5019268b1b30531e0081fc7e4934c39abf132723a3481f3d65b69d308d503605

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d270cf6a8b1317211c033f3704aa99.exe
Size

270KB
MD5

c1d270cf6a8b1317211c033f3704aa99
SHA1

dbca3f136db30fe02f1b9fd2dcc25a3388b3efe2
SHA256

5019268b1b30531e0081fc7e4934c39abf132723a3481f3d65b69d308d503605
SHA512

ee791ca6eb9d94e744b48205421d5c289916321c9538eb752aa177ecb29c21c2d2348f0ab2296393d8bcea102b1badc7a355ca2099655bb64d7580f279449bd4
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuJ0:ZY7xh6SZI4z7FSVpuJ0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 49 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdbfcvo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wywihclh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wyac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkeuh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	weq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wttwlrqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnheify.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wivliv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whedf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfaana.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlnrqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqpafxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdbtqxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wikaco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wodiaov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcjbdsow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wibbtbkf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsvekaufo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	waggve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c1d270cf6a8b1317211c033f3704aa99.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wccxuii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtdtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfknmfci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkxnhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrirbreax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwtvya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whowku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	welrxjdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	waynf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfbrdgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsroddd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdnjuvgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wunvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcvp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlyocfn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbeava.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjoyvax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwsgcyjtm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbsqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wboeiamx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wklnda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wesgjiin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmafenvy.exe

