2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
Size

460KB
MD5

13120df0d0267bcb5ca074e10f52f32b
SHA1

2fc0d62fbf44babd188f2ab1938dc00696e4abe7
SHA256

2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa
SHA512

7ebcb95e58abc2ec839deff8a77dffe840677171b852ea724cbd95f6e1525b2b5f448d5c1eed665189a95915beb3567a39977a5e8343b7cddcd9607a3f5d1e8c
SSDEEP

12288:+LKSZhnVepwI20UldLbz5f27POyORdIKB1bybT:+LRhiwI20UldLbz5f27POyORdIKB1byn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 46 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wttrbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wsidw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wldfyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wbbkukg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wjwjh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wsswmyllo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wjtsbpo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wbgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wlwikv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whcpbxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wfynapl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wankcfif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wfni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wluu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wtuejn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wygi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wlmapa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	widr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wtrnwl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wywvjed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wmfwkx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wemqjwy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wvhht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wmmyyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wkun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnhhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wqdko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wgqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wcuekk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wmgf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	weahinjq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wtxofdqw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whefstr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wqrjcrck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wqjjq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wwvap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	waywdxfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wdul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wywetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wjndk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnfp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wyfgpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wtbhkcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wqex.exe

Executes dropped EXE 46 IoCs

pid	Process
4056	wjwjh.exe
4948	wtuejn.exe
1420	wygi.exe
5020	wlmapa.exe
4080	wsswmyllo.exe
2044	wfynapl.exe
2476	wtbhkcj.exe
4516	wankcfif.exe
1228	wqdko.exe
4136	wjtsbpo.exe
1088	wtxofdqw.exe
4944	whefstr.exe
2632	wgqo.exe
3084	wjndk.exe
2784	wtrnwl.exe
2240	wcuekk.exe
3132	wqrjcrck.exe
1140	wemqjwy.exe
2724	wnfp.exe
3508	wyfgpe.exe
2428	wlwikv.exe
2004	wvhht.exe
1820	whcpbxs.exe
2908	wqjjq.exe
4296	wywvjed.exe
4336	wttrbc.exe
3396	wmfwkx.exe
4364	wmmyyo.exe
4636	wkun.exe
852	wwvap.exe
1420	widr.exe
1728	wrq.exe
844	waywdxfc.exe
1792	wnhhk.exe
2004	wfni.exe
3188	wsidw.exe
2080	wdul.exe
2100	wqex.exe
4816	wywetx.exe
4296	wldfyn.exe
4528	weahinjq.exe
3680	wluu.exe
1272	wbbkukg.exe
980	wbgm.exe
1644	wmgf.exe
4280	wucpt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wwvap.exe	wkun.exe
File opened for modification	C:\Windows\SysWOW64\wrq.exe	widr.exe
File created	C:\Windows\SysWOW64\wluu.exe	weahinjq.exe
File created	C:\Windows\SysWOW64\wfynapl.exe	wsswmyllo.exe
