deb312067fd9bee453cbd984091fc87bad276c008924a495725d0f572e9b5516

Analysis

max time kernel
40s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2c8d4e577058e87ff8275b24387356a0.exe
Size

352KB
MD5

2c8d4e577058e87ff8275b24387356a0
SHA1

ba7dcf5bec687b935546fede907d0d2c03bca99a
SHA256

deb312067fd9bee453cbd984091fc87bad276c008924a495725d0f572e9b5516
SHA512

f5176aaae087a6b51b5199e8aaa234f42c2efd893cdd5538bbfa98f8af9513e8fe9de880a64cc58a3a2bdaa6806473f9125e0412b9592e1531142866de43a0d0
SSDEEP

6144:pYFoSUDxyFkhKSZI4zLVSVp3ys9ceiItgAv:aeJVWcKSZhnVep3ys37tgAv

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/3880-0-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e29-5.dat	family_berbew
behavioral2/files/0x0008000000022e29-9.dat	family_berbew
behavioral2/files/0x0008000000022e29-8.dat	family_berbew
behavioral2/files/0x0006000000022e4d-21.dat	family_berbew
behavioral2/files/0x0006000000022e4d-20.dat	family_berbew
behavioral2/memory/3880-25-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x000a000000022e4f-34.dat	family_berbew
behavioral2/memory/2536-35-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/1028-39-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x000a000000022e4f-33.dat	family_berbew
behavioral2/memory/384-49-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0015000000022e50-48.dat	family_berbew
behavioral2/files/0x0015000000022e50-47.dat	family_berbew
behavioral2/memory/2808-59-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4d-58.dat	family_berbew
behavioral2/files/0x0007000000022e4d-57.dat	family_berbew
behavioral2/files/0x0011000000022e5a-68.dat	family_berbew
behavioral2/files/0x0011000000022e5a-67.dat	family_berbew
behavioral2/memory/3444-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x000d000000022e5d-82.dat	family_berbew
behavioral2/files/0x000d000000022e5d-81.dat	family_berbew
behavioral2/files/0x000b000000022e4f-91.dat	family_berbew
behavioral2/files/0x000b000000022e4f-90.dat	family_berbew
behavioral2/memory/4260-102-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/2152-101-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x000e000000022e66-100.dat	family_berbew
behavioral2/files/0x000e000000022e66-99.dat	family_berbew
behavioral2/memory/2152-119-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/2340-124-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e70-117.dat	family_berbew
behavioral2/files/0x0006000000022e70-116.dat	family_berbew
behavioral2/memory/4720-126-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/2936-142-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/2340-137-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0019000000022e5e-135.dat	family_berbew
behavioral2/files/0x0019000000022e5e-134.dat	family_berbew
behavioral2/memory/4604-153-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/4080-152-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022e6b-151.dat	family_berbew
behavioral2/files/0x0009000000022e6b-150.dat	family_berbew
behavioral2/files/0x0008000000022e76-162.dat	family_berbew
behavioral2/memory/4080-164-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/2844-163-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e76-161.dat	family_berbew
behavioral2/memory/2844-174-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022d55-173.dat	family_berbew
behavioral2/files/0x0009000000022d55-172.dat	family_berbew
behavioral2/files/0x0009000000022d5f-183.dat	family_berbew
behavioral2/files/0x0009000000022d5f-182.dat	family_berbew
behavioral2/files/0x000a000000022d61-192.dat	family_berbew
behavioral2/files/0x000a000000022d61-191.dat	family_berbew
behavioral2/files/0x000d000000022d70-201.dat	family_berbew
behavioral2/files/0x000d000000022d70-200.dat	family_berbew
behavioral2/memory/2272-216-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/4836-217-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x000d000000022d7f-214.dat	family_berbew
behavioral2/files/0x000d000000022d7f-213.dat	family_berbew
behavioral2/memory/3324-222-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/3636-224-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/files/0x000c000000022d81-234.dat	family_berbew
behavioral2/files/0x000c000000022d81-233.dat	family_berbew
behavioral2/memory/2272-235-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew
behavioral2/memory/384-237-0x0000000000400000-0x0000000000426000-memory.dmp	family_berbew

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.2c8d4e577058e87ff8275b24387356a0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wspeu.exe	NEAS.2c8d4e577058e87ff8275b24387356a0.exe
File opened for modification	C:\Windows\SysWOW64\wspeu.exe	NEAS.2c8d4e577058e87ff8275b24387356a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 24 IoCs

pid	pid_target	Process	procid_target
3148	3880	WerFault.exe	16
2412	1028	WerFault.exe	92
4140	3880	WerFault.exe	16
3540	1028	WerFault.exe	92
2408	1028	WerFault.exe	92
5072	3444	WerFault.exe	121
4860	2936	WerFault.exe	130
1236	2936	WerFault.exe	130
1964	4720	WerFault.exe	131
3868	2936	WerFault.exe	130
4700	3324	WerFault.exe	168
5104	3636	WerFault.exe	171
4448	384	WerFault.exe	176
1152	3260	WerFault.exe	189
2316	3260	WerFault.exe	189
2396	3260	WerFault.exe	189
3796	5116	WerFault.exe	199
2796	5104	WerFault.exe	210
4840	4412	WerFault.exe	217
1556	4412	WerFault.exe	217
3092	4344	WerFault.exe	228
2028	3488	WerFault.exe	241
1852	3488	WerFault.exe	241
2412	2604	WerFault.exe	242

C:\Users\Admin\AppData\Local\Temp\NEAS.2c8d4e577058e87ff8275b24387356a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2c8d4e577058e87ff8275b24387356a0.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3880
- C:\Windows\SysWOW64\wspeu.exe
  "C:\Windows\system32\wspeu.exe"
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\wisdvs.exe
    "C:\Windows\system32\wisdvs.exe"
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisdvs.exe"
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\wcix.exe
      "C:\Windows\system32\wcix.exe"
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\wftex.exe
        
        "C:\Windows\system32\wftex.exe"
        5⤵
        
        PID:2808
      - C:\Windows\SysWOW64\wnppnd.exe
        
        "C:\Windows\system32\wnppnd.exe"
        6⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnppnd.exe"
        7⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1688
        7⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\wvul.exe
        
