ec4e5345a52ded495ea579f5adccd5335abf0990f22d7a78fe6373f29ee386b4

Analysis

max time kernel
123s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f008974b40ac325c50a1b425984e1c.exe
Size

265KB
MD5

36f008974b40ac325c50a1b425984e1c
SHA1

08fc164d41a09066fcc5b85c621089213433412b
SHA256

ec4e5345a52ded495ea579f5adccd5335abf0990f22d7a78fe6373f29ee386b4
SHA512

f18256b99a043f6b914bca3cc032fae75b4aa1f7ae82c7330fa11400937ea0125a6265335069e7858b836e8941ced43d04b2a510b48e9190bf54f4ed8d13a73b
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpjhWv3:ZY7xh6SZI4z7FSVpj+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wmpiviv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wemqjwy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wnbw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wxhxxe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wbaqixi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wavnbr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wggjcfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wtjx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlaiejkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	36f008974b40ac325c50a1b425984e1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wmwbuvpp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wbtb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wrxgtyr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wfufhab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wwrln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wwtijx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wlama.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wukxwv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wnhupmcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wxlsork.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wbncn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wsxr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wxjkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	waxf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	wcr.exe

Executes dropped EXE 27 IoCs

pid	Process
1480	wcr.exe
3172	wbaqixi.exe
5084	wmpiviv.exe
1096	wavnbr.exe
764	wxlsork.exe
824	wbtb.exe
5084	wwtijx.exe
5036	wxjkv.exe
1544	wlama.exe
1528	wwrln.exe
3144	wbncn.exe
4152	wmwbuvpp.exe
2980	WerFault.exe
3680	wggjcfk.exe
5076	wemqjwy.exe
2848	wnbw.exe
3736	waxf.exe
2760	wfufhab.exe
4652	wck.exe
1432	wtjx.exe
1852	wsxr.exe
3060	wxhxxe.exe
5064	wlaiejkr.exe
1528	wukxwv.exe
4876	wnhupmcs.exe
4280	wrxgtyr.exe
376	wbsgsu.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbtb.exe	wxlsork.exe
File opened for modification	C:\Windows\SysWOW64\wxjkv.exe	wwtijx.exe
File created	C:\Windows\SysWOW64\wednyxec.exe	wbsgsu.exe
File created	C:\Windows\SysWOW64\wavnbr.exe	wmpiviv.exe
File created	C:\Windows\SysWOW64\wxjkv.exe	wwtijx.exe
File created	C:\Windows\SysWOW64\wnbw.exe	wemqjwy.exe
File created	C:\Windows\SysWOW64\wfufhab.exe	waxf.exe
File created	C:\Windows\SysWOW64\wcr.exe	36f008974b40ac325c50a1b425984e1c.exe
File created	C:\Windows\SysWOW64\wbaqixi.exe	wcr.exe
File opened for modification	C:\Windows\SysWOW64\wwtijx.exe	wbtb.exe
File opened for modification	C:\Windows\SysWOW64\wlama.exe	wxjkv.exe
File created	C:\Windows\SysWOW64\wwrln.exe	wlama.exe
File opened for modification	C:\Windows\SysWOW64\wmwbuvpp.exe	wbncn.exe
File opened for modification	C:\Windows\SysWOW64\wwrln.exe	wlama.exe
File created	C:\Windows\SysWOW64\wck.exe	wfufhab.exe
File created	C:\Windows\SysWOW64\wxhxxe.exe	wsxr.exe
File opened for modification	C:\Windows\SysWOW64\wcr.exe	36f008974b40ac325c50a1b425984e1c.exe
File opened for modification	C:\Windows\SysWOW64\waxf.exe	wnbw.exe
File opened for modification	C:\Windows\SysWOW64\wnbw.exe	wemqjwy.exe
File created	C:\Windows\SysWOW64\wtjx.exe	wck.exe
File created	C:\Windows\SysWOW64\wrxgtyr.exe	wnhupmcs.exe
File opened for modification	C:\Windows\SysWOW64\wednyxec.exe	wbsgsu.exe
File created	C:\Windows\SysWOW64\wmpiviv.exe	wbaqixi.exe
File created	C:\Windows\SysWOW64\wemqjwy.exe	wggjcfk.exe
File created	C:\Windows\SysWOW64\wbncn.exe	wwrln.exe
File opened for modification	C:\Windows\SysWOW64\wpyx.exe	wmwbuvpp.exe
File created	C:\Windows\SysWOW64\wwtijx.exe	wbtb.exe
File created	C:\Windows\SysWOW64\wggjcfk.exe	WerFault.exe
File opened for modification	C:\Windows\SysWOW64\wemqjwy.exe	wggjcfk.exe
File opened for modification	C:\Windows\SysWOW64\wck.exe	wfufhab.exe
File created	C:\Windows\SysWOW64\wsxr.exe	wtjx.exe
File created	C:\Windows\SysWOW64\wlama.exe	wxjkv.exe
File opened for modification	C:\Windows\SysWOW64\wxhxxe.exe	wsxr.exe
File created	C:\Windows\SysWOW64\wnhupmcs.exe	wukxwv.exe
File opened for modification	C:\Windows\SysWOW64\wbncn.exe	wwrln.exe
File created	C:\Windows\SysWOW64\waxf.exe	wnbw.exe
File opened for modification	C:\Windows\SysWOW64\wsxr.exe	wtjx.exe
File created	C:\Windows\SysWOW64\wbsgsu.exe	wrxgtyr.exe
File opened for modification	C:\Windows\SysWOW64\wbaqixi.exe	wcr.exe
File created	C:\Windows\SysWOW64\wxlsork.exe	wavnbr.exe
File created	C:\Windows\SysWOW64\wpyx.exe	wmwbuvpp.exe
File created	C:\Windows\SysWOW64\wmwbuvpp.exe	wbncn.exe
File created	C:\Windows\SysWOW64\wlaiejkr.exe	wxhxxe.exe
File created	C:\Windows\SysWOW64\wukxwv.exe	wlaiejkr.exe
File opened for modification	C:\Windows\SysWOW64\wnhupmcs.exe	wukxwv.exe
File opened for modification	C:\Windows\SysWOW64\wbsgsu.exe	wrxgtyr.exe
File opened for modification	C:\Windows\SysWOW64\wggjcfk.exe	WerFault.exe
File opened for modification	C:\Windows\SysWOW64\wlaiejkr.exe	wxhxxe.exe
File opened for modification	C:\Windows\SysWOW64\wrxgtyr.exe	wnhupmcs.exe
File opened for modification	C:\Windows\SysWOW64\wfufhab.exe	waxf.exe
File opened for modification	C:\Windows\SysWOW64\wtjx.exe	wck.exe
File opened for modification	C:\Windows\SysWOW64\wukxwv.exe	wlaiejkr.exe
File opened for modification	C:\Windows\SysWOW64\wmpiviv.exe	wbaqixi.exe
File opened for modification	C:\Windows\SysWOW64\wavnbr.exe	wmpiviv.exe
File opened for modification	C:\Windows\SysWOW64\wxlsork.exe	wavnbr.exe
File opened for modification	C:\Windows\SysWOW64\wbtb.exe	wxlsork.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	5076	WerFault.exe	145

