4dd34b527e763c4d064ba0e88eb1278ca524eac2358a7f083b6913815e96f9ac

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b6bf19114a7bba1048ebc21dd476b47.exe
Size

261KB
MD5

9b6bf19114a7bba1048ebc21dd476b47
SHA1

30025cb96c64532024da0057f9e03d8de76d8a7c
SHA256

4dd34b527e763c4d064ba0e88eb1278ca524eac2358a7f083b6913815e96f9ac
SHA512

5ab096e24edc9e7e8781382941de56ed548ed2f79f23b2a7b91d7b738f8976252bc448f18848fdc0a3b217f0e3357164dd736c77b8404ee4e0cd192c94c2d5ca
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpj7sF:ZY7xh6SZI4z7FSVpHsF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1320	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2868	whbisi.exe
2584	wxrl.exe
2560	wxuib.exe
1012	wfopke.exe
1500	wpjpnyehc.exe
2140	wdafnj.exe
1756	wujqyra.exe
596	wanj.exe
1564	waqf.exe
1320	wmij.exe
1664	wnd.exe
2188	wcxp.exe
300	whmrn.exe
676	wobr.exe
2660	wwtwll.exe
2268	wjarecpl.exe
1192	wctlqi.exe
2928	wjb.exe
2832	wkpnavd.exe
2748	wbv.exe
560	wncwf.exe
1324	web.exe
1532	wrosps.exe
2344	wegxqlwju.exe
2476	wummc.exe
684	wmkofb.exe
2264	wmaunp.exe
2528	wpjebf.exe
2928	wams.exe
2604	wsgwmgale.exe
2788	wbvwde.exe
2200	wvah.exe
1464	wjynsteo.exe
2972	wywbof.exe
2396	wlwgcus.exe
2256	wus.exe
2360	wuiygjbl.exe
884	wyparrti.exe
1588	wamufhx.exe
1128	wdbwepyk.exe
1604	wqotjdhu.exe
968	wlfnreaoi.exe
3028	wjwja.exe
2016	wkbfae.exe
2108	wwdkefvx.exe
3056	wntkvoj.exe
3024	waadpfj.exe
2580	wjncedocw.exe
1564	wamek.exe
2808	wrkfoqh.exe
564	wesyh.exe
2888	wnunqh.exe
2356	wvbjsfxc.exe
2988	whsntyi.exe
796	wxydehl.exe
1580	wxihyy.exe
2944	wxeclo.exe
2796	wccspvluv.exe
2824	wrdcphm.exe
2640	wfymbwbc.exe
1624	wlkqv.exe
1984	wyenr.exe
2760	wjrnhkul.exe
2972	wyqol.exe