        "C:\Windows\system32\wvul.exe"
        7⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\wwaqwqnd.exe
        
        "C:\Windows\system32\wwaqwqnd.exe"
        8⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwaqwqnd.exe"
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1548
        9⤵
        Program crash
        
        PID:1964
        
        C:\Windows\SysWOW64\wendpnr.exe
        
        "C:\Windows\system32\wendpnr.exe"
        9⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\wuudnn.exe
        
        "C:\Windows\system32\wuudnn.exe"
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\wcortk.exe
        
        "C:\Windows\system32\wcortk.exe"
        11⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\wdwgna.exe
        
        "C:\Windows\system32\wdwgna.exe"
        12⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\waqul.exe
        
        "C:\Windows\system32\waqul.exe"
        13⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqul.exe"
        14⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\wpcymaaxh.exe
        
        "C:\Windows\system32\wpcymaaxh.exe"
        14⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\wrnivv.exe
        
        "C:\Windows\system32\wrnivv.exe"
        15⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\wiefifu.exe
        
        "C:\Windows\system32\wiefifu.exe"
        16⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\wwmsqqbf.exe
        
        "C:\Windows\system32\wwmsqqbf.exe"
        17⤵
        
        PID:384
        
        C:\Windows\SysWOW64\wjcibx.exe
        
        "C:\Windows\system32\wjcibx.exe"
        18⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\wbcrd.exe
        
        "C:\Windows\system32\wbcrd.exe"
        19⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\whrb.exe
        
        "C:\Windows\system32\whrb.exe"
        20⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1680
        21⤵
        Program crash
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1668
        21⤵
        Program crash
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrb.exe"
        21⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\wavqftc.exe
        
        "C:\Windows\system32\wavqftc.exe"
        21⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\wighxg.exe
        
        "C:\Windows\system32\wighxg.exe"
        22⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1544
        23⤵
        Program crash
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wighxg.exe"
        23⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\wvvutq.exe
        
        "C:\Windows\system32\wvvutq.exe"
        23⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\wtjoophh.exe
        
        "C:\Windows\system32\wtjoophh.exe"
        24⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjoophh.exe"
        25⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 116
        25⤵
        Program crash
        
        PID:2796
        
        C:\Windows\SysWOW64\wnbvjife.exe
        
        "C:\Windows\system32\wnbvjife.exe"
        25⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1656
        26⤵
        Program crash
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbvjife.exe"
        26⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\wsxkj.exe
        
        "C:\Windows\system32\wsxkj.exe"
        26⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxkj.exe"
        27⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\wdvoq.exe
        
        "C:\Windows\system32\wdvoq.exe"
        27⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\wymjtga.exe
        
        "C:\Windows\system32\wymjtga.exe"
        28⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\wfmddhnt.exe
        
        "C:\Windows\system32\wfmddhnt.exe"
        29⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\wjtbl.exe
        
        "C:\Windows\system32\wjtbl.exe"
        30⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtbl.exe"
        31⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\wsv.exe
        
        "C:\Windows\system32\wsv.exe"
        31⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\wcjxoh.exe
        
        "C:\Windows\system32\wcjxoh.exe"
        32⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjxoh.exe"
        33⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1432
        33⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\wnkm.exe
        
        "C:\Windows\system32\wnkm.exe"
        33⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnkm.exe"
        34⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\wonhk.exe
        
        "C:\Windows\system32\wonhk.exe"
        34⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonhk.exe"
        35⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\wqsax.exe
        
        "C:\Windows\system32\wqsax.exe"
        35⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1104
        32⤵
        Program crash
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsv.exe"
        32⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1580
        32⤵
        Program crash
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmddhnt.exe"
        30⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1280
        29⤵
        Program crash
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymjtga.exe"
        29⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvoq.exe"
        28⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1652
        26⤵
        Program crash
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvutq.exe"
        24⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavqftc.exe"
        22⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1108
        21⤵
        Program crash
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcrd.exe"
        20⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcibx.exe"
        19⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 116
        18⤵
        Program crash
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwmsqqbf.exe"
        18⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 116
        17⤵
        Program crash
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiefifu.exe"
        17⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1680
        16⤵
        Program crash
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrnivv.exe"
        16⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcymaaxh.exe"
        15⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdwgna.exe"
        13⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcortk.exe"
        12⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuudnn.exe"
        11⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wendpnr.exe"
        10⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvul.exe"
        8⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1280
        8⤵
        Program crash
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1476
        8⤵
        Program crash
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1636
        8⤵
        Program crash
        
        PID:3868
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wftex.exe"
        6⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcix.exe"
        5⤵
        
        PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 116
    3⤵
    - Program crash
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspeu.exe"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1536
    3⤵
    - Program crash
    PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 720
    3⤵
    - Program crash
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\NEAS.2c8d4e577058e87ff8275b24387356a0.exe"
  2⤵
  PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1280
  2⤵
  - Program crash
  PID:3148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 116
  2⤵
  - Program crash
  PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3880 -ip 3880
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1028 -ip 1028
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3880 -ip 3880
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1028 -ip 1028
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1028 -ip 1028
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3444 -ip 3444
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2936 -ip 2936
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2936 -ip 2936
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4720 -ip 4720
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2936 -ip 2936
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3324 -ip 3324
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3636 -ip 3636
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 384 -ip 384
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3260 -ip 3260
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3260 -ip 3260
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3260 -ip 3260
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5116 -ip 5116
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5104 -ip 5104
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4412 -ip 4412
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4412 -ip 4412
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4344 -ip 4344
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3488 -ip 3488
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3488 -ip 3488
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2604 -ip 2604
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waqul.exe

Filesize
352KB

MD5
f70dfb34d9cadb17ce123e7f541a28c7

SHA1
b14ed1ed69bdf0909e78516cc1652d4854d6e61c

SHA256
c33fd9231cfca73874eab1de54ecd7e6dd03ae75b670fd6852bdfcf01aa148a6

SHA512
922dd95dd4c438db46d8318c0ad5f4552f208aa7e2fdaae7c85f1de4a711733239d21781f4ed2e6147d7bbb7b8197199a66ebe750f77a6fdc3abaf2113074b35

