ed4d7c29f32bee25b2fc730ca6d7dd3a796313c0f982fc7fab88d63a304a3e65

Analysis

max time kernel
182s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 08:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e666f1aead00688672d4ff4cfe52ac10.exe
Size

313KB
MD5

e666f1aead00688672d4ff4cfe52ac10
SHA1

b050460cc6c3a24511babb57caff8fa844151254
SHA256

ed4d7c29f32bee25b2fc730ca6d7dd3a796313c0f982fc7fab88d63a304a3e65
SHA512

5807cfd39f2a87d624fd41802e08ac2bc6a2f43efcf48bc183d8ee66bff7d9474d26b98238c14f95bc41b91a6a5885b5f5436ec42f797f72353b5b17311bca58
SSDEEP

3072:1YUb5QoJ4g+zp0iBtTy06ZjKIz1ZdW4SrOLVSVpP6ehvcKVTu:1Yk+tT+hKSZI4zLVSVpPzjA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 25 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wgraiguhr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wjjmynx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wregyfn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wguia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wddgne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wexpbrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wkmaaeam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wjnkurtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wouict.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wrllqhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wghqnhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wtpc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wgxdgj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wktske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wqlmvfqyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wllogn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wucwxmf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wsxbee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wtwimr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wflpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wiwxhm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wrbwldf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wmexpi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wjqtcshu.exe

Executes dropped EXE 25 IoCs

pid	Process
1588	wjjmynx.exe
2156	wjnkurtc.exe
1468	wouict.exe
4972	wjqtcshu.exe
5000	wregyfn.exe
5024	wllogn.exe
1836	wgxdgj.exe
3080	wktske.exe
4076	wqlmvfqyy.exe
2052	wrllqhid.exe
456	wguia.exe
1440	wucwxmf.exe
3996	wtwimr.exe
4412	wflpw.exe
4360	wiwxhm.exe
4860	wddgne.exe
4028	wmexpi.exe
912	wsxbee.exe
440	wkmaaeam.exe
4932	wrbwldf.exe
4704	wexpbrx.exe
1548	wghqnhy.exe
3888	wtpc.exe
4860	wgraiguhr.exe
3524	wdiseq.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wqlmvfqyy.exe	wktske.exe
File created	C:\Windows\SysWOW64\wiwxhm.exe	wflpw.exe
File created	C:\Windows\SysWOW64\wouict.exe	wjnkurtc.exe
File opened for modification	C:\Windows\SysWOW64\wouict.exe	wjnkurtc.exe
File created	C:\Windows\SysWOW64\wmexpi.exe	wddgne.exe
File opened for modification	C:\Windows\SysWOW64\wguia.exe	wrllqhid.exe
File opened for modification	C:\Windows\SysWOW64\wgraiguhr.exe	wtpc.exe
File created	C:\Windows\SysWOW64\wtwimr.exe	wucwxmf.exe
File opened for modification	C:\Windows\SysWOW64\wsxbee.exe	wmexpi.exe
File opened for modification	C:\Windows\SysWOW64\wtwimr.exe	wucwxmf.exe
File created	C:\Windows\SysWOW64\wflpw.exe	wtwimr.exe
File opened for modification	C:\Windows\SysWOW64\wddgne.exe	wiwxhm.exe
File opened for modification	C:\Windows\SysWOW64\wdiseq.exe	wgraiguhr.exe
File created	C:\Windows\SysWOW64\wjnkurtc.exe	wjjmynx.exe
File created	C:\Windows\SysWOW64\wucwxmf.exe	wguia.exe
File opened for modification	C:\Windows\SysWOW64\wflpw.exe	wtwimr.exe
File opened for modification	C:\Windows\SysWOW64\wjnkurtc.exe	wjjmynx.exe
File opened for modification	C:\Windows\SysWOW64\wregyfn.exe	wjqtcshu.exe
File opened for modification	C:\Windows\SysWOW64\wrllqhid.exe	wqlmvfqyy.exe
File opened for modification	C:\Windows\SysWOW64\wucwxmf.exe	wguia.exe
File created	C:\Windows\SysWOW64\wrllqhid.exe	wqlmvfqyy.exe
File opened for modification	C:\Windows\SysWOW64\wkmaaeam.exe	wsxbee.exe
File opened for modification	C:\Windows\SysWOW64\wiossrtl.exe	wdiseq.exe
File created	C:\Windows\SysWOW64\wdiseq.exe	wgraiguhr.exe
File created	C:\Windows\SysWOW64\wjjmynx.exe	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe
File opened for modification	C:\Windows\SysWOW64\wjqtcshu.exe	wouict.exe
File opened for modification	C:\Windows\SysWOW64\wgxdgj.exe	wllogn.exe
File opened for modification	C:\Windows\SysWOW64\wiwxhm.exe	wflpw.exe
File opened for modification	C:\Windows\SysWOW64\wrbwldf.exe	wkmaaeam.exe
File created	C:\Windows\SysWOW64\wexpbrx.exe	wrbwldf.exe
File created	C:\Windows\SysWOW64\wghqnhy.exe	wexpbrx.exe
File opened for modification	C:\Windows\SysWOW64\wktske.exe	wgxdgj.exe
File created	C:\Windows\SysWOW64\wtpc.exe	wghqnhy.exe
File opened for modification	C:\Windows\SysWOW64\wjjmynx.exe	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe
File opened for modification	C:\Windows\SysWOW64\wllogn.exe	wregyfn.exe
File created	C:\Windows\SysWOW64\wkmaaeam.exe	wsxbee.exe
File opened for modification	C:\Windows\SysWOW64\wtpc.exe	wghqnhy.exe
File created	C:\Windows\SysWOW64\wllogn.exe	wregyfn.exe
File created	C:\Windows\SysWOW64\wguia.exe	wrllqhid.exe
File created	C:\Windows\SysWOW64\wiossrtl.exe	wdiseq.exe
File created	C:\Windows\SysWOW64\wregyfn.exe	wjqtcshu.exe
File created	C:\Windows\SysWOW64\wddgne.exe	wiwxhm.exe
File created	C:\Windows\SysWOW64\wsxbee.exe	wmexpi.exe
File opened for modification	C:\Windows\SysWOW64\wexpbrx.exe	wrbwldf.exe
File opened for modification	C:\Windows\SysWOW64\wghqnhy.exe	wexpbrx.exe
File created	C:\Windows\SysWOW64\wjqtcshu.exe	wouict.exe
File created	C:\Windows\SysWOW64\wgxdgj.exe	wllogn.exe
File created	C:\Windows\SysWOW64\wktske.exe	wgxdgj.exe
File opened for modification	C:\Windows\SysWOW64\wqlmvfqyy.exe	wktske.exe
File opened for modification	C:\Windows\SysWOW64\wmexpi.exe	wddgne.exe
File created	C:\Windows\SysWOW64\wrbwldf.exe	wkmaaeam.exe
File created	C:\Windows\SysWOW64\wgraiguhr.exe	wtpc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5052	2064	WerFault.exe	84
1624	1468	WerFault.exe	102
4416	5000	WerFault.exe	111
4220	1468	WerFault.exe	102