Loads dropped DLL 64 IoCs

pid	Process
1300	9b6bf19114a7bba1048ebc21dd476b47.exe
1300	9b6bf19114a7bba1048ebc21dd476b47.exe
1300	9b6bf19114a7bba1048ebc21dd476b47.exe
1300	9b6bf19114a7bba1048ebc21dd476b47.exe
2868	whbisi.exe
2868	whbisi.exe
2868	whbisi.exe
2868	whbisi.exe
2584	wxrl.exe
2584	wxrl.exe
2584	wxrl.exe
2584	wxrl.exe
2560	wxuib.exe
2560	wxuib.exe
2560	wxuib.exe
2560	wxuib.exe
1012	wfopke.exe
1012	wfopke.exe
1012	wfopke.exe
1012	wfopke.exe
1500	wpjpnyehc.exe
1500	wpjpnyehc.exe
1500	wpjpnyehc.exe
1500	wpjpnyehc.exe
2140	wdafnj.exe
2140	wdafnj.exe
2140	wdafnj.exe
2140	wdafnj.exe
1756	wujqyra.exe
1756	wujqyra.exe
1756	wujqyra.exe
1756	wujqyra.exe
596	wanj.exe
596	wanj.exe
596	wanj.exe
596	wanj.exe
1564	waqf.exe
1564	waqf.exe
1564	waqf.exe
1564	waqf.exe
1320	wmij.exe
1320	wmij.exe
1320	wmij.exe
1320	wmij.exe
1664	wnd.exe
1664	wnd.exe
1664	wnd.exe
1664	wnd.exe
2188	wcxp.exe
2188	wcxp.exe
2188	wcxp.exe
2188	wcxp.exe
300	whmrn.exe
300	whmrn.exe
300	whmrn.exe
300	whmrn.exe
676	wobr.exe
676	wobr.exe
676	wobr.exe
676	wobr.exe
2660	wwtwll.exe
2660	wwtwll.exe
2660	wwtwll.exe
2660	wwtwll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wfymbwbc.exe	wrdcphm.exe
File created	C:\Windows\SysWOW64\wyenr.exe	wlkqv.exe
File opened for modification	C:\Windows\SysWOW64\wetiq.exe	wwllpi.exe
File opened for modification	C:\Windows\SysWOW64\wmaunp.exe	wmkofb.exe
File opened for modification	C:\Windows\SysWOW64\wams.exe	wpjebf.exe
File opened for modification	C:\Windows\SysWOW64\wyparrti.exe	wuiygjbl.exe
File created	C:\Windows\SysWOW64\wfymbwbc.exe	wrdcphm.exe
File created	C:\Windows\SysWOW64\wams.exe	wpjebf.exe
File opened for modification	C:\Windows\SysWOW64\wywbof.exe	wjynsteo.exe
File opened for modification	C:\Windows\SysWOW64\wuiygjbl.exe	wus.exe
File created	C:\Windows\SysWOW64\wqotjdhu.exe	wdbwepyk.exe
File created	C:\Windows\SysWOW64\wujqyra.exe	wdafnj.exe
File created	C:\Windows\SysWOW64\wanj.exe	wujqyra.exe
File opened for modification	C:\Windows\SysWOW64\wegxqlwju.exe	wrosps.exe
File created	C:\Windows\SysWOW64\wummc.exe	wegxqlwju.exe
File opened for modification	C:\Windows\SysWOW64\wqfgj.exe	wyqol.exe
File opened for modification	C:\Windows\SysWOW64\wnifsvm.exe	wqfgj.exe
File created	C:\Windows\SysWOW64\wwgyqowr.exe	wetiq.exe
File opened for modification	C:\Windows\SysWOW64\wanj.exe	wujqyra.exe
File created	C:\Windows\SysWOW64\wvah.exe	wbvwde.exe
File created	C:\Windows\SysWOW64\wjwja.exe	wlfnreaoi.exe
File created	C:\Windows\SysWOW64\wamek.exe	wjncedocw.exe
File opened for modification	C:\Windows\SysWOW64\wrdcphm.exe	wccspvluv.exe