Executes dropped EXE 49 IoCs

pid	Process
3148	wikaco.exe
3508	waynf.exe
3080	wxj.exe
2476	wdbfcvo.exe
1728	wfbrdgy.exe
2528	wlyocfn.exe
4664	wesgjiin.exe
2396	wboeiamx.exe
4240	wodiaov.exe
888	wywihclh.exe
3004	whedf.exe
4048	wnheify.exe
3908	wklnda.exe
1668	wcgh.exe
1296	wcjbdsow.exe
4424	wccxuii.exe
2880	wbeava.exe
1996	wfaana.exe
3908	wrirbreax.exe
408	wfknmfci.exe
4916	wkxnhk.exe
1324	wtdtc.exe
3440	wdnjuvgg.exe
2004	wwtvya.exe
3952	wunvl.exe
2816	wcvp.exe
2448	wlnrqa.exe
1688	whowku.exe
2984	wibbtbkf.exe
4064	wqpafxp.exe
2396	wkeuh.exe
1996	wdbtqxi.exe
4948	welrxjdr.exe
3440	waggve.exe
2080	wivliv.exe
3148	wkfj.exe
1088	wyac.exe
4528	weq.exe
2624	wjoyvax.exe
2356	wsvekaufo.exe
1952	wwsgcyjtm.exe
4528	wttwlrqy.exe
2116	wrp.exe
1660	wbsqf.exe
1072	wmafenvy.exe
2076	whpe.exe
2880	wsroddd.exe
3100	wmf.exe
5068	wgwss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wikaco.exe	c1d270cf6a8b1317211c033f3704aa99.exe
File opened for modification	C:\Windows\SysWOW64\wtdtc.exe	wkxnhk.exe
File opened for modification	C:\Windows\SysWOW64\wwsgcyjtm.exe	wsvekaufo.exe
File created	C:\Windows\SysWOW64\wkfj.exe	wivliv.exe
File opened for modification	C:\Windows\SysWOW64\wsvekaufo.exe	wjoyvax.exe
File opened for modification	C:\Windows\SysWOW64\wesgjiin.exe	wlyocfn.exe
File created	C:\Windows\SysWOW64\wdnjuvgg.exe	wtdtc.exe
File created	C:\Windows\SysWOW64\wyac.exe	wkfj.exe
File created	C:\Windows\SysWOW64\wwsgcyjtm.exe	wsvekaufo.exe
File created	C:\Windows\SysWOW64\wywihclh.exe	wodiaov.exe
File opened for modification	C:\Windows\SysWOW64\wcvp.exe	wunvl.exe
File created	C:\Windows\SysWOW64\wkeuh.exe	wqpafxp.exe
File opened for modification	C:\Windows\SysWOW64\wsroddd.exe	whpe.exe
File opened for modification	C:\Windows\SysWOW64\wdnjuvgg.exe	wtdtc.exe
File opened for modification	C:\Windows\SysWOW64\wibbtbkf.exe	whowku.exe
File created	C:\Windows\SysWOW64\wsvekaufo.exe	wjoyvax.exe
File opened for modification	C:\Windows\SysWOW64\wikaco.exe	c1d270cf6a8b1317211c033f3704aa99.exe
File opened for modification	C:\Windows\SysWOW64\wboeiamx.exe	wesgjiin.exe
File created	C:\Windows\SysWOW64\wklnda.exe	wnheify.exe
File created	C:\Windows\SysWOW64\wcjbdsow.exe	wcgh.exe
File opened for modification	C:\Windows\SysWOW64\wfknmfci.exe	wrirbreax.exe
File created	C:\Windows\SysWOW64\wbsqf.exe	wrp.exe
File opened for modification	C:\Windows\SysWOW64\wbsqf.exe	wrp.exe
File created	C:\Windows\SysWOW64\wxj.exe	waynf.exe
File created	C:\Windows\SysWOW64\wmf.exe	wsroddd.exe
File opened for modification	C:\Windows\SysWOW64\wmf.exe	wsroddd.exe
File created	C:\Windows\SysWOW64\wdbtqxi.exe	wkeuh.exe
File opened for modification	C:\Windows\SysWOW64\wdbtqxi.exe	wkeuh.exe
File opened for modification	C:\Windows\SysWOW64\wodiaov.exe	wboeiamx.exe
File opened for modification	C:\Windows\SysWOW64\wxj.exe	waynf.exe
File created	C:\Windows\SysWOW64\weq.exe	wyac.exe
File created	C:\Windows\SysWOW64\wqpafxp.exe	wibbtbkf.exe
File opened for modification	C:\Windows\SysWOW64\whpe.exe	wmafenvy.exe
File created	C:\Windows\SysWOW64\wfbrdgy.exe	wdbfcvo.exe
File created	C:\Windows\SysWOW64\wlyocfn.exe	wfbrdgy.exe
File opened for modification	C:\Windows\SysWOW64\wklnda.exe	wnheify.exe
File created	C:\Windows\SysWOW64\wcgh.exe	wklnda.exe
File created	C:\Windows\SysWOW64\wmafenvy.exe	wbsqf.exe
File opened for modification	C:\Windows\SysWOW64\wdbfcvo.exe	wxj.exe
File opened for modification	C:\Windows\SysWOW64\wbeava.exe	wccxuii.exe
File created	C:\Windows\SysWOW64\wibbtbkf.exe	whowku.exe
File opened for modification	C:\Windows\SysWOW64\wkfj.exe	wivliv.exe
File created	C:\Windows\SysWOW64\wtdtc.exe	wkxnhk.exe
File created	C:\Windows\SysWOW64\wgwss.exe	wmf.exe
File opened for modification	C:\Windows\SysWOW64\weq.exe	wyac.exe
File created	C:\Windows\SysWOW64\wdbfcvo.exe	wxj.exe
File opened for modification	C:\Windows\SysWOW64\wfbrdgy.exe	wdbfcvo.exe
File opened for modification	C:\Windows\SysWOW64\wjoyvax.exe	weq.exe
File created	C:\Windows\SysWOW64\wrp.exe	wttwlrqy.exe
File created	C:\Windows\SysWOW64\wkxnhk.exe	wfknmfci.exe
File opened for modification	C:\Windows\SysWOW64\wwtvya.exe	wdnjuvgg.exe
File created	C:\Windows\SysWOW64\wbeava.exe	wccxuii.exe
File created	C:\Windows\SysWOW64\whowku.exe	wlnrqa.exe
File created	C:\Windows\SysWOW64\whpe.exe	wmafenvy.exe
File created	C:\Windows\SysWOW64\wcvp.exe	wunvl.exe
File created	C:\Windows\SysWOW64\welrxjdr.exe	wdbtqxi.exe
File opened for modification	C:\Windows\SysWOW64\welrxjdr.exe	wdbtqxi.exe
File created	C:\Windows\SysWOW64\wsroddd.exe	whpe.exe
File opened for modification	C:\Windows\SysWOW64\wgwss.exe	wmf.exe
File opened for modification	C:\Windows\SysWOW64\wlyocfn.exe	wfbrdgy.exe
File created	C:\Windows\SysWOW64\whedf.exe	wywihclh.exe
File opened for modification	C:\Windows\SysWOW64\wccxuii.exe	wcjbdsow.exe
File created	C:\Windows\SysWOW64\wlnrqa.exe	wcvp.exe
File opened for modification	C:\Windows\SysWOW64\wcgh.exe	wklnda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2256	3148	WerFault.exe	100
2004	408	WerFault.exe	170
5008	1996	WerFault.exe	209
3948	3100	WerFault.exe	268