Download Submit
C:\Windows\SysWOW64\waqul.exe

Filesize
352KB

MD5
f70dfb34d9cadb17ce123e7f541a28c7

SHA1
b14ed1ed69bdf0909e78516cc1652d4854d6e61c

SHA256
c33fd9231cfca73874eab1de54ecd7e6dd03ae75b670fd6852bdfcf01aa148a6

SHA512
922dd95dd4c438db46d8318c0ad5f4552f208aa7e2fdaae7c85f1de4a711733239d21781f4ed2e6147d7bbb7b8197199a66ebe750f77a6fdc3abaf2113074b35

Download Submit
C:\Windows\SysWOW64\wavqftc.exe

Filesize
352KB

MD5
0ce389f7b36fb5ec0fb7c70932c75ecc

SHA1
fd5b03bf86b6a21d58ba3753602f8e13657facfb

SHA256
5435e500cdb9b1f8824357199a6e865e913911c5fe487a6c3196b2a2ea7ea785

SHA512
f89763e888792bce8a89b28ee88debda2f7b3e5823421625a828caf8ce3e04ce9b2a2609380892206aac11e09c5c524cd97f71f3917c35a693857097f92afc92

Download Submit
C:\Windows\SysWOW64\wavqftc.exe

Filesize
352KB

MD5
0ce389f7b36fb5ec0fb7c70932c75ecc

SHA1
fd5b03bf86b6a21d58ba3753602f8e13657facfb

SHA256
5435e500cdb9b1f8824357199a6e865e913911c5fe487a6c3196b2a2ea7ea785

SHA512
f89763e888792bce8a89b28ee88debda2f7b3e5823421625a828caf8ce3e04ce9b2a2609380892206aac11e09c5c524cd97f71f3917c35a693857097f92afc92

Download Submit
C:\Windows\SysWOW64\wbcrd.exe

Filesize
352KB

MD5
d31acdfe566f102e9b26cb88a948100e

SHA1
5052a517a510193bba36cb282829b6bf092673ee

SHA256
f4ae0f764c4bbc6ebcc85343954db15d067fc3fc6be154a670bb1b83087c1a4f

SHA512
96645ccc58bb681f1d96a1352d01015cc00437270be395bad754c05d711299fc9444d4954a98d39ff06e65f6f1b61e592a7f895871aff09b9e73951dd8b01861

Download Submit
C:\Windows\SysWOW64\wbcrd.exe

Filesize
352KB

MD5
d31acdfe566f102e9b26cb88a948100e

SHA1
5052a517a510193bba36cb282829b6bf092673ee

SHA256
f4ae0f764c4bbc6ebcc85343954db15d067fc3fc6be154a670bb1b83087c1a4f

SHA512
96645ccc58bb681f1d96a1352d01015cc00437270be395bad754c05d711299fc9444d4954a98d39ff06e65f6f1b61e592a7f895871aff09b9e73951dd8b01861

Download Submit
C:\Windows\SysWOW64\wcix.exe

Filesize
352KB

MD5
3cb1363d49460b4049a6b4ab46e76334

SHA1
5e0106edbf054e6a71b8100d338cfad9c74f3454

SHA256
02b71cd2af4ba75bfcf326043848bf1a642932649254e146641ddc06ba5d4615

SHA512
e8e34583eef643474024914cdb831b0281898c63b3f2699bc6d59aea6395567e556844d1b5704aa7cef48b194306b3b94d87d585cc56f692619244daa06012ce

Download Submit
C:\Windows\SysWOW64\wcix.exe

Filesize
352KB

MD5
3cb1363d49460b4049a6b4ab46e76334

SHA1
5e0106edbf054e6a71b8100d338cfad9c74f3454

SHA256
02b71cd2af4ba75bfcf326043848bf1a642932649254e146641ddc06ba5d4615

SHA512
e8e34583eef643474024914cdb831b0281898c63b3f2699bc6d59aea6395567e556844d1b5704aa7cef48b194306b3b94d87d585cc56f692619244daa06012ce

Download Submit
C:\Windows\SysWOW64\wcjxoh.exe

Filesize
353KB

MD5
868b0242738a53fe272789b1f8e1c256

SHA1
d5ea608af551e7f4c37fbc65a73660bd4b9e8237

SHA256
b1edb620484b69ac94676a0ae80b9e7a32d473130f72f5900882b7ba0dd0ca03

SHA512
0752a0ca536fa52042dbb13a8d7c238997f61e9322e989cb249de981c2ef4211d2b82da9752c0d774af8384ad2a2bc9261eb42d86d6957720632357d725f1601

Download Submit
C:\Windows\SysWOW64\wcjxoh.exe

Filesize
353KB

MD5
868b0242738a53fe272789b1f8e1c256

SHA1
d5ea608af551e7f4c37fbc65a73660bd4b9e8237

SHA256
b1edb620484b69ac94676a0ae80b9e7a32d473130f72f5900882b7ba0dd0ca03

SHA512
0752a0ca536fa52042dbb13a8d7c238997f61e9322e989cb249de981c2ef4211d2b82da9752c0d774af8384ad2a2bc9261eb42d86d6957720632357d725f1601

Download Submit
C:\Windows\SysWOW64\wcortk.exe

Filesize
352KB

MD5
3ffac5f73f5c8af96450f300489154c0

SHA1
5bb16863e9d6fc96622f2d554ca0a6a349846d27

SHA256
69dd3997ab15d54ac705f1ecc12f2d7e2e1f82b370a5e610bfe845705946ca13

SHA512
20a39ad316fcc6b405681775bd8f7886d70e68bf408ca112933afef7269c825635ec34076ec4de192ae44d986207799d751fcabe9c459817a5a975abf466386e

Download Submit
C:\Windows\SysWOW64\wcortk.exe

Filesize
352KB

MD5
3ffac5f73f5c8af96450f300489154c0

SHA1
5bb16863e9d6fc96622f2d554ca0a6a349846d27

SHA256
69dd3997ab15d54ac705f1ecc12f2d7e2e1f82b370a5e610bfe845705946ca13

SHA512
20a39ad316fcc6b405681775bd8f7886d70e68bf408ca112933afef7269c825635ec34076ec4de192ae44d986207799d751fcabe9c459817a5a975abf466386e

