b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe
Size

225KB
MD5

200671ee14e6589cdbe69985aa0d16b7
SHA1

203928777e94f19a373c8cf9943333840d71ee3d
SHA256

b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5
SHA512

d62843c048eb6c7edda9b25f0201eb903816ea3941f011843cbd598ccbbd3699f66b1a54266d02cb242704a35ff83d735d115ee17f637cc64db79b61ebef2c21
SSDEEP

3072:5YUb5QoJ4g+tknipuH/Zj6Iz1ZdW4SBoC2nH:5YfQ1h6SZI4j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 44 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wdbtumk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wxmo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wobjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wlyunhjqh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wfmhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wioq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wycxyf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wtkdqtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wmakx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wyalmhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wpjmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wofttg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wkvtu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wyxdds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wvugvhpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wflxpkg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wbrimknl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wbdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wegage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wqfeos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wwdrmr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wguwsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wucbcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wnswgna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wkanp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wpdecj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wfbgrir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wvepq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wlhv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wrmlrnwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wmmqjgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wbkqbt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wqbgucxrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wexsgffkl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wrtcumgna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wbfrgc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	weakh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wxpbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	waefoxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wyqmjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wessxsr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wisrr.exe

Executes dropped EXE 44 IoCs

pid	Process
3956	wxmo.exe
4192	wvepq.exe
4384	wexsgffkl.exe
4020	wflxpkg.exe
2340	wbrimknl.exe
216	wlhv.exe
4776	wyqmjo.exe
5036	wrmlrnwc.exe
4072	wmmqjgd.exe
3776	wobjv.exe
1320	wmakx.exe
3048	wrtcumgna.exe
3660	wucbcu.exe
5096	wma.exe
1648	wnswgna.exe
3128	wbfrgc.exe
776	wpjmt.exe
428	weakh.exe
4412	wofttg.exe
4064	wbdu.exe
3964	wegage.exe
3480	wqfeos.exe
5064	wlyunhjqh.exe
4836	wfmhy.exe
4064	wwdrmr.exe
4288	wguwsm.exe
2432	wvugvhpw.exe
4220	wioq.exe
4472	wbkqbt.exe
4552	wyalmhe.exe
4272	wxpbg.exe
3800	wkvtu.exe
1416	wkanp.exe
4836	wpdecj.exe
3300	wessxsr.exe
1624	wqbgucxrq.exe
3408	waefoxt.exe
2496	wyxdds.exe
3064	wycxyf.exe
1704	wfbgrir.exe
4140	wtkdqtx.exe
1804	wdbtumk.exe
4204	wisrr.exe
2340	wrkv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbkqbt.exe	wioq.exe
File opened for modification	C:\Windows\SysWOW64\wpdecj.exe	wkanp.exe
File opened for modification	C:\Windows\SysWOW64\waefoxt.exe	wqbgucxrq.exe
File created	C:\Windows\SysWOW64\wxmo.exe	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe
File created	C:\Windows\SysWOW64\wnswgna.exe	wma.exe