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1588	2064	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe	89
PID 2064 wrote to memory of 1588	2064	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe	89
PID 2064 wrote to memory of 1588	2064	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe	89
PID 2064 wrote to memory of 4928	2064	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe	91
PID 2064 wrote to memory of 4928	2064	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe	91
PID 2064 wrote to memory of 4928	2064	NEAS.e666f1aead00688672d4ff4cfe52ac10.exe	91
PID 1588 wrote to memory of 2156	1588	wjjmynx.exe	98
PID 1588 wrote to memory of 2156	1588	wjjmynx.exe	98
PID 1588 wrote to memory of 2156	1588	wjjmynx.exe	98
PID 1588 wrote to memory of 4696	1588	wjjmynx.exe	100
PID 1588 wrote to memory of 4696	1588	wjjmynx.exe	100
PID 1588 wrote to memory of 4696	1588	wjjmynx.exe	100
PID 2156 wrote to memory of 1468	2156	wjnkurtc.exe	102
PID 2156 wrote to memory of 1468	2156	wjnkurtc.exe	102
PID 2156 wrote to memory of 1468	2156	wjnkurtc.exe	102
PID 2156 wrote to memory of 1868	2156	wjnkurtc.exe	103
PID 2156 wrote to memory of 1868	2156	wjnkurtc.exe	103
PID 2156 wrote to memory of 1868	2156	wjnkurtc.exe	103
PID 1468 wrote to memory of 4972	1468	wouict.exe	105
PID 1468 wrote to memory of 4972	1468	wouict.exe	105
PID 1468 wrote to memory of 4972	1468	wouict.exe	105
PID 1468 wrote to memory of 4964	1468	wouict.exe	106
PID 1468 wrote to memory of 4964	1468	wouict.exe	106
PID 1468 wrote to memory of 4964	1468	wouict.exe	106
PID 4972 wrote to memory of 5000	4972	wjqtcshu.exe	111
PID 4972 wrote to memory of 5000	4972	wjqtcshu.exe	111
PID 4972 wrote to memory of 5000	4972	wjqtcshu.exe	111
PID 4972 wrote to memory of 3560	4972	wjqtcshu.exe	112
PID 4972 wrote to memory of 3560	4972	wjqtcshu.exe	112
PID 4972 wrote to memory of 3560	4972	wjqtcshu.exe	112
PID 5000 wrote to memory of 5024	5000	wregyfn.exe	114
PID 5000 wrote to memory of 5024	5000	wregyfn.exe	114
PID 5000 wrote to memory of 5024	5000	wregyfn.exe	114
PID 5000 wrote to memory of 3712	5000	wregyfn.exe	116
PID 5000 wrote to memory of 3712	5000	wregyfn.exe	116
PID 5000 wrote to memory of 3712	5000	wregyfn.exe	116
PID 5024 wrote to memory of 1836	5024	wllogn.exe	119
PID 5024 wrote to memory of 1836	5024	wllogn.exe	119
PID 5024 wrote to memory of 1836	5024	wllogn.exe	119
PID 5024 wrote to memory of 3152	5024	wllogn.exe	120
PID 5024 wrote to memory of 3152	5024	wllogn.exe	120
PID 5024 wrote to memory of 3152	5024	wllogn.exe	120
PID 1836 wrote to memory of 3080	1836	wgxdgj.exe	122
PID 1836 wrote to memory of 3080	1836	wgxdgj.exe	122
PID 1836 wrote to memory of 3080	1836	wgxdgj.exe	122
PID 1836 wrote to memory of 2024	1836	wgxdgj.exe	123
PID 1836 wrote to memory of 2024	1836	wgxdgj.exe	123
PID 1836 wrote to memory of 2024	1836	wgxdgj.exe	123
PID 3080 wrote to memory of 4076	3080	wktske.exe	126
PID 3080 wrote to memory of 4076	3080	wktske.exe	126
PID 3080 wrote to memory of 4076	3080	wktske.exe	126
PID 3080 wrote to memory of 2072	3080	wktske.exe	128
PID 3080 wrote to memory of 2072	3080	wktske.exe	128
PID 3080 wrote to memory of 2072	3080	wktske.exe	128
PID 4076 wrote to memory of 2052	4076	wqlmvfqyy.exe	129
PID 4076 wrote to memory of 2052	4076	wqlmvfqyy.exe	129
PID 4076 wrote to memory of 2052	4076	wqlmvfqyy.exe	129
PID 4076 wrote to memory of 1992	4076	wqlmvfqyy.exe	130
PID 4076 wrote to memory of 1992	4076	wqlmvfqyy.exe	130
PID 4076 wrote to memory of 1992	4076	wqlmvfqyy.exe	130
PID 2052 wrote to memory of 456	2052	wrllqhid.exe	132
PID 2052 wrote to memory of 456	2052	wrllqhid.exe	132
PID 2052 wrote to memory of 456	2052	wrllqhid.exe	132
PID 2052 wrote to memory of 5016	2052	wrllqhid.exe	133