File opened for modification	C:\Windows\SysWOW64\wobr.exe	whmrn.exe
File opened for modification	C:\Windows\SysWOW64\wummc.exe	wegxqlwju.exe
File created	C:\Windows\SysWOW64\wsgwmgale.exe	wams.exe
File created	C:\Windows\SysWOW64\wlwgcus.exe	wywbof.exe
File opened for modification	C:\Windows\SysWOW64\wwgyqowr.exe	wetiq.exe
File created	C:\Windows\SysWOW64\wxrl.exe	whbisi.exe
File created	C:\Windows\SysWOW64\whsntyi.exe	wvbjsfxc.exe
File created	C:\Windows\SysWOW64\wyqol.exe	wjrnhkul.exe
File created	C:\Windows\SysWOW64\wabjsox.exe	wnifsvm.exe
File opened for modification	C:\Windows\SysWOW64\wmij.exe	waqf.exe
File created	C:\Windows\SysWOW64\wnifsvm.exe	wqfgj.exe
File opened for modification	C:\Windows\SysWOW64\web.exe	wncwf.exe
File created	C:\Windows\SysWOW64\wpjebf.exe	wmaunp.exe
File created	C:\Windows\SysWOW64\wuiygjbl.exe	wus.exe
File created	C:\Windows\SysWOW64\wwweug.exe	whjlxyr.exe
File created	C:\Windows\SysWOW64\wesyh.exe	wrkfoqh.exe
File created	C:\Windows\SysWOW64\wkpnavd.exe	wjb.exe
File opened for modification	C:\Windows\SysWOW64\wamufhx.exe	wyparrti.exe
File opened for modification	C:\Windows\SysWOW64\wjwja.exe	wlfnreaoi.exe
File opened for modification	C:\Windows\SysWOW64\wkbfae.exe	wjwja.exe
File opened for modification	C:\Windows\SysWOW64\waqf.exe	wanj.exe
File opened for modification	C:\Windows\SysWOW64\wctlqi.exe	wjarecpl.exe
File opened for modification	C:\Windows\SysWOW64\wpjebf.exe	wmaunp.exe
File created	C:\Windows\SysWOW64\wrkfoqh.exe	wamek.exe
File created	C:\Windows\SysWOW64\wjncedocw.exe	waadpfj.exe
File created	C:\Windows\SysWOW64\wxeclo.exe	wxihyy.exe
File created	C:\Windows\SysWOW64\wwllpi.exe	wabjsox.exe
File created	C:\Windows\SysWOW64\waqf.exe	wanj.exe
File created	C:\Windows\SysWOW64\wmij.exe	waqf.exe
File created	C:\Windows\SysWOW64\wkbfae.exe	wjwja.exe
File created	C:\Windows\SysWOW64\wntkvoj.exe	wwdkefvx.exe
File created	C:\Windows\SysWOW64\wlfnreaoi.exe	wqotjdhu.exe
File opened for modification	C:\Windows\SysWOW64\wesyh.exe	wrkfoqh.exe
File created	C:\Windows\SysWOW64\wnunqh.exe	wesyh.exe
File opened for modification	C:\Windows\SysWOW64\wccspvluv.exe	wxeclo.exe
File opened for modification	C:\Windows\SysWOW64\wcxp.exe	wnd.exe
File opened for modification	C:\Windows\SysWOW64\wbv.exe	wkpnavd.exe
File created	C:\Windows\SysWOW64\wmkofb.exe	wummc.exe
File created	C:\Windows\SysWOW64\wywbof.exe	wjynsteo.exe
File created	C:\Windows\SysWOW64\whjlxyr.exe	wmhgiwoth.exe
File created	C:\Windows\SysWOW64\wxuib.exe	wxrl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2712	968	WerFault.exe	154
3016	2396	WerFault.exe	228