Download Submit
C:\Windows\SysWOW64\wdvoq.exe

Filesize
352KB

MD5
ccaa28cf8e31526e74eed1d8e6a24e32

SHA1
f2fa156eb2f116c7186226753d675cf96dab9fba

SHA256
5b831a33a19e792d49f3a565b45edcba12ef4c919437cc935c61661f17d3f9a8

SHA512
a84c78b003911717acbaade23e894cac7b5e829a58f62cb111cd8c7084d8ee30c70e4455beff548518be02900dd946a77ffe90c2da629e3aa5319db6d4691bb4

Download Submit
C:\Windows\SysWOW64\wdvoq.exe

Filesize
352KB

MD5
ccaa28cf8e31526e74eed1d8e6a24e32

SHA1
f2fa156eb2f116c7186226753d675cf96dab9fba

SHA256
5b831a33a19e792d49f3a565b45edcba12ef4c919437cc935c61661f17d3f9a8

SHA512
a84c78b003911717acbaade23e894cac7b5e829a58f62cb111cd8c7084d8ee30c70e4455beff548518be02900dd946a77ffe90c2da629e3aa5319db6d4691bb4

Download Submit
C:\Windows\SysWOW64\wdwgna.exe

Filesize
352KB

MD5
51dda3210bc81c2579bc2a43b19f474c

SHA1
f5d26e01dda0a1ed65c0966ae3f501b9384eb405

SHA256
993ab6b621cdd5dc7c92c8577418767d021d4dbcd9d76e035ede120533dca109

SHA512
629af830a16d60384c2e1a88584789810e0d967665724508eca3884effcbe7c602f4cf043a715bcb9c472a945793be69c2e42a92724de905a36c715a0f0d31e4

Download Submit
C:\Windows\SysWOW64\wdwgna.exe

Filesize
352KB

MD5
51dda3210bc81c2579bc2a43b19f474c

SHA1
f5d26e01dda0a1ed65c0966ae3f501b9384eb405

SHA256
993ab6b621cdd5dc7c92c8577418767d021d4dbcd9d76e035ede120533dca109

SHA512
629af830a16d60384c2e1a88584789810e0d967665724508eca3884effcbe7c602f4cf043a715bcb9c472a945793be69c2e42a92724de905a36c715a0f0d31e4

Download Submit
C:\Windows\SysWOW64\wendpnr.exe

Filesize
352KB

MD5
cd2e5aba2280b0b07f1c30705f7e7174

SHA1
72772d4fb2f219e538bcdaf9aad7b59a6de209a4

SHA256
a8b0cd4ee3fd38e82c3ba6270b9e112a740e305e4624f91bb20d478edee6da26

SHA512
a6b60ebf4368586f6a591e0ef5f30cc3c37cb48b4e63efeb14555afdcca7d54c260d2b13699d1d3ad63318d8f3979673674f1414175cdf9dd5d16099168c92fd

Download Submit
C:\Windows\SysWOW64\wendpnr.exe

Filesize
352KB

MD5
cd2e5aba2280b0b07f1c30705f7e7174

SHA1
72772d4fb2f219e538bcdaf9aad7b59a6de209a4

SHA256
a8b0cd4ee3fd38e82c3ba6270b9e112a740e305e4624f91bb20d478edee6da26

SHA512
a6b60ebf4368586f6a591e0ef5f30cc3c37cb48b4e63efeb14555afdcca7d54c260d2b13699d1d3ad63318d8f3979673674f1414175cdf9dd5d16099168c92fd

Download Submit
C:\Windows\SysWOW64\wfmddhnt.exe

Filesize
352KB

MD5
9960d241bf7dab46df37ea2d73a62659

SHA1
160b851b80f3ca3bd151afde30fabed865b78999

SHA256
761791c8b821cb10aa68791b052450ddf53f05959080d823dc3d89a39cb8b83f

SHA512
a90b45c4673d18c7f7173ddeb151c5ba930316c369df9683e5e6d6029c90e516c2304010b87c30da15cc0a3d22747112493ca68fcc736493a9e24e5be57707fa

Download Submit
C:\Windows\SysWOW64\wfmddhnt.exe

Filesize
352KB

MD5
9960d241bf7dab46df37ea2d73a62659

SHA1
160b851b80f3ca3bd151afde30fabed865b78999

SHA256
761791c8b821cb10aa68791b052450ddf53f05959080d823dc3d89a39cb8b83f

SHA512
a90b45c4673d18c7f7173ddeb151c5ba930316c369df9683e5e6d6029c90e516c2304010b87c30da15cc0a3d22747112493ca68fcc736493a9e24e5be57707fa

Download Submit
C:\Windows\SysWOW64\wftex.exe

Filesize
352KB

MD5
b60a3a892d1bb49bc865bfc3564c92ed

SHA1
11649d30ec01537432f6cb6bc31405c721825910

SHA256
f57aa85d456a2848a0537eebed4d6ad1934aee8e31c597922218f2b14e8c7171

SHA512
f6b464bf814eab41ef3acca0586d362e973a8a86a5ee4a8adfbfaaa0f3dee56d09d6059e6b88c99baa8de38c728749813c35299908eca28f6907b2c5435a7839

Download Submit
C:\Windows\SysWOW64\wftex.exe

Filesize
352KB

MD5
b60a3a892d1bb49bc865bfc3564c92ed

SHA1
11649d30ec01537432f6cb6bc31405c721825910

SHA256
f57aa85d456a2848a0537eebed4d6ad1934aee8e31c597922218f2b14e8c7171

SHA512
f6b464bf814eab41ef3acca0586d362e973a8a86a5ee4a8adfbfaaa0f3dee56d09d6059e6b88c99baa8de38c728749813c35299908eca28f6907b2c5435a7839

Download Submit
C:\Windows\SysWOW64\whrb.exe

Filesize
352KB

MD5
4df23ed2939bd6fcede216e17f35e56c

SHA1
da19e47c22b6e45219570066b7fd0a410119f162

SHA256
9c075e2b51368ce29d0727e9e917b291115be0ec363af3e67637c65504a348ca

SHA512
d9b27ffe2468c597f8fa344c9eb4c4cb152976dca9df4c587a4229246728be5af10227f934c0f3c29ab443bd1e6a685174a777f2a5d15aa35fc3b159fcc04f9c