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3148	4884	c1d270cf6a8b1317211c033f3704aa99.exe	100
PID 4884 wrote to memory of 3148	4884	c1d270cf6a8b1317211c033f3704aa99.exe	100
PID 4884 wrote to memory of 3148	4884	c1d270cf6a8b1317211c033f3704aa99.exe	100
PID 4884 wrote to memory of 1396	4884	c1d270cf6a8b1317211c033f3704aa99.exe	102
PID 4884 wrote to memory of 1396	4884	c1d270cf6a8b1317211c033f3704aa99.exe	102
PID 4884 wrote to memory of 1396	4884	c1d270cf6a8b1317211c033f3704aa99.exe	102
PID 3148 wrote to memory of 3508	3148	wikaco.exe	106
PID 3148 wrote to memory of 3508	3148	wikaco.exe	106
PID 3148 wrote to memory of 3508	3148	wikaco.exe	106
PID 3148 wrote to memory of 3392	3148	wikaco.exe	107
PID 3148 wrote to memory of 3392	3148	wikaco.exe	107
PID 3148 wrote to memory of 3392	3148	wikaco.exe	107
PID 3508 wrote to memory of 3080	3508	waynf.exe	112
PID 3508 wrote to memory of 3080	3508	waynf.exe	112
PID 3508 wrote to memory of 3080	3508	waynf.exe	112
PID 3508 wrote to memory of 3620	3508	waynf.exe	113
PID 3508 wrote to memory of 3620	3508	waynf.exe	113
PID 3508 wrote to memory of 3620	3508	waynf.exe	113
PID 3080 wrote to memory of 2476	3080	wxj.exe	116
PID 3080 wrote to memory of 2476	3080	wxj.exe	116
PID 3080 wrote to memory of 2476	3080	wxj.exe	116
PID 3080 wrote to memory of 3748	3080	wxj.exe	117
PID 3080 wrote to memory of 3748	3080	wxj.exe	117
PID 3080 wrote to memory of 3748	3080	wxj.exe	117
PID 2476 wrote to memory of 1728	2476	wdbfcvo.exe	120
PID 2476 wrote to memory of 1728	2476	wdbfcvo.exe	120
PID 2476 wrote to memory of 1728	2476	wdbfcvo.exe	120
PID 2476 wrote to memory of 4920	2476	wdbfcvo.exe	121
PID 2476 wrote to memory of 4920	2476	wdbfcvo.exe	121
PID 2476 wrote to memory of 4920	2476	wdbfcvo.exe	121
PID 1728 wrote to memory of 2528	1728	wfbrdgy.exe	125
PID 1728 wrote to memory of 2528	1728	wfbrdgy.exe	125
PID 1728 wrote to memory of 2528	1728	wfbrdgy.exe	125
PID 1728 wrote to memory of 888	1728	wfbrdgy.exe	126
PID 1728 wrote to memory of 888	1728	wfbrdgy.exe	126
PID 1728 wrote to memory of 888	1728	wfbrdgy.exe	126
PID 2528 wrote to memory of 4664	2528	wlyocfn.exe	128
PID 2528 wrote to memory of 4664	2528	wlyocfn.exe	128
PID 2528 wrote to memory of 4664	2528	wlyocfn.exe	128
PID 2528 wrote to memory of 4044	2528	wlyocfn.exe	129
PID 2528 wrote to memory of 4044	2528	wlyocfn.exe	129
PID 2528 wrote to memory of 4044	2528	wlyocfn.exe	129
PID 4664 wrote to memory of 2396	4664	wesgjiin.exe	131
PID 4664 wrote to memory of 2396	4664	wesgjiin.exe	131
PID 4664 wrote to memory of 2396	4664	wesgjiin.exe	131
PID 4664 wrote to memory of 1096	4664	wesgjiin.exe	132
PID 4664 wrote to memory of 1096	4664	wesgjiin.exe	132
PID 4664 wrote to memory of 1096	4664	wesgjiin.exe	132
PID 2396 wrote to memory of 4240	2396	wboeiamx.exe	135
PID 2396 wrote to memory of 4240	2396	wboeiamx.exe	135
PID 2396 wrote to memory of 4240	2396	wboeiamx.exe	135
PID 2396 wrote to memory of 3392	2396	wboeiamx.exe	136
PID 2396 wrote to memory of 3392	2396	wboeiamx.exe	136
PID 2396 wrote to memory of 3392	2396	wboeiamx.exe	136
PID 4240 wrote to memory of 888	4240	wodiaov.exe	138
PID 4240 wrote to memory of 888	4240	wodiaov.exe	138
PID 4240 wrote to memory of 888	4240	wodiaov.exe	138
PID 4240 wrote to memory of 2476	4240	wodiaov.exe	139
PID 4240 wrote to memory of 2476	4240	wodiaov.exe	139
PID 4240 wrote to memory of 2476	4240	wodiaov.exe	139
PID 888 wrote to memory of 3004	888	wywihclh.exe	141
PID 888 wrote to memory of 3004	888	wywihclh.exe	141
PID 888 wrote to memory of 3004	888	wywihclh.exe	141
PID 888 wrote to memory of 3904	888	wywihclh.exe	142

C:\Users\Admin\AppData\Local\Temp\c1d270cf6a8b1317211c033f3704aa99.exe
"C:\Users\Admin\AppData\Local\Temp\c1d270cf6a8b1317211c033f3704aa99.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\wikaco.exe
  "C:\Windows\system32\wikaco.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\waynf.exe
    "C:\Windows\system32\waynf.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\wxj.exe
      "C:\Windows\system32\wxj.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\wdbfcvo.exe
        
        "C:\Windows\system32\wdbfcvo.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\SysWOW64\wfbrdgy.exe
        
