA256
c1753e74cb321428066cac0a747632b24de6b4cbdaf695b422217dc3c6b9148b

SHA512
a5df175f7d5fa2ade5741687060d327a03baaab93c3e30f564be82762c8f92200219d222dda1df96c0b6b1f7b3a9466e2ed99ec6393f60178969d3bfdbd966ba

Download Submit
C:\Windows\SysWOW64\wgm.exe

Filesize
262KB

MD5
2941fc9133f8ffcd53a8cc4ed6597eaa

SHA1
490f2e5b85afa81509fc01f4eb070efc02a76691

SHA256
a5ed469901c4ff841e344481ba9050e674e57d22223ccf8819cbcf1fa3f3dd66

SHA512
3a468ef3bec9e52edc8436af290301867988bc85ca3f97500faf9ae8629fe698750342daba7d4d4b36fca8164ed3db24f8db264d719626ce1f95bfb85cded151

Download Submit
C:\Windows\SysWOW64\whdubcj.exe

Filesize
261KB

MD5
80cc7ed1518ab6e7e7269e5a5a20e6c5

SHA1
c998b79c2c2696a3ad33cd2d4f352f324d727e34

SHA256
fdf31905ddbccf990954ebcc3715eb4d8a6c1fc4b234f7851cb06f435f6f5c09

SHA512
a0164ac8cc9a569721cf24cc7aa7d4bbde44189f2250ccc90891f775cda7a7df0b4b8d84052c19a8004217294faf4929057b3362a81eb0443c9f2bd16a40499c

Download Submit
C:\Windows\SysWOW64\whkyo.exe

Filesize
261KB

MD5
7c371ba3bf90a5960be4fcd0e3d9b32d

SHA1
0329ab3091fb731eacb95fdd565dca8c40e10679

SHA256
65b097b49b9d81ef225ed789c53d7e7c2a31211eeb728e0a9b3e96e96d6c6ebf

SHA512
92356197ab3fd954bb18210c4457c41d1a1e0555ddb0dca23018f5b9bc491e86041cba5a79c4b67cbd1b9b5a2ec71d41e62341cbb2f40cc7ac4989dd21cfe284

Download Submit
C:\Windows\SysWOW64\whvhk.exe

Filesize
261KB

MD5
f9bddf34c0f33bc7de5f2307d344f3ef

SHA1
657ae3077623f4f9b29622130ce5673130352df7

SHA256
e1f1156247b2cee3e46fd6d2de940d204cd96a004d325ddd1512cffae2fa3a51

SHA512
368681cf75ae85b8bd25a47de6da02a49b1a6b71b7d906a9deee5087e6a348f63f9636aa6fb0c51c004d7b13659a4d0e451f43513cc1d54f0d891d50c9235911

Download Submit
C:\Windows\SysWOW64\whvtwduxk.exe

Filesize
261KB

MD5
abb700b96ad09ec243dfb0fedd227367

SHA1
ff6c9c548f3a87c6501708573a6f88a268d0d420

SHA256
75609745d7082804447064cdffa0b5c392c0240265f1b3ef605c503c8fb01b80

SHA512
8a776dce00a5e0fd4777238cba5a2a6f9fe1e9fc05de14b04ec1508ba6361610d8aee4f4a2d70939761c092305721856d8cb07a78f0f70cea34a8a2936841e44

Download Submit
C:\Windows\SysWOW64\wigbsmgv.exe

Filesize
261KB

MD5
6e35fdd0d4b963eb8088e9e642a2f07e

SHA1
1941de6ed64ca88269e951842d87e8d84f8a0884

SHA256
fec9502f59748321f43ace7236920002b3e7b8dded3243d67bdb9e05a7e72bc1

SHA512
947253c50a913cf8413f31bfae3f379c9c3d4da15c2adc6f6cf6a9d5add0b95a609dcef0967514441b8b7992206f5ca540c1d8a433076f13e4588c10cb9a6b6c

Download Submit
C:\Windows\SysWOW64\wiiyik.exe

Filesize
261KB

MD5
a54b2e1d08a2d977432447bf4af1ddd5

SHA1
9cc87c671acdf4c856a975ca336ffd8718ed959a

SHA256
94f6ac096a119e1f52d8204bdffb6e3f5a527297e90dbddb84f31ff9fe100653

SHA512
274c9a5a9f6e167d97f3b8ecd38350489cd786b1156874a45503e6449df1a995081669d66010aba75b27dabb61753018a0cc4d8e9465923bb5c3a026d1ecb24a