File opened for modification	C:\Windows\SysWOW64\wfynapl.exe	wsswmyllo.exe
File opened for modification	C:\Windows\SysWOW64\wtbhkcj.exe	wfynapl.exe
File created	C:\Windows\SysWOW64\wtrnwl.exe	wjndk.exe
File opened for modification	C:\Windows\SysWOW64\weahinjq.exe	wldfyn.exe
File created	C:\Windows\SysWOW64\waywdxfc.exe	wrq.exe
File opened for modification	C:\Windows\SysWOW64\wnhhk.exe	waywdxfc.exe
File opened for modification	C:\Windows\SysWOW64\wmgf.exe	wbgm.exe
File opened for modification	C:\Windows\SysWOW64\wjwjh.exe	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
File created	C:\Windows\SysWOW64\wtbhkcj.exe	wfynapl.exe
File created	C:\Windows\SysWOW64\wankcfif.exe	wtbhkcj.exe
File opened for modification	C:\Windows\SysWOW64\whefstr.exe	wtxofdqw.exe
File opened for modification	C:\Windows\SysWOW64\wqjjq.exe	whcpbxs.exe
File created	C:\Windows\SysWOW64\wjwjh.exe	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
File created	C:\Windows\SysWOW64\wtuejn.exe	wjwjh.exe
File opened for modification	C:\Windows\SysWOW64\wmmyyo.exe	wmfwkx.exe
File created	C:\Windows\SysWOW64\wmmyyo.exe	wmfwkx.exe
File created	C:\Windows\SysWOW64\wrq.exe	widr.exe
File opened for modification	C:\Windows\SysWOW64\wfni.exe	wnhhk.exe
File created	C:\Windows\SysWOW64\wgqo.exe	whefstr.exe
File opened for modification	C:\Windows\SysWOW64\wnfp.exe	wemqjwy.exe
File opened for modification	C:\Windows\SysWOW64\wyfgpe.exe	wnfp.exe
File opened for modification	C:\Windows\SysWOW64\wvhht.exe	wlwikv.exe
File created	C:\Windows\SysWOW64\wmfwkx.exe	wttrbc.exe
File created	C:\Windows\SysWOW64\wdul.exe	wsidw.exe
File created	C:\Windows\SysWOW64\wqex.exe	wdul.exe
File created	C:\Windows\SysWOW64\wldfyn.exe	wywetx.exe
File created	C:\Windows\SysWOW64\wbbkukg.exe	wluu.exe
File opened for modification	C:\Windows\SysWOW64\wqex.exe	wdul.exe
File created	C:\Windows\SysWOW64\wywetx.exe	wqex.exe
File created	C:\Windows\SysWOW64\whefstr.exe	wtxofdqw.exe
File created	C:\Windows\SysWOW64\wnfp.exe	wemqjwy.exe
File created	C:\Windows\SysWOW64\whcpbxs.exe	wvhht.exe
File opened for modification	C:\Windows\SysWOW64\wkun.exe	wmmyyo.exe
File created	C:\Windows\SysWOW64\wnhhk.exe	waywdxfc.exe
File opened for modification	C:\Windows\SysWOW64\wsidw.exe	wfni.exe
File opened for modification	C:\Windows\SysWOW64\wbbkukg.exe	wluu.exe
File opened for modification	C:\Windows\SysWOW64\wygi.exe	wtuejn.exe
File created	C:\Windows\SysWOW64\wtxofdqw.exe	wjtsbpo.exe
File opened for modification	C:\Windows\SysWOW64\wcuekk.exe	wtrnwl.exe
File opened for modification	C:\Windows\SysWOW64\wqrjcrck.exe	wcuekk.exe
File created	C:\Windows\SysWOW64\wvhht.exe	wlwikv.exe
File created	C:\Windows\SysWOW64\wqdko.exe	wankcfif.exe
File opened for modification	C:\Windows\SysWOW64\waywdxfc.exe	wrq.exe
File created	C:\Windows\SysWOW64\wwvap.exe	wkun.exe
File opened for modification	C:\Windows\SysWOW64\wldfyn.exe	wywetx.exe
File opened for modification	C:\Windows\SysWOW64\wtxofdqw.exe	wjtsbpo.exe
File opened for modification	C:\Windows\SysWOW64\wemqjwy.exe	wqrjcrck.exe
File opened for modification	C:\Windows\SysWOW64\wlwikv.exe	wyfgpe.exe
File opened for modification	C:\Windows\SysWOW64\wttrbc.exe	wywvjed.exe
File opened for modification	C:\Windows\SysWOW64\wmfwkx.exe	wttrbc.exe
File created	C:\Windows\SysWOW64\wywvjed.exe	wqjjq.exe
File created	C:\Windows\SysWOW64\wkun.exe	wmmyyo.exe
File opened for modification	C:\Windows\SysWOW64\wdul.exe	wsidw.exe
File created	C:\Windows\SysWOW64\wsswmyllo.exe	wlmapa.exe
File opened for modification	C:\Windows\SysWOW64\wsswmyllo.exe	wlmapa.exe
File created	C:\Windows\SysWOW64\wcuekk.exe	wtrnwl.exe
File created	C:\Windows\SysWOW64\wyfgpe.exe	wnfp.exe
File created	C:\Windows\SysWOW64\wqjjq.exe	whcpbxs.exe
File opened for modification	C:\Windows\SysWOW64\wywetx.exe	wqex.exe
File created	C:\Windows\SysWOW64\wasaolbwf.exe	wucpt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
5080	4744	WerFault.exe	86
3116	1088	WerFault.exe	133
1708	1088	WerFault.exe	133
4868	3084	WerFault.exe	149
4936	2908	WerFault.exe	182
2532	844	WerFault.exe	217
1896	4296	WerFault.exe	240
2232	1272	WerFault.exe	253
5052	1272	WerFault.exe	253