        "C:\Windows\system32\wfbrdgy.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\wlyocfn.exe
        
        "C:\Windows\system32\wlyocfn.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\wesgjiin.exe
        
        "C:\Windows\system32\wesgjiin.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\wboeiamx.exe
        
        "C:\Windows\system32\wboeiamx.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\wodiaov.exe
        
        "C:\Windows\system32\wodiaov.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\wywihclh.exe
        
        "C:\Windows\system32\wywihclh.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\whedf.exe
        
        "C:\Windows\system32\whedf.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\wnheify.exe
        
        "C:\Windows\system32\wnheify.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\wklnda.exe
        
        "C:\Windows\system32\wklnda.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\wcgh.exe
        
        "C:\Windows\system32\wcgh.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wcjbdsow.exe
        
        "C:\Windows\system32\wcjbdsow.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\wccxuii.exe
        
        "C:\Windows\system32\wccxuii.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\wbeava.exe
        
        "C:\Windows\system32\wbeava.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\wfaana.exe
        
        "C:\Windows\system32\wfaana.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\wrirbreax.exe
        
        "C:\Windows\system32\wrirbreax.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\wfknmfci.exe
        
        "C:\Windows\system32\wfknmfci.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\wkxnhk.exe
        
        "C:\Windows\system32\wkxnhk.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\wtdtc.exe
        
        "C:\Windows\system32\wtdtc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\wdnjuvgg.exe
        
        "C:\Windows\system32\wdnjuvgg.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\wwtvya.exe
        
        "C:\Windows\system32\wwtvya.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\wunvl.exe
        
        "C:\Windows\system32\wunvl.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\wcvp.exe
        
        "C:\Windows\system32\wcvp.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wlnrqa.exe
        
        "C:\Windows\system32\wlnrqa.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\whowku.exe
        
        "C:\Windows\system32\whowku.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wibbtbkf.exe
        
        "C:\Windows\system32\wibbtbkf.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\wqpafxp.exe
        
        "C:\Windows\system32\wqpafxp.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\wkeuh.exe
        
        "C:\Windows\system32\wkeuh.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\wdbtqxi.exe
        
        "C:\Windows\system32\wdbtqxi.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\welrxjdr.exe
        
        "C:\Windows\system32\welrxjdr.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\waggve.exe
        
        "C:\Windows\system32\waggve.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\wivliv.exe
        
        "C:\Windows\system32\wivliv.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\wkfj.exe
        
        "C:\Windows\system32\wkfj.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\wyac.exe
        
        "C:\Windows\system32\wyac.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\weq.exe
        
        "C:\Windows\system32\weq.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wjoyvax.exe
        
        "C:\Windows\system32\wjoyvax.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\wsvekaufo.exe
        
        "C:\Windows\system32\wsvekaufo.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\wwsgcyjtm.exe
        
        "C:\Windows\system32\wwsgcyjtm.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\wttwlrqy.exe
        
        "C:\Windows\system32\wttwlrqy.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wrp.exe
        
        "C:\Windows\system32\wrp.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\wbsqf.exe
        
        "C:\Windows\system32\wbsqf.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\wmafenvy.exe
        
        "C:\Windows\system32\wmafenvy.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\whpe.exe
        
        "C:\Windows\system32\whpe.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\wsroddd.exe
        
        "C:\Windows\system32\wsroddd.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wmf.exe
        
        "C:\Windows\system32\wmf.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\wgwss.exe
        
        "C:\Windows\system32\wgwss.exe"
        50⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmf.exe"
        50⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 116
        50⤵
        Program crash
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsroddd.exe"
        49⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpe.exe"
        48⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmafenvy.exe"
        47⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsqf.exe"
        46⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrp.exe"
        45⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttwlrqy.exe"
        44⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsgcyjtm.exe"
        43⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvekaufo.exe"
        42⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoyvax.exe"
        41⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weq.exe"
        40⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyac.exe"
        39⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfj.exe"
        38⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivliv.exe"
        37⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waggve.exe"
        36⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welrxjdr.exe"
        35⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbtqxi.exe"
        34⤵
        
        PID:784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1456
        34⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkeuh.exe"
        33⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpafxp.exe"
        32⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibbtbkf.exe"
        31⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whowku.exe"
        30⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnrqa.exe"
        29⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvp.exe"
        28⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunvl.exe"
        27⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtvya.exe"
        26⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnjuvgg.exe"
        25⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtdtc.exe"
        24⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxnhk.exe"
        23⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfknmfci.exe"
        22⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1504
        22⤵
        Program crash
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrirbreax.exe"
        21⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaana.exe"
        20⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbeava.exe"
        19⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccxuii.exe"
        18⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjbdsow.exe"
        17⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgh.exe"
        16⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklnda.exe"
        15⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnheify.exe"
        14⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whedf.exe"
        13⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywihclh.exe"
        12⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodiaov.exe"
        11⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wboeiamx.exe"
        10⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wesgjiin.exe"
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyocfn.exe"
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbrdgy.exe"
        7⤵
        
