e7490d25eb3e1553ec66c42b1474a2ff025072f3017eb882f7b15da0379ce9e0

Analysis

max time kernel
2044s
max time network
2059s
platform
windows10-2004_x64
resource
win10v2004-20240221-uk
resource tags

arch:x64arch:x86image:win10v2004-20240221-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
25-02-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WutheringWaves_setup_global.exe
Size

87.1MB
MD5

345d3f20d71c8816444e44a5f3d704fe
SHA1

76a4146523a6e94d06b7b73a11d7f3e59be9d5ec
SHA256

e7490d25eb3e1553ec66c42b1474a2ff025072f3017eb882f7b15da0379ce9e0
SHA512

0a51de32fb07f1ae97eefd2c979562432927dd0694050fbd9ccb683a6f170c8b2cb15ce6ce82467e35c00271e5f47c56b33fc5e0d2676c53c474c2afef6eb596
SSDEEP

1572864:u5Ihe5WrOpKY2V5DaePIqJt4xsmJ87lQ8rGwGjomUjpj5ChO+BJx4ypeksxq+1Hx:uWYWypX9ePIqJtdl12jomU95C9tPpeb5

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

WutheringWaves_setup_global.exe

description ioc process

File opened (read-only) \??\D: WutheringWaves_setup_global.exe

description	ioc	process
File opened (read-only)	\??\D:	WutheringWaves_setup_global.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TQMCenter_64.exeTQMCenter_64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	TQMCenter_64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	TQMCenter_64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Executes dropped EXE 7 IoCs

Processes:

launcher.exeKRInstallExternal.exeTQMCenter_64.exelauncher.exeKRInstallExternal.exeTQMCenter_64.exelauncher.exe

pid process

4336 launcher.exe
3948 KRInstallExternal.exe
3232 TQMCenter_64.exe
380 launcher.exe
3992 KRInstallExternal.exe
728 TQMCenter_64.exe
4120 launcher.exe

Loads dropped DLL 64 IoCs

Processes:

WutheringWaves_setup_global.exelauncher.exeKRInstallExternal.exeTQMCenter_64.exe

pid	process
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
3232	TQMCenter_64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WutheringWaves_setup_global.exelauncher.exelauncher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WutheringWaves_setup_global.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WutheringWaves_setup_global.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	WutheringWaves_setup_global.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	WutheringWaves_setup_global.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	launcher.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	launcher.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

launcher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	launcher.exe

Suspicious behavior: AddClipboardFormatListener 6 IoCs

Processes:

WutheringWaves_setup_global.exelauncher.exeKRInstallExternal.exelauncher.exeKRInstallExternal.exelauncher.exe

pid process

2316 WutheringWaves_setup_global.exe
4336 launcher.exe
3948 KRInstallExternal.exe
380 launcher.exe
3992 KRInstallExternal.exe
4120 launcher.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

WutheringWaves_setup_global.exelauncher.exelauncher.exe

pid	process
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

WutheringWaves_setup_global.exelauncher.exelauncher.exe

pid process

2316 WutheringWaves_setup_global.exe
4336 launcher.exe
380 launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4948	wmic.exe
Token: SeSecurityPrivilege	4948	wmic.exe
Token: SeTakeOwnershipPrivilege	4948	wmic.exe
Token: SeLoadDriverPrivilege	4948	wmic.exe
Token: SeSystemProfilePrivilege	4948	wmic.exe
Token: SeSystemtimePrivilege	4948	wmic.exe
Token: SeProfSingleProcessPrivilege	4948	wmic.exe
Token: SeIncBasePriorityPrivilege	4948	wmic.exe
Token: SeCreatePagefilePrivilege	4948	wmic.exe
Token: SeBackupPrivilege	4948	wmic.exe
Token: SeRestorePrivilege	4948	wmic.exe
Token: SeShutdownPrivilege	4948	wmic.exe
Token: SeDebugPrivilege	4948	wmic.exe
Token: SeSystemEnvironmentPrivilege	4948	wmic.exe
Token: SeRemoteShutdownPrivilege	4948	wmic.exe
Token: SeUndockPrivilege	4948	wmic.exe
Token: SeManageVolumePrivilege	4948	wmic.exe
Token: 33	4948	wmic.exe
Token: 34	4948	wmic.exe
Token: 35	4948	wmic.exe
Token: 36	4948	wmic.exe
Token: SeIncreaseQuotaPrivilege	4948	wmic.exe
Token: SeSecurityPrivilege	4948	wmic.exe
Token: SeTakeOwnershipPrivilege	4948	wmic.exe
Token: SeLoadDriverPrivilege	4948	wmic.exe
Token: SeSystemProfilePrivilege	4948	wmic.exe
Token: SeSystemtimePrivilege	4948	wmic.exe
Token: SeProfSingleProcessPrivilege	4948	wmic.exe
Token: SeIncBasePriorityPrivilege	4948	wmic.exe
Token: SeCreatePagefilePrivilege	4948	wmic.exe
Token: SeBackupPrivilege	4948	wmic.exe
Token: SeRestorePrivilege	4948	wmic.exe
Token: SeShutdownPrivilege	4948	wmic.exe
Token: SeDebugPrivilege	4948	wmic.exe
Token: SeSystemEnvironmentPrivilege	4948	wmic.exe
Token: SeRemoteShutdownPrivilege	4948	wmic.exe
Token: SeUndockPrivilege	4948	wmic.exe
Token: SeManageVolumePrivilege	4948	wmic.exe
Token: 33	4948	wmic.exe
Token: 34	4948	wmic.exe
Token: 35	4948	wmic.exe
Token: 36	4948	wmic.exe
Token: SeIncreaseQuotaPrivilege	4944	wmic.exe
Token: SeSecurityPrivilege	4944	wmic.exe
Token: SeTakeOwnershipPrivilege	4944	wmic.exe
Token: SeLoadDriverPrivilege	4944	wmic.exe
Token: SeSystemProfilePrivilege	4944	wmic.exe
Token: SeSystemtimePrivilege	4944	wmic.exe
Token: SeProfSingleProcessPrivilege	4944	wmic.exe
Token: SeIncBasePriorityPrivilege	4944	wmic.exe
Token: SeCreatePagefilePrivilege	4944	wmic.exe
Token: SeBackupPrivilege	4944	wmic.exe
Token: SeRestorePrivilege	4944	wmic.exe
Token: SeShutdownPrivilege	4944	wmic.exe
Token: SeDebugPrivilege	4944	wmic.exe
Token: SeSystemEnvironmentPrivilege	4944	wmic.exe
Token: SeRemoteShutdownPrivilege	4944	wmic.exe
Token: SeUndockPrivilege	4944	wmic.exe
Token: SeManageVolumePrivilege	4944	wmic.exe
Token: 33	4944	wmic.exe
Token: 34	4944	wmic.exe
Token: 35	4944	wmic.exe
Token: 36	4944	wmic.exe
Token: SeIncreaseQuotaPrivilege	4944	wmic.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