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2868	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	28
PID 1300 wrote to memory of 2868	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	28
PID 1300 wrote to memory of 2868	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	28
PID 1300 wrote to memory of 2868	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	28
PID 1300 wrote to memory of 1320	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	29
PID 1300 wrote to memory of 1320	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	29
PID 1300 wrote to memory of 1320	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	29
PID 1300 wrote to memory of 1320	1300	9b6bf19114a7bba1048ebc21dd476b47.exe	29
PID 2868 wrote to memory of 2584	2868	whbisi.exe	31
PID 2868 wrote to memory of 2584	2868	whbisi.exe	31
PID 2868 wrote to memory of 2584	2868	whbisi.exe	31
PID 2868 wrote to memory of 2584	2868	whbisi.exe	31
PID 2868 wrote to memory of 2236	2868	whbisi.exe	32
PID 2868 wrote to memory of 2236	2868	whbisi.exe	32
PID 2868 wrote to memory of 2236	2868	whbisi.exe	32
PID 2868 wrote to memory of 2236	2868	whbisi.exe	32
PID 2584 wrote to memory of 2560	2584	wxrl.exe	34
PID 2584 wrote to memory of 2560	2584	wxrl.exe	34
PID 2584 wrote to memory of 2560	2584	wxrl.exe	34
PID 2584 wrote to memory of 2560	2584	wxrl.exe	34
PID 2584 wrote to memory of 1816	2584	wxrl.exe	35
PID 2584 wrote to memory of 1816	2584	wxrl.exe	35
PID 2584 wrote to memory of 1816	2584	wxrl.exe	35
PID 2584 wrote to memory of 1816	2584	wxrl.exe	35
PID 2560 wrote to memory of 1012	2560	wxuib.exe	37
PID 2560 wrote to memory of 1012	2560	wxuib.exe	37
PID 2560 wrote to memory of 1012	2560	wxuib.exe	37
PID 2560 wrote to memory of 1012	2560	wxuib.exe	37
PID 2560 wrote to memory of 1332	2560	wxuib.exe	39
PID 2560 wrote to memory of 1332	2560	wxuib.exe	39
PID 2560 wrote to memory of 1332	2560	wxuib.exe	39
PID 2560 wrote to memory of 1332	2560	wxuib.exe	39
PID 1012 wrote to memory of 1500	1012	wfopke.exe	40
PID 1012 wrote to memory of 1500	1012	wfopke.exe	40
PID 1012 wrote to memory of 1500	1012	wfopke.exe	40
PID 1012 wrote to memory of 1500	1012	wfopke.exe	40
PID 1012 wrote to memory of 2244	1012	wfopke.exe	41
PID 1012 wrote to memory of 2244	1012	wfopke.exe	41
PID 1012 wrote to memory of 2244	1012	wfopke.exe	41
PID 1012 wrote to memory of 2244	1012	wfopke.exe	41
PID 1500 wrote to memory of 2140	1500	wpjpnyehc.exe	43
PID 1500 wrote to memory of 2140	1500	wpjpnyehc.exe	43
PID 1500 wrote to memory of 2140	1500	wpjpnyehc.exe	43
PID 1500 wrote to memory of 2140	1500	wpjpnyehc.exe	43
PID 1500 wrote to memory of 2812	1500	wpjpnyehc.exe	45
PID 1500 wrote to memory of 2812	1500	wpjpnyehc.exe	45
PID 1500 wrote to memory of 2812	1500	wpjpnyehc.exe	45
PID 1500 wrote to memory of 2812	1500	wpjpnyehc.exe	45
PID 2140 wrote to memory of 1756	2140	wdafnj.exe	46
PID 2140 wrote to memory of 1756	2140	wdafnj.exe	46
PID 2140 wrote to memory of 1756	2140	wdafnj.exe	46
PID 2140 wrote to memory of 1756	2140	wdafnj.exe	46
PID 2140 wrote to memory of 1600	2140	wdafnj.exe	47
PID 2140 wrote to memory of 1600	2140	wdafnj.exe	47
PID 2140 wrote to memory of 1600	2140	wdafnj.exe	47
PID 2140 wrote to memory of 1600	2140	wdafnj.exe	47
PID 1756 wrote to memory of 596	1756	wujqyra.exe	49
PID 1756 wrote to memory of 596	1756	wujqyra.exe	49
PID 1756 wrote to memory of 596	1756	wujqyra.exe	49
PID 1756 wrote to memory of 596	1756	wujqyra.exe	49
PID 1756 wrote to memory of 2060	1756	wujqyra.exe	50
PID 1756 wrote to memory of 2060	1756	wujqyra.exe	50
PID 1756 wrote to memory of 2060	1756	wujqyra.exe	50
PID 1756 wrote to memory of 2060	1756	wujqyra.exe	50

