df79805045509d6a2c737e5ffa1df79abb2c079ab411fb304e9807a711f5802d

Analysis

max time kernel
154s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a796738df66d3ce50b73fa7d022c874a_JC.exe
Size

341KB
MD5

a796738df66d3ce50b73fa7d022c874a
SHA1

86227a559a2bba17d5c9359cbcb4e8e42523579b
SHA256

df79805045509d6a2c737e5ffa1df79abb2c079ab411fb304e9807a711f5802d
SHA512

b0b33769c8fbc14424a458d6813732005c3665d26a21564e1fb1cb4599ad49c54b58f2f063ea47cce2bd17b1e9b31506fb0a81d384b89bdb925ca1f42279f76d
SSDEEP

6144:tY7thKSZI4zLVSVp6q1RGHxM8ggq5h7J51OGTP7:OjKSZhnVepH18HxMeq5RJ51OGTz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wkwihh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wdslngu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wnbag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wnupmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wmvx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wpqajq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wgrjpyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wllpqat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	waywdxfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wvqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wacvmpv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wrtw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wffumc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wgxbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wfevwn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	a796738df66d3ce50b73fa7d022c874a_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wjjj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wtxuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wugum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wlurj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wujoijyd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wkwgc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wyyqk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	waqdptn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wcbdfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wejvsxn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wnliu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wftgnvjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	webpj.exe

Executes dropped EXE 29 IoCs

pid	Process
2336	wcbdfe.exe
3148	wvqp.exe
1820	wugum.exe
3324	wkwihh.exe
1424	wacvmpv.exe
3056	wejvsxn.exe
492	wnliu.exe
5100	wpqajq.exe
4352	wftgnvjv.exe
4660	wdslngu.exe
2696	wnbag.exe
3784	wgrjpyp.exe
1084	wllpqat.exe
2688	wrtw.exe
4104	waywdxfc.exe
4000	wjjj.exe
1188	wffumc.exe
4628	wfevwn.exe
208	wlurj.exe
2696	wnupmj.exe
2856	webpj.exe
4540	wujoijyd.exe
4240	wtxuj.exe
5100	wkwgc.exe
3000	wyyqk.exe
376	waqdptn.exe
2204	wgxbb.exe
4348	wmvx.exe
888	whfqskbj.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wujoijyd.exe	webpj.exe
File created	C:\Windows\SysWOW64\wvqp.exe	wcbdfe.exe
File created	C:\Windows\SysWOW64\wgrjpyp.exe	wnbag.exe
File opened for modification	C:\Windows\SysWOW64\wjjj.exe	waywdxfc.exe
File opened for modification	C:\Windows\SysWOW64\wvqp.exe	wcbdfe.exe
File opened for modification	C:\Windows\SysWOW64\wacvmpv.exe	wkwihh.exe
File created	C:\Windows\SysWOW64\wejvsxn.exe	wacvmpv.exe
File opened for modification	C:\Windows\SysWOW64\wdslngu.exe	wftgnvjv.exe
File opened for modification	C:\Windows\SysWOW64\wujoijyd.exe	webpj.exe
File created	C:\Windows\SysWOW64\wtxuj.exe	wujoijyd.exe
File opened for modification	C:\Windows\SysWOW64\wcbdfe.exe	a796738df66d3ce50b73fa7d022c874a_JC.exe
File opened for modification	C:\Windows\SysWOW64\wnupmj.exe	wlurj.exe
File created	C:\Windows\SysWOW64\wkwgc.exe	wtxuj.exe
File created	C:\Windows\SysWOW64\wyyqk.exe	wkwgc.exe
File opened for modification	C:\Windows\SysWOW64\wkwihh.exe	wugum.exe
File created	C:\Windows\SysWOW64\wnbag.exe	wdslngu.exe
File opened for modification	C:\Windows\SysWOW64\wtxuj.exe	wujoijyd.exe
File created	C:\Windows\SysWOW64\wllpqat.exe	weslsl.exe
File created	C:\Windows\SysWOW64\wftgnvjv.exe	wpqajq.exe
File opened for modification	C:\Windows\SysWOW64\wftgnvjv.exe	wpqajq.exe
File created	C:\Windows\SysWOW64\wdslngu.exe	wftgnvjv.exe
File created	C:\Windows\SysWOW64\waywdxfc.exe	wrtw.exe
File created	C:\Windows\SysWOW64\wffumc.exe	wjjj.exe
File created	C:\Windows\SysWOW64\whfqskbj.exe	wmvx.exe
File opened for modification	C:\Windows\SysWOW64\wugum.exe	wvqp.exe
File opened for modification	C:\Windows\SysWOW64\wmvx.exe	wgxbb.exe
File created	C:\Windows\SysWOW64\wkwihh.exe	wugum.exe
File opened for modification	C:\Windows\SysWOW64\wgrjpyp.exe	wnbag.exe
File created	C:\Windows\SysWOW64\wrtw.exe	wllpqat.exe
File created	C:\Windows\SysWOW64\wlurj.exe	wfevwn.exe
File created	C:\Windows\SysWOW64\wgxbb.exe	waqdptn.exe
File opened for modification	C:\Windows\SysWOW64\wllpqat.exe	weslsl.exe
File opened for modification	C:\Windows\SysWOW64\wlurj.exe	wfevwn.exe
File opened for modification	C:\Windows\SysWOW64\waqdptn.exe	wyyqk.exe
File opened for modification	C:\Windows\SysWOW64\wnbag.exe	wdslngu.exe
File created	C:\Windows\SysWOW64\wfevwn.exe	wffumc.exe
File opened for modification	C:\Windows\SysWOW64\wfevwn.exe	wffumc.exe
File created	C:\Windows\SysWOW64\wugum.exe	wvqp.exe
File opened for modification	C:\Windows\SysWOW64\wpqajq.exe	wnliu.exe
File created	C:\Windows\SysWOW64\webpj.exe	wnupmj.exe
File opened for modification	C:\Windows\SysWOW64\webpj.exe	wnupmj.exe
File opened for modification	C:\Windows\SysWOW64\wyyqk.exe	wkwgc.exe
File opened for modification	C:\Windows\SysWOW64\wejvsxn.exe	wacvmpv.exe
File created	C:\Windows\SysWOW64\wjjj.exe	waywdxfc.exe
File opened for modification	C:\Windows\SysWOW64\wkwgc.exe	wtxuj.exe
File created	C:\Windows\SysWOW64\waqdptn.exe	wyyqk.exe
File created	C:\Windows\SysWOW64\wmvx.exe	wgxbb.exe
File opened for modification	C:\Windows\SysWOW64\whfqskbj.exe	wmvx.exe
File created	C:\Windows\SysWOW64\wcbdfe.exe	a796738df66d3ce50b73fa7d022c874a_JC.exe
File created	C:\Windows\SysWOW64\wacvmpv.exe	wkwihh.exe
File created	C:\Windows\SysWOW64\wnliu.exe	wejvsxn.exe
File opened for modification	C:\Windows\SysWOW64\wnliu.exe	wejvsxn.exe
File opened for modification	C:\Windows\SysWOW64\waywdxfc.exe	wrtw.exe
File opened for modification	C:\Windows\SysWOW64\wffumc.exe	wjjj.exe
File created	C:\Windows\SysWOW64\wnupmj.exe	wlurj.exe
File created	C:\Windows\SysWOW64\wpqajq.exe	wnliu.exe
File opened for modification	C:\Windows\SysWOW64\wrtw.exe	wllpqat.exe
File opened for modification	C:\Windows\SysWOW64\wgxbb.exe	waqdptn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
528	1084	WerFault.exe	138
3576	1084	WerFault.exe	138
1032	2696	WerFault.exe	161