launcher.exelauncher.exe

pid	process
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

launcher.exelauncher.exe

pid	process
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe
380	launcher.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

WutheringWaves_setup_global.exelauncher.exeKRInstallExternal.exe

pid	process
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
2316	WutheringWaves_setup_global.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
3948	KRInstallExternal.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe
4336	launcher.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

WutheringWaves_setup_global.exelauncher.exeTQMCenter_64.exelauncher.exeTQMCenter_64.exelauncher.exe

description	pid	process	target process
PID 2316 wrote to memory of 4948	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 4948	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 4948	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 4944	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 4944	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 4944	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 2628	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 2628	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 2628	2316	WutheringWaves_setup_global.exe	wmic.exe
PID 2316 wrote to memory of 4336	2316	WutheringWaves_setup_global.exe	launcher.exe
PID 2316 wrote to memory of 4336	2316	WutheringWaves_setup_global.exe	launcher.exe
PID 4336 wrote to memory of 216	4336	launcher.exe	wmic.exe
PID 4336 wrote to memory of 216	4336	launcher.exe	wmic.exe
PID 4336 wrote to memory of 3948	4336	launcher.exe	KRInstallExternal.exe
PID 4336 wrote to memory of 3948	4336	launcher.exe	KRInstallExternal.exe
PID 4336 wrote to memory of 2844	4336	launcher.exe	wmic.exe
PID 4336 wrote to memory of 2844	4336	launcher.exe	wmic.exe
PID 4336 wrote to memory of 1468	4336	launcher.exe	wmic.exe
PID 4336 wrote to memory of 1468	4336	launcher.exe	wmic.exe
PID 4336 wrote to memory of 3232	4336	launcher.exe	TQMCenter_64.exe
PID 4336 wrote to memory of 3232	4336	launcher.exe	TQMCenter_64.exe
PID 3232 wrote to memory of 1988	3232	TQMCenter_64.exe	cmd.exe
PID 3232 wrote to memory of 1988	3232	TQMCenter_64.exe	cmd.exe
PID 3232 wrote to memory of 1176	3232	TQMCenter_64.exe	cmd.exe
PID 3232 wrote to memory of 1176	3232	TQMCenter_64.exe	cmd.exe
PID 380 wrote to memory of 4872	380	launcher.exe	wmic.exe
PID 380 wrote to memory of 4872	380	launcher.exe	wmic.exe
PID 380 wrote to memory of 3992	380	launcher.exe	KRInstallExternal.exe
PID 380 wrote to memory of 3992	380	launcher.exe	KRInstallExternal.exe
PID 380 wrote to memory of 1248	380	launcher.exe	wmic.exe
PID 380 wrote to memory of 1248	380	launcher.exe	wmic.exe
PID 380 wrote to memory of 5040	380	launcher.exe	wmic.exe
PID 380 wrote to memory of 5040	380	launcher.exe	wmic.exe
PID 380 wrote to memory of 728	380	launcher.exe	TQMCenter_64.exe
PID 380 wrote to memory of 728	380	launcher.exe	TQMCenter_64.exe
PID 728 wrote to memory of 2940	728	TQMCenter_64.exe	cmd.exe
PID 728 wrote to memory of 2940	728	TQMCenter_64.exe	cmd.exe
PID 4120 wrote to memory of 4836	4120	launcher.exe	wmic.exe
PID 4120 wrote to memory of 4836	4120	launcher.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\WutheringWaves_setup_global.exe
"C:\Users\Admin\AppData\Local\Temp\WutheringWaves_setup_global.exe"
1⤵
- Enumerates connected drives
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic diskdrive where index=0 get SerialNumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic cpu get Name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic cpu get NumberOfCores
2⤵
PID:2628

C:\Wuthering Waves\launcher.exe
"C:\Wuthering Waves\launcher.exe" KuroGameSTARTUP
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\System32\Wbem\wmic.exe
wmic diskdrive where index=0 get SerialNumber
3⤵
PID:216