        PID:888
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbfcvo.exe"
        6⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxj.exe"
        5⤵
        
        PID:3748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waynf.exe"
      4⤵
      PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikaco.exe"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1456
    3⤵
    - Program crash
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\c1d270cf6a8b1317211c033f3704aa99.exe"
  2⤵
  PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3148 -ip 3148
1⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 408 -ip 408
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1996 -ip 1996
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3100 -ip 3100
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waynf.exe

Filesize
270KB

MD5
ba676fc3bbb1d8f186943180c1028340

SHA1
eec3438dce063c717a88f5d98bad6cb1cae9a2d7

SHA256
0613f5708c207ea04a7442d75a0489b9b89572f639609774ce7413f0530f956c

SHA512
2cdc5a7f420cc357393f4c2fab0318b14782adce53adcb74e9ef5db87b7b35e30c8be7844ce288f9fc657756e107ec4ec2fc3be849a9fbed3b2550cfe1f81f70

Download Submit
C:\Windows\SysWOW64\wbeava.exe

Filesize
270KB

MD5
7c074784dcc73857e125ad89528be01a

SHA1
c9bb9c5558df5d17d7d94956ef16ad910a6fe097

SHA256
f1260e8ad1c52ce8760e5b5ce2c04caba2988419741d3a4e977c211d0217c111

SHA512
fe5ddf1663916e8c2a4e9103ea0d24ea990a4a7977ff012b8ccb230f6e063b753371da272c8175016f94e5bd82b27707355d2e592d8b1dc3ac34d077002c9ce5

Download Submit
C:\Windows\SysWOW64\wboeiamx.exe

Filesize
270KB

MD5
3ee8371935ea4108e855f2b3abfd0f17

SHA1
43d31f098f2de025cf4c00e30b336a8b58b73690

SHA256
f03862d7583a8fc9f46f9c8e7d1f4ca6517c5a386116d495104cc89e2396b2b5

SHA512
be4fefbee9da9b81b593f325d51167396fb008a8d877609076a0f9e1d22f7b12a0ce65ff9ed079826001408c6754da4c717b1d05b97d6c426c4b24c05cf730c8

Download Submit
C:\Windows\SysWOW64\wccxuii.exe

Filesize
270KB

MD5
831220fe5289a728f4caa1ace98e4136

SHA1
655818579f28b8b6155506d5eef57d088340ab69

SHA256
580afb48bfe466120566d8722f7b8f23d8a079b25d0b843ac903e59ad3931f30

SHA512
508ffbbc030474561ce7936202f772a71b158b257b7c8ec8bc527947baa832da3f38c7f077ff012cbf4933e154a5dc4a0ed61c270d362d436e6f0e43967e5211

Download Submit
C:\Windows\SysWOW64\wcgh.exe

Filesize
270KB

MD5
6f205445da6c366fecf653101fa6446b

SHA1
ce24994ebd6dec7a8bbd855b22b7962c55d23cb6

SHA256
5da500548a5ee7ea85e101bafd863652dde47a9141ceae9e02b58f8b563fd366

SHA512
a79f26e4e13bac3e251c91308c7b52b1a2a2b8794d7f21010d3797d57692d45d0c3343b2a91df3ac7628694c1581548fe160101ffecea728067062998ab40c7c

Download Submit
C:\Windows\SysWOW64\wcjbdsow.exe

Filesize
270KB

MD5
91d7b7f7cf7fd933cb44cbe06b04dea6

SHA1
9869b54235141d44b45d7658a8733c0d499dd223

SHA256
f5bef9f6b79ac0e106ef9017baa9cc7ad89cd38b2c2497966b9b2dd6c66ae5fa

SHA512
767b5b079db3b30a524c4a6e570ca0a9aaccc58e9d1ab6b16a09c923d1da4368d8a4c2b35642efdd6f022c4f4865a9e62589cbbf368f492b9ec378c33ad5f95f

Download Submit
C:\Windows\SysWOW64\wcvp.exe

Filesize
271KB

MD5
56b188cf80e7e52c8d67e9c5d0ec470c

SHA1
d22b8ca6c49bb6a8877e8e96871d857e166e6866

SHA256
c4f0c19b13eb2e5c008716f99a242b2a67925181b8cd3beb0f27bd4a5d9f60f6

SHA512
f5f881580af66f9ae1f2b870482fa0a2785d3560762b85949520ce083724e377377db4a2ba50d21d9644b83e22d8190b4191b82924daa619c5e91874bd5a82e6

Download Submit
C:\Windows\SysWOW64\wdbfcvo.exe

Filesize
270KB

MD5
f24616fe657d8604d02c9891e81beaeb

SHA1
f4e5b12f62ba7cf0c54735af67ae99eb27cbc8ae

SHA256
65fece7a55675be5f901c58288d5f9512b9094f02b500982bc07ef1361495166

SHA512
28ee3d49976529cbc4d64acb5fb41cccb935442ff9af4e0f7b938cc29cf609eca04c495117066d876e228c4bc96a6882bd645a3904efcd295009931ae9c68ee5

