e0731489c63706fe707e1461cbdba0d066b23b307a142910204ed9c1881a045d

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e4cde11eb9037beb5fb60a7259b9f7.exe
Size

251KB
MD5

21e4cde11eb9037beb5fb60a7259b9f7
SHA1

840096d30a20e23c1b43b0cc3771de917639cf9c
SHA256

e0731489c63706fe707e1461cbdba0d066b23b307a142910204ed9c1881a045d
SHA512

ec0e50a10b54f967de6172cbc8b53f0bff0dd40a5007314f855bab005175f081caf17fbbdb5b3b9e9752a661755bbbdd5dcd766eb44603b16e13de034d18fd5d
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVp+:ZY7xh6SZI4z7FSVp+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wpnbihg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wekkqsq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wnxlrao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wggyubt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wohhq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wdnotsgk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wpxcb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wqfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	whycktja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wsflg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	whl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wvyejrmdw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wvtwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wnbnbv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	waje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wyykhcvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wybhw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wwpfqdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wcetqyoim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wrtuxe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wlxymcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	whi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wbcrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	weiflo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wxnxnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wsjuerxax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wpbhg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	21e4cde11eb9037beb5fb60a7259b9f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wotr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wlyemfo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wntpxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	whey.exe

Executes dropped EXE 34 IoCs

pid	Process
1280	wohhq.exe
3800	wlxymcd.exe
5004	wbcrs.exe
1496	wnxlrao.exe
3088	whi.exe
2940	weiflo.exe
3224	wotr.exe
3668	whycktja.exe
2316	wvyejrmdw.exe
4856	wvtwc.exe
2604	wpnbihg.exe
3848	wdnotsgk.exe
5036	wsflg.exe
2040	wlyemfo.exe
3804	wxnxnu.exe
2932	wsjuerxax.exe
3144	wggyubt.exe
3096	wnbnbv.exe
2316	wpxcb.exe
3996	wsi.exe
2464	waje.exe
4480	wntpxa.exe
4568	wqfj.exe
2764	wyykhcvr.exe
2148	wxo.exe
4088	wybhw.exe
892	whl.exe
3144	wpbhg.exe
4688	wwpfqdu.exe
1984	whey.exe
5052	wcetqyoim.exe
2232	wekkqsq.exe
1952	wrtuxe.exe
1756	wucgvfv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whl.exe	wybhw.exe
File created	C:\Windows\SysWOW64\wpbhg.exe	whl.exe
File opened for modification	C:\Windows\SysWOW64\wlxymcd.exe	wohhq.exe
File created	C:\Windows\SysWOW64\weiflo.exe	whi.exe
File created	C:\Windows\SysWOW64\whycktja.exe	wotr.exe
File created	C:\Windows\SysWOW64\wsjuerxax.exe	wxnxnu.exe
File created	C:\Windows\SysWOW64\whi.exe	wnxlrao.exe
File created	C:\Windows\SysWOW64\wntpxa.exe	waje.exe
File created	C:\Windows\SysWOW64\wyykhcvr.exe	wqfj.exe
File created	C:\Windows\SysWOW64\wtmsmqr.exe	wucgvfv.exe
File opened for modification	C:\Windows\SysWOW64\wekkqsq.exe	wcetqyoim.exe