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4056	4744	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	92
PID 4744 wrote to memory of 4056	4744	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	92
PID 4744 wrote to memory of 4056	4744	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	92
PID 4744 wrote to memory of 2104	4744	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	95
PID 4744 wrote to memory of 2104	4744	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	95
PID 4744 wrote to memory of 2104	4744	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	95
PID 4056 wrote to memory of 4948	4056	wjwjh.exe	103
PID 4056 wrote to memory of 4948	4056	wjwjh.exe	103
PID 4056 wrote to memory of 4948	4056	wjwjh.exe	103
PID 4056 wrote to memory of 4036	4056	wjwjh.exe	104
PID 4056 wrote to memory of 4036	4056	wjwjh.exe	104
PID 4056 wrote to memory of 4036	4056	wjwjh.exe	104
PID 4948 wrote to memory of 1420	4948	wtuejn.exe	106
PID 4948 wrote to memory of 1420	4948	wtuejn.exe	106
PID 4948 wrote to memory of 1420	4948	wtuejn.exe	106
PID 4948 wrote to memory of 412	4948	wtuejn.exe	107
PID 4948 wrote to memory of 412	4948	wtuejn.exe	107
PID 4948 wrote to memory of 412	4948	wtuejn.exe	107
PID 1420 wrote to memory of 5020	1420	wygi.exe	110
PID 1420 wrote to memory of 5020	1420	wygi.exe	110
PID 1420 wrote to memory of 5020	1420	wygi.exe	110
PID 1420 wrote to memory of 1192	1420	wygi.exe	111
PID 1420 wrote to memory of 1192	1420	wygi.exe	111
PID 1420 wrote to memory of 1192	1420	wygi.exe	111
PID 5020 wrote to memory of 4080	5020	wlmapa.exe	115
PID 5020 wrote to memory of 4080	5020	wlmapa.exe	115
PID 5020 wrote to memory of 4080	5020	wlmapa.exe	115
PID 5020 wrote to memory of 2428	5020	wlmapa.exe	116
PID 5020 wrote to memory of 2428	5020	wlmapa.exe	116
PID 5020 wrote to memory of 2428	5020	wlmapa.exe	116
PID 4080 wrote to memory of 2044	4080	wsswmyllo.exe	118
PID 4080 wrote to memory of 2044	4080	wsswmyllo.exe	118
PID 4080 wrote to memory of 2044	4080	wsswmyllo.exe	118
PID 4080 wrote to memory of 2160	4080	wsswmyllo.exe	119
PID 4080 wrote to memory of 2160	4080	wsswmyllo.exe	119
PID 4080 wrote to memory of 2160	4080	wsswmyllo.exe	119
PID 2044 wrote to memory of 2476	2044	wfynapl.exe	121
PID 2044 wrote to memory of 2476	2044	wfynapl.exe	121
PID 2044 wrote to memory of 2476	2044	wfynapl.exe	121
PID 2044 wrote to memory of 2992	2044	wfynapl.exe	122
PID 2044 wrote to memory of 2992	2044	wfynapl.exe	122
PID 2044 wrote to memory of 2992	2044	wfynapl.exe	122
PID 2476 wrote to memory of 4516	2476	wtbhkcj.exe	124
PID 2476 wrote to memory of 4516	2476	wtbhkcj.exe	124
PID 2476 wrote to memory of 4516	2476	wtbhkcj.exe	124
PID 2476 wrote to memory of 1096	2476	wtbhkcj.exe	125
PID 2476 wrote to memory of 1096	2476	wtbhkcj.exe	125
PID 2476 wrote to memory of 1096	2476	wtbhkcj.exe	125
PID 4516 wrote to memory of 1228	4516	wankcfif.exe	127
PID 4516 wrote to memory of 1228	4516	wankcfif.exe	127
PID 4516 wrote to memory of 1228	4516	wankcfif.exe	127
PID 4516 wrote to memory of 4180	4516	wankcfif.exe	128
PID 4516 wrote to memory of 4180	4516	wankcfif.exe	128
PID 4516 wrote to memory of 4180	4516	wankcfif.exe	128
PID 1228 wrote to memory of 4136	1228	wqdko.exe	130
PID 1228 wrote to memory of 4136	1228	wqdko.exe	130
PID 1228 wrote to memory of 4136	1228	wqdko.exe	130
PID 1228 wrote to memory of 640	1228	wqdko.exe	131
PID 1228 wrote to memory of 640	1228	wqdko.exe	131
PID 1228 wrote to memory of 640	1228	wqdko.exe	131
PID 4136 wrote to memory of 1088	4136	wjtsbpo.exe	133
PID 4136 wrote to memory of 1088	4136	wjtsbpo.exe	133
PID 4136 wrote to memory of 1088	4136	wjtsbpo.exe	133
PID 4136 wrote to memory of 1432	4136	wjtsbpo.exe	134

C:\Users\Admin\AppData\Local\Temp\2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
"C:\Users\Admin\AppData\Local\Temp\2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\wjwjh.exe
  "C:\Windows\system32\wjwjh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\wtuejn.exe
    "C:\Windows\system32\wtuejn.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\wygi.exe
      "C:\Windows\system32\wygi.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\SysWOW64\wlmapa.exe
        
        "C:\Windows\system32\wlmapa.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\wsswmyllo.exe
        
        "C:\Windows\system32\wsswmyllo.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\wfynapl.exe
        
        "C:\Windows\system32\wfynapl.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\wtbhkcj.exe
        
        "C:\Windows\system32\wtbhkcj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\wankcfif.exe
        
        "C:\Windows\system32\wankcfif.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\wqdko.exe
        
        "C:\Windows\system32\wqdko.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\wjtsbpo.exe
        
        "C:\Windows\system32\wjtsbpo.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\wtxofdqw.exe
        
        "C:\Windows\system32\wtxofdqw.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\whefstr.exe
        
        "C:\Windows\system32\whefstr.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\wgqo.exe
        
        "C:\Windows\system32\wgqo.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\wjndk.exe
        
        "C:\Windows\system32\wjndk.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\wtrnwl.exe
        
        "C:\Windows\system32\wtrnwl.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\wcuekk.exe
        