Download Submit
C:\Windows\SysWOW64\whrb.exe

Filesize
352KB

MD5
4df23ed2939bd6fcede216e17f35e56c

SHA1
da19e47c22b6e45219570066b7fd0a410119f162

SHA256
9c075e2b51368ce29d0727e9e917b291115be0ec363af3e67637c65504a348ca

SHA512
d9b27ffe2468c597f8fa344c9eb4c4cb152976dca9df4c587a4229246728be5af10227f934c0f3c29ab443bd1e6a685174a777f2a5d15aa35fc3b159fcc04f9c

Download Submit
C:\Windows\SysWOW64\wiefifu.exe

Filesize
352KB

MD5
9a55369409a0fb5486826335e5b195bf

SHA1
30612f92f78c08ce642ac8aab58967c958c092ff

SHA256
1c62815dcc4b38700ba8a1f20849d24aff832bd398a7b759e89f32ebf241d84e

SHA512
72899eb1af99f026d263f2cf6c53c5f1b69f5427b7ef8a89c42733c90eb660a3e8ea9f931d9e3ab7f40c1c5799adefb45bf6f2a76bb6f582a7742303ae54c472

Download Submit
C:\Windows\SysWOW64\wiefifu.exe

Filesize
352KB

MD5
9a55369409a0fb5486826335e5b195bf

SHA1
30612f92f78c08ce642ac8aab58967c958c092ff

SHA256
1c62815dcc4b38700ba8a1f20849d24aff832bd398a7b759e89f32ebf241d84e

SHA512
72899eb1af99f026d263f2cf6c53c5f1b69f5427b7ef8a89c42733c90eb660a3e8ea9f931d9e3ab7f40c1c5799adefb45bf6f2a76bb6f582a7742303ae54c472

Download Submit
C:\Windows\SysWOW64\wighxg.exe

Filesize
352KB

MD5
ee6b22c24994f174748b390ddfc4b5bd

SHA1
d1d75a38fb642b79bb27b3608657d93da7b1a84b

SHA256
2a71bcab47948ccce88e556fa16a4ce232a8393ab2a6354f90dc12c907aa393c

SHA512
43f7b5d9f050af979d57b4edfd6e86ba0802c163741e9dc98644150d7ddc4606f555459b6c62e74911b6a324515584339840e98ef99304d36cf886e7cb8934ab

Download Submit
C:\Windows\SysWOW64\wighxg.exe

Filesize
352KB

MD5
ee6b22c24994f174748b390ddfc4b5bd

SHA1
d1d75a38fb642b79bb27b3608657d93da7b1a84b

SHA256
2a71bcab47948ccce88e556fa16a4ce232a8393ab2a6354f90dc12c907aa393c

SHA512
43f7b5d9f050af979d57b4edfd6e86ba0802c163741e9dc98644150d7ddc4606f555459b6c62e74911b6a324515584339840e98ef99304d36cf886e7cb8934ab

Download Submit
C:\Windows\SysWOW64\wisdvs.exe

Filesize
352KB

MD5
5449a413e853f5a71519da09b3f2ff30

SHA1
d2db30c0106f4b689518fdd6ab0622890c23164a

SHA256
b6a31d7b1f906637ba918500d86f531245dec4c9a93babf3bda8f534ee1927e2

SHA512
2b06ae8ed95f6e47063ebab66474aaa81f950e0ee9d32f905a9b53dccc18948a5941b18c9ba6d89db9c9c9d9fb3d5e50525739f587d4200ec4ac7565d5ec06f3

Download Submit
C:\Windows\SysWOW64\wisdvs.exe

Filesize
352KB

MD5
5449a413e853f5a71519da09b3f2ff30

SHA1
d2db30c0106f4b689518fdd6ab0622890c23164a

SHA256
b6a31d7b1f906637ba918500d86f531245dec4c9a93babf3bda8f534ee1927e2

SHA512
2b06ae8ed95f6e47063ebab66474aaa81f950e0ee9d32f905a9b53dccc18948a5941b18c9ba6d89db9c9c9d9fb3d5e50525739f587d4200ec4ac7565d5ec06f3

Download Submit
C:\Windows\SysWOW64\wjcibx.exe

Filesize
352KB

MD5
11b228959759dd24a1c6ef9eb2c50a37

SHA1
a0e27c2280a0f67591f582a102581be418b27a86

SHA256
eb06b77f2a498bf15d46902f6f1bba3f1f200c49a470e90e8cf74835ad81f974

SHA512
feb043877ea3fee346fbde84abc58ba3083a02221ec6453cd40e22751a98ddaa12ef58e9811a75074e3df0dd7bb3a74139012daf7ca22289972768a49f00da4b

Download Submit
C:\Windows\SysWOW64\wjcibx.exe

Filesize
352KB

MD5
11b228959759dd24a1c6ef9eb2c50a37

SHA1
a0e27c2280a0f67591f582a102581be418b27a86

SHA256
eb06b77f2a498bf15d46902f6f1bba3f1f200c49a470e90e8cf74835ad81f974

SHA512
feb043877ea3fee346fbde84abc58ba3083a02221ec6453cd40e22751a98ddaa12ef58e9811a75074e3df0dd7bb3a74139012daf7ca22289972768a49f00da4b

Download Submit
C:\Windows\SysWOW64\wjtbl.exe

Filesize
352KB

MD5
77fb71436b651b896e6ccea4ea9ac102

SHA1
8de663291190c6d0535dca53d15705c262718f41

SHA256
cad24450e625e13dbfe45e9eba9cfe946aac1f98ede2f070dd0fe3d431b89c0a

SHA512
d52df8ecb51e5ab854b55d739ea70d8ef97f26b5324151c7c0e5c28fc2fa1c8038b4ef64048fb223615b85fe52d5239354598786bbf0a0c3ec8c618f4a44e310

Download Submit
C:\Windows\SysWOW64\wjtbl.exe

Filesize
352KB

MD5
77fb71436b651b896e6ccea4ea9ac102

SHA1
8de663291190c6d0535dca53d15705c262718f41

SHA256
cad24450e625e13dbfe45e9eba9cfe946aac1f98ede2f070dd0fe3d431b89c0a

SHA512
d52df8ecb51e5ab854b55d739ea70d8ef97f26b5324151c7c0e5c28fc2fa1c8038b4ef64048fb223615b85fe52d5239354598786bbf0a0c3ec8c618f4a44e310