C:\Users\Admin\AppData\Local\Temp\9b6bf19114a7bba1048ebc21dd476b47.exe
"C:\Users\Admin\AppData\Local\Temp\9b6bf19114a7bba1048ebc21dd476b47.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\whbisi.exe
  "C:\Windows\system32\whbisi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\wxrl.exe
    "C:\Windows\system32\wxrl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\wxuib.exe
      "C:\Windows\system32\wxuib.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\wfopke.exe
        
        "C:\Windows\system32\wfopke.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1012
      - C:\Windows\SysWOW64\wpjpnyehc.exe
        
        "C:\Windows\system32\wpjpnyehc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\wdafnj.exe
        
        "C:\Windows\system32\wdafnj.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\wujqyra.exe
        
        "C:\Windows\system32\wujqyra.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\wanj.exe
        
        "C:\Windows\system32\wanj.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:596
        
        C:\Windows\SysWOW64\waqf.exe
        
        "C:\Windows\system32\waqf.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\wmij.exe
        
        "C:\Windows\system32\wmij.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1320
        
        C:\Windows\SysWOW64\wnd.exe
        
        "C:\Windows\system32\wnd.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\wcxp.exe
        
        "C:\Windows\system32\wcxp.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2188
        
        C:\Windows\SysWOW64\whmrn.exe
        
        "C:\Windows\system32\whmrn.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:300
        
        C:\Windows\SysWOW64\wobr.exe
        
        "C:\Windows\system32\wobr.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:676
        
        C:\Windows\SysWOW64\wwtwll.exe
        
        "C:\Windows\system32\wwtwll.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2660
        
        C:\Windows\SysWOW64\wjarecpl.exe
        
        "C:\Windows\system32\wjarecpl.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\wctlqi.exe
        
        "C:\Windows\system32\wctlqi.exe"
        18⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\wjb.exe
        
        "C:\Windows\system32\wjb.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wkpnavd.exe
        
        "C:\Windows\system32\wkpnavd.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wbv.exe
        
        "C:\Windows\system32\wbv.exe"
        21⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\wncwf.exe
        
        "C:\Windows\system32\wncwf.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\web.exe
        
        "C:\Windows\system32\web.exe"
        23⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\wrosps.exe
        
        "C:\Windows\system32\wrosps.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\wegxqlwju.exe
        
        "C:\Windows\system32\wegxqlwju.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\wummc.exe
        
        "C:\Windows\system32\wummc.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wmkofb.exe
        
        "C:\Windows\system32\wmkofb.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\wmaunp.exe
        
        "C:\Windows\system32\wmaunp.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\wpjebf.exe
        
        "C:\Windows\system32\wpjebf.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wams.exe
        
        "C:\Windows\system32\wams.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wsgwmgale.exe
        
        "C:\Windows\system32\wsgwmgale.exe"
        31⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\wbvwde.exe
        
        "C:\Windows\system32\wbvwde.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\wvah.exe
        
        "C:\Windows\system32\wvah.exe"
        33⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\wjynsteo.exe
        
        "C:\Windows\system32\wjynsteo.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\wywbof.exe
        
        "C:\Windows\system32\wywbof.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\wlwgcus.exe
        
        "C:\Windows\system32\wlwgcus.exe"
        36⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\wus.exe
        
        "C:\Windows\system32\wus.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\wuiygjbl.exe
        
        "C:\Windows\system32\wuiygjbl.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\wyparrti.exe
        
        "C:\Windows\system32\wyparrti.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\wamufhx.exe
        
        "C:\Windows\system32\wamufhx.exe"
        40⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\wdbwepyk.exe
        
        "C:\Windows\system32\wdbwepyk.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\wqotjdhu.exe
        
        "C:\Windows\system32\wqotjdhu.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\wlfnreaoi.exe
        
        "C:\Windows\system32\wlfnreaoi.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\wjwja.exe
        
        "C:\Windows\system32\wjwja.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\wkbfae.exe
        
        "C:\Windows\system32\wkbfae.exe"
        45⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\wwdkefvx.exe
        
        "C:\Windows\system32\wwdkefvx.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wntkvoj.exe
        
        "C:\Windows\system32\wntkvoj.exe"
        47⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\waadpfj.exe
        
        "C:\Windows\system32\waadpfj.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\wjncedocw.exe
        
        "C:\Windows\system32\wjncedocw.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\wamek.exe
        
        "C:\Windows\system32\wamek.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\wrkfoqh.exe
        
        "C:\Windows\system32\wrkfoqh.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\wesyh.exe
        
        "C:\Windows\system32\wesyh.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\wnunqh.exe
        
        "C:\Windows\system32\wnunqh.exe"
        53⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\wvbjsfxc.exe
        
        "C:\Windows\system32\wvbjsfxc.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\whsntyi.exe
        
        "C:\Windows\system32\whsntyi.exe"
        55⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\wxydehl.exe
        
        "C:\Windows\system32\wxydehl.exe"
        56⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\wxihyy.exe
        
        "C:\Windows\system32\wxihyy.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\wxeclo.exe
        
        "C:\Windows\system32\wxeclo.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\wccspvluv.exe
        
        "C:\Windows\system32\wccspvluv.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\wrdcphm.exe
        
        "C:\Windows\system32\wrdcphm.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\wfymbwbc.exe
        