C:\Users\Admin\AppData\Local\Temp\NEAS.e666f1aead00688672d4ff4cfe52ac10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e666f1aead00688672d4ff4cfe52ac10.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\wjjmynx.exe
  "C:\Windows\system32\wjjmynx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\wjnkurtc.exe
    "C:\Windows\system32\wjnkurtc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\wouict.exe
      "C:\Windows\system32\wouict.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\wjqtcshu.exe
        
        "C:\Windows\system32\wjqtcshu.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\wregyfn.exe
        
        "C:\Windows\system32\wregyfn.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\wllogn.exe
        
        "C:\Windows\system32\wllogn.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\wgxdgj.exe
        
        "C:\Windows\system32\wgxdgj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\wktske.exe
        
        "C:\Windows\system32\wktske.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\wqlmvfqyy.exe
        
        "C:\Windows\system32\wqlmvfqyy.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\wrllqhid.exe
        
        "C:\Windows\system32\wrllqhid.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\wguia.exe
        
        "C:\Windows\system32\wguia.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\wucwxmf.exe
        
        "C:\Windows\system32\wucwxmf.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\wtwimr.exe
        
        "C:\Windows\system32\wtwimr.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\wflpw.exe
        
        "C:\Windows\system32\wflpw.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\wiwxhm.exe
        
        "C:\Windows\system32\wiwxhm.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\wddgne.exe
        
        "C:\Windows\system32\wddgne.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\wmexpi.exe
        
        "C:\Windows\system32\wmexpi.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\wsxbee.exe
        
        "C:\Windows\system32\wsxbee.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\wkmaaeam.exe
        
        "C:\Windows\system32\wkmaaeam.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\wrbwldf.exe
        
        "C:\Windows\system32\wrbwldf.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\wexpbrx.exe
        
        "C:\Windows\system32\wexpbrx.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\wghqnhy.exe
        
        "C:\Windows\system32\wghqnhy.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wtpc.exe
        
        "C:\Windows\system32\wtpc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\wgraiguhr.exe
        
        "C:\Windows\system32\wgraiguhr.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\wdiseq.exe
        
        "C:\Windows\system32\wdiseq.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgraiguhr.exe"
        26⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpc.exe"
        25⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghqnhy.exe"
        24⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexpbrx.exe"
        23⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbwldf.exe"
        22⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmaaeam.exe"
        21⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxbee.exe"
        20⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmexpi.exe"
        19⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddgne.exe"
        18⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwxhm.exe"
        17⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflpw.exe"
        16⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwimr.exe"
        15⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucwxmf.exe"
        14⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguia.exe"
        13⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrllqhid.exe"
        12⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlmvfqyy.exe"
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktske.exe"
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxdgj.exe"
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllogn.exe"
        8⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wregyfn.exe"
        7⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1472
        7⤵
        Program crash
        
        PID:4416
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqtcshu.exe"
        6⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wouict.exe"
        5⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 524
        5⤵
        Program crash
        
        PID:1624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1040
        5⤵
        Program crash
        
        PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnkurtc.exe"
      4⤵
      PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjmynx.exe"
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\NEAS.e666f1aead00688672d4ff4cfe52ac10.exe"
  2⤵
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1440
  2⤵
  - Program crash
  PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1468 -ip 1468
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5000 -ip 5000
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1468 -ip 1468
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wddgne.exe

Filesize
313KB

MD5
f6a35d04a570a21d59d32c39e8764202

SHA1
07170d66505f50ee5034691f2ef27a97369d658d

SHA256
d9b40adf9c765d96dc9faa61d9efe6064eddf275aaecaaa9cd4e6e33b1079fc1

SHA512
b587dc17a2819e8cdea31cfc6fdbf1db67685216b33fcc69365be11bfe21df0b601280f25aa3b539cbdb6ac2abee9d865af8772f170aa097a2d01cd97f4085c0

Download Submit
C:\Windows\SysWOW64\wddgne.exe

Filesize
313KB

MD5
f6a35d04a570a21d59d32c39e8764202

SHA1
07170d66505f50ee5034691f2ef27a97369d658d

SHA256
d9b40adf9c765d96dc9faa61d9efe6064eddf275aaecaaa9cd4e6e33b1079fc1

SHA512
b587dc17a2819e8cdea31cfc6fdbf1db67685216b33fcc69365be11bfe21df0b601280f25aa3b539cbdb6ac2abee9d865af8772f170aa097a2d01cd97f4085c0

Download Submit
C:\Windows\SysWOW64\wdiseq.exe

Filesize
314KB

MD5
67382c5ef10abfebf70feaf0bf1389a1

SHA1
214a6a79263f237bfef96e7647692b6e5abcabf7

SHA256
8223b6b60e28a5f5dac20a3f2b7f8cf9d25d53c1d73484b0391a33694d3f0b07

SHA512
384518a78fde0a092cb284f34190eeab39c384fef60d1ea68617322e17808ac4e708e1230019d40e8467e8745cf086c634e073463fedd28dc01541fbc2da2f87