File opened for modification	C:\Windows\SysWOW64\whycktja.exe	wotr.exe
File opened for modification	C:\Windows\SysWOW64\wxnxnu.exe	wlyemfo.exe
File created	C:\Windows\SysWOW64\wqfj.exe	wntpxa.exe
File created	C:\Windows\SysWOW64\wekkqsq.exe	wcetqyoim.exe
File opened for modification	C:\Windows\SysWOW64\whey.exe	wwpfqdu.exe
File created	C:\Windows\SysWOW64\wlyemfo.exe	wsflg.exe
File created	C:\Windows\SysWOW64\wxnxnu.exe	wlyemfo.exe
File opened for modification	C:\Windows\SysWOW64\wggyubt.exe	wsjuerxax.exe
File created	C:\Windows\SysWOW64\wpxcb.exe	wnbnbv.exe
File created	C:\Windows\SysWOW64\wbcrs.exe	wlxymcd.exe
File opened for modification	C:\Windows\SysWOW64\wvyejrmdw.exe	whycktja.exe
File created	C:\Windows\SysWOW64\whey.exe	wwpfqdu.exe
File opened for modification	C:\Windows\SysWOW64\wrtuxe.exe	wekkqsq.exe
File created	C:\Windows\SysWOW64\wggyubt.exe	wsjuerxax.exe
File created	C:\Windows\SysWOW64\waje.exe	wsi.exe
File opened for modification	C:\Windows\SysWOW64\waje.exe	wsi.exe
File opened for modification	C:\Windows\SysWOW64\wsi.exe	wpxcb.exe
File created	C:\Windows\SysWOW64\wybhw.exe	wxo.exe
File opened for modification	C:\Windows\SysWOW64\wybhw.exe	wxo.exe
File opened for modification	C:\Windows\SysWOW64\wqfj.exe	wntpxa.exe
File opened for modification	C:\Windows\SysWOW64\wbcrs.exe	wlxymcd.exe
File created	C:\Windows\SysWOW64\wvyejrmdw.exe	whycktja.exe
File opened for modification	C:\Windows\SysWOW64\wdnotsgk.exe	wpnbihg.exe
File created	C:\Windows\SysWOW64\wnbnbv.exe	wggyubt.exe
File opened for modification	C:\Windows\SysWOW64\wohhq.exe	21e4cde11eb9037beb5fb60a7259b9f7.exe
File opened for modification	C:\Windows\SysWOW64\wnxlrao.exe	wbcrs.exe
File created	C:\Windows\SysWOW64\wxo.exe	wyykhcvr.exe
File opened for modification	C:\Windows\SysWOW64\wxo.exe	wyykhcvr.exe
File opened for modification	C:\Windows\SysWOW64\wcetqyoim.exe	whey.exe
File created	C:\Windows\SysWOW64\wucgvfv.exe	wrtuxe.exe
File opened for modification	C:\Windows\SysWOW64\whi.exe	wnxlrao.exe
File opened for modification	C:\Windows\SysWOW64\wotr.exe	weiflo.exe
File opened for modification	C:\Windows\SysWOW64\wpxcb.exe	wnbnbv.exe
File created	C:\Windows\SysWOW64\wcetqyoim.exe	whey.exe
File created	C:\Windows\SysWOW64\wnxlrao.exe	wbcrs.exe
File created	C:\Windows\SysWOW64\wsflg.exe	wdnotsgk.exe
File opened for modification	C:\Windows\SysWOW64\wsflg.exe	wdnotsgk.exe
File opened for modification	C:\Windows\SysWOW64\whl.exe	wybhw.exe
File created	C:\Windows\SysWOW64\wlxymcd.exe	wohhq.exe
File created	C:\Windows\SysWOW64\wdnotsgk.exe	wpnbihg.exe
File opened for modification	C:\Windows\SysWOW64\wlyemfo.exe	wsflg.exe
File opened for modification	C:\Windows\SysWOW64\wnbnbv.exe	wggyubt.exe
File created	C:\Windows\SysWOW64\wvtwc.exe	wvyejrmdw.exe
File created	C:\Windows\SysWOW64\wpnbihg.exe	wvtwc.exe
File opened for modification	C:\Windows\SysWOW64\wntpxa.exe	waje.exe
File created	C:\Windows\SysWOW64\wwpfqdu.exe	wpbhg.exe
File created	C:\Windows\SysWOW64\wotr.exe	weiflo.exe
File opened for modification	C:\Windows\SysWOW64\wvtwc.exe	wvyejrmdw.exe
File opened for modification	C:\Windows\SysWOW64\wpnbihg.exe	wvtwc.exe
File created	C:\Windows\SysWOW64\wsi.exe	wpxcb.exe
File opened for modification	C:\Windows\SysWOW64\wsjuerxax.exe	wxnxnu.exe
File opened for modification	C:\Windows\SysWOW64\wyykhcvr.exe	wqfj.exe
File opened for modification	C:\Windows\SysWOW64\wpbhg.exe	whl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4536	3800	WerFault.exe	100
4664	2316	WerFault.exe	128
3116	2040	WerFault.exe	153
5028	3096	WerFault.exe	167
3360	2316	WerFault.exe	170
2620	4688	WerFault.exe	205