        "C:\Windows\system32\wcuekk.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\wqrjcrck.exe
        
        "C:\Windows\system32\wqrjcrck.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\wemqjwy.exe
        
        "C:\Windows\system32\wemqjwy.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\wnfp.exe
        
        "C:\Windows\system32\wnfp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\wyfgpe.exe
        
        "C:\Windows\system32\wyfgpe.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\wlwikv.exe
        
        "C:\Windows\system32\wlwikv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\wvhht.exe
        
        "C:\Windows\system32\wvhht.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\whcpbxs.exe
        
        "C:\Windows\system32\whcpbxs.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wqjjq.exe
        
        "C:\Windows\system32\wqjjq.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\wywvjed.exe
        
        "C:\Windows\system32\wywvjed.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\wttrbc.exe
        
        "C:\Windows\system32\wttrbc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\wmfwkx.exe
        
        "C:\Windows\system32\wmfwkx.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\wmmyyo.exe
        
        "C:\Windows\system32\wmmyyo.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\wkun.exe
        
        "C:\Windows\system32\wkun.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\wwvap.exe
        
        "C:\Windows\system32\wwvap.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\widr.exe
        
        "C:\Windows\system32\widr.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wrq.exe
        
        "C:\Windows\system32\wrq.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\waywdxfc.exe
        
        "C:\Windows\system32\waywdxfc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\wnhhk.exe
        
        "C:\Windows\system32\wnhhk.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\wfni.exe
        
        "C:\Windows\system32\wfni.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\wsidw.exe
        
        "C:\Windows\system32\wsidw.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\wdul.exe
        
        "C:\Windows\system32\wdul.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\wqex.exe
        
        "C:\Windows\system32\wqex.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\wywetx.exe
        
        "C:\Windows\system32\wywetx.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\wldfyn.exe
        
        "C:\Windows\system32\wldfyn.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\weahinjq.exe
        
        "C:\Windows\system32\weahinjq.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wluu.exe
        
        "C:\Windows\system32\wluu.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\wbbkukg.exe
        
        "C:\Windows\system32\wbbkukg.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\wbgm.exe
        
        "C:\Windows\system32\wbgm.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\wmgf.exe
        
        "C:\Windows\system32\wmgf.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\wucpt.exe
        
        "C:\Windows\system32\wucpt.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgf.exe"
        47⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgm.exe"
        46⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbkukg.exe"
        45⤵
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1084
        45⤵
        Program crash
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1344
        45⤵
        Program crash
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wluu.exe"
        44⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weahinjq.exe"
        43⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldfyn.exe"
        42⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 748
        42⤵
        Program crash
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywetx.exe"
        41⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqex.exe"
        40⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdul.exe"
        39⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsidw.exe"
        38⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfni.exe"
        37⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhhk.exe"
        36⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waywdxfc.exe"
        35⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1280
        35⤵
        Program crash
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrq.exe"
        34⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widr.exe"
        33⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvap.exe"
        32⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkun.exe"
        31⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmyyo.exe"
        30⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfwkx.exe"
        29⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttrbc.exe"
        28⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywvjed.exe"
        27⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjjq.exe"
        26⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1408
        26⤵
        Program crash
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcpbxs.exe"
        25⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhht.exe"
        24⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwikv.exe"
        23⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfgpe.exe"
        22⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfp.exe"
        21⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemqjwy.exe"
        20⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrjcrck.exe"
        19⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcuekk.exe"
        18⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrnwl.exe"
        17⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjndk.exe"
        16⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1564
        16⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqo.exe"
        15⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whefstr.exe"
        14⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxofdqw.exe"
        13⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1676
        13⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1688
        13⤵
        Program crash
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtsbpo.exe"
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqdko.exe"
        11⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wankcfif.exe"
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbhkcj.exe"
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfynapl.exe"
        8⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsswmyllo.exe"
        7⤵
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmapa.exe"
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygi.exe"
        5⤵
        
        PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtuejn.exe"
      4⤵
      PID:412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwjh.exe"
    3⤵
    PID:4036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1660
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4744 -ip 4744
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1088 -ip 1088
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1088 -ip 1088
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3084 -ip 3084
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2908 -ip 2908
1⤵
PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 844 -ip 844
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4296 -ip 4296
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1272 -ip 1272
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1272 -ip 1272
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wankcfif.exe

Filesize
461KB

MD5
cf5ee313dc964e6d71ee82e79687e51c

SHA1
3b54ae58a890569e587470af2e9d6763e8048b1d

SHA256
693aeba80fd1e2b1d2dc9ae0350b517bf60836a2433f675741834b6cb1aac3b8

SHA512
e8b59bb27a454f27bf072350e23e616a9bb8a10e88464f6385ab5332b4e6179ea4f80b78a82c51b3e0f6323e02dae02b05a779ac6608c87943343317ca4bc96a