File opened for modification	C:\Windows\SysWOW64\wycxyf.exe	wyxdds.exe
File opened for modification	C:\Windows\SysWOW64\wkanp.exe	wkvtu.exe
File opened for modification	C:\Windows\SysWOW64\wfbgrir.exe	wycxyf.exe
File opened for modification	C:\Windows\SysWOW64\wmmqjgd.exe	wrmlrnwc.exe
File opened for modification	C:\Windows\SysWOW64\wma.exe	wucbcu.exe
File created	C:\Windows\SysWOW64\wessxsr.exe	wpdecj.exe
File created	C:\Windows\SysWOW64\wyxdds.exe	waefoxt.exe
File opened for modification	C:\Windows\SysWOW64\wxmo.exe	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe
File opened for modification	C:\Windows\SysWOW64\wflxpkg.exe	wexsgffkl.exe
File opened for modification	C:\Windows\SysWOW64\wrtcumgna.exe	wmakx.exe
File opened for modification	C:\Windows\SysWOW64\wqfeos.exe	wegage.exe
File created	C:\Windows\SysWOW64\wtkdqtx.exe	wfbgrir.exe
File created	C:\Windows\SysWOW64\wmmqjgd.exe	wrmlrnwc.exe
File created	C:\Windows\SysWOW64\wmakx.exe	wobjv.exe
File opened for modification	C:\Windows\SysWOW64\wrmlrnwc.exe	wyqmjo.exe
File opened for modification	C:\Windows\SysWOW64\wnswgna.exe	wma.exe
File created	C:\Windows\SysWOW64\wguwsm.exe	wwdrmr.exe
File opened for modification	C:\Windows\SysWOW64\wvugvhpw.exe	wguwsm.exe
File created	C:\Windows\SysWOW64\wisrr.exe	wdbtumk.exe
File opened for modification	C:\Windows\SysWOW64\wisrr.exe	wdbtumk.exe
File opened for modification	C:\Windows\SysWOW64\wvepq.exe	wxmo.exe
File created	C:\Windows\SysWOW64\wlhv.exe	wbrimknl.exe
File created	C:\Windows\SysWOW64\wfmhy.exe	wlyunhjqh.exe
File opened for modification	C:\Windows\SysWOW64\wguwsm.exe	wwdrmr.exe
File created	C:\Windows\SysWOW64\wvugvhpw.exe	wguwsm.exe
File created	C:\Windows\SysWOW64\wkanp.exe	wkvtu.exe
File created	C:\Windows\SysWOW64\wpdecj.exe	wkanp.exe
File created	C:\Windows\SysWOW64\wbrimknl.exe	wflxpkg.exe
File opened for modification	C:\Windows\SysWOW64\wucbcu.exe	wrtcumgna.exe
File opened for modification	C:\Windows\SysWOW64\wkvtu.exe	wxpbg.exe
File created	C:\Windows\SysWOW64\wdbtumk.exe	wtkdqtx.exe
File opened for modification	C:\Windows\SysWOW64\wioq.exe	wvugvhpw.exe
File created	C:\Windows\SysWOW64\wyalmhe.exe	wbkqbt.exe
File created	C:\Windows\SysWOW64\wobjv.exe	wmmqjgd.exe
File opened for modification	C:\Windows\SysWOW64\wmakx.exe	wobjv.exe
File created	C:\Windows\SysWOW64\wrtcumgna.exe	wmakx.exe
File created	C:\Windows\SysWOW64\wpjmt.exe	wbfrgc.exe
File created	C:\Windows\SysWOW64\wlyunhjqh.exe	wqfeos.exe
File created	C:\Windows\SysWOW64\wwdrmr.exe	wfmhy.exe
File opened for modification	C:\Windows\SysWOW64\wexsgffkl.exe	wvepq.exe
File opened for modification	C:\Windows\SysWOW64\wbrimknl.exe	wflxpkg.exe
File created	C:\Windows\SysWOW64\wkvtu.exe	wxpbg.exe
File opened for modification	C:\Windows\SysWOW64\wessxsr.exe	wpdecj.exe
File opened for modification	C:\Windows\SysWOW64\wdbtumk.exe	wtkdqtx.exe
File opened for modification	C:\Windows\SysWOW64\wyalmhe.exe	wbkqbt.exe
File created	C:\Windows\SysWOW64\wxpbg.exe	wyalmhe.exe
File opened for modification	C:\Windows\SysWOW64\wegage.exe	wbdu.exe
File created	C:\Windows\SysWOW64\wfbgrir.exe	wycxyf.exe
File opened for modification	C:\Windows\SysWOW64\weakh.exe	wpjmt.exe
File created	C:\Windows\SysWOW64\wegage.exe	wbdu.exe
File opened for modification	C:\Windows\SysWOW64\wpjmt.exe	wbfrgc.exe
File created	C:\Windows\SysWOW64\wbdu.exe	wofttg.exe
File created	C:\Windows\SysWOW64\wqfeos.exe	wegage.exe
File opened for modification	C:\Windows\SysWOW64\wfmhy.exe	wlyunhjqh.exe
File opened for modification	C:\Windows\SysWOW64\wqbgucxrq.exe	wessxsr.exe
File opened for modification	C:\Windows\SysWOW64\wyxdds.exe	waefoxt.exe
File opened for modification	C:\Windows\SysWOW64\wyqmjo.exe	wlhv.exe
File created	C:\Windows\SysWOW64\wma.exe	wucbcu.exe
File opened for modification	C:\Windows\SysWOW64\wtkdqtx.exe	wfbgrir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1100	3776	WerFault.exe	131
5040	4836	WerFault.exe	184
1592	2432	WerFault.exe	195
3956	4552	WerFault.exe	206
3776	3064	WerFault.exe	235
2908	4204	WerFault.exe	249