C:\Wuthering Waves\KRInstallExternal.exe
"C:\Wuthering Waves\KRInstallExternal.exe" ewogICAgImRiX3BhdGgiOiAiQzpcXFVzZXJzXFxBZG1pblxcQXBwRGF0YVxcUm9hbWluZ1xcS1JMYXVuY2hlclxcRzE1M1xcQzUwMDA0XFwiLAogICAgImRpZCI6ICJkNTVjMDI1YS01ZmVjLTRkYTAtOGRjYS0xMzRkNWJlNjg0NGIiLAogICAgInJlcG9ydF9pZCI6ICI1ZDQ4MTNkZTBlODk0MDJmYTI2ZWE2MmU0YjkzZDNjYSIsCiAgICAicmVwb3J0X2tleSI6ICJNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURDSy9MMStnc2YvWXFJcXNLbElLSDhLOGRmRitPSlVmdzRJdkNuNU9sbytyRUszYlowclMrMncvKzl4TS90c3d2ZDU1Y1BWVUhzWkQ3a1RzbUl2K0dnNTdKanFQZmJYMW5Ub2FXZkNHdEVuWE11TWNtU3JkblBDOUZwNGs1WXlCY2ROV3lSb2Q3bGp5M1g1TGRudkVpWEQ0Qjk4WjRpVzg1YjFVODVseURjUFFJREFRQUIiLAogICAgInJlcG9ydF91cmwiOiAiaHR0cHM6Ly9xY2xvdWQtc2ctZGF0YXJlY2VpdmVyLmt1cm9nYW1lLnh5ei8iLAogICAgInV1aWQiOiAiezZmYTMwNzRmLTczYmItNGU5MS05Y2Y0LWU0YTU5ZGU2M2UwMX0iCn0K
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
3⤵
PID:2844

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get NumberOfCores
3⤵
PID:1468

C:\Wuthering Waves\tqm64\TQMCenter_64.exe
"C:\Wuthering Waves\tqm64\TQMCenter_64.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Wuthering Waves\tqm64\stm\"
4⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Wuthering Waves\tqm64\stm\"
4⤵
PID:1176

C:\Wuthering Waves\launcher.exe
"C:\Wuthering Waves\launcher.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\System32\Wbem\wmic.exe
wmic diskdrive where index=0 get SerialNumber
2⤵
PID:4872

C:\Wuthering Waves\KRInstallExternal.exe
"C:\Wuthering Waves\KRInstallExternal.exe" ewogICAgImRiX3BhdGgiOiAiQzpcXFVzZXJzXFxBZG1pblxcQXBwRGF0YVxcUm9hbWluZ1xcS1JMYXVuY2hlclxcRzE1M1xcQzUwMDA0XFwiLAogICAgImRpZCI6ICJkNTVjMDI1YS01ZmVjLTRkYTAtOGRjYS0xMzRkNWJlNjg0NGIiLAogICAgInJlcG9ydF9pZCI6ICI1ZDQ4MTNkZTBlODk0MDJmYTI2ZWE2MmU0YjkzZDNjYSIsCiAgICAicmVwb3J0X2tleSI6ICJNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURDSy9MMStnc2YvWXFJcXNLbElLSDhLOGRmRitPSlVmdzRJdkNuNU9sbytyRUszYlowclMrMncvKzl4TS90c3d2ZDU1Y1BWVUhzWkQ3a1RzbUl2K0dnNTdKanFQZmJYMW5Ub2FXZkNHdEVuWE11TWNtU3JkblBDOUZwNGs1WXlCY2ROV3lSb2Q3bGp5M1g1TGRudkVpWEQ0Qjk4WjRpVzg1YjFVODVseURjUFFJREFRQUIiLAogICAgInJlcG9ydF91cmwiOiAiaHR0cHM6Ly9xY2xvdWQtc2ctZGF0YXJlY2VpdmVyLmt1cm9nYW1lLnh5ei8iLAogICAgInV1aWQiOiAie2U1ZDI0NDFhLTBjNzAtNGNhMi04ZmQ3LWM0MzFmZmI1YmU5Zn0iCn0K
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3992

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
2⤵
PID:1248

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get NumberOfCores
2⤵
PID:5040

C:\Wuthering Waves\tqm64\TQMCenter_64.exe
"C:\Wuthering Waves\tqm64\TQMCenter_64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Wuthering Waves\tqm64\stm\"
3⤵
PID:2940

C:\Wuthering Waves\launcher.exe
"C:\Wuthering Waves\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\System32\Wbem\wmic.exe
wmic diskdrive where index=0 get SerialNumber
2⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\KRPlugin_aki.dll

Filesize
768KB

MD5
10d286b7768c96278a57c94d03185afc

SHA1
8916d5b2b41b65fa2736fc2ae550472aeda7bd63

SHA256
8bba735f17de2bb94961489c97dfd9b59c04f123b40dfba23d04aa164a9297e4

SHA512
c4bbae72b68f9369b0ac1abde79dea98ac40d9d317d4fdc04f12cc2d16e7bc5ceb986b66360e5c994e84eacd4b3ba38aeb13c5b7c6bcb4093fecec1c8378ad76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\Qt5Core.dll

Filesize
384KB

MD5
133b67cc0e002893da630742a78282f2

SHA1
a544db39965bcd93165c58a8f60d577288941a9c

SHA256
03de61760a096f8cabc47e2be73e97e36eebdf5f5fc7ea7287bd8ffbb9d3e284

SHA512
b13c0949d774a1c9a1e6df24851b0dd89aa1df46b354cae6c1df7f6ef633b88baf567bebceb360e217ea1ec7340470d513e437527933a66751b407b11dcee6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\Qt5Gui.dll

Filesize
192KB

MD5
93744194fe675c7bea654f6d91e520a0

SHA1
67dec9d57bdb04105cdcf518575c7a3dbc6ff598

SHA256
098d3063bab5c4620ca8eb547aa48c931b6cd88791ca8150adfb8262f669ee93

SHA512
acf8c6e1c3230cba9eb05c0186cf8bebddcf441b0766f8743a65b272646f75874b4b0eca4633c4f8ce9b5a8f6fdf3d1045b1765d7f40bc7939c7bd38fedc70cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\Qt5Network.dll

Filesize
704KB

MD5
144787ced91f45568f1910a28951c260

SHA1
e72f818bcebf51e077715de2dcb1122f91f6c280

SHA256
85f599bf7b53720bbbb8e5a9e9449623d95f77364ffa058e42f4614d7d970912

SHA512
802b02b5646dac771575bbd050634ad97f58c6df80f02bc4c89843d39438608c349f40349cd1d78bdcb5fd3af1d8870fc3740db2cf5a06bfc2968ea4d76977fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\Qt5Widgets.dll