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1280	4448	21e4cde11eb9037beb5fb60a7259b9f7.exe	95
PID 4448 wrote to memory of 1280	4448	21e4cde11eb9037beb5fb60a7259b9f7.exe	95
PID 4448 wrote to memory of 1280	4448	21e4cde11eb9037beb5fb60a7259b9f7.exe	95
PID 4448 wrote to memory of 2892	4448	21e4cde11eb9037beb5fb60a7259b9f7.exe	97
PID 4448 wrote to memory of 2892	4448	21e4cde11eb9037beb5fb60a7259b9f7.exe	97
PID 4448 wrote to memory of 2892	4448	21e4cde11eb9037beb5fb60a7259b9f7.exe	97
PID 1280 wrote to memory of 3800	1280	wohhq.exe	100
PID 1280 wrote to memory of 3800	1280	wohhq.exe	100
PID 1280 wrote to memory of 3800	1280	wohhq.exe	100
PID 1280 wrote to memory of 1652	1280	wohhq.exe	101
PID 1280 wrote to memory of 1652	1280	wohhq.exe	101
PID 1280 wrote to memory of 1652	1280	wohhq.exe	101
PID 3800 wrote to memory of 5004	3800	wlxymcd.exe	104
PID 3800 wrote to memory of 5004	3800	wlxymcd.exe	104
PID 3800 wrote to memory of 5004	3800	wlxymcd.exe	104
PID 3800 wrote to memory of 4832	3800	wlxymcd.exe	105
PID 3800 wrote to memory of 4832	3800	wlxymcd.exe	105
PID 3800 wrote to memory of 4832	3800	wlxymcd.exe	105
PID 5004 wrote to memory of 1496	5004	wbcrs.exe	108
PID 5004 wrote to memory of 1496	5004	wbcrs.exe	108
PID 5004 wrote to memory of 1496	5004	wbcrs.exe	108
PID 5004 wrote to memory of 4244	5004	wbcrs.exe	109
PID 5004 wrote to memory of 4244	5004	wbcrs.exe	109
PID 5004 wrote to memory of 4244	5004	wbcrs.exe	109
PID 1496 wrote to memory of 3088	1496	wnxlrao.exe	113
PID 1496 wrote to memory of 3088	1496	wnxlrao.exe	113
PID 1496 wrote to memory of 3088	1496	wnxlrao.exe	113
PID 1496 wrote to memory of 3988	1496	wnxlrao.exe	114
PID 1496 wrote to memory of 3988	1496	wnxlrao.exe	114
PID 1496 wrote to memory of 3988	1496	wnxlrao.exe	114
PID 3088 wrote to memory of 2940	3088	whi.exe	116
PID 3088 wrote to memory of 2940	3088	whi.exe	116
PID 3088 wrote to memory of 2940	3088	whi.exe	116
PID 3088 wrote to memory of 4888	3088	whi.exe	117
PID 3088 wrote to memory of 4888	3088	whi.exe	117
PID 3088 wrote to memory of 4888	3088	whi.exe	117
PID 2940 wrote to memory of 3224	2940	weiflo.exe	121
PID 2940 wrote to memory of 3224	2940	weiflo.exe	121
PID 2940 wrote to memory of 3224	2940	weiflo.exe	121
PID 2940 wrote to memory of 792	2940	weiflo.exe	122
PID 2940 wrote to memory of 792	2940	weiflo.exe	122
PID 2940 wrote to memory of 792	2940	weiflo.exe	122
PID 3224 wrote to memory of 3668	3224	wotr.exe	124
PID 3224 wrote to memory of 3668	3224	wotr.exe	124
PID 3224 wrote to memory of 3668	3224	wotr.exe	124
PID 3224 wrote to memory of 3312	3224	wotr.exe	125
PID 3224 wrote to memory of 3312	3224	wotr.exe	125
PID 3224 wrote to memory of 3312	3224	wotr.exe	125
PID 3668 wrote to memory of 2316	3668	whycktja.exe	128
PID 3668 wrote to memory of 2316	3668	whycktja.exe	128
PID 3668 wrote to memory of 2316	3668	whycktja.exe	128
PID 3668 wrote to memory of 4688	3668	whycktja.exe	129
PID 3668 wrote to memory of 4688	3668	whycktja.exe	129
PID 3668 wrote to memory of 4688	3668	whycktja.exe	129
PID 2316 wrote to memory of 4856	2316	wvyejrmdw.exe	132
PID 2316 wrote to memory of 4856	2316	wvyejrmdw.exe	132
PID 2316 wrote to memory of 4856	2316	wvyejrmdw.exe	132
PID 2316 wrote to memory of 1200	2316	wvyejrmdw.exe	135
PID 2316 wrote to memory of 1200	2316	wvyejrmdw.exe	135
PID 2316 wrote to memory of 1200	2316	wvyejrmdw.exe	135
PID 4856 wrote to memory of 2604	4856	wvtwc.exe	142
PID 4856 wrote to memory of 2604	4856	wvtwc.exe	142
PID 4856 wrote to memory of 2604	4856	wvtwc.exe	142
PID 4856 wrote to memory of 2944	4856	wvtwc.exe	144

C:\Users\Admin\AppData\Local\Temp\21e4cde11eb9037beb5fb60a7259b9f7.exe
"C:\Users\Admin\AppData\Local\Temp\21e4cde11eb9037beb5fb60a7259b9f7.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\wohhq.exe
  "C:\Windows\system32\wohhq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\wlxymcd.exe
    "C:\Windows\system32\wlxymcd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\wbcrs.exe
      "C:\Windows\system32\wbcrs.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\wnxlrao.exe
        