Download Submit
C:\Windows\SysWOW64\wcuekk.exe

Filesize
461KB

MD5
3c37a82737f1d2ad0fa9f41833b791f8

SHA1
f3162b551e96fe7abeabdfe81a06f01b86e6f958

SHA256
9b5adc993e9e2e9494b0be064ff99e47fa2018f174656f82c6f75ea2fb6aa8d6

SHA512
06caa7ef2c8b96cd1c8ac49525a06e1a2c1002cfb42e22379f8c890a2e8206b3fcce5064d1e3b89f049e93d5096fb9f90331126d1c371765eab9b71494d1426e

Download Submit
C:\Windows\SysWOW64\wemqjwy.exe

Filesize
461KB

MD5
12b3465046f33fbcbba1025ce9c778b2

SHA1
c8824ebe4532ea072460dc5447e39ec8d1ec17e9

SHA256
2380a1affcf95259d18b6a597e07ced5e41b9d4d5bc4cf6d687e913b1316c0d3

SHA512
03e84c0e6134eaf0b5f5948ad3645567d8d8a438f4e105b2f9a1d3f734ab94b71f4f394415d23051f4af8115fffdf94852cfd0d1c96119842634ee2ff422b9a7

Download Submit
C:\Windows\SysWOW64\wfynapl.exe

Filesize
460KB

MD5
5b4bac68a104201b317626c1d244f96a

SHA1
922ca09dbd7b507558b84ba3dad10f1f609eafad

SHA256
db7ab782c127c8911cf14d17f9dbff23c91e783aba6735cc713ebd8571fe3973

SHA512
0d18809a33843b3cfd8eef7b9c24eb42751dede697a7e38508dca322de2836d33de4e67454d0591f3a810151fe84c8d9d4e000d7487fc8ecc7e2399c257a5464

Download Submit
C:\Windows\SysWOW64\wgqo.exe

Filesize
461KB

MD5
09c9d9a3a79f87cf01d4676b045b1c2a

SHA1
c82d3ea39c4531f710be1f8f233dc2a8ab2b8ef1

SHA256
b5bc099eb66957a85d1b4996101b8594ca7c6d4d752332167fa50dc79ce0af63

SHA512
90b2c4186a71194b295eaf2202a45b1a76fea71627e79110074ffe5e33302c29e7fc23ec3e66c89f1993f7a028d78a79d2e4c51249a7ff409417de6480ccc987

Download Submit
C:\Windows\SysWOW64\whcpbxs.exe

Filesize
461KB

MD5
7f440495890a97da13ebb1c6855c123e

SHA1
134c544a8f069f95de1af2ce7b1a1130bcac9cfb

SHA256
6831f16d4367ad375d791e532b00118d5adc4f2851d7c1972a90a7fb8f4c5ffb

SHA512
0e021c6fd702af438b2e01b28fc11136312377c786fcf518760593c05293dc14ba52d21cae5288baa001c7494f6963999dc9322a7ae4ab0a8f2ac1cfc4f21a1e

Download Submit
C:\Windows\SysWOW64\whefstr.exe

Filesize
461KB

MD5
6b307f67c198e97df491fd51d8bb1696

SHA1
902edec72edbda2fc9ba7b9bc20c656a2e089953

SHA256
ce518818868ad9e7767e83885c49e3bc53affde8e9c57ba5291641dd22f6ad0f

SHA512
611ce3725e4f8b08010b24b049dce73c518693a88826d43f294669378c67b2ac07de86e165a7082c6177702f8aabfd6f71d8963c0ca2d291a400fd370f7c60aa

Download Submit
C:\Windows\SysWOW64\widr.exe

Filesize
461KB

MD5
f739dfd66c81fe27fc50cbab0bb2c68d

SHA1
b7df5a2c6f89852848457fe2de5cb9dff606503b

SHA256
a25e88818c860aeb5d1fe9ea42b5b40c356e93a5b55972d316b5676d09ed0732

SHA512
0d3f68ee08bd801a3b57c1586317f5d053390822a644eed5598ef333c610c8f3c68ce776675e42c9a62605aa38c813715c11f9f601674b4c1305d68190848f59

Download Submit
C:\Windows\SysWOW64\wjndk.exe

Filesize
461KB

MD5
8105b73cecac63e5e6ae512dea664e34

SHA1
6409ec91cda5119690850ef587359148290c6053

SHA256
4fd9ab7426af3d7d833b0f151765f943c1e7c68be85bd5dd5b8ac1364e8a1ceb

SHA512
6d348d0111c36e6d12922ada11c348d54be304d63f985a5242a6c0e8413e33518156a237b175ee975f495f4b830d0d97a7488c2c896b45f8146df0f325c18cde

Download Submit
C:\Windows\SysWOW64\wjtsbpo.exe

Filesize
461KB

MD5
edad9d08952e0257c18584fc0c42959a

SHA1
81b3140f235c482da339c81858a2c139fb00d65b

SHA256
f9b7aa40d4eee9f510e890b35383e92678bffd49c7e2a042ec61497052cbd89f

SHA512
13d31dc322ae363a8a86782391761b55673d6d29513b17377bf6e3a829d5b8ab447a2ef1fd27525ab5ee4fc61202f2b6a1284ea396592326ee3670730d0e4816