Filesize
192KB

MD5
249f58e0b65f1d9e11b49853bb125978

SHA1
59c37ef1f0306fcf4d39d1b2c9109bd77b795466

SHA256
c27cec4878cb962fe31c5b867252c20d92468a0d58e22c9b74e9e08b57f64c72

SHA512
7c3d45b4f4602e1e745164c3d11ab31880b4bdca6385195f3e8d037b2f5b5a6ffad713b1095c79bfee848a6324b4aaa3e2145d003fb062d25166b0617814011f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\imageformats\qgif.dll

Filesize
35KB

MD5
e070dbf1a9253bde7910e040dfd5d4bc

SHA1
43f396528d643bd2c9fd8e1b63c4151bbb23c980

SHA256
7ac66b0c813585b7cd3645ad3bcab0b225006cee9076b05a21cb6b8db176462d

SHA512
317af40137f8f1d475349a926067bfb6b776c0e26352e164d6cf1fa95293b865ca6e07cf3cb305eff122c1033cd3cd7e2931b8c0083424ebc91be111d6b89a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\imageformats\qicns.dll

Filesize
43KB

MD5
d617d449bff841e9e56ae5d66733c1f0

SHA1
57f9104c906d88b5193475286b9a1e9d55cd3fe1

SHA256
3587d149b774835aaebf9122945d432cb97a01f923c2bdf45c8ddf7db46fde6f

SHA512
1b4f7be9b650aa5658dde24da392262055b867525f8a2e61a2656c2617651f29dc5b61dd41f57ba84be030616d2060185f4790c7dd4a29d07b1e62af16b7f565

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\imageformats\qico.dll

Filesize
35KB

MD5
77b5eee567d88078024e3b535d6196f1

SHA1
db155287e3a3fcff2d280b5a4aa555784c2bea91

SHA256
ae2d373da197c94fd6aff5b56baf3df754722926af4f71279688ce563fe6ef31

SHA512
811b1654a0b17eada09e37d4d29a3297d5aaf9f2eae1f3cf48cb6b7c5d36f28450ca80084aec94765bee0b02c03854c3e489327911de9d96f8189a6e92c6648c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\imageformats\qjpeg.dll

Filesize
383KB

MD5
1f8c4a04573e26286ee2fafdf03f8f85

SHA1
b3d3ed2615d63ea26ed035ad191164e0297f088f

SHA256
18706a0bff940116731de4a55d8312c054771271c49fe47f77e07b0d73529053

SHA512
699c66b862675ef4e519e962bc8ffb87536fe81f5870f91f4179d9dd34c222e9107f92fc3e6138a8ed005293f90fb993144f4eaf9ab1518072718b730d1dd91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\imageformats\qsvg.dll

Filesize
30KB

MD5
7ba0979da56479bd964810e8ce794e9e

SHA1
68465868b7f9e944c6d5c57e4bc1d9383e234a74

SHA256
099eef1d161e9c4bb957d73678d471cc276337233a8e715e181a352760346701

SHA512
31edacc55c659571b473ac41041bd2779fcb36576882f9250790a7a5419cd64271560f5bf9039cb49ef621e970b2db028cca653ac8e83696e5b7822f6d287400

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\libcrypto-1_1.dll

Filesize
101KB

MD5
09a8032669481a766f671912210410a8

SHA1
0995371232b6c992d8a08b214b26f9c9907d10d7

SHA256
910092376e997a7cd0fb5614dd3fd45839ceef5dc45e464d704b6f098a55d56d

SHA512
a15a75c11445b4fcbaa3e59a525a0e90b771691f00a549ded41e0eef28b8ad45cf27e5518621acdbebb0361bcd4295ef8f7ee62ebfa1484b062bef7e45f89418

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\libcrypto-3.dll

Filesize
3.5MB

MD5
3b4dce9348385fbb3dee25e3e0db7efb

SHA1
f760a89a8bbeff22d3a837ee50089a616c9e247d

SHA256
b99f87138165561775b29283879722333082c5f12f4716ee423da880aefc9fb9

SHA512
dac1a728dd9388120b05ec79bcc6005a1a50f28a4051500acca24217e9efccec8529e377537d6bc5f6cc9a87a1aa3e5ce7206a04b5283848499f5f46eb8ca800

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\libcurl.dll

Filesize
460KB

MD5
fe5e6aecb98bbcb2cb0e826526dea007

SHA1
936f0e2ade5a909e714c307c1e2aa2702f1e464c

SHA256
ec5f18199dc57130082315bfb6baedb8614da92ae256019a30b5880dded9ae47

SHA512
7ae9fa473e612791a606f6fd7043a5385b3b4eb3bc612652c05d8520d2b2f766232c03de436636362c60b08cbdfec919a35dc07075b2877753ca4779c9cdf0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\msvcp140.dll

Filesize
14KB

MD5
788c1a7e2edf70091cb41ba36b05c64c

SHA1
c92e64493424c298f0f92179bc782c57af87283a

SHA256
d5bb98bc1ccedd9594c05d33cb3d0778f67eab50592c08ae0f632a4baa299441

SHA512
31167196ed488dc17b2cd81f837ccee87a0d7154e19a77ce7c0482581d25a439021936982c9a2e83a6e3fb6be6b4cc28885d344220d6c79c36425e3d2b24c776

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\platforms\qwindows.dll

Filesize
1.2MB

MD5
f52d1908e2d1f5b03b72cc87df48c8ad

SHA1
aa50aa22dbe42f20e0f67f2102cb37eb39d86dc6

SHA256
60085c5b61554a1e9d96350f039597a1b77a7576a81a12a24ace9de4c323bb8d

SHA512
70a67a052c4daa445ca200768f9675ebbc987d86efcdef8bc6b35fbf8b907c4dd48bcde890476001bdeb655606fe00a804de7f5d1b08505bcf7883a5326aa0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\sqlite3.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\styles\qwindowsvistastyle.dll