        "C:\Windows\system32\wnxlrao.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\whi.exe
        
        "C:\Windows\system32\whi.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\weiflo.exe
        
        "C:\Windows\system32\weiflo.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\wotr.exe
        
        "C:\Windows\system32\wotr.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\whycktja.exe
        
        "C:\Windows\system32\whycktja.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\wvyejrmdw.exe
        
        "C:\Windows\system32\wvyejrmdw.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\wvtwc.exe
        
        "C:\Windows\system32\wvtwc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\wpnbihg.exe
        
        "C:\Windows\system32\wpnbihg.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\wdnotsgk.exe
        
        "C:\Windows\system32\wdnotsgk.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\wsflg.exe
        
        "C:\Windows\system32\wsflg.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\wlyemfo.exe
        
        "C:\Windows\system32\wlyemfo.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\wxnxnu.exe
        
        "C:\Windows\system32\wxnxnu.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\wsjuerxax.exe
        
        "C:\Windows\system32\wsjuerxax.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\wggyubt.exe
        
        "C:\Windows\system32\wggyubt.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\wnbnbv.exe
        
        "C:\Windows\system32\wnbnbv.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\wpxcb.exe
        
        "C:\Windows\system32\wpxcb.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\wsi.exe
        
        "C:\Windows\system32\wsi.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\waje.exe
        
        "C:\Windows\system32\waje.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\wntpxa.exe
        
        "C:\Windows\system32\wntpxa.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\wqfj.exe
        
        "C:\Windows\system32\wqfj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\wyykhcvr.exe
        
        "C:\Windows\system32\wyykhcvr.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\wxo.exe
        
        "C:\Windows\system32\wxo.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\wybhw.exe
        
        "C:\Windows\system32\wybhw.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\whl.exe
        
        "C:\Windows\system32\whl.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\wpbhg.exe
        
        "C:\Windows\system32\wpbhg.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\wwpfqdu.exe
        
        "C:\Windows\system32\wwpfqdu.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\whey.exe
        
        "C:\Windows\system32\whey.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\wcetqyoim.exe
        
        "C:\Windows\system32\wcetqyoim.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\wekkqsq.exe
        
        "C:\Windows\system32\wekkqsq.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\wrtuxe.exe
        
        "C:\Windows\system32\wrtuxe.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\wucgvfv.exe
        
        "C:\Windows\system32\wucgvfv.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtuxe.exe"
        35⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekkqsq.exe"
        34⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcetqyoim.exe"
        33⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whey.exe"
        32⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpfqdu.exe"
        31⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1160
        31⤵
        Program crash
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbhg.exe"
        30⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whl.exe"
        29⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybhw.exe"
        28⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxo.exe"
        27⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyykhcvr.exe"
        26⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfj.exe"
        25⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntpxa.exe"
        24⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waje.exe"
        23⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsi.exe"
        22⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxcb.exe"
        21⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1064
        21⤵
        Program crash
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbnbv.exe"
        20⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1448
        20⤵
        Program crash
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggyubt.exe"
        19⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjuerxax.exe"
        18⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnxnu.exe"
        17⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyemfo.exe"
        16⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1452
        16⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsflg.exe"
        15⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnotsgk.exe"
        14⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnbihg.exe"
        13⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtwc.exe"
        12⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyejrmdw.exe"
        11⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1592
        11⤵
        Program crash
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whycktja.exe"
        10⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotr.exe"
        9⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weiflo.exe"
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whi.exe"
        7⤵
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxlrao.exe"
        6⤵
        
        PID:3988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcrs.exe"
        5⤵
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxymcd.exe"
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1432
      4⤵
      Program crash
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohhq.exe"
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\21e4cde11eb9037beb5fb60a7259b9f7.exe"
  2⤵
  PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3800 -ip 3800
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2316 -ip 2316
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2040 -ip 2040
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3096 -ip 3096
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2316 -ip 2316
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4688 -ip 4688
1⤵
PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waje.exe

Filesize
252KB

MD5
a7fb63475aea852aa5598486b7e08555

SHA1
d82026df56b34bac684df4793cab7fa5aa3d9cce

SHA256
47887ed5245ef48d5684319cdcd9c0f720445900c5dab22d678cd075431d4124

SHA512
816ecab36982b0ba35e612433fcc8b18790a630fe005c225761650114d062b22446bf43fcfd0f85983c2268abc0a51efe47d06b4090d4782b592810c2b4b9f21

Download Submit
C:\Windows\SysWOW64\wbcrs.exe

Filesize
251KB

MD5
9ea9c5bfa5923f9fae488249cdb62a37

SHA1
7607ec99a823cc378c6206aa9fdab16148f375e1

SHA256
8234cf382f664b1fe8e1ed5304975f5ee33f4be64052a3a19489e2dab53c76a2

SHA512
a2fe38fe617bebc9b5985e66148551cdf5437acd3ab7c568bd1dbff00c79683a03040a5c50c4c13a5f92810d905ac658be15a5fa6d361bfebd3bd225a6290cb6