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2336	2180	a796738df66d3ce50b73fa7d022c874a_JC.exe	90
PID 2180 wrote to memory of 2336	2180	a796738df66d3ce50b73fa7d022c874a_JC.exe	90
PID 2180 wrote to memory of 2336	2180	a796738df66d3ce50b73fa7d022c874a_JC.exe	90
PID 2180 wrote to memory of 3644	2180	a796738df66d3ce50b73fa7d022c874a_JC.exe	92
PID 2180 wrote to memory of 3644	2180	a796738df66d3ce50b73fa7d022c874a_JC.exe	92
PID 2180 wrote to memory of 3644	2180	a796738df66d3ce50b73fa7d022c874a_JC.exe	92
PID 2336 wrote to memory of 3148	2336	wcbdfe.exe	94
PID 2336 wrote to memory of 3148	2336	wcbdfe.exe	94
PID 2336 wrote to memory of 3148	2336	wcbdfe.exe	94
PID 2336 wrote to memory of 5068	2336	wcbdfe.exe	95
PID 2336 wrote to memory of 5068	2336	wcbdfe.exe	95
PID 2336 wrote to memory of 5068	2336	wcbdfe.exe	95
PID 3148 wrote to memory of 1820	3148	wvqp.exe	100
PID 3148 wrote to memory of 1820	3148	wvqp.exe	100
PID 3148 wrote to memory of 1820	3148	wvqp.exe	100
PID 3148 wrote to memory of 1188	3148	wvqp.exe	102
PID 3148 wrote to memory of 1188	3148	wvqp.exe	102
PID 3148 wrote to memory of 1188	3148	wvqp.exe	102
PID 1820 wrote to memory of 3324	1820	wugum.exe	104
PID 1820 wrote to memory of 3324	1820	wugum.exe	104
PID 1820 wrote to memory of 3324	1820	wugum.exe	104
PID 1820 wrote to memory of 4608	1820	wugum.exe	105
PID 1820 wrote to memory of 4608	1820	wugum.exe	105
PID 1820 wrote to memory of 4608	1820	wugum.exe	105
PID 3324 wrote to memory of 1424	3324	wkwihh.exe	108
PID 3324 wrote to memory of 1424	3324	wkwihh.exe	108
PID 3324 wrote to memory of 1424	3324	wkwihh.exe	108
PID 3324 wrote to memory of 3864	3324	wkwihh.exe	109
PID 3324 wrote to memory of 3864	3324	wkwihh.exe	109
PID 3324 wrote to memory of 3864	3324	wkwihh.exe	109
PID 1424 wrote to memory of 3056	1424	wacvmpv.exe	111
PID 1424 wrote to memory of 3056	1424	wacvmpv.exe	111
PID 1424 wrote to memory of 3056	1424	wacvmpv.exe	111
PID 1424 wrote to memory of 3168	1424	wacvmpv.exe	112
PID 1424 wrote to memory of 3168	1424	wacvmpv.exe	112
PID 1424 wrote to memory of 3168	1424	wacvmpv.exe	112
PID 3056 wrote to memory of 492	3056	wejvsxn.exe	116
PID 3056 wrote to memory of 492	3056	wejvsxn.exe	116
PID 3056 wrote to memory of 492	3056	wejvsxn.exe	116
PID 3056 wrote to memory of 2300	3056	wejvsxn.exe	117
PID 3056 wrote to memory of 2300	3056	wejvsxn.exe	117
PID 3056 wrote to memory of 2300	3056	wejvsxn.exe	117
PID 492 wrote to memory of 5100	492	wnliu.exe	120
PID 492 wrote to memory of 5100	492	wnliu.exe	120
PID 492 wrote to memory of 5100	492	wnliu.exe	120
PID 492 wrote to memory of 3588	492	wnliu.exe	121
PID 492 wrote to memory of 3588	492	wnliu.exe	121
PID 492 wrote to memory of 3588	492	wnliu.exe	121
PID 5100 wrote to memory of 4352	5100	wpqajq.exe	123
PID 5100 wrote to memory of 4352	5100	wpqajq.exe	123
PID 5100 wrote to memory of 4352	5100	wpqajq.exe	123
PID 5100 wrote to memory of 2056	5100	wpqajq.exe	124
PID 5100 wrote to memory of 2056	5100	wpqajq.exe	124
PID 5100 wrote to memory of 2056	5100	wpqajq.exe	124
PID 4352 wrote to memory of 4660	4352	wftgnvjv.exe	126
PID 4352 wrote to memory of 4660	4352	wftgnvjv.exe	126
PID 4352 wrote to memory of 4660	4352	wftgnvjv.exe	126
PID 4352 wrote to memory of 2588	4352	wftgnvjv.exe	127
PID 4352 wrote to memory of 2588	4352	wftgnvjv.exe	127
PID 4352 wrote to memory of 2588	4352	wftgnvjv.exe	127
PID 4660 wrote to memory of 2696	4660	wdslngu.exe	129
PID 4660 wrote to memory of 2696	4660	wdslngu.exe	129
PID 4660 wrote to memory of 2696	4660	wdslngu.exe	129
PID 4660 wrote to memory of 3628	4660	wdslngu.exe	130