Download Submit
C:\Windows\SysWOW64\wiuuk.exe

Filesize
261KB

MD5
268816e0cec99cd5fe268e5877519ec5

SHA1
163bfcbff510a3203427f7b300f86f5567600485

SHA256
b3c23537c29fd1d05914c0db67274016e5f17b1985d61057628a1b14a5edf57e

SHA512
bca0b7b423f1d8cd568c3aa9d9fda6e97ce4c6ac133dcd5a6e26df2caf0eb3ad4d744412aca590e3513513e8a7d579f3659f814c76bad368717bd573bd1f8b29

Download Submit
C:\Windows\SysWOW64\wiypdb.exe

Filesize
261KB

MD5
f49a628abc8bd6ce88a84a026c34f121

SHA1
50128903300d05da823d3d9850e1de20fb0cdaa3

SHA256
4240369775dca33accd4c4712dfbd7877e423cdd2fdde96c7aca90fa51e14bd1

SHA512
77fd4d17c4736bec2d730a7f1a0c9703803ac65bfbf3c58d3b991e42c9713f27d1aabfcbb5302018b855c9af8797232f7694d14013ace7960526b10297fd6643

Download Submit
C:\Windows\SysWOW64\wjkhb.exe

Filesize
261KB

MD5
b20d40cef0140d315f21be12101b97b4

SHA1
26f8da4fc8f7939a6921ba66fb9f6bba09e09e45

SHA256
af5624a073194d98538e99a848f6179a8e1a8c4afe9175cd4c94181cd98dccd0

SHA512
0852fb32eaa8d39a9836a33fb6bd7935cf2c688ee7d0bfc1669202ede9e2de159365adac69641a0be01848a04352c971ffbf47f4e498876479fb6ade4d9902cd

Download Submit
C:\Windows\SysWOW64\wkymlrr.exe

Filesize
261KB

MD5
af81f28587e5dd03b1765d91fc1519b2

SHA1
7c0605b2ca7000ec39fc39d03e57ba1c67442246

SHA256
ff3bfa57fcbe73156578f3baeeb8b4511316600fc511bb626f474703e37c74dc

SHA512
0e45cf4d2e95d79ce9ad8c517bce58e6e8134554aa03101332032391df3bc1ba5c7a71ba822b11d44989ab0f0e430707cebf69abb253f673553969075d38c356

Download Submit
C:\Windows\SysWOW64\wljetucm.exe

Filesize
261KB

MD5
d2bffee63454e6f56d5df8ac10babbf2

SHA1
bff75f4cd91c994ccb71c048379824e8685caa77

SHA256
633e208f4889b7206b451997eeed105ed4f2d871bd2127d5be665ed018fc4eea

SHA512
dc6cc133342bdc3918ad60a559d0f9597bf98994677efdeff448e4da77068a9132445db3a2b660a65bb2de6675dc63f2cdbdb06afbd56e752ad9598c9aee020b

Download Submit
C:\Windows\SysWOW64\wllgjnus.exe

Filesize
261KB

MD5
b92bc2d13833dea092c052c5ead77057

SHA1
bc7f6a29d4a073ff74631905f4fe74858763fa80

SHA256
a09de26c83bd538f962c5e50745cca7681c44a1f94630c8057f32af8c5e30ee7

SHA512
5ebc38cc28d76cdf6976fca5beb7a16fa410ff72225ff07f75e66de371d1170e1a4212f5aa9d8c7648ca30d6ece68ca78d888e4d5cb63e505b97f1274c76516c

Download Submit
C:\Windows\SysWOW64\wlqa.exe

Filesize
262KB

MD5
d6cc064d3dc610bb79b8b97498f7032f

SHA1
c5015864ee6e103f9c7398457ba5a384cf4c2b3a

SHA256
d4d1ff6f78c97fac5b9cf05af8c9bad701b6f8e00cd92fa94548938764dbf7b7

SHA512
7786f1447434bc1ffee26a1ab3ed39bfed92974e23ce4fa3e26e5ee1b89c72a5a40f1354f23cedfd5867e69d8aa58be7a02ecebcd07dba11801b3e1b752add63

Download Submit
C:\Windows\SysWOW64\wmefo.exe

Filesize
262KB

MD5
38ef4cf6f5b3e4bf529045c3be37b3de

SHA1
6cc6cfa9abcb4f724bcfea5bd3885b97f5b616c2

SHA256
8dff58da62b5ae16b47f4121eade66f01904abba21221a9e76d5616dfc088b6c

SHA512
4eac7fdb94d8fd19be8207a3951b88a03ca64dc1871732d2afa438f499681233e9b005270c4515539766dd59bed991215eabdb4f403345299fc73cc952d58272