Download Submit
C:\Windows\SysWOW64\wcetqyoim.exe

Filesize
252KB

MD5
ef5e48b8e0b1fb8bb2e13f33897d24e6

SHA1
fda9731521417249eac3d8aa483c796f98fba455

SHA256
5bd63736769f0b3ad9de73a53b2d3da1aff6d0751550ba215528da652084dba0

SHA512
be487e4980e018b5783bf87da2f4b1f9f92ba2cc1dae5327fa2480b99765a804cb6824b74bb2e88ea94d95465151f32725d14d5a832b96edd96d426e250c4152

Download Submit
C:\Windows\SysWOW64\wdnotsgk.exe

Filesize
251KB

MD5
e75436144d8d940869c4018a125ed568

SHA1
88d0f453e4c7f13f0d88cd8be7332c59c768b281

SHA256
f4fffa7e4e222a833c03d5ca7cc7ae7ba7b7fe5a9d3c10f767e4350d6b0738bb

SHA512
5eb0205b2f1668e1f941fddcf0da1507dbf58397b4f91fcbba0a5551031cfee47bcc3d6b7fa958744b61a87c460360291901937fc37025289d012b8930994157

Download Submit
C:\Windows\SysWOW64\weiflo.exe

Filesize
251KB

MD5
9fb0e1e85efa4f06f72e86f012a8fd91

SHA1
18408a2f9eac5c6f858510efb9f3838ef2e4ff8f

SHA256
ee938ae19285116f8f7c43407f43e4a25d93ba8ab03a185cadf38650093fb6f3

SHA512
d293e147390e1a37d30edd87d52aaa5058ec49130292a18ba10515dcdab0c5cf5a66a375b3b3d9065d37e2e9114904e6136d524767a923fe705962d87a6c021c

Download Submit
C:\Windows\SysWOW64\wekkqsq.exe

Filesize
252KB

MD5
1af46fef1c5f5275b5db280f33b98ce0

SHA1
a2e139c33b55047ea2e09e70b5cf4831aba7f2d1

SHA256
2e5f05dd699821adc0cf653329e4fdb5c5da647e983004989cc8a401e816bd7c

SHA512
96eca07482fc2e1f0f3a4f76c4fcdea02ce22569dffdefb7a9f5017579b6749146f12a203bb89ed6e269b5ef6bdfbb4b0abab7930b9b848e83ce3ea824571f13

Download Submit
C:\Windows\SysWOW64\wggyubt.exe

Filesize
252KB

MD5
684c1167e09b3f01cb4a62689caa088d

SHA1
37940bbd93531213cff26743d8a12d3714cd68df

SHA256
5adf34f5cea348984abd59e70372eceb7e4189a5bffbe3233b8d9c56bffb9b4b

SHA512
76e4987edbd834a782e0a527cb434df3c8cf247dddd2f49508f0b2992f1dba4b6dd5a773289e8ff3ad192d09109daffc8cd9a670ceabbd84915a2f26e2468720

Download Submit
C:\Windows\SysWOW64\whey.exe

Filesize
252KB

MD5
4918bad0ffabdadc4f485b30a4e7979d

SHA1
50a0083d1d2ffd89e65d8c436d918563e0fb8665

SHA256
86bb390ee003a6da237c110d717257a9ad3a0c97cf9ebaacde31fee28e9ca938

SHA512
eaec114b85cd837defa23f6ff2d0b770722a300e90604a2107ea249c0f17a08d4d926ae598d86f87b598f33ff9ef8c1019361e6ad46ed42bad8ee0011dde211d

Download Submit
C:\Windows\SysWOW64\whi.exe

Filesize
251KB

MD5
27ff430245f155abbfa6fed3d67eb79d

SHA1
f0888ea0eb0decb2896842ddd96c30fc9a39a116

SHA256
5e2d7313ce84cf6ef086f2aafcb9cfc839f28773eac8da3dd1ae6dae5386c18b

SHA512
7114089cc1163d7039b0cd1845c25930305068fdbe9760975ad56861a8f6d2875792a329eb5b115992d42ae06be431c24956b53929b975d1e90c4dde726f8f71

Download Submit
C:\Windows\SysWOW64\whl.exe

Filesize
252KB

MD5
2bac0272408090ac66c5b9eb1f643318

SHA1
5dbbe6052441943fdc2c71c4e4257ad35331388f

SHA256
4ed89e1faa5a56e20f1fae8e1baf73b852d0a377d567f37d5d91ab76c1691fab

SHA512
125420ba38ac15fd58b127fe73c46e6428153f56cd0ddde2b7ca070e07eb53e28fb48f465b04ba0ac7867a4a801a77c316661756fdd179586f24c7365a1bb230