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1480	1544	36f008974b40ac325c50a1b425984e1c.exe	97
PID 1544 wrote to memory of 1480	1544	36f008974b40ac325c50a1b425984e1c.exe	97
PID 1544 wrote to memory of 1480	1544	36f008974b40ac325c50a1b425984e1c.exe	97
PID 1544 wrote to memory of 1812	1544	36f008974b40ac325c50a1b425984e1c.exe	99
PID 1544 wrote to memory of 1812	1544	36f008974b40ac325c50a1b425984e1c.exe	99
PID 1544 wrote to memory of 1812	1544	36f008974b40ac325c50a1b425984e1c.exe	99
PID 1480 wrote to memory of 3172	1480	wcr.exe	103
PID 1480 wrote to memory of 3172	1480	wcr.exe	103
PID 1480 wrote to memory of 3172	1480	wcr.exe	103
PID 1480 wrote to memory of 3740	1480	wcr.exe	105
PID 1480 wrote to memory of 3740	1480	wcr.exe	105
PID 1480 wrote to memory of 3740	1480	wcr.exe	105
PID 3172 wrote to memory of 5084	3172	wbaqixi.exe	108
PID 3172 wrote to memory of 5084	3172	wbaqixi.exe	108
PID 3172 wrote to memory of 5084	3172	wbaqixi.exe	108
PID 3172 wrote to memory of 4544	3172	wbaqixi.exe	107
PID 3172 wrote to memory of 4544	3172	wbaqixi.exe	107
PID 3172 wrote to memory of 4544	3172	wbaqixi.exe	107
PID 5084 wrote to memory of 1096	5084	wmpiviv.exe	109
PID 5084 wrote to memory of 1096	5084	wmpiviv.exe	109
PID 5084 wrote to memory of 1096	5084	wmpiviv.exe	109
PID 5084 wrote to memory of 4224	5084	wmpiviv.exe	110
PID 5084 wrote to memory of 4224	5084	wmpiviv.exe	110
PID 5084 wrote to memory of 4224	5084	wmpiviv.exe	110
PID 1096 wrote to memory of 764	1096	wavnbr.exe	114
PID 1096 wrote to memory of 764	1096	wavnbr.exe	114
PID 1096 wrote to memory of 764	1096	wavnbr.exe	114
PID 1096 wrote to memory of 4972	1096	wavnbr.exe	113
PID 1096 wrote to memory of 4972	1096	wavnbr.exe	113
PID 1096 wrote to memory of 4972	1096	wavnbr.exe	113
PID 764 wrote to memory of 824	764	wxlsork.exe	120
PID 764 wrote to memory of 824	764	wxlsork.exe	120
PID 764 wrote to memory of 824	764	wxlsork.exe	120
PID 764 wrote to memory of 3108	764	wxlsork.exe	119
PID 764 wrote to memory of 3108	764	wxlsork.exe	119
PID 764 wrote to memory of 3108	764	wxlsork.exe	119
PID 824 wrote to memory of 5084	824	wbtb.exe	123
PID 824 wrote to memory of 5084	824	wbtb.exe	123
PID 824 wrote to memory of 5084	824	wbtb.exe	123
PID 824 wrote to memory of 636	824	wbtb.exe	122
PID 824 wrote to memory of 636	824	wbtb.exe	122
PID 824 wrote to memory of 636	824	wbtb.exe	122
PID 5084 wrote to memory of 5036	5084	wwtijx.exe	124
PID 5084 wrote to memory of 5036	5084	wwtijx.exe	124
PID 5084 wrote to memory of 5036	5084	wwtijx.exe	124
PID 5084 wrote to memory of 3972	5084	wwtijx.exe	125
PID 5084 wrote to memory of 3972	5084	wwtijx.exe	125
PID 5084 wrote to memory of 3972	5084	wwtijx.exe	125
PID 5036 wrote to memory of 1544	5036	wxjkv.exe	127
PID 5036 wrote to memory of 1544	5036	wxjkv.exe	127
PID 5036 wrote to memory of 1544	5036	wxjkv.exe	127
PID 5036 wrote to memory of 3108	5036	wxjkv.exe	128
PID 5036 wrote to memory of 3108	5036	wxjkv.exe	128
PID 5036 wrote to memory of 3108	5036	wxjkv.exe	128
PID 1544 wrote to memory of 1528	1544	wlama.exe	130
PID 1544 wrote to memory of 1528	1544	wlama.exe	130
PID 1544 wrote to memory of 1528	1544	wlama.exe	130
PID 1544 wrote to memory of 3612	1544	wlama.exe	132
PID 1544 wrote to memory of 3612	1544	wlama.exe	132
PID 1544 wrote to memory of 3612	1544	wlama.exe	132
PID 1528 wrote to memory of 3144	1528	wwrln.exe	133
PID 1528 wrote to memory of 3144	1528	wwrln.exe	133
PID 1528 wrote to memory of 3144	1528	wwrln.exe	133
PID 1528 wrote to memory of 3964	1528	wwrln.exe	135