Download Submit
C:\Windows\SysWOW64\wdbtqxi.exe

Filesize
271KB

MD5
e1cd5e8c9948c9c5248da58cd2aace6b

SHA1
44edb790aca1da5714445093debf683353823e73

SHA256
4e17e663084d5047eec0cce0ee222df9b34e7231618088a9171d6b88ecee6b05

SHA512
eaa778f75643472771778c758e7885e3bc32d3236a83eb0aef25a7d32c775113c2f2e7a935f702dc92d60d2fb2323e8ec19665e7536208feed5c618f19a99ffc

Download Submit
C:\Windows\SysWOW64\wdnjuvgg.exe

Filesize
271KB

MD5
76b7ecd19fc3f2534be2560b8a10d93b

SHA1
b4a997fb8bdcdd6ee09562927a4ce10216d6ca52

SHA256
9e6855a56aacbc21a875a23d0c76c5676053e07b0c050906e83c362f5021d945

SHA512
e7c878557001d92e0f516fb223b2b667627538d4a502644738f9dc88ee050bf557c938a4e1003bf0eaf9f6408355edf1f903418630bd02f7f5c4aba5a7347ae4

Download Submit
C:\Windows\SysWOW64\wesgjiin.exe

Filesize
270KB

MD5
d100c1fa7c39b056928f6dd9888f5f54

SHA1
8d83472243e0f3d23fb74a6dc221011014e77161

SHA256
c2a5f02c48beefcfe275f15d0dece828817f8e7ecce4fbd25bf4c6d5c214ce93

SHA512
fdbc6dd2186832249d72349259c2bc18e068475541c4c9f9e6c184a328aa21e37f11f03bcf06981b607cedaa640722f269e69ded136722c8bb33430492832355

Download Submit
C:\Windows\SysWOW64\wfaana.exe

Filesize
270KB

MD5
7ffe6d59ef4ca700e426c0d358bfe82f

SHA1
5635c92432136124e1ec2d8c4e84ef74cf07cad2

SHA256
0b6c0f6c1a0dad78113f8708a3e54661479ff9df109c34e8af4d5b43ed5ad0c9

SHA512
10f9d342405cecadba4e52918d6178feee6befc86a7aa519aadb766c6f81b67b186c7f888cc8743083e6c43dc7eafad630afe55bcfb86d997f07905a31404b41

Download Submit
C:\Windows\SysWOW64\wfbrdgy.exe

Filesize
270KB

MD5
85120a2d094a33555cf06d49eb7bff0e

SHA1
810032ff53036e29ea7bec28e07e1abb352a680a

SHA256
9b9c514f67d4cf8f3c7f1df471b31ef28e3e13385b8d61d4bceb34580b1f51b0

SHA512
04dc05eadbd35a8a09498b0e0984f76e475a23958fd160c9cb5b91fa4aa6d7fce65e637e656eb87e2ca7990d66f86c69559c67d76108b4789a03fed077503626

Download Submit
C:\Windows\SysWOW64\wfknmfci.exe

Filesize
270KB

MD5
627802ca4a19ca237765671ae97f748a

SHA1
1bd6fc89d82d47055e45f6422df6f2972c5c4dfd

SHA256
753949f570c086679af9cfebeaf1fc762a342379703c6b813515fa839dc26a1f

SHA512
78431845f9470b4dfad765eaca1ea0a80da8cbdcb8734088ef449f154cf43511da1633148c012e90c0db5a1bc28d9277c6fa05f225accf6a7adae49430be0644

Download Submit
C:\Windows\SysWOW64\whedf.exe

Filesize
270KB

MD5
eda8463898e28c77b6cb0cae89fb48ee

SHA1
d35aa704404333d64a2c4fc2e6b2fa4dc1fd0993

SHA256
f4b3289d1885208fb74efff0ff4a550a2978f896ca4791fb0d8558e37f3a303c

SHA512
9c2a80b78b495d56d88397a8b78a719189afe56ec5e68344193a53973831381cc3c07539af31e327a7e9ec836262de25708d3f1703ffc6908bf174ccac8727c4

Download Submit
C:\Windows\SysWOW64\whowku.exe

Filesize
271KB

MD5
188d7ce167047346607d373c752d1fc1

SHA1
82e08cd37576c50c47df02eb6f12b49540ba0fbf

SHA256
4d8d0a97c62c7d578bd9db8ab1cf2b8038efa6bef909a6e85a048b83c981ed77

SHA512
ce98bf57866a61d625924e117663dd92e4a11276e3165b58afb1dec67b7d0a65fb94773a5662ac756d35081261d4cf8d8e218992e96918bf445f6de43baf0415