C:\Users\Admin\AppData\Local\Temp\a796738df66d3ce50b73fa7d022c874a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a796738df66d3ce50b73fa7d022c874a_JC.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\wcbdfe.exe
  "C:\Windows\system32\wcbdfe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\wvqp.exe
    "C:\Windows\system32\wvqp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\wugum.exe
      "C:\Windows\system32\wugum.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\SysWOW64\wkwihh.exe
        
        "C:\Windows\system32\wkwihh.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Windows\SysWOW64\wacvmpv.exe
        
        "C:\Windows\system32\wacvmpv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\wejvsxn.exe
        
        "C:\Windows\system32\wejvsxn.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\wnliu.exe
        
        "C:\Windows\system32\wnliu.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\wpqajq.exe
        
        "C:\Windows\system32\wpqajq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\wftgnvjv.exe
        
        "C:\Windows\system32\wftgnvjv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\wdslngu.exe
        
        "C:\Windows\system32\wdslngu.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\wnbag.exe
        
        "C:\Windows\system32\wnbag.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\wgrjpyp.exe
        
        "C:\Windows\system32\wgrjpyp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\weslsl.exe
        
        "C:\Windows\system32\weslsl.exe"
        14⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\wllpqat.exe
        
        "C:\Windows\system32\wllpqat.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\wrtw.exe
        
        "C:\Windows\system32\wrtw.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\waywdxfc.exe
        
        "C:\Windows\system32\waywdxfc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\wjjj.exe
        
        "C:\Windows\system32\wjjj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\wffumc.exe
        
        "C:\Windows\system32\wffumc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\wfevwn.exe
        
        "C:\Windows\system32\wfevwn.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\wlurj.exe
        
        "C:\Windows\system32\wlurj.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\wnupmj.exe
        
        "C:\Windows\system32\wnupmj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\webpj.exe
        
        "C:\Windows\system32\webpj.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\wujoijyd.exe
        
        "C:\Windows\system32\wujoijyd.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\wtxuj.exe
        
        "C:\Windows\system32\wtxuj.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\wkwgc.exe
        
        "C:\Windows\system32\wkwgc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wyyqk.exe
        
        "C:\Windows\system32\wyyqk.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\waqdptn.exe
        
        "C:\Windows\system32\waqdptn.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\wgxbb.exe
        
        "C:\Windows\system32\wgxbb.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\wmvx.exe
        
        "C:\Windows\system32\wmvx.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\whfqskbj.exe
        
        "C:\Windows\system32\whfqskbj.exe"
        31⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvx.exe"
        31⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxbb.exe"
        30⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqdptn.exe"
        29⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyyqk.exe"
        28⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwgc.exe"
        27⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxuj.exe"
        26⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujoijyd.exe"
        25⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webpj.exe"
        24⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnupmj.exe"
        23⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 1636
        23⤵
        Program crash
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlurj.exe"
        22⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfevwn.exe"
        21⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffumc.exe"
        20⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjj.exe"
        19⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waywdxfc.exe"
        18⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtw.exe"
        17⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllpqat.exe"
        16⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1280
        16⤵
        Program crash
        
        PID:528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1280
        16⤵
        Program crash
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weslsl.exe"
        15⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrjpyp.exe"
        14⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbag.exe"
        13⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdslngu.exe"
        12⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wftgnvjv.exe"
        11⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqajq.exe"
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnliu.exe"
        9⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejvsxn.exe"
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacvmpv.exe"
        7⤵
        
        PID:3168
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwihh.exe"
        6⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugum.exe"
        5⤵
        
        PID:4608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqp.exe"
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbdfe.exe"
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\a796738df66d3ce50b73fa7d022c874a_JC.exe"
  2⤵
  PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1084 -ip 1084
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2696 -ip 2696
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wacvmpv.exe

Filesize
341KB

MD5
131989b19b72b816f892bf089e2fb7d6

SHA1
9ce019ede67d9ae1f8b7b50fdd4aeb19e99bd705

SHA256
2424ebe6f71a924d1a83a0e7f4a61927f636145b1cfa2e20ff3265eb586e797a

SHA512
8bafb9f835e0b66dab27edae009522fc385a6068a9e3e153366488236663dd8f233ee43150da14808e5676b240a06c8835167895dfbe2215ccb4bb375f5d6d91

Download Submit
C:\Windows\SysWOW64\wacvmpv.exe

Filesize
341KB

MD5
131989b19b72b816f892bf089e2fb7d6

SHA1
9ce019ede67d9ae1f8b7b50fdd4aeb19e99bd705

SHA256
2424ebe6f71a924d1a83a0e7f4a61927f636145b1cfa2e20ff3265eb586e797a

SHA512
8bafb9f835e0b66dab27edae009522fc385a6068a9e3e153366488236663dd8f233ee43150da14808e5676b240a06c8835167895dfbe2215ccb4bb375f5d6d91

Download Submit
C:\Windows\SysWOW64\waqdptn.exe

Filesize
341KB

MD5
debb1ac653c3233a48e9200f0800b4cd

SHA1
125c49d060856e38c8160f2865aeeb007d4fee8b

SHA256
40bf67debc0facc62d00aa82a3096912c14c9a174de2a72d850486ca6401437c

SHA512
85440b59e43ba0c7ec6599907bf2441a92dbac718af15aa0408317a62805dc8c1c2fe2787c8576a3e35c91c92bdc11e163d5b5ad0cc475d099fce081de987f84

Download Submit
C:\Windows\SysWOW64\waqdptn.exe

Filesize
341KB

MD5
debb1ac653c3233a48e9200f0800b4cd

SHA1
125c49d060856e38c8160f2865aeeb007d4fee8b

SHA256
40bf67debc0facc62d00aa82a3096912c14c9a174de2a72d850486ca6401437c

SHA512
85440b59e43ba0c7ec6599907bf2441a92dbac718af15aa0408317a62805dc8c1c2fe2787c8576a3e35c91c92bdc11e163d5b5ad0cc475d099fce081de987f84