Filesize
129KB

MD5
cea2589b96f6a9f02fccc0bc0786965f

SHA1
dc115c308579d59f31346b3535fbc3e0338e0dd8

SHA256
a0b0177a40b1c74ac79bf31c9f26ab0770d54c2297d68a53d289c48ff5b23edb

SHA512
7865d1ee088cc880670bebb90ed13f5bb55b14affc98dac1ff9bdfcc94aacc84b1379dedcd1ffc992b8f45df40434bdb1c3a3e396410f2f292fd9c83d7d2c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\thinkingdata.dll

Filesize
294KB

MD5
e295bbb7c68f5cb535d72983227b12cd

SHA1
d42a6214e46e95f082426f52af52ddbe46725a12

SHA256
e988ebfb5798d712ca21fb8986c06a364b1d1f3b9397277898bf2e80b5818e2b

SHA512
a84ed487c75b012cd863f044865c4fb9e7cffe354737176f9626ac027d843c763be5668391219c7019fcb419267393f4dc5244020c953cf9ecdf4a68fb67b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\vcruntime140.dll

Filesize
64KB

MD5
d98817fae03f2bb497bf4550e7d32a2b

SHA1
9ba0660f1b19068fc2b5d93a71f7986aac6f9582

SHA256
52d3ce4dc926c4befe81fe39a627355556911d92fedf86652199a45fa3f4c333

SHA512
851ff5719d3d36a9106d5f99c522ce0a6f40f80d475569c98816b90890cf8f9ac4887adf013c8db2b003f12d51c014a521faf381d7bc3f73fdfd7c10dfa6aacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82AE.tmp\zlibwapi.dll

Filesize
469KB

MD5
5b56b325dbd6a7284d2ecf09d4cc0623

SHA1
38c86384096b428f127117fe58284a03f5f09fc1

SHA256
14aca2bf23b47996f630a1c5175fa6003e5898612411eeb6cad5abf96bc27b8c

SHA512
3d5d7bf4196ffd20b1a6e747ebd0dd7f2ab83458b4360d2c003e306fe1bbf5de48ddae2404fcf297deef06ae9acd0067314e1abef8433735776805e9b1093d88

Download Submit
C:\Users\Admin\AppData\Roaming\KRLauncher\G153\C50004\5d4813de0e89402fa26ea62e4b93d3ca_accountId_tag

Filesize
38B

MD5
83bb76f6b5da42fc38dd2f0e9610a9e0

SHA1
8cc5a7c1c82223e7d44b3ee1a84c901031a76a50

SHA256
ac4821d7d14ffbc59d94d1a73cd089bcd532747b77b1cfc36f6b0565ca88ea4b

SHA512
6d3d1fc874694d543b6d7c874f55138d1029bed34e589b25a68f1114d92a84feb4ae0adcdc5f0d8cf7f366e9c593edb147b2d1c8bad07d41485d694ab38ae011

Download Submit
C:\Users\Admin\AppData\Roaming\KRLauncher\G153\C50004\kr_starter_cached.json

Filesize
46B

MD5
6be5183b08cd575411292c79e15c0439

SHA1
23d7ef13b273c3825bcbcc3128aabc980ecd4724

SHA256
6d310686482e44d2ee6971e77b5e48b8a41a261368e48fc1684994c0080225a2

SHA512
b19c20ea2526df0753e798168bb835cbbb427bc2212046ff7687952ee440efef6c338ec00628f7d1b9f9bc4babf8f37cf214724a989264eef3f4f4900f262720

Download Submit
C:\Users\Admin\AppData\Roaming\KRLauncher\G153\C50004\kr_starter_language.json

Filesize
17B

MD5
328e0e1fad82abfe205b19a36153dc2f

SHA1
e228898ef0eb8a2740d86d07920633d4d6b2fa19

SHA256
114a6e8f5c43bea09a4a73b24b44b030440a6f3be212bbe943becdb363f15e29

SHA512
6b38ad8681bead6a5a58db08ffdf916e0eb6cb51c3f94fb2451a272e433aaf90dcfb5db8f15a1ee6458690e29faa3a4de65b1a427b45d364afdd45bc3ef15d58

Download Submit
C:\Users\Admin\AppData\Roaming\KRLauncher\G153\C50004\log\2024-02-25\kr_launcher_2024-02-25-20.log

Filesize
16KB

MD5
f4b214acb2b8a5ec168672e989ddd602

SHA1
be017c369f5dc44b74f452676f816e332e55f7bc

SHA256
08ef97414e937bb64ae5dcb4ef792f4c0dcf6e8cfdbcaa36a3b09c571a35fd73

SHA512
cc26ec956631ee14643e474ff1ce36c8cb46d84d6f236117b37cf96794c041306c415b4f9e71e3a7361075b344c8243e2b765d801aa17b4768807359c2957f71

Download Submit
C:\Users\Admin\AppData\Roaming\KRLauncher\G153\C50004\log\2024-02-25\kr_launcher_2024-02-25-21.log

Filesize
5KB

MD5
61268a0dd78b4d402e55a8052ce38839

SHA1
2eb821b11f2c257f2cba3c9b535fde5bd2ec7ef8

SHA256
7acff308aaef13ef275084941aadd4f2643b593e62e32e977b74945412f49062

SHA512
dfdf3ac1d91de9a02377d490f22a12674d4f36a63b16260a4b1efba4df9bd734920ee7c651ee58be236fcc0c28588e8088863675aae33be52e158d4c61795755

Download Submit
C:\Wuthering Waves\KRInstallExternal.exe

Filesize
466KB

MD5
ceac0231282a64ed0798c4dd7e0379f3

SHA1
0f5e98581059ed76f9e10226f0fdb3f36c198ffe

SHA256
ffaf93dd4810c878373b4663b7d90a9872230c7982260a65eb4347b242533ab8

SHA512
9ce7a0d59ee758c4ac8617c1937297df9a60f24c03df0a15480122f74580708aff3ab9e41d9b54fad049bb8abb97efd9012a958782c306212a8d19e17a2be1c5