Download Submit
C:\Windows\SysWOW64\wibbtbkf.exe

Filesize
271KB

MD5
18e736e1b5a664620ef41de7de1f8dd6

SHA1
b53d28ae3dd448902dfd2e467770e61dd055d109

SHA256
5d7b956eeb341f99d63156fa869d18e1a9929440090e1c9ad44b366364caebf3

SHA512
24af7279dcd377734f7eef09e97067ead7ef005f69c74381261b7df6d7654243049c31f7d167895faf0ad3bb7296a03e4801111b0191fcc9d121491738395a6e

Download Submit
C:\Windows\SysWOW64\wikaco.exe

Filesize
270KB

MD5
63b7c242f7d703d9892ae51c83f92952

SHA1
6dc22bf333460769601d8a9e68181d9a6e18b9a9

SHA256
3ed6566d474479d042186fb7141b897094b53276e05262ae017807d4b8118a06

SHA512
a405cca30233cc9158981fb223d4a6d6705c3c61093d9e462052dfabf61df5ec32aec631b4d78ba90d3baa1675396aaf0f8f9066444cca2489f54dda524890cf

Download Submit
C:\Windows\SysWOW64\wkeuh.exe

Filesize
271KB

MD5
8916497b435be524542a9d9440755971

SHA1
9b5713540851d6bdd6c68299e99d6730cd1d34df

SHA256
ca1df8cf615e2b41ec9289bf1dea4cdb561f80f03e26bccb3c8cd2e35d193ecd

SHA512
51841714e093aabba6cc31aae61bf504d9171cf7b21aa1a8280b3b3848617fadf34c466ca3a53bd077080ac3e5dd659dbb602b45c9e0ad39a2531e6f4f726160

Download Submit
C:\Windows\SysWOW64\wklnda.exe

Filesize
270KB

MD5
601240b5374ec8b5ba24a90abcb868d4

SHA1
71a16e780a32b9f7e0a1a07850d0e9529e4960f0

SHA256
f6a84d0ef8dc02c84d01e3804a9c54189d01edddb4687d5439776a0e4270eb3b

SHA512
59cc9326f334aaac5c19c9a1c115776e360d8836df7d88b993f3a47ab177cad53c6b5b1aacc81ab1905a7e001e077de2b42c47233cd24d9bfb9931dbc752cc74

Download Submit
C:\Windows\SysWOW64\wkxnhk.exe

Filesize
270KB

MD5
17fbf0d3ee4267654382f3d9f9ea6e17

SHA1
a70ed651ca76f805547fb905062ee26f54a209cd

SHA256
4e5adaa8d6334eb995c21698c70c5c844c8be2464ae64a33830dff859954b3b5

SHA512
15d10690eccce6262bc2a7e4e27128f7e99e1c89ea9a15d22d12e4515ecfc1b5a852e16cdf96585f9b59960edf1c82dc5ac0bc4ab4166cbb9daa8237dbd0966b

Download Submit
C:\Windows\SysWOW64\wlnrqa.exe

Filesize
271KB

MD5
be382df0590ced0891eab267f7a68499

SHA1
3eaf82c6f4274cb775c25a9491ede2465215e347

SHA256
aa462b32e2a1e2253176376602dc26d3433efa2974454060b77a593696945ec5

SHA512
8586c7123b1ccf7b670938de2a9930dc184d02fad446c484b37bdcf0813567714f806c306250649e5fe1f3a63b123cb07e499e12fba1bd890003145b364378a5

Download Submit
C:\Windows\SysWOW64\wlyocfn.exe

Filesize
270KB

MD5
29261b97589d4771e15a4e584aae0ca0

SHA1
c1154f2138f12edc8aba53a4bd3ec08d8e9c717e

SHA256
98c22c5c59f495ecb51300ba5c119660955f734d9552495ade44d50bc3f12aec

SHA512
417bedbcf98961604d3610e3c0bdff82b90d6b068bce156159870edab9e2bd193a92c4e032ea05947ec99457d10d0eb1b08bb9f4725f4f14f4dafea7465384e9

Download Submit
C:\Windows\SysWOW64\wnheify.exe

Filesize
270KB

MD5
894d168109d284e4dc86fac6dfbeda5b

SHA1
3538e49bfc653a7c48bebeacd4bb38f0806a532f

SHA256
842e42f8f1ae19ff056dc9aeee00adef99e6cbbd0ee64cca6fa113f7c0e26ae7

SHA512
164586f2c68cf972dd42b7647628e4ee101a1d0bae76bdf9ebc77454e36ade689b4cbf91f8cdab7c13c911fda61005da7b6820a33dba03a27ee211cab11a3e3c

Download Submit
C:\Windows\SysWOW64\wodiaov.exe

Filesize
270KB

MD5
58c72a18714956a3d423291c10f64ad3

SHA1
53e7da88718e882b1f803e3eccf53a346f55d9d1

SHA256
f634d1b6872c2b487eb6e9f0d0a6f13a9143ecbd3c0c001445abdfd5e09476b8

SHA512
2ad8cbd6267fecc634c63b32e9fd3489c6694a770bfd1064303b091dd8c63b53ca233c3fdce2a7519c8c14e506b58850f288335dd3b8c9a04d7812c336853c1d