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3956	4880	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe	97
PID 4880 wrote to memory of 3956	4880	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe	97
PID 4880 wrote to memory of 3956	4880	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe	97
PID 4880 wrote to memory of 2312	4880	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe	99
PID 4880 wrote to memory of 2312	4880	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe	99
PID 4880 wrote to memory of 2312	4880	b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe	99
PID 3956 wrote to memory of 4192	3956	wxmo.exe	102
PID 3956 wrote to memory of 4192	3956	wxmo.exe	102
PID 3956 wrote to memory of 4192	3956	wxmo.exe	102
PID 3956 wrote to memory of 4948	3956	wxmo.exe	103
PID 3956 wrote to memory of 4948	3956	wxmo.exe	103
PID 3956 wrote to memory of 4948	3956	wxmo.exe	103
PID 4192 wrote to memory of 4384	4192	wvepq.exe	107
PID 4192 wrote to memory of 4384	4192	wvepq.exe	107
PID 4192 wrote to memory of 4384	4192	wvepq.exe	107
PID 4192 wrote to memory of 4512	4192	wvepq.exe	108
PID 4192 wrote to memory of 4512	4192	wvepq.exe	108
PID 4192 wrote to memory of 4512	4192	wvepq.exe	108
PID 4384 wrote to memory of 4020	4384	wexsgffkl.exe	110
PID 4384 wrote to memory of 4020	4384	wexsgffkl.exe	110
PID 4384 wrote to memory of 4020	4384	wexsgffkl.exe	110
PID 4384 wrote to memory of 4652	4384	wexsgffkl.exe	111
PID 4384 wrote to memory of 4652	4384	wexsgffkl.exe	111
PID 4384 wrote to memory of 4652	4384	wexsgffkl.exe	111
PID 4020 wrote to memory of 2340	4020	wflxpkg.exe	113
PID 4020 wrote to memory of 2340	4020	wflxpkg.exe	113
PID 4020 wrote to memory of 2340	4020	wflxpkg.exe	113
PID 4020 wrote to memory of 428	4020	wflxpkg.exe	114
PID 4020 wrote to memory of 428	4020	wflxpkg.exe	114
PID 4020 wrote to memory of 428	4020	wflxpkg.exe	114
PID 2340 wrote to memory of 216	2340	wbrimknl.exe	116
PID 2340 wrote to memory of 216	2340	wbrimknl.exe	116
PID 2340 wrote to memory of 216	2340	wbrimknl.exe	116
PID 2340 wrote to memory of 4088	2340	wbrimknl.exe	117
PID 2340 wrote to memory of 4088	2340	wbrimknl.exe	117
PID 2340 wrote to memory of 4088	2340	wbrimknl.exe	117
PID 216 wrote to memory of 4776	216	wlhv.exe	120
PID 216 wrote to memory of 4776	216	wlhv.exe	120
PID 216 wrote to memory of 4776	216	wlhv.exe	120
PID 216 wrote to memory of 2544	216	wlhv.exe	121
PID 216 wrote to memory of 2544	216	wlhv.exe	121
PID 216 wrote to memory of 2544	216	wlhv.exe	121
PID 4776 wrote to memory of 5036	4776	wyqmjo.exe	123
PID 4776 wrote to memory of 5036	4776	wyqmjo.exe	123
PID 4776 wrote to memory of 5036	4776	wyqmjo.exe	123
PID 4776 wrote to memory of 3408	4776	wyqmjo.exe	124
PID 4776 wrote to memory of 3408	4776	wyqmjo.exe	124
PID 4776 wrote to memory of 3408	4776	wyqmjo.exe	124
PID 5036 wrote to memory of 4072	5036	wrmlrnwc.exe	127
PID 5036 wrote to memory of 4072	5036	wrmlrnwc.exe	127
PID 5036 wrote to memory of 4072	5036	wrmlrnwc.exe	127
PID 5036 wrote to memory of 5040	5036	wrmlrnwc.exe	128
PID 5036 wrote to memory of 5040	5036	wrmlrnwc.exe	128
PID 5036 wrote to memory of 5040	5036	wrmlrnwc.exe	128
PID 4072 wrote to memory of 3776	4072	wmmqjgd.exe	131
PID 4072 wrote to memory of 3776	4072	wmmqjgd.exe	131
PID 4072 wrote to memory of 3776	4072	wmmqjgd.exe	131
PID 4072 wrote to memory of 1592	4072	wmmqjgd.exe	132
PID 4072 wrote to memory of 1592	4072	wmmqjgd.exe	132
PID 4072 wrote to memory of 1592	4072	wmmqjgd.exe	132
PID 3776 wrote to memory of 1320	3776	wobjv.exe	137
PID 3776 wrote to memory of 1320	3776	wobjv.exe	137
PID 3776 wrote to memory of 1320	3776	wobjv.exe	137
PID 3776 wrote to memory of 772	3776	wobjv.exe	138