Download Submit
C:\Windows\SysWOW64\wnbqbay.exe

Filesize
261KB

MD5
9948594cfe5b7ef7ddc8b5b3aeb64b8a

SHA1
32593773695d89fccf0708c55f543b1e99e1e904

SHA256
fbed36bc23eee9ea7920cc654516e53f1aaaae043754e49952d308c4359d7bb3

SHA512
ef8fc77a4a3dbb18e12980a520cae1c59c71a06af8e050dc9857f2d71290be98bfcff2dcee59121775a332185f6214c78be5c995d6a39622014320bf32b385a4

Download Submit
C:\Windows\SysWOW64\wohlfiv.exe

Filesize
262KB

MD5
0475e9e862aa10edaddbec8e2eaf0244

SHA1
c314f0fbf3ad72f70a57a570c61992aa77345f96

SHA256
d5fb041e6eed11528e1cde3f90b5a2042b20c6229864d0af5ac7fe8f394d9ad5

SHA512
cb12b3be9509afddbb1a944c699ddcf0ba5a9544d97864acc3917cef9e9441e30961a0242884c748dfef4848958a6f4385ec77f0fdc96cb0c75390a015babbd0

Download Submit
C:\Windows\SysWOW64\wolqiowy.exe

Filesize
262KB

MD5
416a071a73b26080c2cd6b949872b895

SHA1
699d1afc1e9f699ad4ffb1adf00a3e523f657967

SHA256
80e89ae183d5fba83e191644be5011406fb14f6d5b03c2946605373fb910bf8f

SHA512
2c28e32938ecad18e05eeece61d0fc3ab813915a4fa88c10f84d8441583ec094b503021da33ea41f7db75171c22239e248da603bd80f44cbfe48f92c14b5af9e

Download Submit
C:\Windows\SysWOW64\wovbk.exe

Filesize
261KB

MD5
72287362403550fc8bb11bd8e404736f

SHA1
243bdb375d2125f0841ecdb0b4f0d3394083b7b0

SHA256
15948588fa33d3c9af0f0c0cb793d8553bb03baf3a45cacfbad362608a170d75

SHA512
60a4388010892a2c43445380674bfcf320355efac48e174d1c4587aca0156a6675567e3ca381c3a237175661b779035d1f4cbadfd42ec36c75fd999f3b775da5

Download Submit
C:\Windows\SysWOW64\wphrw.exe

Filesize
261KB

MD5
e200854b9e7c0f6b91c891651b54065f

SHA1
c9531db71f927806a2075b909011833805aad2d9

SHA256
8f1a4f49b8456cc234f4740ead91ec2f1df8d47edf9be3021de5b53debe10e48

SHA512
58052429cf303f03d5f64b3fd8d7ffecb61399ff5d417424f277c3e0a520c911ba0253fed80629c3f8e0ab4c823d29762521b99cb9255ed6374b2be682241052

Download Submit
C:\Windows\SysWOW64\wrsoip.exe

Filesize
261KB

MD5
fd8cc8ea2b228b731ceb29b3b2527eaa

SHA1
d4d8509af618626300f09e31bcb19a1cdde405e3

SHA256
8e94e9d9c52a2497b80400995c4761aecac1ceb41ffe36a3ef6613004cafa4ad

SHA512
9b467a6f0f49792966c3f5ae7526ced29d93757d7686d7e9a8f24404b99a43cc7f9e5fcc038b1b6b1acb89461fc97a18ef26745972a4fd3d18201d4eed057472

Download Submit
C:\Windows\SysWOW64\wsdbeoe.exe

Filesize
262KB

MD5
e1e6d0bfbf82f2c2e2c051a64ecb26a7

SHA1
6afb4c4ea5c59f6f4b700caadce80bb966588de4

SHA256
3bacf477f19bd0ad28d0ae18eaa93e2d7dd5f3ccf2426c3759c0875c6b44e1bd

SHA512
867b416304d8bbfbd895faa9a09137266abc7e2bd793eb3160ed2d37135a12fefccc7885797237deb1b67fcdf9ccbe0dc82283db4313216502453247f70b72cb

Download Submit
C:\Windows\SysWOW64\wskxjdwmj.exe

Filesize
261KB

MD5
110a3bcb15feb83d2cb946b43a5e9267

SHA1
64500d317caf52db785cde7f3a86b690c7e98e83

SHA256
744670b63e6a244453da3cb68198424e652f57952b483f3d6cb5874cc1785f88

SHA512
47f48647e11fe9ad66306b638fcfccd8c42a75e772b82b670d0fba81cffadb11291ab4ac4c063cf557b1b867b1f0d7e959f4b26af7a2b0fee36b78d73038c202