Download Submit
C:\Windows\SysWOW64\waywdxfc.exe

Filesize
341KB

MD5
30cc95904d795264dd5f90d1f4b78fbf

SHA1
2ec5e440db38a006123d65a6d449646f58a8f539

SHA256
5b2b0a777a5a669b2fc91081451a878eff1349a79c316dbc73b371ee0187571a

SHA512
28bf1cc983b9f79beb919c398e47e9b4efae2d4cf79872907fd3d92888601a4c254a5e9b5b4b018b9db458a76cc5bf2c390907d3e999dfabb39400a2e6aa56e6

Download Submit
C:\Windows\SysWOW64\waywdxfc.exe

Filesize
341KB

MD5
30cc95904d795264dd5f90d1f4b78fbf

SHA1
2ec5e440db38a006123d65a6d449646f58a8f539

SHA256
5b2b0a777a5a669b2fc91081451a878eff1349a79c316dbc73b371ee0187571a

SHA512
28bf1cc983b9f79beb919c398e47e9b4efae2d4cf79872907fd3d92888601a4c254a5e9b5b4b018b9db458a76cc5bf2c390907d3e999dfabb39400a2e6aa56e6

Download Submit
C:\Windows\SysWOW64\wcbdfe.exe

Filesize
341KB

MD5
ed6e233a3c6f119f3998b3e7645659e1

SHA1
38b43449d36fd8a1e68ed0bcbb989981fa611d25

SHA256
9cb4dc33d69a2f8f510a4613d49b6fbf984feb6e465db7ce02237982ada1076b

SHA512
d40158360654b3e7465f72f52164fa81e166583e52af804bd2262dc1467d98fee75b68a9c64dad30c0b71fb2b47201a17033fe92965a0490a356aa1c5213b47f

Download Submit
C:\Windows\SysWOW64\wcbdfe.exe

Filesize
341KB

MD5
ed6e233a3c6f119f3998b3e7645659e1

SHA1
38b43449d36fd8a1e68ed0bcbb989981fa611d25

SHA256
9cb4dc33d69a2f8f510a4613d49b6fbf984feb6e465db7ce02237982ada1076b

SHA512
d40158360654b3e7465f72f52164fa81e166583e52af804bd2262dc1467d98fee75b68a9c64dad30c0b71fb2b47201a17033fe92965a0490a356aa1c5213b47f

Download Submit
C:\Windows\SysWOW64\wcbdfe.exe

Filesize
341KB

MD5
ed6e233a3c6f119f3998b3e7645659e1

SHA1
38b43449d36fd8a1e68ed0bcbb989981fa611d25

SHA256
9cb4dc33d69a2f8f510a4613d49b6fbf984feb6e465db7ce02237982ada1076b

SHA512
d40158360654b3e7465f72f52164fa81e166583e52af804bd2262dc1467d98fee75b68a9c64dad30c0b71fb2b47201a17033fe92965a0490a356aa1c5213b47f

Download Submit
C:\Windows\SysWOW64\wdslngu.exe

Filesize
341KB

MD5
740c930f1dc224e1e50e17221cf6d0b7

SHA1
22c01429021b45d1eb9bc65168f0d223227927d4

SHA256
d15ce2c245f67cc5d81237b2978cfbab4b1a3769925f5dd212a6ad413b639dbf

SHA512
7c352392bea2af93a7c01344f9e279fd0a849ed84fd04c62aab68eb8479a162b79293236fb64ebd5ac9a416f498071da087b404ad3649300f46d39dba4eeac0b

Download Submit
C:\Windows\SysWOW64\wdslngu.exe

Filesize
341KB

MD5
740c930f1dc224e1e50e17221cf6d0b7

SHA1
22c01429021b45d1eb9bc65168f0d223227927d4

SHA256
d15ce2c245f67cc5d81237b2978cfbab4b1a3769925f5dd212a6ad413b639dbf

SHA512
7c352392bea2af93a7c01344f9e279fd0a849ed84fd04c62aab68eb8479a162b79293236fb64ebd5ac9a416f498071da087b404ad3649300f46d39dba4eeac0b

Download Submit
C:\Windows\SysWOW64\webpj.exe

Filesize
341KB

MD5
ef675e26facfacb3dbacce858245d6a2

SHA1
c3fa322628fde20576b4590bc910cb11ac58cbb4

SHA256
a2e99a5219d57ce15e89bafae01cdfcd5ac545ca369bbb99000a217b0c62f660

SHA512
1f2e2da4fa4731a1bc1288a5b155cbacc64fc1ee57218ade2200c8ff102729f2a653317809d9c316764b1f1e19db3ea1d2e183a6606df69f55dba3e5e6d1eb2d

Download Submit
C:\Windows\SysWOW64\webpj.exe

Filesize
341KB

MD5
ef675e26facfacb3dbacce858245d6a2

SHA1
c3fa322628fde20576b4590bc910cb11ac58cbb4

SHA256
a2e99a5219d57ce15e89bafae01cdfcd5ac545ca369bbb99000a217b0c62f660

SHA512
1f2e2da4fa4731a1bc1288a5b155cbacc64fc1ee57218ade2200c8ff102729f2a653317809d9c316764b1f1e19db3ea1d2e183a6606df69f55dba3e5e6d1eb2d

Download Submit
C:\Windows\SysWOW64\wejvsxn.exe

Filesize
341KB

MD5
939b0f991bba4d5c178778d7afe72e2c

SHA1
c5d3d0329013fbf9ea56d8f93033d8faa36fc865

SHA256
da054adb93dd46aef2bbb37454d05dfa6b7817707ee0806226b76680c1254e2d

SHA512
f65f18404d9ddc7adac9fc6e8469a4d6f29338e8965fb8d64f4f8ea96cf56b001c11b9536b83ba75b7081c1637783900e777988fc01947492c8e1ee9c9c44a78

Download Submit
C:\Windows\SysWOW64\wejvsxn.exe

Filesize
341KB

MD5
939b0f991bba4d5c178778d7afe72e2c

SHA1
c5d3d0329013fbf9ea56d8f93033d8faa36fc865

SHA256
da054adb93dd46aef2bbb37454d05dfa6b7817707ee0806226b76680c1254e2d

SHA512
f65f18404d9ddc7adac9fc6e8469a4d6f29338e8965fb8d64f4f8ea96cf56b001c11b9536b83ba75b7081c1637783900e777988fc01947492c8e1ee9c9c44a78

