106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd

Analysis

max time kernel
152s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
Size

481KB
MD5

ddccc8bafccc484a5cdbda1af42b6424
SHA1

b9165f54c1556a40d045de86e717c00555ca3208
SHA256

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd
SHA512

c4fda3ccc6139e83be19cf0156986a20ed613cf40407c92d0ec472ca4f3a2eda0f7439625193264d695b9e91aded534d6d0bb242fb66e06d095c8ed1121e5454
SSDEEP

6144:9splTJ5IH3JhAsPFMV10IRcXiklh25FfeLEaC/EHNGtMCzlpUXsNwHxNP7UD/A:MlTbwc10IZiY5leLE5uEqcNwxNP7yA

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

wz.exewz.exeiconAnimate.exeiconAnimate.exeiconTips.exe

pid process

948 wz.exe
1576 wz.exe
1908 iconAnimate.exe
1692 iconAnimate.exe
1628 iconTips.exe

pid	process
948	wz.exe
1576	wz.exe
1908	iconAnimate.exe
1692	iconAnimate.exe
1628	iconTips.exe

Loads dropped DLL 18 IoCs

Processes:

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exewz.exewz.exeiconAnimate.exeiconAnimate.exeiconTips.exe

pid	process
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
948	wz.exe
948	wz.exe
1576	wz.exe
1576	wz.exe
948	wz.exe
1908	iconAnimate.exe
1908	iconAnimate.exe
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
1692	iconAnimate.exe
1692	iconAnimate.exe
1628	iconTips.exe
1628	iconTips.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wz.exewz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wz.exe
File opened for modification \??\PhysicalDrive0 wz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wz.exe
File opened for modification	\??\PhysicalDrive0	wz.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\37wan\wz\uninst.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\37wan\wz\uninst.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

wz.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\37.com\NumberOfSubdomains = "1"	wz.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\37.com\Total = "63"	wz.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.37.com	wz.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.37.com\ = "63"	wz.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	wz.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\37.com	wz.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	wz.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	wz.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	wz.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wz.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

wz.exewz.exe

pid	process
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
1576	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe
948	wz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

iconAnimate.exeiconAnimate.exeiconTips.exe

description pid process

Token: SeDebugPrivilege 1908 iconAnimate.exe
Token: SeDebugPrivilege 1692 iconAnimate.exe
Token: SeDebugPrivilege 1628 iconTips.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wz.exe

pid process

948 wz.exe
948 wz.exe

description	pid	process
Token: SeDebugPrivilege	1908	iconAnimate.exe
Token: SeDebugPrivilege	1692	iconAnimate.exe
Token: SeDebugPrivilege	1628	iconTips.exe

pid	process
948	wz.exe
948	wz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exewz.exeiconAnimate.exe

description	pid	process	target process
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 948	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 560 wrote to memory of 1576	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 948 wrote to memory of 1908	948	wz.exe	iconAnimate.exe
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 1908 wrote to memory of 1256	1908	iconAnimate.exe	Explorer.EXE
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1692	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 560 wrote to memory of 1628	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconTips.exe
PID 560 wrote to memory of 1628	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconTips.exe
PID 560 wrote to memory of 1628	560	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconTips.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
"C:\Users\Admin\AppData\Local\Temp\106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
"C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe" /autorun /setuprun
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
"C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
"C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe" /setupsucc
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\37wan\wz\Lander.ini
Filesize
434B

MD5
b9b2e58f32321844172b8d895059b2d0

SHA1
8ce5b8c6ca0e2661213c7b21b822e5d31f8786dd

SHA256
2c2ce6af7c59c8b4364127d795523f0a924f48a89b84699556d7898781baffa3

SHA512
51e589f9bd031b60d5e471982f9140e063c589133795144cafee48458f898281922688a6a1f87d3b5ad78aaabe77db6a71456be1df8c8d080bb371688ad5d0f6

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\Lander.ini
Filesize
371B

MD5
77063457c07991fedd5770f0e78a60a5

SHA1
701585d9e7f4ceafc2ac58592fdfd85c522076f4

SHA256
73eb9e6138b95fa74527321aa939ddf6d1762b7f966acb9659d7527de23a8769

SHA512
2fdfd2b63bdfac303f0a463a10ac5957b72c0e341b24e6f9b556329aeae3fd1cbb6c7bca479e8b99c08521671fd634691dfe6f9916a8bc2d54408e4dfd5d3b87

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\Lander.ini
Filesize
434B

MD5
b9b2e58f32321844172b8d895059b2d0

SHA1
8ce5b8c6ca0e2661213c7b21b822e5d31f8786dd

SHA256
2c2ce6af7c59c8b4364127d795523f0a924f48a89b84699556d7898781baffa3

SHA512
51e589f9bd031b60d5e471982f9140e063c589133795144cafee48458f898281922688a6a1f87d3b5ad78aaabe77db6a71456be1df8c8d080bb371688ad5d0f6

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\uninst.exe
Filesize
64KB

MD5
9bc0a87a2d8c05501e84317349727fec

SHA1
93648fddf82c3d4f54124e599ce7b192a7009c7b

SHA256
d24e268f1c99dca12d4d960f763fdc5cf3a0c2cb5ed4bd9e48cb0793d86fbfbd

SHA512
6ec052ae8c79c74bec336b441ebd05f5af6f9a4dfbf888c7699ce425e7eecefa94106d4923cc34c5e7123dd327c8c273ef51dda3022a527148d2eaaa5c4b035e

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/1256-88-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-95-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-106-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-105-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-104-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-103-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-99-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-98-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-97-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-94-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-93-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-92-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-91-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-90-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-89-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-110-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-87-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-86-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-85-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-84-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-83-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-82-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-81-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-108-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-140-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-107-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-100-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-144-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-102-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-101-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-96-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-109-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-80-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1256-146-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-122-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-126-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-127-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-128-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-129-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-130-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-132-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-131-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-133-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-134-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-136-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-137-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-135-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-139-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-138-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-141-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-143-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-142-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-145-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-147-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-149-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1256-148-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1256-150-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1576-63-0x0000000000000000-mapping.dmp

Download
memory/1628-117-0x0000000000000000-mapping.dmp

Download
memory/1692-113-0x0000000000000000-mapping.dmp

Download
memory/1908-75-0x0000000000000000-mapping.dmp

Download