Download Submit
C:\Wuthering Waves\KRShmq.dll

Filesize
43KB

MD5
91e64868d9f89d3282d9fe5f70d3af60

SHA1
0dfef08302d1b946b1b9cadac2cfa84aaad4df56

SHA256
f177c55114e7b7d740327a9f292597ad3f6a9ec059a3aab6d052befd1d3e383c

SHA512
e01b893140c3780d55753db14754c1196df6d4839a1f8ea0f5a61f082309d6f67bfb89d2ba61102d2199846fe1dd48439dbf1cf8d3563b468478abbfd9b65718

Download Submit
C:\Wuthering Waves\MSVCP140.dll

Filesize
576KB

MD5
87c98b9010db50fc5b12fe798bb5d4f1

SHA1
2980c34046390d95d307efc3d1646902a15d5168

SHA256
a4f39ea5dd5a46f85de58e0b6f3d74b7f5a81f1e3c4e1bb6c8dfae80691fc387

SHA512
05f7d7b5481117714b52b011061794c9eb7b505ee71c0b8b839907ee061feedfd2c0953f11ff448ca5b62aa637ee1b284ecc734109b2917af4c797b959dda30b

Download Submit
C:\Wuthering Waves\OutputDebugInfo

Filesize
3.8MB

MD5
34de044b56af1cc5392936ffd86021c3

SHA1
a4d2f3b3318798260b04c6ffc778a3bfd4773a29

SHA256
3a089e7e4f5b7076bff45dfe539f86251a0ca4967c823892eedbd5436086a65f

SHA512
a1e1a9d841a3df4818aa62d1d9d0d45c8b47a6e7c4124d946f9b097a741421405c76b7c442f5be53ff5c3d8cc17760cbe070873b47741ec389260766898c4869

Download Submit
C:\Wuthering Waves\Qt5Core.dll

Filesize
768KB

MD5
9e60e368a7142f7116e2b1f4575710f6

SHA1
a2b177db77ca04c45141c8992e2fda1ee9b1ba06

SHA256
3bd830a0ae36ca4462c4cf489622dbd4794f70fe520dd42c47b25abd5aa473c4

SHA512
94c3a6bfa280a97b7553a3dd31bfebd438adc50b51482b3d615c58021abc3251ddede84f86223f68aa0f29baf3e027fbb67bf7a2b8d7ed8dbc102545478d4bae

Download Submit
C:\Wuthering Waves\Qt5Core.dll

Filesize
448KB

MD5
3839db6f912f8e29d58300fa9db0842e

SHA1
65bc3bfefe161892f22b9ddcb08925e9b04f81c6

SHA256
a64b07e27d0cf185d8a79c579bc9414301674b8116eca3662c598ec7af9d0256

SHA512
c6ef0a0bb4d0b6e31aeffe539d1a8d1a859fd53dfcbf899dc4ec473cd888bea422a004f3464a3c1e97f40a96ea702b07d65f118d91e93bd094134fd7243ef335

Download Submit
C:\Wuthering Waves\Qt5Core.dll

Filesize
3.3MB

MD5
c221ba9a9f52513b4b59aea9f618cc9d

SHA1
a15460c5b9bef8ad891e10c29236a3374713f048

SHA256
b0a45aea6292d97e5feef552146822b99f0bfa1cbcb2aefaa145359a55f14200

SHA512
c499c9f4b5d7b8c64796706530c844b2c515c29cb86881030bcde996b4d31bec7696ff67a19b5c65036314a447ecd354fc923bf01cfec1af81d2320331853588

Download Submit
C:\Wuthering Waves\Qt5Gui.dll

Filesize
768KB

MD5
853124723a5300112d9fb21828bf62d3

SHA1
91c3750c926e000d43ffdfc4f3022b7dfddef0ee

SHA256
dea1670afd9241258c3d42d9f555d80fb9a55e2faaf8af34e91f318cd0edf0a9

SHA512
3342f405f2ac67ceb5b3409d1432570780c722a1a9fed9edb8f043a69782953a558e3049964219b4d8f60f99ed0d499d4372600c70b4ed1305b727d16fdee393

Download Submit
C:\Wuthering Waves\Qt5Gui.dll

Filesize
576KB

MD5
cc0ce841cdf6e699780f82f9c1935d8f

SHA1
0fb555e4b56dfb5e2c7e0dbace1c552a1382a5c7

SHA256
dbfb6510ef5de4833417b2f70288ce1b79e302c5ad0f1415b9967fea5ad4ca17

SHA512
fa20fb27f4ea1684240746ed778315f709e30f778958e2db5c8701119abba79593f4ccecacd61ad0e4c7f6b3751d201799400c803c1bf09d82757b4ef835db94

Download Submit
C:\Wuthering Waves\Qt5Gui.dll

Filesize
3.8MB

MD5
3a3e56171a90bc0e9350f310801185f1

SHA1
72c1c76f177a885a411ad736c8aca8771349617f

SHA256
112a84ff52f1c94aeca467eddcb42168582994a5b7c7f1ca70deaf30c15f31a0

SHA512
61226c5381fc03bb219095f8cc1965b59856d28dd9ce2b88b39ce6cd8d869e69a52fd078c2a220c3e42e338e7d805afc04c069f8ce7bdc41f37513fcd48421dc

Download Submit
C:\Wuthering Waves\Qt5Network.dll

Filesize
768KB

MD5
f29fd5beb2a31554b582c6b1d95b2617

SHA1
38c963ea45396ded7e3e00dd9e41e6c571bf2869

SHA256
240a3621d9f03f380d285d37cbf4c2d9e15c42faf991044d3315bb14a4fd62e3

SHA512
d210fea01e5b78d1212ef461b0f57975c5a8c90b7ed2dd50f2740c2eadcab6c9d735e72ecbc436dc629a3df1a0aa685ece8e105d94f5982b9c9f7dfbc3270455