Download Submit
C:\Windows\SysWOW64\wfevwn.exe

Filesize
341KB

MD5
5a9434256bedc75eeba70108e841ea28

SHA1
dad774192af01f5eae34c41fde70358ccb7c18de

SHA256
23e649379ea717f3cd09e667f8fa05b6ff02338e35164c4c32628d8d081d8c61

SHA512
1b854d35d09de12d219aabdca41be6a806d6d7de1ad2556b5dbb9c54595d66052e9e0002b8fd0243f212157f6c7c8d3962d3dee112250cbfc6708987032ccb61

Download Submit
C:\Windows\SysWOW64\wfevwn.exe

Filesize
341KB

MD5
5a9434256bedc75eeba70108e841ea28

SHA1
dad774192af01f5eae34c41fde70358ccb7c18de

SHA256
23e649379ea717f3cd09e667f8fa05b6ff02338e35164c4c32628d8d081d8c61

SHA512
1b854d35d09de12d219aabdca41be6a806d6d7de1ad2556b5dbb9c54595d66052e9e0002b8fd0243f212157f6c7c8d3962d3dee112250cbfc6708987032ccb61

Download Submit
C:\Windows\SysWOW64\wffumc.exe

Filesize
341KB

MD5
f7e59b5aba9eee4cdc8c0a0017cf5cf7

SHA1
7be47e97c84a084222fe6fcddd57130e5fa75656

SHA256
b1fd6d2a0aeab25be5c19d05c0f21dbc3069c90a9b24ba524818b686ce27dd16

SHA512
f67e2ff4c0af1e93dcc1918d2eb0c50fe236d2085881ae62c83a7d393c7b8cc5c6fcb0ee14662dd174c8e9ab56572d64def608c00ca7517b17d0753161cefe39

Download Submit
C:\Windows\SysWOW64\wffumc.exe

Filesize
341KB

MD5
f7e59b5aba9eee4cdc8c0a0017cf5cf7

SHA1
7be47e97c84a084222fe6fcddd57130e5fa75656

SHA256
b1fd6d2a0aeab25be5c19d05c0f21dbc3069c90a9b24ba524818b686ce27dd16

SHA512
f67e2ff4c0af1e93dcc1918d2eb0c50fe236d2085881ae62c83a7d393c7b8cc5c6fcb0ee14662dd174c8e9ab56572d64def608c00ca7517b17d0753161cefe39

Download Submit
C:\Windows\SysWOW64\wftgnvjv.exe

Filesize
341KB

MD5
658b6b806baf4dd9226edd1cf1b0302e

SHA1
625e689d69b4ebde1e11a8628cc90d83c14a206b

SHA256
d4e6b7eb781174505938b9bd755d87d28d5679ed6230ab779c27637260c4ea40

SHA512
f167487f15fa50c2a87bf703a735d479768f073f29033047538f9ff289e6eb917d8055af5f4cf5e34b8b64c78c4d27ba7cceb1073ce0f75755f799a4421ad4af

Download Submit
C:\Windows\SysWOW64\wftgnvjv.exe

Filesize
341KB

MD5
658b6b806baf4dd9226edd1cf1b0302e

SHA1
625e689d69b4ebde1e11a8628cc90d83c14a206b

SHA256
d4e6b7eb781174505938b9bd755d87d28d5679ed6230ab779c27637260c4ea40

SHA512
f167487f15fa50c2a87bf703a735d479768f073f29033047538f9ff289e6eb917d8055af5f4cf5e34b8b64c78c4d27ba7cceb1073ce0f75755f799a4421ad4af

Download Submit
C:\Windows\SysWOW64\wgrjpyp.exe

Filesize
341KB

MD5
169493aa688b85917651bd0f81e3a947

SHA1
3e04668892774cd7a310ec1a89bb59b102b26265

SHA256
dd0c6c5afdde20393b83ef0f89d2ab6fdb237983631619b60185c0905d8df48f

SHA512
26e65bf7b2530af0c1873fafd8e6ae4939809f948a778b173d5d0687d1bee1e55518b17d5f9c7db596bb619e8525d852190cc2585701d201482ced8a7d81427d

Download Submit
C:\Windows\SysWOW64\wgrjpyp.exe

Filesize
341KB

MD5
169493aa688b85917651bd0f81e3a947

SHA1
3e04668892774cd7a310ec1a89bb59b102b26265

SHA256
dd0c6c5afdde20393b83ef0f89d2ab6fdb237983631619b60185c0905d8df48f

SHA512
26e65bf7b2530af0c1873fafd8e6ae4939809f948a778b173d5d0687d1bee1e55518b17d5f9c7db596bb619e8525d852190cc2585701d201482ced8a7d81427d

Download Submit
C:\Windows\SysWOW64\wgxbb.exe

Filesize
341KB

MD5
d786bd405d2d51f6db6beef85cfa37c4

SHA1
7e8330b1531065d72c691c7085060f95ff567a6f

SHA256
87f401619241a5a7d89a7b9a6923d3e421f955b3cff0da9fc57834e4e42c6a44

SHA512
b8748dcec722b84e0bab070e2503e44fa31cd6db05c4a9a4b81abc22e3e25ffc2b9e26eaee5a9fc5ca84c1e459bf186b6a0fdccb8a398a8d0f2cf7926239f315

Download Submit
C:\Windows\SysWOW64\wgxbb.exe

Filesize
341KB

MD5
d786bd405d2d51f6db6beef85cfa37c4

SHA1
7e8330b1531065d72c691c7085060f95ff567a6f

SHA256
87f401619241a5a7d89a7b9a6923d3e421f955b3cff0da9fc57834e4e42c6a44

SHA512
b8748dcec722b84e0bab070e2503e44fa31cd6db05c4a9a4b81abc22e3e25ffc2b9e26eaee5a9fc5ca84c1e459bf186b6a0fdccb8a398a8d0f2cf7926239f315

Download Submit
C:\Windows\SysWOW64\whfqskbj.exe

Filesize
341KB

MD5
8628fd655215066fd3520e6a5757a94c

SHA1
b8061c4d49a5bd7c8803692aa4309d36f1009ee0

SHA256
25f64174fe0e830e23af95bfbdc1962c3d0f1f494e3a8bcd65b601c9c32d63cf

SHA512
116bbc37e5f0fdc470885e8d8b34d381ca8932e1caa6c63952bb77dbbec255ae59f78393d98db2bde827e76b7cec9652bc4afc77e2b453218e78c4d597d248e0