        "C:\Windows\system32\wfymbwbc.exe"
        61⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\wlkqv.exe
        
        "C:\Windows\system32\wlkqv.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\wyenr.exe
        
        "C:\Windows\system32\wyenr.exe"
        63⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\wjrnhkul.exe
        
        "C:\Windows\system32\wjrnhkul.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wyqol.exe
        
        "C:\Windows\system32\wyqol.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\wqfgj.exe
        
        "C:\Windows\system32\wqfgj.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\wnifsvm.exe
        
        "C:\Windows\system32\wnifsvm.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\wabjsox.exe
        
        "C:\Windows\system32\wabjsox.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\wwllpi.exe
        
        "C:\Windows\system32\wwllpi.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wetiq.exe
        
        "C:\Windows\system32\wetiq.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\wwgyqowr.exe
        
        "C:\Windows\system32\wwgyqowr.exe"
        71⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\wiyojk.exe
        
        "C:\Windows\system32\wiyojk.exe"
        72⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\wywqnr.exe
        
        "C:\Windows\system32\wywqnr.exe"
        73⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\wikod.exe
        
        "C:\Windows\system32\wikod.exe"
        74⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\wmhgiwoth.exe
        
        "C:\Windows\system32\wmhgiwoth.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\whjlxyr.exe
        
        "C:\Windows\system32\whjlxyr.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhgiwoth.exe"
        76⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikod.exe"
        75⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywqnr.exe"
        74⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyojk.exe"
        73⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgyqowr.exe"
        72⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetiq.exe"
        71⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwllpi.exe"
        70⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabjsox.exe"
        69⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 872
        68⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnifsvm.exe"
        68⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfgj.exe"
        67⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqol.exe"
        66⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrnhkul.exe"
        65⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyenr.exe"
        64⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkqv.exe"
        63⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfymbwbc.exe"
        62⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdcphm.exe"
        61⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccspvluv.exe"
        60⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeclo.exe"
        59⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxihyy.exe"
        58⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxydehl.exe"
        57⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsntyi.exe"
        56⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbjsfxc.exe"
        55⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnunqh.exe"
        54⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wesyh.exe"
        53⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkfoqh.exe"
        52⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamek.exe"
        51⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjncedocw.exe"
        50⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waadpfj.exe"
        49⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntkvoj.exe"
        48⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdkefvx.exe"
        47⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbfae.exe"
        46⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwja.exe"
        45⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfnreaoi.exe"
        44⤵
        
        PID:512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 204
        44⤵
        Program crash
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotjdhu.exe"
        43⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbwepyk.exe"
        42⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamufhx.exe"
        41⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyparrti.exe"
        40⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiygjbl.exe"
        39⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wus.exe"
        38⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwgcus.exe"
        37⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywbof.exe"
        36⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjynsteo.exe"
        35⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvah.exe"
        34⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvwde.exe"
        33⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgwmgale.exe"
        32⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wams.exe"
        31⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjebf.exe"
        30⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmaunp.exe"
        29⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkofb.exe"
        28⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wummc.exe"
        27⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegxqlwju.exe"
        26⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrosps.exe"
        25⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\web.exe"
        24⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncwf.exe"
        23⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbv.exe"
        22⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpnavd.exe"
        21⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjb.exe"
        20⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctlqi.exe"
        19⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjarecpl.exe"
        18⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtwll.exe"
        17⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobr.exe"
        16⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmrn.exe"
        15⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxp.exe"
        14⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnd.exe"
        13⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmij.exe"
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqf.exe"
        11⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanj.exe"
        10⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujqyra.exe"
        9⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdafnj.exe"
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjpnyehc.exe"
        7⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfopke.exe"
        6⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuib.exe"
        5⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrl.exe"
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbisi.exe"
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\9b6bf19114a7bba1048ebc21dd476b47.exe"
  2⤵
  - Deletes itself
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AF9O3QJT.txt