Download Submit
C:\Windows\SysWOW64\wnbvjife.exe

Filesize
352KB

MD5
fdfa19327dde91ade5981dc38e483dfe

SHA1
5fb510d5e0b1109ee281df7cef6f12988149194b

SHA256
51ab5c903e90a347bda6c5b60c820fc321784a5d042bb22bea66af128a4bcd05

SHA512
2ed05e6eb6adcb90ef60a8643f3d0e402d79cf5f1f54c892b2e4ad0ba21e741afaca5a25929dc8d9ff10de3a769acf2daa9c762fbfa8e3a9248dab2f5ffbefe8

Download Submit
C:\Windows\SysWOW64\wnbvjife.exe

Filesize
352KB

MD5
fdfa19327dde91ade5981dc38e483dfe

SHA1
5fb510d5e0b1109ee281df7cef6f12988149194b

SHA256
51ab5c903e90a347bda6c5b60c820fc321784a5d042bb22bea66af128a4bcd05

SHA512
2ed05e6eb6adcb90ef60a8643f3d0e402d79cf5f1f54c892b2e4ad0ba21e741afaca5a25929dc8d9ff10de3a769acf2daa9c762fbfa8e3a9248dab2f5ffbefe8

Download Submit
C:\Windows\SysWOW64\wnkm.exe

Filesize
92KB

MD5
bd4fce828a803af6134fc4cfac64cf0c

SHA1
a60ae88c9f88b05648232159ac0cb33f96a8ecbc

SHA256
676c95ae13200f238c9d591e3352f0ff74c17ccb63f7d187152e1948cf8a51fc

SHA512
6b2e9993e87a31cb23a1d411689427f139953104a8e7b9f1536650ce8f0d4ab37b98a18eb5e90e636c0b45b746ef30dbb36d2cf49f5896910d9c80aa2c401005

Download Submit
C:\Windows\SysWOW64\wnkm.exe

Filesize
353KB

MD5
b6226aa67e6ec77bc6d3f2e1e62362ee

SHA1
461cd6cbb1c28e1a4242fa7cc7f605188c61e6ce

SHA256
f8ccdc75d21e01d698c3958b7b47c0e126112c5fb36096bf3009678878494012

SHA512
aea94bcf1049faf4bca766de5d9fd0fd92b7e7a83e787a464be2d03956f7486ce56ae7217617e8c05012babd29fe6005edbd4e343d383b07beed2e75586701c8

Download Submit
C:\Windows\SysWOW64\wnppnd.exe

Filesize
352KB

MD5
2dcf72a0f10666cea9b5d8e246dacdc5

SHA1
3fb9670011fb28e708592e0608651c38f392250b

SHA256
09ed27da818b51c3fee3e10d46b6d11123fef63154a51863fc65c8e80889063b

SHA512
4d46fb36422b0c170495bdc74994e88e02362377ced3a24e34c9b6e8f92316dacea76f575fe81187a3126e52f531b03e96032b94f4348ea73dfac22dbaf3929a

Download Submit
C:\Windows\SysWOW64\wnppnd.exe

Filesize
352KB

MD5
2dcf72a0f10666cea9b5d8e246dacdc5

SHA1
3fb9670011fb28e708592e0608651c38f392250b

SHA256
09ed27da818b51c3fee3e10d46b6d11123fef63154a51863fc65c8e80889063b

SHA512
4d46fb36422b0c170495bdc74994e88e02362377ced3a24e34c9b6e8f92316dacea76f575fe81187a3126e52f531b03e96032b94f4348ea73dfac22dbaf3929a

Download Submit
C:\Windows\SysWOW64\wpcymaaxh.exe

Filesize
352KB

MD5
e693afd498edc00a20707f44b23fa32c

SHA1
b9fc669762e1250ff8bbdb9dfdbdc1156ddcb272

SHA256
ba1861780923d9418f871c9c7a016dbee9204aae77a0041898b800e178226309

SHA512
ea5affbe02466880242e6fcbda9b47eceb4c03493c8b9fd200581753635ae916349fc57c884c9b7afad69cd0dec6d65d28bae46dd617c4954507c6733a40b12e

Download Submit
C:\Windows\SysWOW64\wpcymaaxh.exe

Filesize
352KB

MD5
e693afd498edc00a20707f44b23fa32c

SHA1
b9fc669762e1250ff8bbdb9dfdbdc1156ddcb272

SHA256
ba1861780923d9418f871c9c7a016dbee9204aae77a0041898b800e178226309

SHA512
ea5affbe02466880242e6fcbda9b47eceb4c03493c8b9fd200581753635ae916349fc57c884c9b7afad69cd0dec6d65d28bae46dd617c4954507c6733a40b12e

Download Submit
C:\Windows\SysWOW64\wrnivv.exe

Filesize
352KB

MD5
8f437a4b17bfeb00a55c5904c19b472d

SHA1
ec70e6db40cd293ac0781d1661c272023996404b

SHA256
88847080817bd7d74b19cb9dbc072a885cf1b3b4b8680d8a0d8ac80f1b796e65

SHA512
583b18247068188b5707b6d5441c47ec0729a282d3327d071b450380fee0136b8098e6fb086572378c77f789d7dfb35bf7fe1e4a5dfd1d7ae147c277402eccbe

Download Submit
C:\Windows\SysWOW64\wrnivv.exe

Filesize
352KB

MD5
8f437a4b17bfeb00a55c5904c19b472d

SHA1
ec70e6db40cd293ac0781d1661c272023996404b

SHA256
88847080817bd7d74b19cb9dbc072a885cf1b3b4b8680d8a0d8ac80f1b796e65

SHA512
583b18247068188b5707b6d5441c47ec0729a282d3327d071b450380fee0136b8098e6fb086572378c77f789d7dfb35bf7fe1e4a5dfd1d7ae147c277402eccbe

Download Submit
C:\Windows\SysWOW64\wspeu.exe

Filesize
352KB

MD5
3163ffae81c2fa578cca7f5f82085c25

SHA1
b454b18e58085b3d1b32723383091f19c91f9789

SHA256
27de1e7ed7e22e8632119734f4f48a7a7c364305bac727b22750d609a01d0d2a

SHA512
6f56fa09b5848b9d8d5c4a8414db8057756ff0c13d3ce9807f737b690136edbf7f8f790f7e2fff7013ce8b3498e432568152ceead81dceb51f8513f8bc004171