Download Submit
C:\Windows\SysWOW64\wjwjh.exe

Filesize
460KB

MD5
1fcc849153316441dd55383e9904fc6d

SHA1
395a96c031e4559843792a5478c0d87e20cf9c61

SHA256
a55035e0624dcf5a2840e45cc530bf1b3207b4cfb29df99afff5f51665272e0e

SHA512
64c51f71ca3e43dbef3dadb2d8d44d2aa9306b4409d3a5cde6e1d0a5909c05448a5c5998133d359528e50324f12bd9456a4dd3b59d1ace475588ad1a581bb9d1

Download Submit
C:\Windows\SysWOW64\wkun.exe

Filesize
461KB

MD5
83ba3eea2cc022ede67f418a9e57300e

SHA1
6ada15e1285ca119f193c5e3a8491482c26fea22

SHA256
d7b98ecc6264892fb5b8d878ca95e50a479fdaf989a052b30589a09d4957dfbb

SHA512
27ac40bd685379473df746cd1d4859f2e77b41c955e9da068bb6a21acd874937f48a54ce6c619e3404f9bf641bc25f95fc29e61ce9fee174dbf58601dc6d6b60

Download Submit
C:\Windows\SysWOW64\wlmapa.exe

Filesize
460KB

MD5
afb1c776a151654f720b3dec91353a0c

SHA1
617211d9de9559e85403a09dc31f4f5d6d651bb0

SHA256
94ae9c6182b807e02a7e2df06001f2b5f25ce94df4e9eb2d24cf8b7198c4d014

SHA512
220c1085a367486cc680fbb09654b494bde522860253bd7955dc860eae12552cb25596ec7c97d65ff3b8f833781cd1f8a802e3c7002c7a6a21da6a92ea29057a

Download Submit
C:\Windows\SysWOW64\wlwikv.exe

Filesize
461KB

MD5
5f95d04524c5ba1df31924c7673ff1ad

SHA1
a6284d96d2922c9e1fc33c76afe5d725aee3be4b

SHA256
67a21729a3f538f803929b2c8d9a6c0b3a0f9807fc165874b73993bd26673262

SHA512
059501a09137460610caa30568d0c00ac61459c491ddfcbcfe39d175b2bea699a180aeccc8bc171447498bdb6aab6b45acc1443068ef0a2f918638ddd4139122

Download Submit
C:\Windows\SysWOW64\wmfwkx.exe

Filesize
461KB

MD5
92206fe8a116a55f4c95074aca68c3d1

SHA1
c3e1c4688bf889560d6ee1d14a7d8912afa42f3f

SHA256
a9a33e16485ae5bc113703abd7038264c453f64f9f393c4f47fa744ab5d02e01

SHA512
e518816dd381a3b9f6c8cc14b9ee0e1e4d956576a1588d33b0772c2502afe0cf4a571d265abb594c09f67ccbd4c5c3d0191863a418296b2e5953a255f12fb9f0

Download Submit
C:\Windows\SysWOW64\wmmyyo.exe

Filesize
461KB

MD5
f8025dbf2269e6f76d06f65e4bd468d1

SHA1
dd740bbd004427452d9fdb5d77930230d31ae795

SHA256
a0105726df9bc33128f7939f8e536971c98f81d720a680165e2bdd7f3312d1ba

SHA512
9db23470fcb235229504aeea7805913de67b36d0be677578608222cda20cf8be2b46227aca666ba604eb5a4166b562596c2bdbacba678fbaf827354674231e05

Download Submit
C:\Windows\SysWOW64\wnfp.exe

Filesize
461KB

MD5
caeed0246d03ae13f4fe9f5d2abf101e

SHA1
165dcc38b10679fcd1780a41c6814124ca999bb1

SHA256
62f2e6b20f7bc0a6efd44079bdb1381e86694a052b5517d8437fb9129022faa2

SHA512
3db3ef9e4dccd336a8210a6068193d44e0cb0ec08365c82dc823fe873f42ce54436b5b3bc48a63c1d9600e0b752d67d4f9370cd0b4b01894bdf9f9ea3d251271

Download Submit
C:\Windows\SysWOW64\wqdko.exe

Filesize
461KB

MD5
0a7b07a91b98db7729dc98c6f2d2741c

SHA1
0129921822264c49ce011840184ff28f6f66ac43

SHA256
fb4ac70170e3a753fe8c16ab209985c8fff9a54838c1e52acc1225d16ea05729

SHA512
2e1c89072a172a0a9e8d2b3af0eb36ad3b7ebc45c90f976f78b996044a25fb019480c133da85de472e9bf5d578cb205447b0d9215de3ae12a0ef6a8233bfab02