Filesize
98B

MD5
0f3ed0eaa57ca6d1ed7b896dae768c44

SHA1
a8bbe005af61dd687e0496f912fea09c085ded09

SHA256
449a9de1fc689dbef3bb1c8d18308fc59c5af731fbc4be5d020bbbbaa62fff86

SHA512
a9e81b8c027092a1ce482bf8fcc6a17f217a55a0823959504c857694daa861330eac00d8e63e467c17a125e406f5e5c97f813b94ac46f76c1da44f02ce6fcbd5

Download Submit
\Windows\SysWOW64\wanj.exe

Filesize
261KB

MD5
1f397f195af400419c7e6e48404fe6fb

SHA1
e0b9deaf59b1b094dfbacb0f478dc1148bf21c6a

SHA256
cc2bc0341f2d60953a203cd9ca660d469cfc4211c466f83cc5f3dc64caf1d0c7

SHA512
0054bd261b2ba6d86c816dd9294f2f934896c5424a16241a72b997e14ac0e71ef1918052a0f6ace6e70368b019f30778133c9a764b42adf1bf19d4712f43e743

Download Submit
\Windows\SysWOW64\waqf.exe

Filesize
261KB

MD5
cda4ce1c01d3b30302b3b3417c5bce1f

SHA1
734ddfeec4da90c044c308fa9f32ff89dd3dc112

SHA256
a787690a67c8d5d47311589c83904cb69bf5251219a2fa92021e9b0eaeeb824c

SHA512
e11ac76d5f7b9d900521817e67f9df5a805040e76878e361a353ecef5fab3e6c6e110f1372fa48587c0d6f9fb13d7e0bd545435262e5bb94ac13bb2a82a90c4b

Download Submit
\Windows\SysWOW64\wdafnj.exe

Filesize
261KB

MD5
b18ad3c352fab0c80ea2bee165359079

SHA1
015b57ec97c75d4da745bf603176e30302f39a7d

SHA256
7d672ae6cfbaefe46f12208a348b152f0550b4c15785da84a6e773d6a7d356df

SHA512
a25d0680459f665d67b09bfae05e552b038ca3b710374a78c77deec5319bb993ee140e017b6da377fd9823bab4fb3c61147248c68fbf9ef29c55899a28b14134

Download Submit
\Windows\SysWOW64\wfopke.exe

Filesize
261KB

MD5
34f134c088964f633c684c33ac114c01

SHA1
d9302bcbaf867abe1f4c4535f6d5f3c8ab283031

SHA256
1372d5f723cf5915137519fcdee19670c7eb7a2e4d1b68c92cc022eaaaf510d5

SHA512
cc8f7406e0a73641502702333de7881eb6343131214aec997c02fff448a9777e89fe05cab0fb188b92eeca5bcf01f002e37ed04cfde8cb2e458591c5955a888c

Download Submit
\Windows\SysWOW64\whbisi.exe

Filesize
261KB

MD5
7b84c7761d2483a8d0ba8feb4e252841

SHA1
8f7b6bdf6090df4a6ec963ee2339dc722fc671cd

SHA256
5e2d0ff1f225bc0d32456dfcad2422a19ce2c34c2233dd7419bf3c288de04f37

SHA512
a6e2fb7fce00c3a6369fe0f4669816d838981d945829b96cde6c09240d5545fc0c5b935c829b10235b5686352e5221e5b2c4a8fe5ff91be2ac57e4e3945cb2b9

Download Submit
\Windows\SysWOW64\wmij.exe

Filesize
261KB

MD5
d7f894427a6caf4eb42aed846743711c

SHA1
1ab101c11532b91a1767cba51a86347094d5e74d

SHA256
71714d7c20e8fee235919c6ced60af1aedd667690d517821094eac81f8def377

SHA512
b8400b4c14c6aff0fe5de1c781757a30806d6052c16c5fe348a2279dfbdff9b19a0fcd6af0a7de2376d4b845768933d296b4412ff87ad326902dd8a06b688f5e

Download Submit
\Windows\SysWOW64\wnd.exe

Filesize
261KB

MD5
a84e6829792bfbb0482b08e4c21ed698

SHA1
7869aad2b5947d4718dc5297e0a363a0a4993a50

SHA256
01eb3218a343775b17341e26a1238d7edff4413a048b5b695060223d15368212

SHA512
cd40bf7c572e8b83083dfbf0317e5115bca164dfc7e55f604d838313bd93e25d1c91219ae74439e8406f5abbb40a5e59af6d6b0ba6473bb4bdbe152b95ace40d