Download Submit
C:\Windows\SysWOW64\wdiseq.exe

Filesize
314KB

MD5
67382c5ef10abfebf70feaf0bf1389a1

SHA1
214a6a79263f237bfef96e7647692b6e5abcabf7

SHA256
8223b6b60e28a5f5dac20a3f2b7f8cf9d25d53c1d73484b0391a33694d3f0b07

SHA512
384518a78fde0a092cb284f34190eeab39c384fef60d1ea68617322e17808ac4e708e1230019d40e8467e8745cf086c634e073463fedd28dc01541fbc2da2f87

Download Submit
C:\Windows\SysWOW64\wexpbrx.exe

Filesize
314KB

MD5
3d0a7653580456918df6f9908a48bda2

SHA1
660b47467f782b3dbdc914d6c077449a903350c2

SHA256
f6086aefee06c3df060de176c121a903aed2ba6b74dd784510b74fb44291dd6c

SHA512
7a619b4cc1c9bf5fe2c6a94b50eb279b3d43e670d4b1e401d4b6f83d1a89a266f6441c6b939e3a913d979008fb77d4b92398a8ce60e68d26a31f6c351b06bf70

Download Submit
C:\Windows\SysWOW64\wexpbrx.exe

Filesize
314KB

MD5
3d0a7653580456918df6f9908a48bda2

SHA1
660b47467f782b3dbdc914d6c077449a903350c2

SHA256
f6086aefee06c3df060de176c121a903aed2ba6b74dd784510b74fb44291dd6c

SHA512
7a619b4cc1c9bf5fe2c6a94b50eb279b3d43e670d4b1e401d4b6f83d1a89a266f6441c6b939e3a913d979008fb77d4b92398a8ce60e68d26a31f6c351b06bf70

Download Submit
C:\Windows\SysWOW64\wflpw.exe

Filesize
313KB

MD5
22b50e4f3133ac954c6d039c772ec925

SHA1
63d6ddd551825a6c735f3e0c3ebb6b645eb4c73d

SHA256
53274711e2e7d007bf48fb70299214bb0baf3d6146e3b781ca62842bdb930966

SHA512
ffb1f56c667411af6f7fa9ac9a72432bcea95819fa22053db7bd97b53660456cf0f71a8410c93a7e46d67b3e0f95356fa7648b42e0514b62451929febe3afb69

Download Submit
C:\Windows\SysWOW64\wflpw.exe

Filesize
313KB

MD5
22b50e4f3133ac954c6d039c772ec925

SHA1
63d6ddd551825a6c735f3e0c3ebb6b645eb4c73d

SHA256
53274711e2e7d007bf48fb70299214bb0baf3d6146e3b781ca62842bdb930966

SHA512
ffb1f56c667411af6f7fa9ac9a72432bcea95819fa22053db7bd97b53660456cf0f71a8410c93a7e46d67b3e0f95356fa7648b42e0514b62451929febe3afb69

Download Submit
C:\Windows\SysWOW64\wghqnhy.exe

Filesize
314KB

MD5
2f647807b4a0dbf7fcd506261c1fb174

SHA1
b5cb58013e1a65ccc74709bc4a78d78f7b13a725

SHA256
bdcf309e3fd4d92b3b03684eafae45a9e458e7b8ea800ad580eeac0457dbbd0b

SHA512
950256a2da0bd8bad8d62d68cd1273865982ed5ef0c7e897eaa49f5d1b072a6ff4e17a482401603a629c03d38c71271fa7f3113dc216656a1eece80ad78558d8

Download Submit
C:\Windows\SysWOW64\wghqnhy.exe

Filesize
314KB

MD5
2f647807b4a0dbf7fcd506261c1fb174

SHA1
b5cb58013e1a65ccc74709bc4a78d78f7b13a725

SHA256
bdcf309e3fd4d92b3b03684eafae45a9e458e7b8ea800ad580eeac0457dbbd0b

SHA512
950256a2da0bd8bad8d62d68cd1273865982ed5ef0c7e897eaa49f5d1b072a6ff4e17a482401603a629c03d38c71271fa7f3113dc216656a1eece80ad78558d8

Download Submit
C:\Windows\SysWOW64\wgraiguhr.exe

Filesize
314KB

MD5
0b593dc292e2df0dede56d8fb4133240

SHA1
92b80cf4e3aa58b9c571fdbe0f14354a67a6b906

SHA256
0ea0223d54dcb125749588fdd53aaadba4253de1560812e8af2a4d0e19ffe071

SHA512
c01a423e8ee6ce36d90045c302b6845f925a73b75332e70430c19adaa32d89681e3711245e0350e82dbba4d83f8828bf1715275affae53daa096c7623cd4eafb

Download Submit
C:\Windows\SysWOW64\wgraiguhr.exe

Filesize
314KB

MD5
0b593dc292e2df0dede56d8fb4133240

SHA1
92b80cf4e3aa58b9c571fdbe0f14354a67a6b906

SHA256
0ea0223d54dcb125749588fdd53aaadba4253de1560812e8af2a4d0e19ffe071

SHA512
c01a423e8ee6ce36d90045c302b6845f925a73b75332e70430c19adaa32d89681e3711245e0350e82dbba4d83f8828bf1715275affae53daa096c7623cd4eafb

Download Submit
C:\Windows\SysWOW64\wguia.exe

Filesize
313KB

MD5
cc82594c510098e9f4efd97e14c20df3

SHA1
af15d75f4aa5129d336bc33e83b845569a150671

SHA256
527b4b86cc00819529c2ea59b992bad47460b987d3658e4a75bf9bb6683b58fe

SHA512
6b02dd02bbe8ae001273d44d55f075265f4e56d8553aa3ebf952d2e9a9c13d3ff86affce83b76d1047ad912dc02879fd95afe0b8c905ea33b8db570c44708b78