C:\Users\Admin\AppData\Local\Temp\36f008974b40ac325c50a1b425984e1c.exe
"C:\Users\Admin\AppData\Local\Temp\36f008974b40ac325c50a1b425984e1c.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\wcr.exe
  "C:\Windows\system32\wcr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\wbaqixi.exe
    "C:\Windows\system32\wbaqixi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbaqixi.exe"
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\wmpiviv.exe
      "C:\Windows\system32\wmpiviv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\wavnbr.exe
        
        "C:\Windows\system32\wavnbr.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavnbr.exe"
        6⤵
        
        PID:4972
      - C:\Windows\SysWOW64\wxlsork.exe
        
        "C:\Windows\system32\wxlsork.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlsork.exe"
        7⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\wbtb.exe
        
        "C:\Windows\system32\wbtb.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtb.exe"
        8⤵
        
        PID:636
        
        C:\Windows\SysWOW64\wwtijx.exe
        
        "C:\Windows\system32\wwtijx.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\wxjkv.exe
        
        "C:\Windows\system32\wxjkv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\wlama.exe
        
        "C:\Windows\system32\wlama.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\wwrln.exe
        
        "C:\Windows\system32\wwrln.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\wbncn.exe
        
        "C:\Windows\system32\wbncn.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbncn.exe"
        13⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\wmwbuvpp.exe
        
        "C:\Windows\system32\wmwbuvpp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwbuvpp.exe"
        14⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\wpyx.exe
        
        "C:\Windows\system32\wpyx.exe"
        14⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyx.exe"
        15⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\wggjcfk.exe
        
        "C:\Windows\system32\wggjcfk.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\wemqjwy.exe
        
        "C:\Windows\system32\wemqjwy.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\wnbw.exe
        
        "C:\Windows\system32\wnbw.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\waxf.exe
        
        "C:\Windows\system32\waxf.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\wfufhab.exe
        
        "C:\Windows\system32\wfufhab.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wck.exe
        
        "C:\Windows\system32\wck.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\wtjx.exe
        
        "C:\Windows\system32\wtjx.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjx.exe"
        22⤵
        
        PID:724
        
        C:\Windows\SysWOW64\wsxr.exe
        
        "C:\Windows\system32\wsxr.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\wxhxxe.exe
        
        "C:\Windows\system32\wxhxxe.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\wlaiejkr.exe
        