C:\Users\Admin\AppData\Local\Temp\b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe
"C:\Users\Admin\AppData\Local\Temp\b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\wxmo.exe
  "C:\Windows\system32\wxmo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\wvepq.exe
    "C:\Windows\system32\wvepq.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\wexsgffkl.exe
      "C:\Windows\system32\wexsgffkl.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\SysWOW64\wflxpkg.exe
        
        "C:\Windows\system32\wflxpkg.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\wbrimknl.exe
        
        "C:\Windows\system32\wbrimknl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\wlhv.exe
        
        "C:\Windows\system32\wlhv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\wyqmjo.exe
        
        "C:\Windows\system32\wyqmjo.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\wrmlrnwc.exe
        
        "C:\Windows\system32\wrmlrnwc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\wmmqjgd.exe
        
        "C:\Windows\system32\wmmqjgd.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\wobjv.exe
        
        "C:\Windows\system32\wobjv.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\wmakx.exe
        
        "C:\Windows\system32\wmakx.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\wrtcumgna.exe
        
        "C:\Windows\system32\wrtcumgna.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\wucbcu.exe
        
        "C:\Windows\system32\wucbcu.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\wma.exe
        
        "C:\Windows\system32\wma.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\wnswgna.exe
        
        "C:\Windows\system32\wnswgna.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\wbfrgc.exe
        
        "C:\Windows\system32\wbfrgc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\wpjmt.exe
        
        "C:\Windows\system32\wpjmt.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\weakh.exe
        
        "C:\Windows\system32\weakh.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\wofttg.exe
        
        "C:\Windows\system32\wofttg.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\wbdu.exe
        
        "C:\Windows\system32\wbdu.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\wegage.exe
        
        "C:\Windows\system32\wegage.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wqfeos.exe
        
        "C:\Windows\system32\wqfeos.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\wlyunhjqh.exe
        
        "C:\Windows\system32\wlyunhjqh.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\wfmhy.exe
        
        "C:\Windows\system32\wfmhy.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\wwdrmr.exe
        
        "C:\Windows\system32\wwdrmr.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\wguwsm.exe
        
        "C:\Windows\system32\wguwsm.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\wvugvhpw.exe
        
        "C:\Windows\system32\wvugvhpw.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\wioq.exe
        
        "C:\Windows\system32\wioq.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\wbkqbt.exe
        
        "C:\Windows\system32\wbkqbt.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\wyalmhe.exe
        
        "C:\Windows\system32\wyalmhe.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\wxpbg.exe
        
        "C:\Windows\system32\wxpbg.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\wkvtu.exe
        
        "C:\Windows\system32\wkvtu.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\wkanp.exe
        
        "C:\Windows\system32\wkanp.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\wpdecj.exe
        
        "C:\Windows\system32\wpdecj.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\wessxsr.exe
        
        "C:\Windows\system32\wessxsr.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\wqbgucxrq.exe
        
        "C:\Windows\system32\wqbgucxrq.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\waefoxt.exe
        
        "C:\Windows\system32\waefoxt.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\wyxdds.exe
        
        "C:\Windows\system32\wyxdds.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wycxyf.exe
        
        "C:\Windows\system32\wycxyf.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wfbgrir.exe
        
        "C:\Windows\system32\wfbgrir.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\wtkdqtx.exe
        
        "C:\Windows\system32\wtkdqtx.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\wdbtumk.exe
        
        "C:\Windows\system32\wdbtumk.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wisrr.exe
        
        "C:\Windows\system32\wisrr.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\wrkv.exe
        