Download Submit
C:\Windows\SysWOW64\wspeu.exe

Filesize
352KB

MD5
3163ffae81c2fa578cca7f5f82085c25

SHA1
b454b18e58085b3d1b32723383091f19c91f9789

SHA256
27de1e7ed7e22e8632119734f4f48a7a7c364305bac727b22750d609a01d0d2a

SHA512
6f56fa09b5848b9d8d5c4a8414db8057756ff0c13d3ce9807f737b690136edbf7f8f790f7e2fff7013ce8b3498e432568152ceead81dceb51f8513f8bc004171

Download Submit
C:\Windows\SysWOW64\wspeu.exe

Filesize
352KB

MD5
3163ffae81c2fa578cca7f5f82085c25

SHA1
b454b18e58085b3d1b32723383091f19c91f9789

SHA256
27de1e7ed7e22e8632119734f4f48a7a7c364305bac727b22750d609a01d0d2a

SHA512
6f56fa09b5848b9d8d5c4a8414db8057756ff0c13d3ce9807f737b690136edbf7f8f790f7e2fff7013ce8b3498e432568152ceead81dceb51f8513f8bc004171

Download Submit
C:\Windows\SysWOW64\wsv.exe

Filesize
353KB

MD5
9530f1a3f12b4d129ea78b07202962e2

SHA1
d32ed613b6eb591dc6c560f7348f339541489ca0

SHA256
b4c185e47205adbf821982fad24bc6c9c5088250dd60cb835ff8fdcb747119ac

SHA512
a4f650c6716e77cfa042b7d594f7cfeab4894f167c865d60d781eee8b16df0a443d3c69ed2d23efe91ed6ad699420c5bace8036a5ae829da1efec0ec6999a60d

Download Submit
C:\Windows\SysWOW64\wsv.exe

Filesize
353KB

MD5
9530f1a3f12b4d129ea78b07202962e2

SHA1
d32ed613b6eb591dc6c560f7348f339541489ca0

SHA256
b4c185e47205adbf821982fad24bc6c9c5088250dd60cb835ff8fdcb747119ac

SHA512
a4f650c6716e77cfa042b7d594f7cfeab4894f167c865d60d781eee8b16df0a443d3c69ed2d23efe91ed6ad699420c5bace8036a5ae829da1efec0ec6999a60d

Download Submit
C:\Windows\SysWOW64\wsxkj.exe

Filesize
352KB

MD5
5421805429d652cca90c5790848b2434

SHA1
7e71673595e98380acb142eb4a7599e9dfde44fc

SHA256
92cf0b5c28d73fbfd7dc3a08d5a885b3ebb48a0f7ed3a27f7e7aeff2bbe11e3d

SHA512
f372b89cfe30bf8b70328d173832cf79117677f743ee6867fbe5435d014ebcf8d4cc2b8e3800e3da8464f9074fe198ed4c6d12b4df32927b5af1861bac276260

Download Submit
C:\Windows\SysWOW64\wsxkj.exe

Filesize
352KB

MD5
5421805429d652cca90c5790848b2434

SHA1
7e71673595e98380acb142eb4a7599e9dfde44fc

SHA256
92cf0b5c28d73fbfd7dc3a08d5a885b3ebb48a0f7ed3a27f7e7aeff2bbe11e3d

SHA512
f372b89cfe30bf8b70328d173832cf79117677f743ee6867fbe5435d014ebcf8d4cc2b8e3800e3da8464f9074fe198ed4c6d12b4df32927b5af1861bac276260

Download Submit
C:\Windows\SysWOW64\wtjoophh.exe

Filesize
352KB

MD5
09479c633d75b0a7c2f53022a55ef0d8

SHA1
52d7dd2f6eed9bb3fb90e7c9297c628fe7eb608e

SHA256
dc0576a0352a3cb9ef40c70847dac006d41f4c4aabb4e4478e4d8ce946887065

SHA512
b201603691709ecb6a0ebd83dc6f659ad00222bc694522515879160273c44bdbe0625bf56fbe09c9ee31c3f5838bf2a1335da99ed39be556ef861a7c4b0c1810

Download Submit
C:\Windows\SysWOW64\wtjoophh.exe

Filesize
352KB

MD5
09479c633d75b0a7c2f53022a55ef0d8

SHA1
52d7dd2f6eed9bb3fb90e7c9297c628fe7eb608e

SHA256
dc0576a0352a3cb9ef40c70847dac006d41f4c4aabb4e4478e4d8ce946887065

SHA512
b201603691709ecb6a0ebd83dc6f659ad00222bc694522515879160273c44bdbe0625bf56fbe09c9ee31c3f5838bf2a1335da99ed39be556ef861a7c4b0c1810

Download Submit
C:\Windows\SysWOW64\wuudnn.exe

Filesize
352KB

MD5
be16d51f00e1d7b22e39054e87fed75c

SHA1
c37bd8668c2357ed0ededfd5a139854d0488fd14

SHA256
469450737d68dda99c621925cea3f9845ff3313b3de2f220575eaeb174c8e0f1

SHA512
69f7b5d62b0693a7e6c0e500db29cb17ba3bfa00d3ae8198e21bb553a9b37d601bc8aa887bb3cfb4b18c014dc53d429ee1396cdb7f5bf018a8b770ddf90732bf

Download Submit
C:\Windows\SysWOW64\wuudnn.exe

Filesize
352KB

MD5
be16d51f00e1d7b22e39054e87fed75c

SHA1
c37bd8668c2357ed0ededfd5a139854d0488fd14

SHA256
469450737d68dda99c621925cea3f9845ff3313b3de2f220575eaeb174c8e0f1

SHA512
69f7b5d62b0693a7e6c0e500db29cb17ba3bfa00d3ae8198e21bb553a9b37d601bc8aa887bb3cfb4b18c014dc53d429ee1396cdb7f5bf018a8b770ddf90732bf