        "C:\Windows\system32\wlaiejkr.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlaiejkr.exe"
        25⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\wukxwv.exe
        
        "C:\Windows\system32\wukxwv.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\wnhupmcs.exe
        
        "C:\Windows\system32\wnhupmcs.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\wrxgtyr.exe
        
        "C:\Windows\system32\wrxgtyr.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxgtyr.exe"
        28⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\wbsgsu.exe
        
        "C:\Windows\system32\wbsgsu.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\wednyxec.exe
        
        "C:\Windows\system32\wednyxec.exe"
        29⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wednyxec.exe"
        30⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\wsyrqf.exe
        
        "C:\Windows\system32\wsyrqf.exe"
        30⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsyrqf.exe"
        31⤵
        
        PID:740
        
        C:\Windows\SysWOW64\wnktsk.exe
        
        "C:\Windows\system32\wnktsk.exe"
        31⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnktsk.exe"
        32⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\wdnbhb.exe
        
        "C:\Windows\system32\wdnbhb.exe"
        32⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnbhb.exe"
        33⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\wqpake.exe
        
        "C:\Windows\system32\wqpake.exe"
        33⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\wleu.exe
        
        "C:\Windows\system32\wleu.exe"
        34⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpake.exe"
        34⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsgsu.exe"
        29⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhupmcs.exe"
        27⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukxwv.exe"
        26⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhxxe.exe"
        24⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxr.exe"
        23⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wck.exe"
        21⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfufhab.exe"
        20⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxf.exe"
        19⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbw.exe"
        18⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemqjwy.exe"
        17⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1656
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Program crash
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggjcfk.exe"
        16⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrln.exe"
        12⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlama.exe"
        11⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjkv.exe"
        10⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtijx.exe"
        9⤵
        
        PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpiviv.exe"
        5⤵
        
        PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcr.exe"
    3⤵
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\36f008974b40ac325c50a1b425984e1c.exe"
  2⤵
  PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
1⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wavnbr.exe

Filesize
265KB

MD5
abe051159aa10f7c48526046cf190ec2

SHA1
53b0515b56c1a88c3e5eda9b8996b49a0848c92f

SHA256
e300af4a1512705359baeb01da8471dd932e874c7b668778d585699477102a80

SHA512
3094675787286dffac32747356eb5390159c535ef263c48a630ad0bc78f3547eb55f7529e822617f83c70db647c696cfac1140ad80fa0d8bc5ddb199fd949819

Download Submit
C:\Windows\SysWOW64\waxf.exe

Filesize
266KB

MD5
88bbed9b4f394cab4733469cf940292a

SHA1
580b31d024b5f06d702f72be3ac4f779161b0762

SHA256
e77f9d0736033de29ba628de5eb831573573d8dcf31005293f620c71be8cd09c

SHA512
51898d5b9a203365eb027ed60cbeddf26634247d1e1871b895c25e9c18e32d891ecac381fa9aeb3836f5636056c593a1d85ef5662f7a866d00e3733e9b902b85

Download Submit
C:\Windows\SysWOW64\wbaqixi.exe

Filesize
265KB

MD5
417e3b9bb6057a4dbc6fd979dc2ed03d

SHA1
f799cc8fbc401bf40c48d6756541ddc6897f7061

SHA256
9530423a3557d589d02939b9cd0830e582428a6b64049e8a5915b56a828b92e4

SHA512
da9952a8f8330de057c86ff1097d6c3ede43a9399685beba6c58ac3854b9d74eb637b59e195b02a56caf592dbc4f3242bcb5bc61c395f3829d7fd5d1c30d5e04

Download Submit
C:\Windows\SysWOW64\wbncn.exe

Filesize
266KB

MD5
ebb426d774a50fe2d682c5fe17a597a5

SHA1
51b4ab4fce4d8bb71b49b3fef4d732f0bb623e85

SHA256
77ece6afd83534df7c08b7b92e04191bc47d0ec12128df36bcef6a35608ccd18

SHA512
1a31133b5fc3320b3956a27258fcaad3b8fd2ce05c69e76e676b672e848d765183b1a7a6fea7ea11870c90d9ddfa99fdd505283f7204fb6a16b51ecb0487d15d

Download Submit
C:\Windows\SysWOW64\wbncn.exe

Filesize
93KB

MD5
876447920007af1daa6fb5779e76110c

SHA1
75bc780e31d3f708a876f4af250c6c7d540f3cd5

SHA256
b1a72e35c6dd44fdecf8da71114153234386f1f1d5046d1577070a2f0b85df05

SHA512
32153266548ecc70c11260ba89ceea99f2c1fb796e8c224d33d8275d41a75e416eb8c1e760d936e9e1b6e0c6d108087c9012debe0a520abe01e0542b675c3d11