Download Submit
\Windows\SysWOW64\wpjpnyehc.exe

Filesize
261KB

MD5
bafaee959aae0f72c105ce5fc371174c

SHA1
a55d8165f5d3371234eabe92321d356d7b90c197

SHA256
36a8ed18587ba779662f4cd47ebb45c6a45b637857850a6c84cae3dc35190bb5

SHA512
7b962134df1148fc62bc537d1c714a9693b80ed0f53fc4f5d73e9a019698bf6910880a6ddcdc8ecc7d5d3317289e0c47906b25ec22d6a0d1cfb5f65510d6c2d8

Download Submit
\Windows\SysWOW64\wujqyra.exe

Filesize
261KB

MD5
6d0f8da2dc9fe5516efb2d9d788a8ec7

SHA1
6638f53574a40531bfbaf60292a8db8c125ff5a5

SHA256
84f3c2207d92ec9cdd51e71c58db064889e046df4a26a5de4f967eaca2cbabfc

SHA512
639b2f6f21fcefe664e735a8cca84f8afa3c0c74daf83f0ca2709945d2c58aec5270b83fcb1ad184c872587b3ba9d16ef6c45154780f123a9039ef9764b385bf

Download Submit
\Windows\SysWOW64\wxrl.exe

Filesize
261KB

MD5
c33b2e77df254a705b819a8a227c73fa

SHA1
277d57433f676e620425354837fec407eb517775

SHA256
2e687f793d7b43951a542b6fca2d6416ed0c20f535ce5359926c10ebfa0a9497

SHA512
2c794db315406da40f1e202bab566479a530ece398c2f0632b55876d4de4689a1a1b0f0ccd070f20d2336d443c87d216e0acdba6943332cbf1fe37cc31372ebf

Download Submit
\Windows\SysWOW64\wxuib.exe

Filesize
261KB

MD5
b7c01182a5cd3e553674cdd28b6407d6

SHA1
b7a713fb8247d129a0b2de55f7bb5d5a6fb20190

SHA256
bf6c4090a0fd908c5f52b572ba1c032892d6c6065fc280f376c5d57929be63e8

SHA512
f1b4f4212e4af8c4c6742e6da6653e47e6a8a3dcfbb39d4012c871759c20a08b03dfc24f5ad8c3c8209b625596c1af70712659c20b97a1faa30d2dd46c7d3a02

Download Submit
memory/300-279-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/300-264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/300-277-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/596-193-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/596-276-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/596-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/596-192-0x0000000003240000-0x0000000003257000-memory.dmp

Filesize
92KB

Download
memory/596-191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-280-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-292-0x0000000003710000-0x0000000003727000-memory.dmp

Filesize
92KB

Download
memory/676-293-0x0000000003710000-0x0000000003727000-memory.dmp

Filesize
92KB

Download
memory/1012-85-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1012-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1012-102-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/1012-101-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/1300-11-0x0000000003AE0000-0x0000000003AF7000-memory.dmp

Filesize
92KB

Download
memory/1300-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1300-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1320-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1320-229-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1320-232-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1320-230-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1320-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1320-233-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1500-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-125-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/1500-123-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/1500-112-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/1500-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1564-194-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1564-278-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/1564-213-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1564-204-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/1664-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-247-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/1664-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-248-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/1756-170-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1756-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-168-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1756-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-146-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/2140-149-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/2140-145-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/2140-234-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/2140-144-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/2140-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2188-249-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2188-263-0x0000000001FC0000-0x0000000001FD7000-memory.dmp

Filesize
92KB

Download
memory/2188-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-162-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2560-78-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2560-83-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2560-80-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2560-79-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2560-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-57-0x00000000035F0000-0x0000000003607000-memory.dmp

Filesize
92KB

Download
memory/2584-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-58-0x00000000035F0000-0x0000000003607000-memory.dmp

Filesize
92KB

Download
memory/2868-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-39-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2868-33-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download