        "C:\Windows\system32\wrkv.exe"
        45⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisrr.exe"
        45⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1280
        45⤵
        Program crash
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbtumk.exe"
        44⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkdqtx.exe"
        43⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbgrir.exe"
        42⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycxyf.exe"
        41⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1424
        41⤵
        Program crash
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdds.exe"
        40⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waefoxt.exe"
        39⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbgucxrq.exe"
        38⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wessxsr.exe"
        37⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdecj.exe"
        36⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkanp.exe"
        35⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvtu.exe"
        34⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpbg.exe"
        33⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyalmhe.exe"
        32⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1456
        32⤵
        Program crash
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkqbt.exe"
        31⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioq.exe"
        30⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvugvhpw.exe"
        29⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1396
        29⤵
        Program crash
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguwsm.exe"
        28⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdrmr.exe"
        27⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmhy.exe"
        26⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1436
        26⤵
        Program crash
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyunhjqh.exe"
        25⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfeos.exe"
        24⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegage.exe"
        23⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdu.exe"
        22⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofttg.exe"
        21⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weakh.exe"
        20⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjmt.exe"
        19⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfrgc.exe"
        18⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnswgna.exe"
        17⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wma.exe"
        16⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucbcu.exe"
        15⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtcumgna.exe"
        14⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmakx.exe"
        13⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobjv.exe"
        12⤵
        
        PID:772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1452
        12⤵
        Program crash
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmqjgd.exe"
        11⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmlrnwc.exe"
        10⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqmjo.exe"
        9⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhv.exe"
        8⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrimknl.exe"
        7⤵
        
        PID:4088
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflxpkg.exe"
        6⤵
        
        PID:428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexsgffkl.exe"
        5⤵
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvepq.exe"
      4⤵
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmo.exe"
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\b44a1586cf5340746087dcf2d6220912990c5231f0113be76b52a29f9f5397a5.exe"
  2⤵
  PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3776 -ip 3776
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4836 -ip 4836
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2432 -ip 2432
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4552 -ip 4552
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3064 -ip 3064
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4204 -ip 4204
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbdu.exe

Filesize
226KB

MD5
25e6dc0ea8b549094d79188e0911d7bd

SHA1
3dd965e8a5964e5b79c464cd7fcbf1af672056bd

SHA256
1e5fae2db777fb253fb2cb53a517a93371ecd7ccf76012907577569cf7b5aef6

SHA512
eb051f891aa30594a9c7d64e950d86acbd7948cc9eafe5a41ee5f6730adfecde1c19cc39b8fc45eb385fc39b7dde6bd1053d02aad4a8ee3c8fada53ad6877784

Download Submit
C:\Windows\SysWOW64\wbfrgc.exe

Filesize
225KB

MD5
46d354f6b00d15003fef4e7856b53a03

SHA1
f1ec6c13f8df645935781788e5136e129d0ffb67

SHA256
c56cf76a32af8d4cb24815015af6f2dcdd3ed9541b3650bddb9b8dd7a6dab824

SHA512
ca9e86419117ece615a958bb4ba09381e75305f8013337565beb9fef91741f41d0b4190439ec34b65c603d165a915723d4401c595db4fcf1732fd7e78699dd0b

Download Submit
C:\Windows\SysWOW64\wbkqbt.exe

Filesize
226KB

MD5
e133bab11ffcf2e579054ffc3ec52e24

SHA1
ad34a6fbbfa23838afec1bd6279f8fdf7a089640

SHA256
a6592c54abfb4e3ec9d29778b3a8732204cf66c43886ac49e78b2ff53a3a2e47

SHA512
2329b826ee3901d3c4932763aa5e30e2d0c87b0e04139f2298ed3f74af54e931da56cd001e70e2fe0fa539d4dab52d4f54396059b31b78721deb2d46cde9a485

Download Submit
C:\Windows\SysWOW64\wbrimknl.exe

Filesize
225KB

MD5
fa9e990f75fd02cb8afe394b29085d32

SHA1
cb55a7383fe5188ccc03fc1f59a0c6f058e8411e

SHA256
fbd4f9cb6d8aa525d5693248c42fa4464d39eaf6d79186aaabcf74ade151c232

SHA512
9dc7b136249ee651c10247da2115b1fe876cab01972d644b31335869297f7fd30e12f401e18575f90823aca8a67ddc0e74ca1c0776ec2aa04a1ed7aded4b6db7