Download Submit
C:\Windows\SysWOW64\wqjjq.exe

Filesize
461KB

MD5
5a7605a315f3b7adfaaee8c4dafb4cab

SHA1
b04c730e3ed7916518b1925053b330a593a41496

SHA256
f603226882e2f2422c71968912eb82f5ec6922555ab2c292619ddc7e2340594d

SHA512
e89f2677de4b12430f29407525d5ed433dbdc02df5e8158e7504a269c5a7979e1fc5ea98a38ea421ad34624c006d26062e13f247056f3b160ddff981c616d57b

Download Submit
C:\Windows\SysWOW64\wqrjcrck.exe

Filesize
121KB

MD5
af7ec48a478d14b2c9738c4c9ad5b46d

SHA1
3c02c979c086ed54645503ab76333387ae3106c8

SHA256
e8c770a6b0cd4f6b4f9ff385ea50003d8f6b5dd4acd9f20429d62327ebe703a8

SHA512
397f71e75b765c49b186d57f63ef78c5bb640b4ccf29b7d88d3d62c4fb8b64c6cb4c1ea18ed43d78a1ea1e41367fbe84d4f769eede27508d3cb6308a1fa90811

Download Submit
C:\Windows\SysWOW64\wqrjcrck.exe

Filesize
461KB

MD5
c1055a65c37ab81dc255531782b2b77c

SHA1
2a48132b20b5ffcc5747897881fb5e612c1b3218

SHA256
c509d4ea20803e5a47f01a68d16cd9ae3e35e2742a56748913382d093d8f3c1c

SHA512
1532a318e2f9d1b1402b2716de4534274bf9925176c6e531b33d2247c00e840f8ebf3dd758ef821dbfdb8b1fdeab4912e1c8193079bcc9679164dc7fa4c1089c

Download Submit
C:\Windows\SysWOW64\wrq.exe

Filesize
461KB

MD5
42d6935004aaa855508d6b1fbb58306c

SHA1
70090907f1ecb5b7bf6dad0ff5b47eeeb9c48a62

SHA256
fd451e902a2b733a1c22168a2ce10193588326a5f9297ce627581f6daf828590

SHA512
fea46e7579dd21883adb7f6dacac0ad56458464d2cef8da972643c5e314482f7f17216d3fafa1d1960fe1a23fb8949178366372f8af06737fbdbee9f62bbf665

Download Submit
C:\Windows\SysWOW64\wsswmyllo.exe

Filesize
460KB

MD5
cfff17a876e3fa6be1548f2b46999875

SHA1
d1bf020aacc120220323c2e7da6677f7af12f60c

SHA256
ca2c520863afbebc516ea74cd662dc6416305782c1f919ab804d62edf30df4df

SHA512
9d172f14a94d663155e166d86003b40f6726a8b760cf25db745f38e0c1dc739ddf1c3fd8ef0d9bc35f6e912650626077ea3d9044370d6b3996ec51576adbbf9e

Download Submit
C:\Windows\SysWOW64\wtbhkcj.exe

Filesize
461KB

MD5
b1756fe2278ac57e61efa94e940923a0

SHA1
5aae047d27647fbf6affefb29cd753cb92ca5652

SHA256
a0d3e9dd8a6e2482c9f4d978b6de3fb3788a8d140fa89dac47b32c3529a21949

SHA512
dbbbed657c7f08a07746cb8b6e4fb4bff9400451887159fe211f5d903494158c5217b138d2062f3ccd88e08ea528f0611dff4b05e80e70aa03f097a5ae4a191b

Download Submit
C:\Windows\SysWOW64\wtrnwl.exe

Filesize
461KB

MD5
ddc61cd25920a583e3f9aff3caba63ff

SHA1
caec9f8c47fbe6b7356b34a0695436ab711953d1

SHA256
ce7394647d29fbcd89c37481633c9ab11e3daa2ec947e888882b9ddacb61f695

SHA512
1d426f5753400b3422d5f070512405c021c27f8975bb2cf0cb125ed694cb9103628bd109d38931b74704da03f13ce645095c551683276f25f6ca8186704151aa

Download Submit
C:\Windows\SysWOW64\wttrbc.exe

Filesize
461KB

MD5
22909cbd9f3f2ca78e06442bd7cd0293

SHA1
22aa6bc5522e890938f6be033e8414d7bcae4b5a

SHA256
70a01a6a29bca5d7f4f119505f5244694ff4fdb6697de76c4ae65ba743cb09e5

SHA512
90dac030113a3e14036a3bf0598f47c3c999438a69dbf3da00d4afd1aa62f028d9cbbc387f27b5f4f665aab6ccca4828c9082c13f6a51a512bdb0abe6bfbc4a9

Download Submit
C:\Windows\SysWOW64\wttrbc.exe

Filesize
128KB

MD5
fe48b9c4dc2a20d9d733636d64f0a40f

SHA1
5b1d49521831c802ac71f6a3637f22abae2309f9

SHA256
ae3f4cc42ed61ff68bf8a83b040b99c9462e476d4e7b81615f25f409e4f74e4b

SHA512
cc258d218797ac49ff232b0c227284595af4c2dc2f3a267bafe3a7a7dfba04240b5ac0138f6a0a6c13ebdee26396854630c822f8391fcfe4ce1ee37e54426699