Download Submit
C:\Windows\SysWOW64\wbsgsu.exe

Filesize
266KB

MD5
9e45c88a3cfe57e6abb752dde2c765a3

SHA1
675669c12fb1dd8c52e941727b9e0a2c937a120e

SHA256
7f1c4c1c20cb788b2f096b9948de103f9f7a9b2a51c33954b43091219d6c11d5

SHA512
fa4c79d699638143d2a77a22e9393dc2ae7283a947fc6b317acd8b6056c39b816ff6ed838cb825667ee0bf15fcb2196f7069b6479863fd79cf1a0e65c4f3bcea

Download Submit
C:\Windows\SysWOW64\wbtb.exe

Filesize
266KB

MD5
5fb49e9bb9da634098c892e577b61ed1

SHA1
66e7cecce49ff4bb82262dcf2036c32d9c52eed6

SHA256
b1d8faff07ba6d115073ca631daa091948394bfc5022bc03012adb1c52ec61ce

SHA512
99939dd3405a318511a5d34eec47e40db502d8ccfc8bd8a3761f2dff36c00d1774d42e3b8a663aaa1eb9895d17e6eaaa20c73771a69f4e341d60ccc23fa4d372

Download Submit
C:\Windows\SysWOW64\wck.exe

Filesize
266KB

MD5
344f4904cd8eaead64316e2fa9891d57

SHA1
4d53b08d81193c6ece941ddea85f7c363424ebf3

SHA256
73fda14faea4eb8b2446c28554b66e4d2a42373d7de8039fcc2b5a820a1d0f23

SHA512
335ca4da5e1b32e3097ed8615dcfd5cf486a409c5d80282f6236a288b1eb18cff0b37d3a934a78edb67d2d7a122278481ff9f5b4a6edccf93c35441537c097bd

Download Submit
C:\Windows\SysWOW64\wcr.exe

Filesize
265KB

MD5
fdf253316111abd6e4832c6ee4d3770f

SHA1
bb4fc5003bf2e00bf470f524812b4d1c40b8dbaa

SHA256
241cc4a8e9354df526870b240d919e58038e7243cf9b3b668cb66c61af1d022b

SHA512
14b99921ee9c923c1e4e2c96fe9e021e4bbcfcc77f3b55137b60144546f30228b533b446f04056abd14be7004131a8580fa77b4afb5218decd99293c9ec384e8

Download Submit
C:\Windows\SysWOW64\wdnbhb.exe

Filesize
266KB

MD5
e6ae42dd407be355e1ee0065325e93f3

SHA1
1ddd764de74d270fb2d6a0b88c3f671ddc37885a

SHA256
f44d71278eb2589ed7a1dc0e73d80d894b6d871c65191d1b28dd309d78c33b55

SHA512
94169e7f40d99ce2baf76ae96b7ff849b6fb3b62c616591385671ebf8f41a7177fa80b7b1bdf48c5e2f82f04627842e5d184c06f8078ad3bfa97f1cae1ace81e

Download Submit
C:\Windows\SysWOW64\wednyxec.exe

Filesize
266KB

MD5
091cd8df22091753fed1e1b59a1a96ec

SHA1
e03e14962554c9c84bd2f9e7704bcd9a779dcbcf

SHA256
ffdc89a54534badf48844e3881d584167e3f9aed9ed1a3873367c473404c334f

SHA512
27a7707d3b06dd4fb28c30f34a1c6478a232e9597c0970915b3064c65ef3ce978d49ba66d3c7c366a271a94ffe47aec3656445dbf133b643b0fc993082fdabf1

Download Submit
C:\Windows\SysWOW64\wemqjwy.exe

Filesize
1KB

MD5
a53bb0b1282d7d38e921b590b777bada

SHA1
15258dc07732e9de7a91adc2580733d67393da67

SHA256
e6dd58f983c69bdcdb23f3d4078bed503613028b37485de276a8d5a7fda363d0

SHA512
d99715cf29b993fdeae3ead592a0f50a6d99e843699ff4686e2a054c9ca67d3da26aa73fcf50688b069513becc65a636d6b0898cb64618a6fd32fa160448a6d1

Download Submit
C:\Windows\SysWOW64\wemqjwy.exe

Filesize
9KB

MD5
0cdb476a1a85005f903edfeded11640e

SHA1
542461d37b7339f95ffaa4acf3b1c93c840b7249

SHA256
7fe88f38e751d4a4e156e5541636f8f5aa2ca9920e100e952cf2db5258f2234e

SHA512
4453a256c9652de23a5509ebdd2123c3b5d4d3de0c13f4f4fdd56f9d3f7a61da732942aaf25d0b46bc66ca44f8e6384b0e832935290305fae8b8ab1866446c30

Download Submit
C:\Windows\SysWOW64\wfufhab.exe

Filesize
266KB

MD5
f7b816d4fc323148c0e2eccf7f55657f

SHA1
e834fb0b6b2cbdf95392ae489196c4131b30fc1f

SHA256
599c5860996aa01501eef66c87d61178de3e9607b201839051a3207bd42912e1

SHA512
29e401633a5baa781fbdcc43cd30582547ae3e9feb9566ec2307cef04507e11e4582bf4f53a4aa70c427494e01208cfff9918818a4e6bc0da80099f59f3391ce