Download Submit
C:\Windows\SysWOW64\weakh.exe

Filesize
226KB

MD5
1921242b3cd56a0557a7b22f34c209cb

SHA1
b182ffeb46237721ed0279e396d744fd51af78e3

SHA256
d54dc4749e10765ad5982ae1f2524b1efd53fb16b7fa78fb7a6b0f33cc13cd62

SHA512
4839c322889ae629ade00d8d8aab1c6cc41a1b6f872186ce131732271ca30c4577a64fe906703eee5a387ff6a30bc7244558648689e77014f035280c1dec46ef

Download Submit
C:\Windows\SysWOW64\wegage.exe

Filesize
226KB

MD5
7f59d4f949b11869c1a8d65f85f7d45e

SHA1
878e94f803977229861ff7e873d34d11bb6293b0

SHA256
0465f9f37a9692ff9da1fb62a58cf5a069c25774dcc78d3a9615559a0904dc2d

SHA512
59f59ea6c16118f8ffa1f34a8b7e3ca3e8f59cc9b6b122ff2094b323555dd6d5f9cbd2138453228349bc4501a32de556b530e4443ddb1abd52d215aa784c61d1

Download Submit
C:\Windows\SysWOW64\wexsgffkl.exe

Filesize
225KB

MD5
d7f9f3212c05e6477f01773e8efa4fae

SHA1
47743f976afc4b4db3fee05e0c893d436720dcd7

SHA256
f4d41c58ae2f50397ad897082073a6c2362013923a67d65471a34a92b384aba3

SHA512
baf665d0f17ed1983992c087c7cb6dc0c7e74cc254f0a5a7093c612695d16cbd146f7d74d6266e847633dd6e6f9992da6924fca891b423f3ec7b8d62a9f17776

Download Submit
C:\Windows\SysWOW64\wflxpkg.exe

Filesize
225KB

MD5
2cdad2d4e80baed3b0016a5f759a0e7d

SHA1
4a5f5f47d4cf5a59b41f6e59c9ce25be98895669

SHA256
e09d8f7ca73f7d7e05940905dc37ff734a25d226da5772773cfc72e9a5366dc2

SHA512
ba0a6ac652cd6ae09b51515758f7527280136b563eb448d7058b568c7dc626f86d15cd574b40a8087c0e3338e3dc30645d1c29b5a670f0ab705984c3e01b67ee

Download Submit
C:\Windows\SysWOW64\wfmhy.exe

Filesize
226KB

MD5
57da99e6d3bdebe6e53e349ef7071104

SHA1
113dbf12ba1603a08444f0a41fe17d4f06adc9fe

SHA256
9a002068257cd6d6dfc47f8dff64dc4302b6b141c0e040febece2bd010f4b67f

SHA512
215fbe3fa75cc3f00c50d9412da0c1cd78dcf4741d9d6e7730e593dcf51db34cca6c23a58cc9e964b11ce61ed8944d9fa6ba37858c4979ea202f1de0638d52e9

Download Submit
C:\Windows\SysWOW64\wguwsm.exe

Filesize
226KB

MD5
0667083badd9b32007667444a25c2ac5

SHA1
ad4b94826d01a9a45788ce41fdd6cbb7c52aca38

SHA256
8de953e970b55a2ee70b0640d2dc86a5dbc13b1f84f100fb1bf36801d65d8384

SHA512
e813eda0cc9d397666a0245eb2e5ffd416969d5ce97ed97daa2e667c42d43478b6c2e7b5d5d0a8b5994b8b0efc5d47a9118beaaf0ef81ef8da8d7631230a5265

Download Submit
C:\Windows\SysWOW64\wioq.exe

Filesize
226KB

MD5
437f01f92068403c1f18fe882a1ab378

SHA1
4bc63ac5fb25bbee0d3cf51a81343f0ccb28d363

SHA256
20a5a481a81c9ba0787ae619ec700323e2caa530f8c5bc9e02c25c7a6ec6a918

SHA512
6169726dee03ed5b1feafa0dc69d26f4a9f91d9776b1ba5849e5fe9bf1f6fb1388022dc94a68bbc5ce98db2f8f1275126bf32856051ee8efb233453d08dd16c0