Download Submit
C:\Windows\SysWOW64\wtuejn.exe

Filesize
460KB

MD5
118e533db6b0305cc8a9559aedf37e93

SHA1
d159c20ab0d99c0e461a0e8429567482d97a0f48

SHA256
e453947dd1f667085bb08816680c5aebc4d8efb75bbc9eba6385d2adf4c445b4

SHA512
efaa657dd3bb6004ca291569c1cc5e06c6438f1e1b2c0056c16953b7808e585911ddf21299babcf531eb5157e16eecc9c9fd4525c924ce94063ee210daeeb9c3

Download Submit
C:\Windows\SysWOW64\wtxofdqw.exe

Filesize
461KB

MD5
bd26e5fed674fd17511bd5ad70cafe70

SHA1
07fb45a1c4722e23a14eacab14dbf85b6f8594ec

SHA256
39d8f93ee7c227cedc784641708d6d5900c6d77ba26839f46b58deea38f9b84a

SHA512
36900663a3cf6b60d7dcefd53f4fbb6fd1edbb354a2e506f15ffaed84261d7a4976ae0e73c714e60819d935a9e89511025049b3bcc1def87e6f3f30b23837c6b

Download Submit
C:\Windows\SysWOW64\wvhht.exe

Filesize
461KB

MD5
0631547eba94198b0f8587a04063a6b7

SHA1
5614850b849bb4adce9d0689ff0f50348d0dd925

SHA256
6091385afb4a46d2aafe5b6aa821f02571dee9458d72992d6e5472c28601b257

SHA512
1dec6b36f7fe6fd1ab8f5284649b168535da2719593438b2290c4732bf5a9adc2b179b7ce189dfe383646b37645b0f2fe7272033d3d5c254125e168247a1d47a

Download Submit
C:\Windows\SysWOW64\wwvap.exe

Filesize
461KB

MD5
fb1aecb5275567b050eb42a6e5b285d6

SHA1
466a6eeaac533cdfd237a02a5ed024899315026f

SHA256
c4de5cd3a02902c40d5b3a50d49731711a439f2cbc696234e824a9f30f9dad82

SHA512
8dfb7720a7e8feb2d4617ea1bd483d396577321c798cf56cc7a44b89ed3183d3056c39c32015dace2e69ffd5942bd4f410c753bf523a390a039cad360a647b96

Download Submit
C:\Windows\SysWOW64\wyfgpe.exe

Filesize
461KB

MD5
6dacefeaa9e722719672efd0071ba0fe

SHA1
16ec075ae5c6d266422448a1612a4fe603adfb38

SHA256
87621657d1ddf93f9c8207954c72d34cc807ec164085174c63ed356557aaf6ac

SHA512
42354f8703c75e9fbe3415d723ca4f707166d656854df83da6bc27b48dd8c3d4331284933b0ef05d2e2b97eb1cb1fed914579624081846239e083f6edc7e2b0d

Download Submit
C:\Windows\SysWOW64\wygi.exe

Filesize
460KB

MD5
0a7da10f847b13b8dd0fc10c755cc52b

SHA1
a7059c58baf5f81568fc88e058f8100c8c9af60b

SHA256
6c589cd267a693214356517e361038e066b0f8142b52e84acccc784795a4dad4

SHA512
f24a9824cb2148d4552203d705332055a4a1f378d4d90eb5309af68706a6d227574a068eb992eef1be91ba8b24a7d00f2064162863c76757b1e4da418eccfd07

Download Submit
C:\Windows\SysWOW64\wywvjed.exe

Filesize
461KB

MD5
a6953d893179d39ff04de9e0d20ea530

SHA1
2f6220bc953f28394f7554d854ba28385cae7e82

SHA256
a7d509ca03fc58e119371650defc1d3c49f2e3e52df6dc24351dd3e8c2bd0e4a

SHA512
482249faf8e667ed9164c49832ed9e372a05dbe0807ac4b6f2f7c1a9e8822acec95975807d70cbbafa4f17225f12f0096cef2590822f5aaf894a7abf7bb92beb

Download Submit
memory/844-352-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/844-362-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/852-321-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/852-333-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1088-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1140-205-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1228-106-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1228-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1420-41-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1420-344-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1420-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1420-332-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1728-353-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1728-343-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1792-371-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1820-258-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2004-379-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2004-247-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2004-370-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2004-237-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2044-73-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-395-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2100-396-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2100-404-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2240-173-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2240-184-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2428-236-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2476-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2476-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2632-149-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2724-216-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2724-204-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2784-174-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2784-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2908-257-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2908-269-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3084-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3084-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3084-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3132-194-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3188-387-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3396-300-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3508-226-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3508-215-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4056-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4080-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4136-116-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4136-105-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4296-420-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4296-268-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4296-279-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4336-290-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4336-280-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4364-301-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4364-311-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4516-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4516-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4636-322-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4744-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4744-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4816-412-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4944-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4948-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5020-51-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download