Download Submit
C:\Windows\SysWOW64\wqpafxp.exe

Filesize
271KB

MD5
73c261b081a46d747eef9f66b168dd74

SHA1
04a43da6226519f3363c62792014013d77661196

SHA256
4567bfffac769b811b550fc5119cb296bdc01246da85ef69244846675ef29908

SHA512
49b845a87fa25a63da2a47be743ddc0a354dbcbc27ebcfe85cc432143184777fd12729aa07b4ca131bfec4d273381926e68c917e84a5f0660560d9e6d5817699

Download Submit
C:\Windows\SysWOW64\wrirbreax.exe

Filesize
270KB

MD5
2ad1cc978b6d4ae331dcbc037586094e

SHA1
49171315a6575079d4603c7696c43a13fcc79c13

SHA256
d67601ec7bb46bb85a5aeb0f17d0d7905af98fa12feb6607ff58d04fcf65845b

SHA512
05df3ee71874201b52a4a80eb325f0e02e3d3d0662bddd26e004e94725e4a17644b57a0e3c79677c801654aa5e11226594d149011eb95cb07ea50b1e0a9d3d5d

Download Submit
C:\Windows\SysWOW64\wtdtc.exe

Filesize
271KB

MD5
6178383957ef489a12029cb82256f35c

SHA1
2b8b7d45c40c38aac672b60f6afb134bc93b668b

SHA256
21569e57c33a34ca69bf4d7be78c234462bdd343dc249aef94020870bba1e232

SHA512
7a8337c9d811122f046ca1d9b7ba70ee0c18c2bed3383f0d9baba33a531a95e750a896814303bd8aeab1a9daf2d8b3caaf42fcfc3d3fe5b8df5ccd82bb8f50e0

Download Submit
C:\Windows\SysWOW64\wunvl.exe

Filesize
271KB

MD5
c5fa2bd36d73bbc303943b5e80d51040

SHA1
66f27fd165690dbfd14812b1e728c389715d02f5

SHA256
eb294167c59c842213995003ac585d11eccced85aa82179b4a5a49af6839fa3e

SHA512
da37ff37591ae84d82af0a9c05d3b0203aff91fc6bce2db97f439b23760c37f962f76d097cdb5c8714a4c33c2df9044b0531e141ae82dfecfa811b3c2bf8313a

Download Submit
C:\Windows\SysWOW64\wwtvya.exe

Filesize
271KB

MD5
502932b0e9abcc38d8910449614b5349

SHA1
8ab80e3f80e801a8fe0c8228895b186cd3f64db8

SHA256
b3528e72cefc0832cbc4c8db6546d4876f3e5317bfcf4e4b2a75adf4e6ccdad2

SHA512
a3dfcca25a9c3b441c47512c502a1fbd72d27d61bf52d7f90e8efb2e666bc2c0bdb7a7a946bc8c6de8e6e0b3c0d1e54c4e323b9dd5c1060e110ef5522245ee6f

Download Submit
C:\Windows\SysWOW64\wxj.exe

Filesize
270KB

MD5
801bdd240ae3a733a36620a7f89189e8

SHA1
179f1c69a46c1c86532a180655dcc300257e0242

SHA256
4fd26db6e1eadf3c6207a5f386b8a0f868a124ea743cf975047e611e33e4fb57

SHA512
8a75a55b1ca48826f084615d4e7413820f6904e9066df928d62a3b11adc4e48ce084db6a2b0992330b9f1f6a4f466a444fdc76e5f4c0adb0b8bea25140ee51f6

Download Submit
C:\Windows\SysWOW64\wywihclh.exe

Filesize
270KB

MD5
44289a7798e50ba61df2a787d34f5738

SHA1
78dcc1bdf0ee7da0ae7b8787b2662a8cdcdf922a

SHA256
1fa56b38ebb81453d5f4448c6b5b0319c1e9019ccd2bad964ce57bbdc75f4170

SHA512
1234f02aafe4f8f8b3cf1a110087c07ccabe8adc2c2a655fbdc03d085dc84be6fa35c76fad4b2c03a968972c255b3319dd00c9a5165f1be2f9263082e8944cf3

Download Submit
memory/408-212-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/408-224-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/888-120-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1072-447-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1088-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1296-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1296-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1324-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1324-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1660-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1728-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1952-415-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1996-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1996-202-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2004-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2076-455-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2080-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2116-431-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2356-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2396-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2396-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2448-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2528-79-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2624-399-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-285-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-463-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-192-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2984-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3004-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3080-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-473-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3148-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3148-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-359-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3508-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3908-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3908-213-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3952-275-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4048-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4048-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4064-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4240-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4424-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4528-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4664-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4884-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4884-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4916-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4948-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download