Download Submit
C:\Wuthering Waves\Qt5Network.dll

Filesize
512KB

MD5
7e838303435200277b773456b6024446

SHA1
46b2a7cb4b75b831f71c32fca5b0c9036d14bca3

SHA256
85b6473f61582053828766ae58f90382dba8a7119d41e97fa974c59fcbd0e786

SHA512
8458c860ee97c2e714a389341667f5433e9bc6ae6ae42d34ef89c174315a5af936a42f23efc2d430920a51cdb3dc528a6d4aa954f2c58054a5ab81090e7fe620

Download Submit
C:\Wuthering Waves\Qt5Widgets.dll

Filesize
768KB

MD5
468ac82457a2dcf8f4ea8ff059cd8b6c

SHA1
f0b77a29e5bf9a9c42937d6e67e8a1a36d941618

SHA256
00f9bd67760802d40750c3df01a7745a157a34d567fd2f60ebf10e09550ffe52

SHA512
62ac9a0a8f64bf7c06fc4aa3c36c4616d265c4f2f2515fdb78657ea84b9e875abca6f27fc8505c5ca7171b9d37862e8f661cafb8076ca4a6dda75b255fbca4d1

Download Submit
C:\Wuthering Waves\Qt5Widgets.dll

Filesize
448KB

MD5
49717172e4ffb6ed5413e00d7845b5fa

SHA1
1b5b22bdfedcf2de77d22253aa365e46c4dbb53b

SHA256
474d2bc1e3ef6e2d70cf02bd1cda872dcdbcec296b4b5969e631fb1d30642ff3

SHA512
2d10fbe02ca2a77234d6ac5497bbc9a66ff12cdb750255bae9398610f3051914d1c86a0de17b127e7c09e5633fb8383629821f7b9cf614f102754e1668a5a7c7

Download Submit
C:\Wuthering Waves\Qt5Widgets.dll

Filesize
4.7MB

MD5
ecc37cd9c7f6f90d5efd42a853ed022a

SHA1
90a1d43fae44bde17e05dea1f8f83324547787a5

SHA256
0849964c210da868cc0951520f4436cb23ae160cb1353613fb667b90ff164788

SHA512
25e4aa04e8a61b93f9777b0846e72a699b64fc0a2d7be08d1e20ef8226b45bed7f80fbef54636d6dfe77e39e0e58fa13d460ba9a2390187a26cb7694d536e477

Download Submit
C:\Wuthering Waves\bearer\qgenericbearer.dll

Filesize
55KB

MD5
f5c0f40371076790320a963fe3794221

SHA1
9fd44234d90fe79b7024ee045624575c35e08af9

SHA256
0a4978a5af3b68068ba5945af231e68040d91fb4bb9139b8b7a8ec514e2e4d88

SHA512
712fc97ee7aada1ae0e35c60f686211246e9c04a0a71ae407eb415fb5838f121d30347881bf4fd66f137c85f00a1474c79a96218705d18ea4999da37ba3fb4a4

Download Submit
C:\Wuthering Waves\kr_game_cache\kr_check_list\3_kr_hash_check_list_cached.json

Filesize
250B

MD5
7cc700547510e4afaf718700b16d46d4

SHA1
0f785228bb31eeba0eac4ad98eef3c5705575538

SHA256
518a5ced8cb313f7b8023664300f759591bc98ba6bd0b3b6ea58aaa11a3ccaff

SHA512
61a1d931b6a39a2cd6dc60e023dea85b2ab73cfc1106be49b93f622cc1787fe8529edc2329c960d4d2faa6c5f96a8e18dc3773c3b7a75254bbbb92f5783de860

Download Submit
C:\Wuthering Waves\launcher.exe

Filesize
8.1MB

MD5
4f3291da7e2dedcf0e931b76b6e0eccd

SHA1
0e1c7034356d918d60aece15576cbf35ff739cc8

SHA256
8c2dca5182969d61aaf2cdf31507c61a4c85dd928a2caa39e57f299df7358a50

SHA512
d4039d30b52437da4859e33d2696ceddd395fff1c0effaf8ab9677a9cf5131813a283da204e94f663d42ecba5166d6a7829ed37a0f809ff1f4142f5fa21ede45

Download Submit
C:\Wuthering Waves\launcher.exe

Filesize
1.9MB

MD5
60df3e94f3d1a8c15fe0ae97e20aa4a8

SHA1
fbbbc29b7de0acb659c2632a2dec4d20938bb269

SHA256
04aa361360611adbbde48ee296986e3db99139454d5498db13295b9fff759853

SHA512
ca734138b777becf334f00e4eb4eb0ded5848cd00d1c996f7735959243df9e93c6c0e2a7723ed95f2a444b4d6183b75c1be7ebdd84846ec07fe3336b5f3e8892

Download Submit
C:\Wuthering Waves\launcher.exe

Filesize
896KB

MD5
9ec352ad766189a64d7cf56b3fb8a217

SHA1
9f8a1da1328c7f87e76c3e5f225c3ba4ee9fd5c5

SHA256
49b2041988389485dd8ef88e81ffa7f053d9a854cef2a0599452c80da3279371

SHA512
7f32132bb1a9b020c3b6628fd5d5549d3b04eed92df6c1064b2563cb0afe00686f55a234f1a47fa1d5ab35ce2c9d088b64dc506b0cdbd091ccd0d1e0d57a0704

Download Submit
C:\Wuthering Waves\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
ad7eb78deb617d95d69b9d58dfeaf62d