Download Submit
C:\Windows\SysWOW64\whfqskbj.exe

Filesize
341KB

MD5
8628fd655215066fd3520e6a5757a94c

SHA1
b8061c4d49a5bd7c8803692aa4309d36f1009ee0

SHA256
25f64174fe0e830e23af95bfbdc1962c3d0f1f494e3a8bcd65b601c9c32d63cf

SHA512
116bbc37e5f0fdc470885e8d8b34d381ca8932e1caa6c63952bb77dbbec255ae59f78393d98db2bde827e76b7cec9652bc4afc77e2b453218e78c4d597d248e0

Download Submit
C:\Windows\SysWOW64\wjjj.exe

Filesize
341KB

MD5
3603018d5973976cd623c12df40549bd

SHA1
7a1d3ef667d30064a03d39d3b3df9a78564961ce

SHA256
b7a52067a0a64a7f17ebc78cd95d48868e3bb5481c754abed57f699c7e5b253b

SHA512
66656499e22e25c547c35f3580ca9d296388eab687115a75cb9599d16029368a3709aa23299aa1c056f43aa05a7c62a0a9e479ce9b0149ffb4125497dafed188

Download Submit
C:\Windows\SysWOW64\wjjj.exe

Filesize
341KB

MD5
3603018d5973976cd623c12df40549bd

SHA1
7a1d3ef667d30064a03d39d3b3df9a78564961ce

SHA256
b7a52067a0a64a7f17ebc78cd95d48868e3bb5481c754abed57f699c7e5b253b

SHA512
66656499e22e25c547c35f3580ca9d296388eab687115a75cb9599d16029368a3709aa23299aa1c056f43aa05a7c62a0a9e479ce9b0149ffb4125497dafed188

Download Submit
C:\Windows\SysWOW64\wkwgc.exe

Filesize
341KB

MD5
dda9f3c561272bc939c2598676d848b2

SHA1
355f0c6da635baf8cbf572973ae4f90a5367f4bd

SHA256
2883044dbf7c111354d5d0e6630e2ba293f8d48e85031a799b690daa22b90338

SHA512
39d6bfe151dd83b772f7d4516cdfbad58340aab0338053af1a9d2e499b149fc35ec9d428dc45e0d199da013055ba26a5a8f4c4fa61bc52273e31bfd30a964783

Download Submit
C:\Windows\SysWOW64\wkwgc.exe

Filesize
341KB

MD5
dda9f3c561272bc939c2598676d848b2

SHA1
355f0c6da635baf8cbf572973ae4f90a5367f4bd

SHA256
2883044dbf7c111354d5d0e6630e2ba293f8d48e85031a799b690daa22b90338

SHA512
39d6bfe151dd83b772f7d4516cdfbad58340aab0338053af1a9d2e499b149fc35ec9d428dc45e0d199da013055ba26a5a8f4c4fa61bc52273e31bfd30a964783

Download Submit
C:\Windows\SysWOW64\wkwihh.exe

Filesize
341KB

MD5
fef7b24a28bdcac60f5410eb3719c4a5

SHA1
709aabde748067cea434a6429cd854bb8b313758

SHA256
e4202e30a15ebf3009695867ec7a8cd6560fb570d3f63a1d35efa748bef24132

SHA512
ec7dd2d8cc5853bfd43c269df17b2e50533db24796f47272ffe351d7c775fb746c3f2ab9b646d136fa91f3c18294fbeb3960f5f6e80ffda4229f649fe74841d9

Download Submit
C:\Windows\SysWOW64\wkwihh.exe

Filesize
341KB

MD5
fef7b24a28bdcac60f5410eb3719c4a5

SHA1
709aabde748067cea434a6429cd854bb8b313758

SHA256
e4202e30a15ebf3009695867ec7a8cd6560fb570d3f63a1d35efa748bef24132

SHA512
ec7dd2d8cc5853bfd43c269df17b2e50533db24796f47272ffe351d7c775fb746c3f2ab9b646d136fa91f3c18294fbeb3960f5f6e80ffda4229f649fe74841d9

Download Submit
C:\Windows\SysWOW64\wllpqat.exe

Filesize
341KB

MD5
624bdf33b1199eb52f6a8147767a56ca

SHA1
94b455ca002b5a8322b1375d9d632eb70f614e27

SHA256
f8059d046969c953eec1dc61b6dea7dea3fecb790fcf4d393a012577121f8c18

SHA512
a22f3ddfd046741d2f3cac7bff3fe65726737e10ed1d196ae5445869b1048fbf85787071588854973662653982f0e2a2e5091900ec36b7ecbf6ac3ece2230c80

Download Submit
C:\Windows\SysWOW64\wllpqat.exe

Filesize
341KB

MD5
624bdf33b1199eb52f6a8147767a56ca

SHA1
94b455ca002b5a8322b1375d9d632eb70f614e27

SHA256
f8059d046969c953eec1dc61b6dea7dea3fecb790fcf4d393a012577121f8c18

SHA512
a22f3ddfd046741d2f3cac7bff3fe65726737e10ed1d196ae5445869b1048fbf85787071588854973662653982f0e2a2e5091900ec36b7ecbf6ac3ece2230c80

Download Submit
C:\Windows\SysWOW64\wlurj.exe

Filesize
341KB

MD5
12e45483edd555075fbe1c6012f5fea0

SHA1
db6a8991a0029f98613c211e95b4a91cdd174060

SHA256
0dc9f0c9f5939d5c58b68d7227b17a9336c07adc2cb265142ffb31d3d8451373

SHA512
967791084e9b7594943374cfd9fd6ad26a5ba85b4d23f700ef0cc9268b36374aa1fb534a181c417a36495c5a05637e8ad7e743cd9bc58e61ff70e0753c9e6301

Download Submit
C:\Windows\SysWOW64\wlurj.exe

Filesize
341KB

MD5
12e45483edd555075fbe1c6012f5fea0

SHA1
db6a8991a0029f98613c211e95b4a91cdd174060

SHA256
0dc9f0c9f5939d5c58b68d7227b17a9336c07adc2cb265142ffb31d3d8451373

SHA512
967791084e9b7594943374cfd9fd6ad26a5ba85b4d23f700ef0cc9268b36374aa1fb534a181c417a36495c5a05637e8ad7e743cd9bc58e61ff70e0753c9e6301