Download Submit
C:\Windows\SysWOW64\whycktja.exe

Filesize
230KB

MD5
95b38f115dd4960a6a5d774f58cce142

SHA1
8840ac602d3578ee6920c6422647b00423f1f2a5

SHA256
10fca1ce1c60559d8b4546f19555329b974f17d3f32b8306e1fc722a45defcf6

SHA512
85acbb1390ece8df5cceb50491af0a27337f258eb362f9bd526570af1bd6cd9761c422d785c829286d84232399181d962a3e1d57a5e3b15a195d7fe79777e07c

Download Submit
C:\Windows\SysWOW64\whycktja.exe

Filesize
251KB

MD5
5cb83e4ae23843c185cf72afbbb0acda

SHA1
c34c8fb008b6c80e2a51092f0c42099e4ab750ab

SHA256
c5fff951f338a7bd67f68d92824f51917ecc6bfc0da40fd2932b5577484f1d96

SHA512
4e52d9cac9b81cd64edd9f7af46b971a023e482e59b6ccda468813e0367f1fbe5428235f3a0c48ef04923efe26c0431437b1b17a53395c376ac2ce1c6c2eb4ed

Download Submit
C:\Windows\SysWOW64\wlxymcd.exe

Filesize
251KB

MD5
a5ca3ea96238781589b4dfcd649a15a5

SHA1
cf51af7b7752cc6064a9948311441d5185f89418

SHA256
99896b368f3db4430aefbb49fa960d8de86a523ff818d1e23b7252f1f8d7236c

SHA512
68f3a1856235e3b2faf393e14ab9c4419bb5e045a84956f49aab212259654b61e40aebc6debf7b04181dbcef6f1e7dc4b0c70f438b24ed0083c4970e2629aeab

Download Submit
C:\Windows\SysWOW64\wlyemfo.exe

Filesize
251KB

MD5
a62cf7cd6ad3f51722266fe028e84364

SHA1
4626161b02b866382b9b792d88b131994d683ac7

SHA256
82df0f6822a3d489e15e45e9bc06f74d879bf25ce9ed85be9927ed971d4d46a2

SHA512
d2c3fe108506f319257289dcbe691433e90b7e982920a06a609d3b29eb7a8f1463fffc38b22c11d77b36102966d875ed771a1f073e80c3427f524fe533f7ae76

Download Submit
C:\Windows\SysWOW64\wnbnbv.exe

Filesize
252KB

MD5
c1dfbbd05e9cc7699f330cf14c7f3fbc

SHA1
7d89a94403e1dac021ba636f582b1f9a6eba772d

SHA256
e81f072be8ae49e73afe76787fee7ae6ee0914f3513d71c155e507ae75924d53

SHA512
a11098a9e1352d2ae0d7e206c10cf6a8aa8478ae1be4bd5c8e537a05f15a0f2793b6be35e334463449710406a8364992e22090a20d40e7d5cd03797d9c42bf03

Download Submit
C:\Windows\SysWOW64\wntpxa.exe

Filesize
252KB

MD5
ec99dbb87b3136a7587a9035d0f4cac4

SHA1
d82885a3e75c753ba3d2eec6e6f79dba2ce5e66f

SHA256
0a7cb973f16edb69499ac5b534aab659e0a53cc5af8ab51a9cd7d68dca104fb7

SHA512
da81d30967552ce3ed2ecd41d8da098fdd69d26c38e926d08b5528a9817b26b825d08e1f1fb2dfc5815a293e1662ec9ffc031908628038870e4f821206bae9dc

Download Submit
C:\Windows\SysWOW64\wnxlrao.exe

Filesize
251KB

MD5
da08146a51d90d49e0fcf273f7070c68

SHA1
c541ee3a2be0bee58a54a14e6c5af4700ab89a5c

SHA256
3dd51b620f61106f300c4ce29df00029ae56056052a92d288d322dd1481ffdbc

SHA512
fb0400f4449a9d6ce61745f607f561c127ced4ea5524b8427851c377adfa0e83c0019b628b8a114e4540368d78820e46fb36d46a77dc5d8263e25fc21d44b4d3

Download Submit
C:\Windows\SysWOW64\wohhq.exe

Filesize
251KB

MD5
a4ab26850e060ffedb9b1b3a28c030e9

SHA1
6356ec97d9e6bf556bb98feb842b23abc35b76f7

SHA256
5d195891f19a0b26a7ef17551fde122bf78630f1163610798086ca02d9d2a752

SHA512
69b40f47812127aa81a32a0f2bd328a5dccfdf67fe1444382049211b8c44f1719a8759cc942b5bebdd8aee232b5183f90324ab9fbeac8f0f57a726125819070f