Download Submit
C:\Windows\SysWOW64\wggjcfk.exe

Filesize
151KB

MD5
6bc9a8d604317153f8849661ba178e09

SHA1
09d4532e8c064bb6d8f0ef8e4976dc1d2398f546

SHA256
437dc12c2062aa7ecb097fe8418b8504e8e47264786136f7ac350560204aa5d1

SHA512
3608a44af1224cb62e9319c8dc790164c8f1fd2800f159b9fbd2621b3f3b463416863b88be5b558bbe71e9d03fd49921da2e3db9d19ba30badd3a6655a971f3a

Download Submit
C:\Windows\SysWOW64\wggjcfk.exe

Filesize
23KB

MD5
11ff04ab2cb7347c8ed5d44ceb038bb1

SHA1
2169f1302eb2b876b9b689896e7fd92f39ecd0e3

SHA256
d3ba24f8d431dc9e065a8365b6382b3dc9d4cadb1b81df0a8c6064ad9d4a1d3d

SHA512
f509fd5d49f47d09dc00a26d0a7f24540aa891c8bdc8eb6b8a10267c3bc4ec63a6c022014063d05de7c1e861fb57fd375b5a8df9b6256c011b391036a134a21c

Download Submit
C:\Windows\SysWOW64\wlaiejkr.exe

Filesize
266KB

MD5
ca28c9ea8d7bbe328bea6bc8f2cffd1d

SHA1
10bee388b7cb80fb601f9b4d72b0bbc5372c1eeb

SHA256
542993b47b48c181e9afa95a9db7ef05cb8adcc465ea857abc56159a62297196

SHA512
3466641609e7af180af74b1a804b61c125b26a7c1fb7b8307f417823332f6e81953f3403af38f7858e89a147c7b175e097b9ad7fea5943d1a477bb586d61dd9e

Download Submit
C:\Windows\SysWOW64\wlama.exe

Filesize
266KB

MD5
02c5c18b0969d52a5e4d018c42242946

SHA1
d6dd3cf3f776d5681bd2a45da7373946bb942d34

SHA256
0402d7d36325f4bf56b3335d750b9f48dc30ba059b1576f7eb9ad5e691780e3c

SHA512
681114764b41f17118b4c5f79794a42fc0e4988255cf2c5fa45a403f9b744b85dd5edea0a139de9fc4e79aa93594237f851274fdd0f981018d8c57c8df9d90b3

Download Submit
C:\Windows\SysWOW64\wmpiviv.exe

Filesize
265KB

MD5
b0874ec2066ca67deff9e9e7120fa05c

SHA1
9866e466cd21595c957df59b311388abed4eda96

SHA256
d86b9a3faac9ad773a4d5f158584d7a8c55bb35d446741a50a007099787590ec

SHA512
167e96b3ac44bd49d38f9a937a0133cd5bcd766d91fb25c26c32c387a3da5107b8f315cea9cb0b33b0b3dd8526f71bf1605c2778a0441e799b0ec1886f6b1588

Download Submit
C:\Windows\SysWOW64\wmwbuvpp.exe

Filesize
86KB

MD5
62ef9a362ff9b90e60a239a51f207a58

SHA1
dbded3320d329aa4886063d06d1b3ee50321260e

SHA256
bcb27c5398e5cf596b58a41d83b57de08a84f0a980711c187686500a6ea64883

SHA512
93447a8d95b69363692510f4ad72cd701643ae027f2a7766b30d4cd447fefc693dcc32eeb87408e85ffedd41b4fa357a1d01c9e2024a69fa7b1524711db173a1

Download Submit
C:\Windows\SysWOW64\wmwbuvpp.exe

Filesize
30KB

MD5
4e60ac3f65a259465ddca23d7922b4e8

SHA1
080331eac55ec3c291d053a4dbec35dcf47b383b

SHA256
e79046e77f1306b57b2578fbb11878a1f4a2e9b4803e40113ad08e97092254f7

SHA512
7aebea31fba85178c0907e2fbc5a8bf79c066f5b06c1a0f8dd6cdcc760523c6e9298e5aee40c797ce3021f933e7f22defbd4dd5b31a9c3ea3240d21502227b1c

Download Submit
C:\Windows\SysWOW64\wnbw.exe

Filesize
266KB

MD5
0da2b3d4c03cddf4019718fa6c846fb3

SHA1
81bc31adaa636f965bbb53f3fd470e78a2600e87

SHA256
21b863f59f582e8346262adad27d7e134b7c51be245fcf69e22860a1ce5769b1

SHA512
cf3c9e4660cb1f82791172aa93733cded925ef713f00ae25b2606ff43b10c09652bf97f5beb6d95954a73a89b9a59518aa51684f862f34d5a93390c8a0f629ed