SHA1
655bc2b7b077fce5303ed22166233315f4bd20df

SHA256
5e0571359a22563aa748268a910aa193437fda551f6325714f8e2216c1bff645

SHA512
4a3aec1bbebdbd4f0be5b7f7371a0a79b12319ca58ef4621753210772ccc68991dfdfd086e08ee382bce1a9072720adea4e32e7842be91d357a71c2d606d1f58

Download Submit
C:\Wuthering Waves\libcrypto-1_1-x64.dll

Filesize
3.2MB

MD5
0e71bb58ddd95722305071bfdab84d31

SHA1
f0ba15791f6072f412706907aed6a0a4aabfb4c1

SHA256
210df0f3fdf9b87e057cca8904f8c0c4fac1e7ece28d2eb2e33b878264fb88ce

SHA512
5c22a09b6886e72728b95d5132524b4067e59bc3a9563d587aab87f60f4fbd12bb394c5e0123a772b2e2786abddc35aa609b647cc724cb28abbaf3fbb163dda0

Download Submit
C:\Wuthering Waves\libssl-1_1-x64.dll

Filesize
690KB

MD5
16f75756bcdc99aa8ea1ecf549d9b8cd

SHA1
924f868919e15aab1766af35a04df917a1390e14

SHA256
4c593cdac689621127bd8a05b97df462c55a3da9a7a6f0f4e51febb9f0fad569

SHA512
56c1ea7e9060c515a152ed4642e9e75bbdf698eaffdfd6ae414c9413a7813b5129c6d45c67a5b47a295ebd3bf13096b978ae136145b196249ee322aa74e95d59

Download Submit
C:\Wuthering Waves\msvcp140.dll

Filesize
512KB

MD5
4468b8f795cedba26996ee19c437a5c1

SHA1
587ed8e3569b4ac886f5266b003aa854cc1e3054

SHA256
691266a21645e4a3f89a8aaeee77bef8e6a73f32b2e2f7c2d392131ad3e20c8f

SHA512
68d7d40501b9aa01706ec53fad0af2e37873458998d9bbc48e5166b791df7c4fd66a499671655ca126013ad65589c69f76344159f6238afe647b7704a2a49a73

Download Submit
C:\Wuthering Waves\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Wuthering Waves\platforms\qwindows.dll

Filesize
1024KB

MD5
882e123515ce31d056b90fdb8a30a17e

SHA1
a6359b62110ad441fbdb04220b4464f8fc75121d

SHA256
1a7c541d41fce2233d26006acda2cac3903d4a3fcb393889c01bc7e5d6ebc71d

SHA512
944757ecc3d10d972abc672f6b84536bf63537bddcd0952fb19d736838ce97be14889a5d19ae07ee2e79fa2510f3dde55a93be9dfd6c5b610e351fe5e69d4427

Download Submit
C:\Wuthering Waves\platforms\qwindows.dll

Filesize
1.4MB

MD5
ac584cbeb327e9d2364873f451e074be

SHA1
eb2d7b7f38c880ae4bc4f32c50e10e73ee15c816

SHA256
1fa4d2f13d22d9a859503d7b7c87ba39d379d9a14afcea7299d572eabb2bdf57

SHA512
4fca1fa9494799f382318d329a3040bc067d55e7cd99be6d768e975fb585f61f8c1360908284bb04c055dcf21a164464305e9255d52b1c57a0cfc49eea003203

Download Submit
C:\Wuthering Waves\styles\qwindowsvistastyle.dll

Filesize
142KB

MD5
085087d668776333d78d87ff579fce87

SHA1
861af820e28c6070fa22defbb527e55cdbe3590f

SHA256
59f3183245e4ea6a93f04eb3dc7460b3911397cb5a9f7aa429921b7957b62684

SHA512
10b2492ec88f0682264169478b966cb6584276d4dfb6a49d62ce21dff68013b3d1e17cfc51c658f5773d5cb9b374ec90205f1ebd07db70e8f0c76a96cda80e2e

Download Submit
C:\Wuthering Waves\thinkingdata.dll

Filesize
334KB

MD5
c0a3fefffe9f407a2a257966cd92da52

SHA1
90424515844c4f6166f19505f94733a8896835ea

SHA256
bb424f14ca1907e42db116eefb493c814d38543b126ef0409e64f5b54a928447

SHA512
7c04487c57a49cb22a01004047d04c035e0d491a8e442596147e47eb698ec27453a876499a616f40ea9068dce2571608050d7104b40a35da32a6b13ad475417e

Download Submit
C:\Wuthering Waves\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
memory/380-428-0x00007FFD64FB0000-0x00007FFD65505000-memory.dmp

Filesize
5.3MB

Download
memory/380-452-0x00007FFD818B0000-0x00007FFD818B1000-memory.dmp

Filesize
4KB

Download
memory/380-453-0x00007FFD818B0000-0x00007FFD818B1000-memory.dmp

Filesize
4KB

Download
memory/2316-275-0x0000000061E00000-0x0000000061EF8000-memory.dmp

Filesize
992KB

Download
memory/2316-273-0x0000000061E00000-0x0000000061EF8000-memory.dmp

Filesize
992KB

Download
memory/2316-95-0x0000000061E00000-0x0000000061EF8000-memory.dmp

Filesize
992KB

Download
memory/3948-298-0x00007FFD63D40000-0x00007FFD64295000-memory.dmp

Filesize
5.3MB

Download
memory/3992-432-0x00007FFD64FB0000-0x00007FFD65505000-memory.dmp

Filesize
5.3MB

Download
memory/4120-512-0x00007FFD64FB0000-0x00007FFD65505000-memory.dmp

Filesize
5.3MB

Download
memory/4336-412-0x00007FFD818B0000-0x00007FFD818B1000-memory.dmp

Filesize
4KB

Download
memory/4336-321-0x00007FFD818B0000-0x00007FFD818B1000-memory.dmp

Filesize
4KB

Download
memory/4336-269-0x00007FFD63D40000-0x00007FFD64295000-memory.dmp

Filesize
5.3MB

Download