Download Submit
C:\Windows\SysWOW64\wguia.exe

Filesize
313KB

MD5
cc82594c510098e9f4efd97e14c20df3

SHA1
af15d75f4aa5129d336bc33e83b845569a150671

SHA256
527b4b86cc00819529c2ea59b992bad47460b987d3658e4a75bf9bb6683b58fe

SHA512
6b02dd02bbe8ae001273d44d55f075265f4e56d8553aa3ebf952d2e9a9c13d3ff86affce83b76d1047ad912dc02879fd95afe0b8c905ea33b8db570c44708b78

Download Submit
C:\Windows\SysWOW64\wgxdgj.exe

Filesize
313KB

MD5
e434c12ef09535b55c3e4e9b194aa2b0

SHA1
30fc47afa268118f106f83c6e4c0508709816b7d

SHA256
9a0d65d28d05d48bc306754b7b00c03db73da10393895eef524b6941c599a4fe

SHA512
074698745faeff77c5876991fd1ad929a34b08b43a4e1b94cdbc15582f01162a29bb70c545597b97a1fcef244de9db3e59c1fff329eb1b5ae1242d2506d4f12c

Download Submit
C:\Windows\SysWOW64\wgxdgj.exe

Filesize
313KB

MD5
e434c12ef09535b55c3e4e9b194aa2b0

SHA1
30fc47afa268118f106f83c6e4c0508709816b7d

SHA256
9a0d65d28d05d48bc306754b7b00c03db73da10393895eef524b6941c599a4fe

SHA512
074698745faeff77c5876991fd1ad929a34b08b43a4e1b94cdbc15582f01162a29bb70c545597b97a1fcef244de9db3e59c1fff329eb1b5ae1242d2506d4f12c

Download Submit
C:\Windows\SysWOW64\wiwxhm.exe

Filesize
313KB

MD5
43e9155da7790e62d7504e149af80ffa

SHA1
68c06e21edc747242a2ece218b7f12fb6b74a49f

SHA256
35190af95454c5951b6f8cc58d57845870ed216b27b46d2fef361e685d52ff50

SHA512
e52dfce48baf14266f3b06f1bc5b0c2ea0e1057ac9c20241c0916750d862a53863c706fedc9493cec0d49d36fb13e87439d58f11bbc8f015b8dad9fb815c7dfd

Download Submit
C:\Windows\SysWOW64\wiwxhm.exe

Filesize
313KB

MD5
43e9155da7790e62d7504e149af80ffa

SHA1
68c06e21edc747242a2ece218b7f12fb6b74a49f

SHA256
35190af95454c5951b6f8cc58d57845870ed216b27b46d2fef361e685d52ff50

SHA512
e52dfce48baf14266f3b06f1bc5b0c2ea0e1057ac9c20241c0916750d862a53863c706fedc9493cec0d49d36fb13e87439d58f11bbc8f015b8dad9fb815c7dfd

Download Submit
C:\Windows\SysWOW64\wjjmynx.exe

Filesize
313KB

MD5
dab577ded5c1b01626a69b3f74f9e307

SHA1
32a16724fa6a2b73416ea1d5d07b1f9dcd682825

SHA256
9949efd11b8eccf5753ecb70d3bce2258689f7acdd7152a9237aba672e5a7f48

SHA512
a960ee21c543fadf112761e5d8653c599b388c0789ed1efef2f6facb7a6993f2d7fe579a262ae1ed718d81c1d91ebab8af47fc1f7286648e0d2d3f0da86f2799

Download Submit
C:\Windows\SysWOW64\wjjmynx.exe

Filesize
313KB

MD5
dab577ded5c1b01626a69b3f74f9e307

SHA1
32a16724fa6a2b73416ea1d5d07b1f9dcd682825

SHA256
9949efd11b8eccf5753ecb70d3bce2258689f7acdd7152a9237aba672e5a7f48

SHA512
a960ee21c543fadf112761e5d8653c599b388c0789ed1efef2f6facb7a6993f2d7fe579a262ae1ed718d81c1d91ebab8af47fc1f7286648e0d2d3f0da86f2799

Download Submit
C:\Windows\SysWOW64\wjjmynx.exe

Filesize
313KB

MD5
dab577ded5c1b01626a69b3f74f9e307

SHA1
32a16724fa6a2b73416ea1d5d07b1f9dcd682825

SHA256
9949efd11b8eccf5753ecb70d3bce2258689f7acdd7152a9237aba672e5a7f48

SHA512
a960ee21c543fadf112761e5d8653c599b388c0789ed1efef2f6facb7a6993f2d7fe579a262ae1ed718d81c1d91ebab8af47fc1f7286648e0d2d3f0da86f2799

Download Submit
C:\Windows\SysWOW64\wjnkurtc.exe

Filesize
313KB

MD5
4dbf81008ab8c201e1b42465f35d5583

SHA1
2b682c07f30b6580111495e9022b3ada15face72

SHA256
b0e6d881375a39b7523c3e104a4c23852fca05da8fd893a4f9a9a88c4dda9aad

SHA512
f9e399c57117c54a89e541761daaec6856d625aae914fb39dc2a363c292817174b8b5830dccc2c3a1dcdeeb1cf79d265d3e7df10fbb6699ba00060fc0443e2eb