Download Submit
C:\Windows\SysWOW64\wotr.exe

Filesize
251KB

MD5
cc2819db04fa868a174f60d8b9c40ade

SHA1
94b252a1dfc72f4cb1a7a88a9ce748a74f7f2ac7

SHA256
8ea78d1095e90de9433bd0d0c66729760c5c8bf4a757744dfd5670196d44d04d

SHA512
d3677e07d90b13e77c15838b9f7a81f8dabfd00eb647a347ee8a295db998eb3dcbfdd8be074e7848407321294a94ebe63a683026777856f9933f3b139c49c476

Download Submit
C:\Windows\SysWOW64\wpbhg.exe

Filesize
252KB

MD5
4ffe12e1e15203836844236e2e802235

SHA1
682f3bfd365cd333fadcf5c557fb2c979437d906

SHA256
e572864df6c77c3ceb5632aa94320f2390dd8c48c0442f1bc0fc3359df1df849

SHA512
110f7731f5ea7160a273a6889fbd787777d3f7a72a75f0152b590a2842e26f19a25bb458c7a81f9b81933adf4705315bf166a01957308f5c02d2df1abb7ec5eb

Download Submit
C:\Windows\SysWOW64\wpnbihg.exe

Filesize
251KB

MD5
7728c71732e74b7d4e67a76ee8d45b1c

SHA1
7dbe41eacfb9032c6cce72a277fa2610b2141b6e

SHA256
1e1caaa904490c6843d2c5a5e0054b639dba683d798bb43b09fd5160b0dc67b0

SHA512
96edecbde85595233f19e1d7ce63c29641ee0df4e7cee3c5a71448913e6b74bb442a72ef138b20e136fceb94a8efb7bf1380808156dc3c908eeb7537f4f2bd49

Download Submit
C:\Windows\SysWOW64\wpxcb.exe

Filesize
252KB

MD5
29280dce926e76646eb44d1071dc91ea

SHA1
bcb19958fb8e82882dab264a27fee94e29d0a258

SHA256
1574fba16bc3f423a2c72cdb7472806337898103380aa9a11d2f60312b7877e8

SHA512
64e4dc987af7366e78fa8d48858c5505befdd489398a9f9e3093fa3c116c41ffd7491c78b7a09ee82279a7e3dd6a4640f7e54a506ae2fba729e204321b73bf4b

Download Submit
C:\Windows\SysWOW64\wqfj.exe

Filesize
252KB

MD5
8fc738521ec3ece174e9eacf001e6458

SHA1
da793282a14536aa11965a5bd9098ca27777ed41

SHA256
4fc72e9bb1da0155c3a4841bbc542414f64cac8ba15fd4894c3a72866564ece8

SHA512
274ff7da3db47766cbfc3abfc1e0197898ce67b6132d40164d136b4d8accf6be14446632bcd967d546e069fbf24f5d334aa566e35343e845e07366039e267c16

Download Submit
C:\Windows\SysWOW64\wsflg.exe

Filesize
251KB

MD5
69372adccaf34ae51b0064d34ed9cda4

SHA1
09f843f7c6b4ba2b29db44bb217ec5f8e69ddf30

SHA256
f3b4104e6affe095d8caa7109b412b7396af4eadf2e7205739d7b4aed3821e46

SHA512
6ee1c5189797e23f1fe2f73f3aa13fce75cfd4da614b32d558dd7b4533af6386669b68b2f14de2d11db5f0f37a0ec85918d709874a3b15a89843434bf8fc64e6

Download Submit
C:\Windows\SysWOW64\wsi.exe

Filesize
252KB

MD5
a353bf8245e1dc071defee1401a2cb5e

SHA1
c84b4c8dbfcb58e6a0ade393191c06a29cd2523c

SHA256
18db5f0ce0b87e852f6516f2c21bdc5dfa6c6cf96cdd026d499dde52e4562520

SHA512
e7ae67c2699d1c54146f8957301163623f3730f4655e286eb053a6b617a54cafd5fa4921eac06363117d1e078f45f3807dab1f1673a3f24b0891fd603be84135

Download Submit
C:\Windows\SysWOW64\wsjuerxax.exe

Filesize
251KB

MD5
046ae46011fbaace9e2310574fd9fe65

SHA1
64a35b27afeea1f832c508c3627d12ff069a292e

SHA256
713cf69dff92e6f33e0ba3b2505e245f1acab4a997aa218a5b7b03a37857a727

SHA512
2faf563a4155cccfab7381f5a7bb85b05c4413bd09361d437eabd52d20f2d3e4454ccdccf94ddb2ba48b859c11b130b97ef8c0457bac4e9113d9f6488aebab7b