Download Submit
C:\Windows\SysWOW64\wtciri.exe

Filesize
261KB

MD5
53c6ca27e8ce1fd3267a32a10076530b

SHA1
95fa97ba1c6f6986c3b80845e467318b316ffb10

SHA256
6bb1d4a1d2823c658031a990ea06accf33951274990b5cf5702aa0bd0c1d8859

SHA512
dfdfb76238accfa506d6c545af592cb4a149e5578b6313b3611dc6c53064d2a9f36b03c6b69cac8765e07745e9f0d4705cf2401311acade7b20a3e00ea7cf105

Download Submit
C:\Windows\SysWOW64\wtdmqbb.exe

Filesize
261KB

MD5
49df162bf0aa4f44ee77abfcaf5d8a3a

SHA1
abcc4d1ce8e3903030bebf455797a39bd8079678

SHA256
03d55e326a1f1969470bb5cdbf4fd1632e534409412daf3f98394772bee45978

SHA512
2ca512145e6897974392a7e45c99ffa416e0239b5b9f7399e24310aa4637d137da41be3617ddcecd44d9e1fde004d4dfac0df083d1b2eced197891476bb8c8ac

Download Submit
C:\Windows\SysWOW64\wtfpkt.exe

Filesize
261KB

MD5
e155a2b3341e0b191a1b093154b71441

SHA1
3c53b6db1c656850ef54547b93139e94e99b13b6

SHA256
7c3997856760f3fa89490bb5c042e00b1569fc64114121ab5d206a28df86cdef

SHA512
e968bf6b55ed63d22c501fa71c9d3552fac357e39e05db640805a996b64ac9e8823df92b5e7af537c9f9490f91b048b407a610eb97e14faec8fc7c88831f7cb9

Download Submit
C:\Windows\SysWOW64\wugndveih.exe

Filesize
261KB

MD5
b228ae8c57e6a6fba9fffa3e10207bcb

SHA1
e6e320961c4e6db216e726428506e1ada661e030

SHA256
b289c6de63e6bb5019313e3f3eae441e70a347481026e9be7c97f307c2da005c

SHA512
1dbede97f05ff80026ff257f27bfef4734cad0e2514324d1abd0b7daf870dea2e426e80a9d67d6ac7c3ece06573b2e5d68eaf2736d73e2b2e7d3be7d4911cfed

Download Submit
C:\Windows\SysWOW64\wvmiiearp.exe

Filesize
262KB

MD5
a9b58d7e7452ae52bd0d4d0337779238

SHA1
6f75e58c3b07ae205350c253938c76f8e471fbeb

SHA256
18bb889e7b03fb068ea174f51917e090b84a13da3d534af9d56e965b93addff5

SHA512
f1ef23dd4edb4341c6bb95fdfd514e31fe5a11140bda765f35caf677d7a7ba75485eb76b72a7cc09b0f41866b78341310fa12621d2862740f9c8d03974cfb705

Download Submit
C:\Windows\SysWOW64\wwik.exe

Filesize
261KB

MD5
dc3881c20fd090e064317fbb8c92ba72

SHA1
acbea9bc50c43bde83164f81c25ecb30bbdebfc2

SHA256
8f4186fc8a4e1b7165f36960297a2678dab2dc79253fb5e0e7379e933375388c

SHA512
3ef9df596ee09529d41e8cd9d556ac35474b49c811a980ac991cd09f47a8ad7185c5b1b3598d5b1c8ab09ab16917d26c3570515ad0f4bc4f8ed2aded27342c2c

Download Submit
memory/184-249-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/316-471-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/376-259-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/376-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/508-480-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/512-522-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/528-617-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/636-435-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/644-556-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/668-727-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-813-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/876-462-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/880-290-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/880-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1036-625-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1188-453-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1288-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-864-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-753-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1428-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1472-426-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1480-195-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1484-505-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1556-600-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-855-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-744-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1680-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1760-122-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-583-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1896-796-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1924-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1924-409-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1948-634-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-228-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2036-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2132-652-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2132-762-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2308-838-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2336-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-710-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2384-719-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2400-489-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2644-565-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2856-444-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2944-279-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2964-539-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2964-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-804-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3196-822-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3204-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3220-711-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3240-350-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3292-735-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3292-847-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3372-497-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3376-300-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3400-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3408-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3420-574-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3432-643-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3432-548-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3476-830-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3520-608-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3604-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3604-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3620-341-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3636-660-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3804-358-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3852-677-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3864-333-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3976-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4140-787-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4184-392-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4348-771-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4388-686-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4424-311-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4436-400-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4472-184-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4488-702-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4552-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4556-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4556-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4644-779-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4688-513-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4744-668-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4840-269-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4860-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4860-530-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5028-592-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5044-418-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5096-694-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5100-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download