Download Submit
C:\Windows\SysWOW64\wjnkurtc.exe

Filesize
313KB

MD5
4dbf81008ab8c201e1b42465f35d5583

SHA1
2b682c07f30b6580111495e9022b3ada15face72

SHA256
b0e6d881375a39b7523c3e104a4c23852fca05da8fd893a4f9a9a88c4dda9aad

SHA512
f9e399c57117c54a89e541761daaec6856d625aae914fb39dc2a363c292817174b8b5830dccc2c3a1dcdeeb1cf79d265d3e7df10fbb6699ba00060fc0443e2eb

Download Submit
C:\Windows\SysWOW64\wjqtcshu.exe

Filesize
313KB

MD5
489fdaa7724d85cd0184ee94500bc23b

SHA1
bb7800081c21963609afddb441b9f49d68461eb2

SHA256
60849070b1e3cc03dc3893115eb5f8714be007ee000c49e698360cab6958ee2d

SHA512
fb64a1e13c7023a2a648f5987366682b47dfa7e6fd231ef5152646c9c814cedfc69a1a1a54ec5a2bfa36e2f48024b1c99622ed58afa1de30c8faf309ead3e226

Download Submit
C:\Windows\SysWOW64\wjqtcshu.exe

Filesize
313KB

MD5
489fdaa7724d85cd0184ee94500bc23b

SHA1
bb7800081c21963609afddb441b9f49d68461eb2

SHA256
60849070b1e3cc03dc3893115eb5f8714be007ee000c49e698360cab6958ee2d

SHA512
fb64a1e13c7023a2a648f5987366682b47dfa7e6fd231ef5152646c9c814cedfc69a1a1a54ec5a2bfa36e2f48024b1c99622ed58afa1de30c8faf309ead3e226

Download Submit
C:\Windows\SysWOW64\wkmaaeam.exe

Filesize
313KB

MD5
1cf9668a059cafde3ee4c270af58a001

SHA1
94d7f3d750365812ad381ef3f2bfa24528ae926a

SHA256
d4bc3b8e94d647717f6d6ace1640372289ccdb2a7e16361b6ed26202f018eed9

SHA512
7ef5ec92f70cef6e3495edae6bcb2f1580b6f8a6463a6c0622ac8f0bbb66566adb25dbce18f0193bc936c555fd8b9369fdfb3a1c1dc84e5ee941567905c29a3d

Download Submit
C:\Windows\SysWOW64\wkmaaeam.exe

Filesize
313KB

MD5
1cf9668a059cafde3ee4c270af58a001

SHA1
94d7f3d750365812ad381ef3f2bfa24528ae926a

SHA256
d4bc3b8e94d647717f6d6ace1640372289ccdb2a7e16361b6ed26202f018eed9

SHA512
7ef5ec92f70cef6e3495edae6bcb2f1580b6f8a6463a6c0622ac8f0bbb66566adb25dbce18f0193bc936c555fd8b9369fdfb3a1c1dc84e5ee941567905c29a3d

Download Submit
C:\Windows\SysWOW64\wktske.exe

Filesize
313KB

MD5
8d533be5923d053ed90a26fe76e0cbd6

SHA1
b40c4131e8cb06094e815dbc8e117ba31d7ff188

SHA256
d1cfa807e8a24824ca7bfc751c6a4078248f65ba9c5c69a8309b65961d37a572

SHA512
93b6825b20f0ed103c873cad782e9aa6ee682c88d31f91b438bd346e6c464c0d6fe241955d9f6a645b0e4d472c2ca9b213ad860cedbabc088ff9af56d458a1ab

Download Submit
C:\Windows\SysWOW64\wktske.exe

Filesize
313KB

MD5
8d533be5923d053ed90a26fe76e0cbd6

SHA1
b40c4131e8cb06094e815dbc8e117ba31d7ff188

SHA256
d1cfa807e8a24824ca7bfc751c6a4078248f65ba9c5c69a8309b65961d37a572

SHA512
93b6825b20f0ed103c873cad782e9aa6ee682c88d31f91b438bd346e6c464c0d6fe241955d9f6a645b0e4d472c2ca9b213ad860cedbabc088ff9af56d458a1ab

Download Submit
C:\Windows\SysWOW64\wllogn.exe

Filesize
313KB

MD5
06783d52821aadd309d3d1d20a77336c

SHA1
ba92acbd98bb57aee7cd56806c323b26bf022610

SHA256
69985a557b8e1720be7a18454c6fac2577e69c35efe5c342512893354571adf2

SHA512
ab945619e940b7d8aa5655e944aff07864bc2a2b52fde4fe1c4e6f61f95c1bc84b900167360145c6c0356d5e7d5ccbf6b344373f68ef77d9c1f4c7dbdf940d1a

Download Submit
C:\Windows\SysWOW64\wllogn.exe

Filesize
313KB

MD5
06783d52821aadd309d3d1d20a77336c

SHA1
ba92acbd98bb57aee7cd56806c323b26bf022610

SHA256
69985a557b8e1720be7a18454c6fac2577e69c35efe5c342512893354571adf2

SHA512
ab945619e940b7d8aa5655e944aff07864bc2a2b52fde4fe1c4e6f61f95c1bc84b900167360145c6c0356d5e7d5ccbf6b344373f68ef77d9c1f4c7dbdf940d1a

Download Submit
C:\Windows\SysWOW64\wmexpi.exe

Filesize
313KB

MD5
a7c5f95cce41649773db9ce3e38c58ad

SHA1
311d86280a06153f2e7ec9d5c6c73a075d270fd8

SHA256
fe18743e10569d5b7e84fde9c6c405d883ebdef5d429eb58c4eecdc87468bfa4

SHA512
9e896d40fe862391d9db8edf966139f9c7398e9ae8f7327249a51b4e5dde2d94894029a4232f598dcdeff57f3e4d304de8b272d6c1034fb137257f0b3ecb66db