Download Submit
C:\Windows\SysWOW64\wmvx.exe

Filesize
341KB

MD5
779d2b090e9e80a2672d1baedde704db

SHA1
6dff44039dfffd6bc93813bf02c4207cd8621e18

SHA256
cfaa72bc91dbb97bda9e8c954be518ffd5fc52bf8c1559b475ada07adc92871a

SHA512
e7924870ad26ccc82fff8529a20a21d90b873dc91c6ad8582412fd8e386d345156a41f1144e5f910efd7b2c0939b2c9509c69425d1de5889fccef1c3c7aa1798

Download Submit
C:\Windows\SysWOW64\wmvx.exe

Filesize
341KB

MD5
779d2b090e9e80a2672d1baedde704db

SHA1
6dff44039dfffd6bc93813bf02c4207cd8621e18

SHA256
cfaa72bc91dbb97bda9e8c954be518ffd5fc52bf8c1559b475ada07adc92871a

SHA512
e7924870ad26ccc82fff8529a20a21d90b873dc91c6ad8582412fd8e386d345156a41f1144e5f910efd7b2c0939b2c9509c69425d1de5889fccef1c3c7aa1798

Download Submit
C:\Windows\SysWOW64\wnbag.exe

Filesize
341KB

MD5
32ff92736d587c292da0a3c0f3f47bc9

SHA1
523edd48c649b9f8f7d525d02fb28964d4d8fff8

SHA256
230a54b6918d9b47251867e982b2f95afb956a53c94479a59d0b3ead9233c572

SHA512
5a5d62723a2b393e4624a013eaf37fc9d08821c4f1f155a713633ed39f08228283441d388b14c1d976cc29a157b8d185b52e9f487d9da1a274980c28a43ab81a

Download Submit
C:\Windows\SysWOW64\wnbag.exe

Filesize
341KB

MD5
32ff92736d587c292da0a3c0f3f47bc9

SHA1
523edd48c649b9f8f7d525d02fb28964d4d8fff8

SHA256
230a54b6918d9b47251867e982b2f95afb956a53c94479a59d0b3ead9233c572

SHA512
5a5d62723a2b393e4624a013eaf37fc9d08821c4f1f155a713633ed39f08228283441d388b14c1d976cc29a157b8d185b52e9f487d9da1a274980c28a43ab81a

Download Submit
C:\Windows\SysWOW64\wnliu.exe

Filesize
341KB

MD5
90c39ec79a74b01e8968d59974ee6ec5

SHA1
b9a5075079fa5368219af065edd59c2a2c9bcff3

SHA256
e9a1848c411571d3031b299aaccdea2c4cea355bdceebc05156fbea21700e51d

SHA512
e3902fa0abc19d1a2a002dc8f64aa763bb2e11c29817c5b678485554e090b62a6aedf30f874549af49bf13bd703d4309e175b49a84219188d17be358b4e7e09d

Download Submit
C:\Windows\SysWOW64\wnliu.exe

Filesize
341KB

MD5
90c39ec79a74b01e8968d59974ee6ec5

SHA1
b9a5075079fa5368219af065edd59c2a2c9bcff3

SHA256
e9a1848c411571d3031b299aaccdea2c4cea355bdceebc05156fbea21700e51d

SHA512
e3902fa0abc19d1a2a002dc8f64aa763bb2e11c29817c5b678485554e090b62a6aedf30f874549af49bf13bd703d4309e175b49a84219188d17be358b4e7e09d

Download Submit
C:\Windows\SysWOW64\wnupmj.exe

Filesize
341KB

MD5
6aaf7998b0f14e78028b70360c99b70a

SHA1
524fdd30ba9f1cc504bff68766db2b9c7b85bdf8

SHA256
c77677862d47b8869bdcd28fcfeda9f1a8f1981f80455e96d09347de29192ba6

SHA512
79327da003693cacb39679ce50f0ce52f59b0de501a71210a84427d607691d3f076012b56e13b3e4226d0b6e6b6d7eea1459d90f9db6868ec480229f0e51b639

Download Submit
C:\Windows\SysWOW64\wnupmj.exe

Filesize
341KB

MD5
6aaf7998b0f14e78028b70360c99b70a

SHA1
524fdd30ba9f1cc504bff68766db2b9c7b85bdf8

SHA256
c77677862d47b8869bdcd28fcfeda9f1a8f1981f80455e96d09347de29192ba6

SHA512
79327da003693cacb39679ce50f0ce52f59b0de501a71210a84427d607691d3f076012b56e13b3e4226d0b6e6b6d7eea1459d90f9db6868ec480229f0e51b639

Download Submit
C:\Windows\SysWOW64\wpqajq.exe

Filesize
341KB

MD5
6e6a02e0a837c43da5626c3b91f41348

SHA1
0a57d4a24a1d3dcad9734c60798c224680da8671

SHA256
f0ed29c50eb7a4e60778024ac8ea81399c2f0c4c6e4f747b85d247623bffda89

SHA512
198d0442a224aedd7d91f7c31b77cc08613c10adb4ace173a1794e3a9a74a10e2ac873b7551342705574999ffdc635f2fdcdb1d8395bcc014485327a4c7113db

Download Submit
C:\Windows\SysWOW64\wpqajq.exe

Filesize
341KB

MD5
6e6a02e0a837c43da5626c3b91f41348

SHA1
0a57d4a24a1d3dcad9734c60798c224680da8671

SHA256
f0ed29c50eb7a4e60778024ac8ea81399c2f0c4c6e4f747b85d247623bffda89

SHA512
198d0442a224aedd7d91f7c31b77cc08613c10adb4ace173a1794e3a9a74a10e2ac873b7551342705574999ffdc635f2fdcdb1d8395bcc014485327a4c7113db

Download Submit
C:\Windows\SysWOW64\wrtw.exe

Filesize
341KB

MD5
cf7be62f459c57d7ea02d1e129521876

SHA1
06448a2a57296bacc0775450c858d86146eeb055

SHA256
2a10bee26c536d8bcc7da17b6e6f760c56860174960fa994d8f14984d96db552

SHA512
d27746d52eb2d0aedeb498efafc966fe540dfbd9137146341b1ea1d1e8afbda050de8149383f704f372c7b7d8f05dc582074ac82ba8eb58283e4f246de13bd27

Download Submit
C:\Windows\SysWOW64\wrtw.exe

Filesize
341KB

MD5
cf7be62f459c57d7ea02d1e129521876

SHA1
06448a2a57296bacc0775450c858d86146eeb055

SHA256
2a10bee26c536d8bcc7da17b6e6f760c56860174960fa994d8f14984d96db552

SHA512
d27746d52eb2d0aedeb498efafc966fe540dfbd9137146341b1ea1d1e8afbda050de8149383f704f372c7b7d8f05dc582074ac82ba8eb58283e4f246de13bd27