Download Submit
C:\Windows\SysWOW64\wvul.exe

Filesize
352KB

MD5
42bbfc21bd2f666cb84c7e456bf78e68

SHA1
7dd3bf014195aad2bedb01c0b112044a548d5a04

SHA256
164007da6b1d683b31d7c596f675a22768abf964e0cc400ac9615832bb654412

SHA512
fea5b9d130599b2ea76c2bc611f124da9c65198b76cdb4194b82f3e61473d58eeefa04b0b842bfce4ebc5763821733d29a44024fc2c543aed29df387eca78b43

Download Submit
C:\Windows\SysWOW64\wvul.exe

Filesize
352KB

MD5
42bbfc21bd2f666cb84c7e456bf78e68

SHA1
7dd3bf014195aad2bedb01c0b112044a548d5a04

SHA256
164007da6b1d683b31d7c596f675a22768abf964e0cc400ac9615832bb654412

SHA512
fea5b9d130599b2ea76c2bc611f124da9c65198b76cdb4194b82f3e61473d58eeefa04b0b842bfce4ebc5763821733d29a44024fc2c543aed29df387eca78b43

Download Submit
C:\Windows\SysWOW64\wvvutq.exe

Filesize
352KB

MD5
4535f1b8b68f4855bd7cdb6d25bf2b51

SHA1
c41864e677332f4293701e66f3f66e478d8b0d74

SHA256
0dd2dce7419f00ec17670023ce011dc4fe358bc818425c97e47a225af22f8fad

SHA512
de29616912cb3f789e445ab4b46b6a0ca02c26a84a92f1a71d895dbe06a4ac7eb5099224ce6d68daee8a635edbcbfb93ff2c59959ebf699dae423d0b1b63dcc2

Download Submit
C:\Windows\SysWOW64\wvvutq.exe

Filesize
352KB

MD5
4535f1b8b68f4855bd7cdb6d25bf2b51

SHA1
c41864e677332f4293701e66f3f66e478d8b0d74

SHA256
0dd2dce7419f00ec17670023ce011dc4fe358bc818425c97e47a225af22f8fad

SHA512
de29616912cb3f789e445ab4b46b6a0ca02c26a84a92f1a71d895dbe06a4ac7eb5099224ce6d68daee8a635edbcbfb93ff2c59959ebf699dae423d0b1b63dcc2

Download Submit
C:\Windows\SysWOW64\wwaqwqnd.exe

Filesize
352KB

MD5
5e85c91447409687e9b93a02913dd217

SHA1
f1a85e3f88e9651e07b2c0c6ace353e444e7713a

SHA256
c64be365acc44d941aab553655d7a5c8df7ce794323cb3fe53970f0cca01d2fe

SHA512
acef3a0c7b053792d34e4f23bfd9eca28b2c190824886e8de71ac7cf29d96e133629be8f2ea6aff7404ec25613e7b0a940af339813e5946909fdf7200de0d34b

Download Submit
C:\Windows\SysWOW64\wwaqwqnd.exe

Filesize
352KB

MD5
5e85c91447409687e9b93a02913dd217

SHA1
f1a85e3f88e9651e07b2c0c6ace353e444e7713a

SHA256
c64be365acc44d941aab553655d7a5c8df7ce794323cb3fe53970f0cca01d2fe

SHA512
acef3a0c7b053792d34e4f23bfd9eca28b2c190824886e8de71ac7cf29d96e133629be8f2ea6aff7404ec25613e7b0a940af339813e5946909fdf7200de0d34b

Download Submit
C:\Windows\SysWOW64\wwmsqqbf.exe

Filesize
352KB

MD5
88f8f6746bf3057bd34c33be1effb401

SHA1
806f55b48a030b0edc708e2e14c64da06544a1dd

SHA256
3355810758cad147926a3fc6d9a23ab2bdce0f62b061334973c071f46101717d

SHA512
40be609e7d4111bc06e1fd75d617e7beb6bc44da6efaf0e349a2e4508b0826b4d159df63db3c322f90a3986853b86d4b9d953951660f7198702e9327d1bceea2

Download Submit
C:\Windows\SysWOW64\wwmsqqbf.exe

Filesize
352KB

MD5
88f8f6746bf3057bd34c33be1effb401

SHA1
806f55b48a030b0edc708e2e14c64da06544a1dd

SHA256
3355810758cad147926a3fc6d9a23ab2bdce0f62b061334973c071f46101717d

SHA512
40be609e7d4111bc06e1fd75d617e7beb6bc44da6efaf0e349a2e4508b0826b4d159df63db3c322f90a3986853b86d4b9d953951660f7198702e9327d1bceea2

Download Submit
C:\Windows\SysWOW64\wymjtga.exe

Filesize
352KB

MD5
847818bbd77e0b56cdae59bd6bdf670f

SHA1
44abb593e7d0e579a42afdf90d32dc1ed1e0b7e7

SHA256
32932fecd32b1e26978979f0c244b29d9a8bc094dec89729482cd5be909a00fd

SHA512
b9aa3af4202599a3aedfc42f5f0d2e4d6ea88b15162b57d429a59998aee62d7c6cbe51c869f339085b6068e485e107b45523c52dc90be67cce096341d70f8cee

Download Submit
C:\Windows\SysWOW64\wymjtga.exe

Filesize
352KB

MD5
847818bbd77e0b56cdae59bd6bdf670f

SHA1
44abb593e7d0e579a42afdf90d32dc1ed1e0b7e7

SHA256
32932fecd32b1e26978979f0c244b29d9a8bc094dec89729482cd5be909a00fd

SHA512
b9aa3af4202599a3aedfc42f5f0d2e4d6ea88b15162b57d429a59998aee62d7c6cbe51c869f339085b6068e485e107b45523c52dc90be67cce096341d70f8cee

Download Submit
memory/384-237-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/384-49-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1028-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1628-256-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2032-281-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-101-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-119-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2272-216-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2272-235-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-410-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-124-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2536-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2808-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2844-174-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2844-163-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3260-287-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3324-222-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3444-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3488-412-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3636-224-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3680-331-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3880-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3880-25-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4080-152-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4080-164-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4092-365-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4260-102-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4344-355-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4384-375-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4412-321-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4604-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4720-126-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4836-217-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4992-401-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5092-341-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5104-306-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5104-280-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5116-289-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download