Download Submit
C:\Windows\SysWOW64\wmexpi.exe

Filesize
313KB

MD5
a7c5f95cce41649773db9ce3e38c58ad

SHA1
311d86280a06153f2e7ec9d5c6c73a075d270fd8

SHA256
fe18743e10569d5b7e84fde9c6c405d883ebdef5d429eb58c4eecdc87468bfa4

SHA512
9e896d40fe862391d9db8edf966139f9c7398e9ae8f7327249a51b4e5dde2d94894029a4232f598dcdeff57f3e4d304de8b272d6c1034fb137257f0b3ecb66db

Download Submit
C:\Windows\SysWOW64\wouict.exe

Filesize
313KB

MD5
d19dc96543d9d4a9b513054a4073130e

SHA1
5ba69d5a568216ca634e04fe23cd3797df3c32f8

SHA256
a37543c4c64a2a6faff433c8021269a9075ddda3230687eaf18e02e772b81bc4

SHA512
21bb3951deb68795a2e1a6f31bf609095e170f9add372e136093d73e8ffa195b85e8c8d0311be73c10cc51d1870e1d41c50b2ec139f55e94935e89f41f8b8b97

Download Submit
C:\Windows\SysWOW64\wouict.exe

Filesize
313KB

MD5
d19dc96543d9d4a9b513054a4073130e

SHA1
5ba69d5a568216ca634e04fe23cd3797df3c32f8

SHA256
a37543c4c64a2a6faff433c8021269a9075ddda3230687eaf18e02e772b81bc4

SHA512
21bb3951deb68795a2e1a6f31bf609095e170f9add372e136093d73e8ffa195b85e8c8d0311be73c10cc51d1870e1d41c50b2ec139f55e94935e89f41f8b8b97

Download Submit
C:\Windows\SysWOW64\wqlmvfqyy.exe

Filesize
313KB

MD5
311edbf1323c2527a258c54313421432

SHA1
24f8def8180b1a8ee729442a6e94193b49473bb8

SHA256
a62ace23ffb4de1c3e395774d66782ab438a6ab012a22dba1d583b63a5b7297d

SHA512
f9035d792ead34cc74a5a96dbd5c142f38319df38d2bf06de14731523374897fd593048092244701b7ce3cdda0e6ed226b920d46f02064de063cfc6cc8fe1d42

Download Submit
C:\Windows\SysWOW64\wqlmvfqyy.exe

Filesize
313KB

MD5
311edbf1323c2527a258c54313421432

SHA1
24f8def8180b1a8ee729442a6e94193b49473bb8

SHA256
a62ace23ffb4de1c3e395774d66782ab438a6ab012a22dba1d583b63a5b7297d

SHA512
f9035d792ead34cc74a5a96dbd5c142f38319df38d2bf06de14731523374897fd593048092244701b7ce3cdda0e6ed226b920d46f02064de063cfc6cc8fe1d42

Download Submit
C:\Windows\SysWOW64\wrbwldf.exe

Filesize
313KB

MD5
a262908759e8e5dda05ab953c3e0f556

SHA1
a4ad6448dc5452998a333a7f5723ab201324457e

SHA256
be926e916289b0e04caaf7d8b0e7da44949306e613ad01a525f992f890f6581b

SHA512
4da4b21430cc02aa7e7db22a82828756c7a21b0fd24597729860505c1752464de59d7fede064ca47d32dfea1b2effa6e1f17cfa1c34af50d0d4d5d80ce3b86a6

Download Submit
C:\Windows\SysWOW64\wrbwldf.exe

Filesize
313KB

MD5
a262908759e8e5dda05ab953c3e0f556

SHA1
a4ad6448dc5452998a333a7f5723ab201324457e

SHA256
be926e916289b0e04caaf7d8b0e7da44949306e613ad01a525f992f890f6581b

SHA512
4da4b21430cc02aa7e7db22a82828756c7a21b0fd24597729860505c1752464de59d7fede064ca47d32dfea1b2effa6e1f17cfa1c34af50d0d4d5d80ce3b86a6

Download Submit
C:\Windows\SysWOW64\wregyfn.exe

Filesize
313KB

MD5
6153d864fbabb2d6afcd5b70d6db6104

SHA1
63b2737396ed96bed3fc113f8ee634e36d43e069

SHA256
09fa71ec1dec781b3d8bc7817447bc35de5e0afe5f353512738df3dfa9d3f75d

SHA512
ea48ae55e2f550e882c8b86939de1f81a1939ea3ca0247daa4b4991262ca9f19c04cbd6e7cf4d7a494f9ea7563d3e955fec4bd8120e785af576fe8d2426f26be

Download Submit
C:\Windows\SysWOW64\wregyfn.exe

Filesize
313KB

MD5
6153d864fbabb2d6afcd5b70d6db6104

SHA1
63b2737396ed96bed3fc113f8ee634e36d43e069

SHA256
09fa71ec1dec781b3d8bc7817447bc35de5e0afe5f353512738df3dfa9d3f75d

SHA512
ea48ae55e2f550e882c8b86939de1f81a1939ea3ca0247daa4b4991262ca9f19c04cbd6e7cf4d7a494f9ea7563d3e955fec4bd8120e785af576fe8d2426f26be

Download Submit
C:\Windows\SysWOW64\wrllqhid.exe

Filesize
313KB

MD5
0c47fa983e41838370b835d52529e611

SHA1
83b333de4d38f8474d2ac4f206facab2aaa6c4e1

SHA256
d9d66f505b8d16f6b81993ae0c93df60f1f92a1860dab216d7e2fb4f3ab480e0

SHA512
dc4d1a3067ebc9a7209422135952dd2a935140f2eeb5fba561c08b32ae79f63abc141f084d2d461b5f7b8e4fb1bbc6735cc0960d94a0b546673a37843bd5b41f