Download Submit
C:\Windows\SysWOW64\wvtwc.exe

Filesize
251KB

MD5
565692baaa7feae2844483f28109ef69

SHA1
abf060500dd777f52d05ccf5e619decd04a988be

SHA256
e509231c1581ac559e3a0bc4e5ce8971becd5fc852cbb3036bc9358271d85345

SHA512
0c11be5540f2f0640141cc1d29948ec5d84bc1e74773c399556df8b454b37497e05031e9fc0cd2dd80e804a6d7b1df2c1914ee2422950c4aa413b2b352f12900

Download Submit
C:\Windows\SysWOW64\wvyejrmdw.exe

Filesize
251KB

MD5
80d57092cda60661b359129dec64fefa

SHA1
4a90ddda515447e171267c4d2840b8fef3a63408

SHA256
d6ebd6055bbc667424d8483255e4b85d26e61c4baf0699b18961c31936dec1bf

SHA512
20a7beef9dd3ac472783748ab14728c1cb5811e65e90b40d3c6a6166d4317df2a21d074bf4037d6b5570ae3a39e3f6bd6dabb6f591db1130b2868126d321d9f2

Download Submit
C:\Windows\SysWOW64\wwpfqdu.exe

Filesize
252KB

MD5
4e4420acba91230c48cd26bcd536cd79

SHA1
2ee55e1b42cfb17ab86774ef8315cec7f2b483de

SHA256
e9b2cd7a188ffa8f37dbecb1a056a4cbc47ef16d29f6ef36c55d806ee770cd76

SHA512
89a62f54f2226f7a41fdce620eed6138b7ffb5d4131cc1c98a2f7ac4ba6049a1907ba4d6efb18c476d3f5303be4c39836ee9d306144a75d3bde9110a4ba1dbff

Download Submit
C:\Windows\SysWOW64\wxnxnu.exe

Filesize
251KB

MD5
cc3aac807b913d81f548d40c93668445

SHA1
993498d74c5c3f03bc79d5237d2521536228b919

SHA256
bc12b325144a431eeced4a9852d587232f9d9f77c52333957071a64c746e093b

SHA512
4d095c5682802688ca171fb711522b5494ae5fa153ddf315bf7a1f20d99553ed78fefe48c7e696e6f15fc2fe8787704aa95db9243820cf5a2a185f0a4b068b29

Download Submit
C:\Windows\SysWOW64\wxo.exe

Filesize
252KB

MD5
8d55ca73076eac80e536a620e635c3c1

SHA1
baf4a7e793cef0d7942d74a2748ddda0d6c366f7

SHA256
92fad6da49413adf4affb9eb638e3d0e9fec8ba8c574b1aab68092c950f1288b

SHA512
a8e1a397a3d19b53506ec194087e8232ac8c93236d3b837c940ff7c3faa2f9221edc5a98bad7220198c39c681bd1963bc5ef19d3e2d919e7223edf3b385084f9

Download Submit
C:\Windows\SysWOW64\wybhw.exe

Filesize
252KB

MD5
c1affb89afb0e7018502f7499c0060ef

SHA1
32141d64429d17d0912b4ccd197f83b6131fa56d

SHA256
c1292a243ba7c4a1aaa0339a4a195a429de5a90e7e25694629775e48771708b5

SHA512
448e848d0b8d57324817677ae7e20869bb8f7706ba3eee3fc556307d996af455432bc7da0a4f062bfb364d6b337fc33faf074cb2d01eb33c772e10a23dd6c84b

Download Submit
C:\Windows\SysWOW64\wyykhcvr.exe

Filesize
252KB

MD5
7298430ed680d3dd04536201e9b43511

SHA1
2cb326fc0ab856ce0714b14b1d82c56410419d33

SHA256
af92ce08b5097fd1d6a5fe59bb7df57109f1200d18f105bbeb99bfd572e40bf5

SHA512
77c6924df85e77dfa08820d7d241a2451e1766741e5be9f9ee68b7fa65fcbd06d6e247c448b6d358e478f6208d0557aec9ecd6d8c43a9dc441f49999847989e3

Download Submit
memory/892-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/892-300-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1280-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1280-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1952-362-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1984-332-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2148-268-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2148-279-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2232-354-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2316-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2316-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-236-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2764-269-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-178-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2940-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3088-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-216-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3144-311-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3144-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3668-96-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3800-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3804-168-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3848-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3996-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3996-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4088-290-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4448-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4448-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4480-248-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4568-258-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4568-247-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4688-310-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4688-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4688-350-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4856-106-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4856-117-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5004-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5004-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5052-342-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download