Download Submit
C:\Windows\SysWOW64\wtxuj.exe

Filesize
341KB

MD5
66b60bcd50e8feea3f4467a1f31f8fe7

SHA1
9e8cb5e4714438e452baf553d02a852fab7128cc

SHA256
276992d2fefbf81e1c29bfb29b647efaa4373d40f8821ee25113b59541a8885a

SHA512
5713af1cbdc955f5c6711fab6a2a22f41b10c30581a714dbf7fb049dae6acdcb1a0701705256651b7a19f1119387045979b365c2cd1f4435cbe29581e2a51fb4

Download Submit
C:\Windows\SysWOW64\wtxuj.exe

Filesize
341KB

MD5
66b60bcd50e8feea3f4467a1f31f8fe7

SHA1
9e8cb5e4714438e452baf553d02a852fab7128cc

SHA256
276992d2fefbf81e1c29bfb29b647efaa4373d40f8821ee25113b59541a8885a

SHA512
5713af1cbdc955f5c6711fab6a2a22f41b10c30581a714dbf7fb049dae6acdcb1a0701705256651b7a19f1119387045979b365c2cd1f4435cbe29581e2a51fb4

Download Submit
C:\Windows\SysWOW64\wugum.exe

Filesize
341KB

MD5
bf0ad1d898f789d54bec47c9f3a81998

SHA1
68a477c7fb215acd8c44ee4485888a514606fee2

SHA256
31100c414470f3f354706649f1e11d4e102b601e577af025094b44c0895bf864

SHA512
5640937575d24a6e202a7170dd53d8a21e301299fe4db82380ca68f7bd524e32908fd4457975bce1b9faa5a4742af8bca3c1cdc9470835075d0a887c1dd60db5

Download Submit
C:\Windows\SysWOW64\wugum.exe

Filesize
341KB

MD5
bf0ad1d898f789d54bec47c9f3a81998

SHA1
68a477c7fb215acd8c44ee4485888a514606fee2

SHA256
31100c414470f3f354706649f1e11d4e102b601e577af025094b44c0895bf864

SHA512
5640937575d24a6e202a7170dd53d8a21e301299fe4db82380ca68f7bd524e32908fd4457975bce1b9faa5a4742af8bca3c1cdc9470835075d0a887c1dd60db5

Download Submit
C:\Windows\SysWOW64\wujoijyd.exe

Filesize
341KB

MD5
b6f2e8755930bf07e0d24ba1215d8d14

SHA1
eebd5d966a3dca838cf225ca5899dfa615a09926

SHA256
a2b9961a737efb2f2689c9416d83842fe54da916a2a855c4a6ff7cba7d40c251

SHA512
f6a18bd47234172d3bc4485e23cdf43635d625d778ab0b86888405d73daaae7899484cbfa5f8703be3cb8550fe85266376ff059a309b74d16e832df786e04354

Download Submit
C:\Windows\SysWOW64\wujoijyd.exe

Filesize
341KB

MD5
b6f2e8755930bf07e0d24ba1215d8d14

SHA1
eebd5d966a3dca838cf225ca5899dfa615a09926

SHA256
a2b9961a737efb2f2689c9416d83842fe54da916a2a855c4a6ff7cba7d40c251

SHA512
f6a18bd47234172d3bc4485e23cdf43635d625d778ab0b86888405d73daaae7899484cbfa5f8703be3cb8550fe85266376ff059a309b74d16e832df786e04354

Download Submit
C:\Windows\SysWOW64\wvqp.exe

Filesize
341KB

MD5
4a3286130c8fa13197a71fb9ae883b67

SHA1
6153ba255042df1437e574620e8f08c8ca91b8d3

SHA256
79e236dffc2d67deba12ea8cc01976c940131af613ffc0488f2d973c309e78be

SHA512
0821be0f605560dc014fe59a7bb4abbd1c742c68a90b2c7539754427a1011c4ed454c32a11ef907bbd4cf1bb98615bf98150bf9f3824f2621e703fa335b5609a

Download Submit
C:\Windows\SysWOW64\wvqp.exe

Filesize
341KB

MD5
4a3286130c8fa13197a71fb9ae883b67

SHA1
6153ba255042df1437e574620e8f08c8ca91b8d3

SHA256
79e236dffc2d67deba12ea8cc01976c940131af613ffc0488f2d973c309e78be

SHA512
0821be0f605560dc014fe59a7bb4abbd1c742c68a90b2c7539754427a1011c4ed454c32a11ef907bbd4cf1bb98615bf98150bf9f3824f2621e703fa335b5609a

Download Submit
C:\Windows\SysWOW64\wyyqk.exe

Filesize
341KB

MD5
1455a96c463a29ccfb1002d52e6d6a61

SHA1
f17e7c9351e7ad1c87ee126abd62794b22b065c0

SHA256
26e139ca9432cfbf625f18bc34eebc70f21c57593fc13b0728101db5983257e5

SHA512
a6e74a684609cf9871be2257c1c76c7055d3c9da64f13ecb8ba103b944adda25ae0c46862556056ed916896b914024d16e219fe284b47ee23751f151a9ef7d80

Download Submit
C:\Windows\SysWOW64\wyyqk.exe

Filesize
341KB

MD5
1455a96c463a29ccfb1002d52e6d6a61

SHA1
f17e7c9351e7ad1c87ee126abd62794b22b065c0

SHA256
26e139ca9432cfbf625f18bc34eebc70f21c57593fc13b0728101db5983257e5

SHA512
a6e74a684609cf9871be2257c1c76c7055d3c9da64f13ecb8ba103b944adda25ae0c46862556056ed916896b914024d16e219fe284b47ee23751f151a9ef7d80

Download Submit
memory/208-208-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/376-288-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/492-83-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/492-71-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1084-154-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1188-187-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1424-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1820-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2180-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2180-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2180-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2204-298-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2336-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2672-134-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2696-225-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2696-122-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2856-234-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3000-278-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3000-268-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3056-72-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3148-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3324-51-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3784-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4000-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4104-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4104-156-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4240-250-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4240-256-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4348-308-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4352-103-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4540-233-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4540-245-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4628-198-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4660-113-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5100-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5100-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5100-267-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download