Download Submit
C:\Windows\SysWOW64\wrllqhid.exe

Filesize
313KB

MD5
0c47fa983e41838370b835d52529e611

SHA1
83b333de4d38f8474d2ac4f206facab2aaa6c4e1

SHA256
d9d66f505b8d16f6b81993ae0c93df60f1f92a1860dab216d7e2fb4f3ab480e0

SHA512
dc4d1a3067ebc9a7209422135952dd2a935140f2eeb5fba561c08b32ae79f63abc141f084d2d461b5f7b8e4fb1bbc6735cc0960d94a0b546673a37843bd5b41f

Download Submit
C:\Windows\SysWOW64\wsxbee.exe

Filesize
313KB

MD5
a718a2257d9ff5ce63a372983ce498fe

SHA1
bee5b1fd2e68669917b373802d418bc754d2a796

SHA256
8042daca11b2e53b329008ec8f621dbed1d1b9b836b38a8b8193033608d0730e

SHA512
0b71bb3cdf3bb5fda944ea251346877892f3ea9a51db2c17b51b5c11644cff28301e8fa4183fb91edf007ac261e2ff9f4fd7405cb9f4706f138dcd94767237a1

Download Submit
C:\Windows\SysWOW64\wsxbee.exe

Filesize
313KB

MD5
a718a2257d9ff5ce63a372983ce498fe

SHA1
bee5b1fd2e68669917b373802d418bc754d2a796

SHA256
8042daca11b2e53b329008ec8f621dbed1d1b9b836b38a8b8193033608d0730e

SHA512
0b71bb3cdf3bb5fda944ea251346877892f3ea9a51db2c17b51b5c11644cff28301e8fa4183fb91edf007ac261e2ff9f4fd7405cb9f4706f138dcd94767237a1

Download Submit
C:\Windows\SysWOW64\wtpc.exe

Filesize
314KB

MD5
c377c2101dcb529af37cde5b510e8d93

SHA1
71bc1490131a444fdff2ad38c0e4c26e0eadd900

SHA256
b99bba24b32afde7963048210b671415d6f761ec4f8b21177f17ec8e9124afe4

SHA512
1bc36206d8357a3ce20a1d2eb6984ac6b49683217fed860f1819d2bb17268eedca33315c5581e5e4f70a0820345b021d21986c69e32361ec8214569e349e9918

Download Submit
C:\Windows\SysWOW64\wtpc.exe

Filesize
314KB

MD5
c377c2101dcb529af37cde5b510e8d93

SHA1
71bc1490131a444fdff2ad38c0e4c26e0eadd900

SHA256
b99bba24b32afde7963048210b671415d6f761ec4f8b21177f17ec8e9124afe4

SHA512
1bc36206d8357a3ce20a1d2eb6984ac6b49683217fed860f1819d2bb17268eedca33315c5581e5e4f70a0820345b021d21986c69e32361ec8214569e349e9918

Download Submit
C:\Windows\SysWOW64\wtwimr.exe

Filesize
313KB

MD5
5458756cc3731b85568cbb38e393b174

SHA1
8db104af190fac4a94248cba86742d375fde4be8

SHA256
a5f50e1d1afa03b8f6ddf39073e587760e0fb7cb0314e8bfcb78bb5331776b36

SHA512
7f5ae19929945918460c31a09ab583b0c122706fc53ce06711058c41cfe180283dd6858e4b00c128008cc2d84ed6b4ef28e725e67de554076bc927d4a6e274ce

Download Submit
C:\Windows\SysWOW64\wtwimr.exe

Filesize
313KB

MD5
5458756cc3731b85568cbb38e393b174

SHA1
8db104af190fac4a94248cba86742d375fde4be8

SHA256
a5f50e1d1afa03b8f6ddf39073e587760e0fb7cb0314e8bfcb78bb5331776b36

SHA512
7f5ae19929945918460c31a09ab583b0c122706fc53ce06711058c41cfe180283dd6858e4b00c128008cc2d84ed6b4ef28e725e67de554076bc927d4a6e274ce

Download Submit
C:\Windows\SysWOW64\wucwxmf.exe

Filesize
313KB

MD5
375cc76be3f9476f4a6dd7aa14164d0d

SHA1
72764cc9f3e7527bd4c044b4441677a24bf70b7c

SHA256
d36b845a8da644a0e4852912b226d88e2cdc43b688d8145ff1f90deabed41120

SHA512
b6425d81efb01d737cd7c9998e8b6424415e0961297ca051029ac307a4828b2fac1a1b2209c319e744831a6664797ddf707c1a0eb944d1157924812c4f2832fa

Download Submit
C:\Windows\SysWOW64\wucwxmf.exe

Filesize
313KB

MD5
375cc76be3f9476f4a6dd7aa14164d0d

SHA1
72764cc9f3e7527bd4c044b4441677a24bf70b7c

SHA256
d36b845a8da644a0e4852912b226d88e2cdc43b688d8145ff1f90deabed41120

SHA512
b6425d81efb01d737cd7c9998e8b6424415e0961297ca051029ac307a4828b2fac1a1b2209c319e744831a6664797ddf707c1a0eb944d1157924812c4f2832fa

Download Submit
memory/440-205-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/440-194-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/456-121-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/912-195-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1440-132-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1440-126-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-237-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-39-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1548-236-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1588-20-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2052-111-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-168-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-3-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3080-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3888-247-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3996-143-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4028-184-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4076-101-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4360-163-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4412-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4412-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4704-226-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4860-174-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4860-257-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4932-216-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4932-213-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4972-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4972-41-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5000-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5024-70-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download