Download Submit
C:\Windows\SysWOW64\wnhupmcs.exe

Filesize
266KB

MD5
223fcea5d817afce89b3fc5c8b2c85b5

SHA1
43a47ba62933a00c3021f9741ebf6abaeda587f1

SHA256
0b92968b3cd737c948a5070a2407bac45b869620ad3eb432f6810190c10cfe80

SHA512
60a58e8beb473848a199d6af3d35719d4f75e568966415d6dd446f27996e58108dad26907350e6513f01935235e5570855ea46901f408543ef09d83b3b550728

Download Submit
C:\Windows\SysWOW64\wnktsk.exe

Filesize
266KB

MD5
34dcc7ff767fadb2b872699a7ae8698d

SHA1
d8c84742726af30abfed8d7e1fa1e1bb08642efa

SHA256
52ee598f053d7ae68d3c99254c078103c513d95a98069952c6b7c1ac2d5f7fe8

SHA512
42f36561c0fad8f99c9b78af3ba256e8289d955c5516f9d47ae61199d460350c24cce97418ca9f5f263f230976826469fe0c4e5d3bb0fe557ec151b0d6391a5d

Download Submit
C:\Windows\SysWOW64\wpyx.exe

Filesize
266KB

MD5
e7a33f5887776485141ad9661463c598

SHA1
7193d84fadc3663116f9094e063b763fe556450d

SHA256
64ff61809b893c81a7bdc233ea3ead07d99afa89849fc7e74bb6771577905c24

SHA512
d88dc3992b5226c7bfe8871c14f9111a6e0b010488150dabbc75a7abc3388c62929d39f78a6432babc25e42f9c8d707c1146e0654921dc83a396f6d6a13256bf

Download Submit
C:\Windows\SysWOW64\wqpake.exe

Filesize
122KB

MD5
1c7e43baf6e822d26225b552d860ec84

SHA1
25b2131d9adaba09134330d7c1ddf53fefc2ad8e

SHA256
871cfde7c29bc4a7e9fbe70c50d30fcf93a714167f2ac743f45b7399f7bc7a7f

SHA512
bb192b9135e617fba67d18552945b7fe5c00547c535095f06e3683045c58adfbc89a9b9a423d972d213d94778c169113cf997c546e5c4a1da158c624fe8048f0

Download Submit
C:\Windows\SysWOW64\wqpake.exe

Filesize
221KB

MD5
09f3e99b88449a48f80e046aa10a068d

SHA1
491afb4625f939dfa5adf5e22da9e3eb780ecdb8

SHA256
6f1086c187bae1aecdc8d8027240fdfc2ce5ad1a6cab86334f0835e5dc5eb186

SHA512
7e9e39dba533f0e734cc0824fe1c22a781829e01811ce37b94dde7b2bc2c1f1dbc1b747b47ad2685c76e33806a25555702adc5f124804cc7988b7009cb145ab1

Download Submit
C:\Windows\SysWOW64\wrxgtyr.exe

Filesize
266KB

MD5
161c231206dd50e308cf6e2be75c3de0

SHA1
55e88e407ba56bd5c724712930a1875bc127e8b8

SHA256
56aeb4945607c357b6f473f583fe42e348df6b2a2d355a4af582656350ea9230

SHA512
35e659ba1ff7f487a98da700639c62bc96fb59300152a4ed6c1fd32aeee87a09182bdd420bbbe1410bce3cb41a592df2fb751d019741cb567d1c2672f5f43a75

Download Submit
C:\Windows\SysWOW64\wsxr.exe

Filesize
175KB

MD5
0ddff1156fa6b89d9fd867865b807a41

SHA1
ec74b2fca670c275fccfdc5cb087f5c8d173d085

SHA256
a7021c258f0154319373522c10630ce0bd0380d430a2416b960e6cf5d6083439

SHA512
bb8e9b50ebbdecda12491a620579b3048832b58009b9cffc564f446b61334a4510ec5ca23765ceb5e763eaf76375dc03d2bc0c33c0a44ab73cad532e06ae1f63

Download Submit
C:\Windows\SysWOW64\wsxr.exe

Filesize
135KB

MD5
cb62985568ac02bd681be8bb3323219a

SHA1
11dce62aa1ab0da1a77bef5cf5f31bac84641577

SHA256
939671c84a3891af90635eff07e1b64653a77bbc3c8b4efab9bb4be23e9ae105

SHA512
48d6c576f9c7ce05413d5b25d4a3fc8abbc6f2b4f6f098462f542c8027e18bd98d406a77dd5ebd2fa58075ce4cbb966722ce5ce79e29fc760e2395fbd5bc56fe

Download Submit
C:\Windows\SysWOW64\wsyrqf.exe

Filesize
266KB

MD5
a0399fae0c2b35b0ca18f5705aa77220

SHA1
a1ade7be9a9d5aee873c3822646dbdb06312a85e

SHA256
3ffe2b7c9b6f1f7dc9810f5745665de0dac04e49f11701b4f823fee2e18d7321

SHA512
e5a11de7f642c36b475ab5ada21013b51e031394f6e0bba10dc97db307dad10051393d27ca453ba2e86df238e57091535ee2d2a47a603effc04f51891c84b8ce

Download Submit
C:\Windows\SysWOW64\wtjx.exe

Filesize
266KB

MD5
85462b4e7ca71c944c24ceb24f427ed5

SHA1
f1bd290985eae852f9c62d4eaec911527b34449e

SHA256
a5d51c93a01d10f6baf9f4b85271aebab8904f1bce43ab2ea4e6b0a787ecb738

SHA512
f00b9f929a345ceeb73faf4583535ccf61bb8f4233a0eb3f585d49b6c2625ca8f21157cbb0ca2899563dffacc8b8281c70b994a587c2bd9b6a248c7df1a03305

Download Submit
C:\Windows\SysWOW64\wukxwv.exe

Filesize
266KB

MD5
4cd257c9402407161772ea31d450b2fb

SHA1
c6c92e12aec24f468f631a490c7e8a1040e5e767

SHA256
8fb8498252907842347c189be0c06abc9c9b82091eb6a83b2638cc95ea05e1f2

SHA512
7ca06da66113093e03940985a9e8d710735bab4f021c399b0e63546a8c393ad32ad2086a8a2541c663147581d5f24cd86425995cef92561adbe9b8a7c16c3b76

Download Submit
C:\Windows\SysWOW64\wwrln.exe

Filesize
266KB

MD5
0c1549dd9013384768fa548fdcf4a15e

SHA1
4647dad19dadcb9f1ecc9f7d7d26f01d718a7739

SHA256
c0b17adafc1490b3478fac922b3f900d5f3c6ea0a45c9e2c7b0d514471413c3e

SHA512
c3f1eaaf9a61cf2c53159cc1419a357c36ed1bf8f52fd76e0389fa617a03cdf5ad759c0080e953b225891dfec9b7446098b9dea3dafbf7d7f8534453aa43e643

Download Submit
C:\Windows\SysWOW64\wwtijx.exe

Filesize
266KB

MD5
3f42cfc832899edf9a85fc085d6f68d0

SHA1
37b9e7215a64cb60dd304d1cb6c6327e959f13a7

SHA256
5c5f8fd709d4a37363576e78e6b3f74ba2eda2aae248da14c5edf11b0c6cb50d

SHA512
b9d9532b3411cd73c9d87e7ef474e6c859e9619c7004103962dfa5ba976f0d89294951ffd91ff551d5b3774074829db248fdc825e81142f09b5fb56527ba561b

Download Submit
C:\Windows\SysWOW64\wxhxxe.exe

Filesize
266KB

MD5
645d174644546fef5e3f05ae93d6c6d3

SHA1
4a107d56a6acfb4c62d299bd66b3794c5197c489

SHA256
144493a0e668290b101fb1ba0e96c05604842be210c5c5323fb4f957c158041f

SHA512
b0f874372199952522a763cffe4998e1393bee63738428c292b16ad3ad004dcd6901bda71ca8588956104c3792f1500d254d93986ce0bdb707825e6079d49168

Download Submit
C:\Windows\SysWOW64\wxjkv.exe

Filesize
266KB

MD5
b29164b0a05e78ed126517af3bc32fe5

SHA1
11f2fea47d4539407ea32037b32afe6ad6b27a02

SHA256
f7ecc0a091e37686ff87d58fc5a8419ac5aa38247ee6318fc569d2aeb1989de0

SHA512
6d75d7a934b0a4b039032abf7ff60e08066fdc61510d5b29df215d03951ac1a7efbd7be011a142c16691eb34f480922afab812c268ff6e123eb326e015c5cd09

Download Submit
C:\Windows\SysWOW64\wxlsork.exe

Filesize
265KB

MD5
2a72ca44bfc2b7ce08a7b15ebaddc235

SHA1
08b40ee9bd482c8f1106e115ecc2ba688f4ebc18

SHA256
fcb6d3110e1c92a3993b98942fb11689d8edb4cde838e70569ca5e534386ce9c

SHA512
f176b1fd4d19fe01f13d1967557cf7ee489c69867f0eab348d119f0db7bf61b76fb5a14adbb0c4b479cbcb30d52462093e632f63dd88c37e2bfdf41e37cd93be

Download Submit
memory/376-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/376-287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/764-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/824-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1096-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-216-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1480-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1480-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1544-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1544-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1544-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1544-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1852-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1856-336-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1896-298-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-318-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2848-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2848-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2980-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-236-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3132-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3132-308-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3144-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3144-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3172-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4152-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4280-277-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-328-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4652-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4876-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5064-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5076-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5084-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5084-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download