Download Submit
C:\Windows\SysWOW64\wkvtu.exe

Filesize
226KB

MD5
5d18292a0835ac50815124d1b129bc6c

SHA1
e49cc35bbf3a171c69b6689291250529a662dea3

SHA256
a404969da34aba70cf868cd1400f6244b72c0ed1ccbd8256676da9da8683fa05

SHA512
96ecb229f0210467a258095964469f576bb0b60fea6d4d545eda470feb28663cfe8d708cfa6f11a94707c7daee15cb473c99e13604ebe684ceb498d856f291ef

Download Submit
C:\Windows\SysWOW64\wlhv.exe

Filesize
225KB

MD5
1af1ee1568e11a44e187d6e99d4a6865

SHA1
79d704db6cdd5349f2836cc5fb1580a0fb66f0b0

SHA256
d0534f99a3666a6781932c432a8593409d093863aa994a877c1bb77b087818ae

SHA512
44446b3b521da516900f9a1e21e9c4b8dbcbcd3ae0c850678d3ee0cb2612925b12ae76673c57bf175bcddcaf3028fbe5397e92061eb771745b26f0af52caee06

Download Submit
C:\Windows\SysWOW64\wlyunhjqh.exe

Filesize
226KB

MD5
29649baf3dfe60e08685d0c9f892e549

SHA1
15b93d2179aea7a5dde5e6f19d1760e55e5cee03

SHA256
b8ece422e6d5765c02b9a04c786b3905d29e98dd4f6fb8baec7067da02f88e8d

SHA512
8207b16a98ab46f61520d3e36b8d29ae34103901d087c1bdd89330bd977e787362230b9a465120a46f4d5850990f5e9373a15784df2b8b666092f6a593a6638b

Download Submit
C:\Windows\SysWOW64\wma.exe

Filesize
225KB

MD5
018262889ad8a1591f8915b8acfec668

SHA1
06693e0c31ec97669689539ab40017f7e80af8cf

SHA256
8113637351f4a62c1a572207c01fdd004e24a0c6be641350bf3a038ba4318932

SHA512
511c6f2da491e305a6d6936763ba925dd702b3a2c5691ba7d2f9e9b6410a9d7f0db76c68a7c4a497b3d0864e17eb95a0bb52cbce439ae8de73dea3b84f7f86b0

Download Submit
C:\Windows\SysWOW64\wmakx.exe

Filesize
225KB

MD5
7246ef1c9f7f8bb999ff18f16a4e7b7f

SHA1
835ad01e3ff520e402485637fc078243613e0c8e

SHA256
f468e80aa7fbfaed7cad7ab4aa96518b75f49547afe0f276ce19f876f41a5002

SHA512
fb21cc1b350e8ce1d47d71f195f4cbd7bf5f6b13fe083d85f3c3137fe03a638da60e0eb8c7e12008916b1e4e2f88794de04a22615f764634984a99e38cf40f53

Download Submit
C:\Windows\SysWOW64\wmmqjgd.exe

Filesize
225KB

MD5
64c2b31677f8ec6f779b47bfa120a310

SHA1
f0561127f7116d5db21fe47fa22930aaa0471e03

SHA256
7b8f3e40115b3b8b1d7b10b6e6487b43aaf70681102d5bc199e34c1083ef032e

SHA512
b714f1c1c18f6d6c9b485134ce796e057574bb324f57025f48d89feba27b6a3dacf9a76ebf9b85d2f2e742bb9370a26788ed69b1c29526f95160fdf0f3f46405

Download Submit
C:\Windows\SysWOW64\wnswgna.exe

Filesize
225KB

MD5
6114c33760eb537cd4860e61ff5b39ad

SHA1
0d76f51f3a2d61c8fa9746780e8b88a3ff25e7e9

SHA256
c46517ae836e5dd9b90e0336a2c0a0fc04da8eea9232fee57a2d758bff11cab3

SHA512
9f33d50ddf128cd1b05a018534890a71cf1612e45d5547e23ce8c6098e88bd0c0bb6414246869274c0483aba72e88b320ef5786638e2fc4ab8532d20464472f9

Download Submit
C:\Windows\SysWOW64\wobjv.exe

Filesize
225KB

MD5
8082e50cf7ec01e875c93a4a79a097a5

SHA1
0fcefd9ed3a4868edb9c8d960e475da9b51ed1a8

SHA256
84d70e814ee3272f63e19ea09c6182bab2102e8b946be2cc6171567d2c7cfcb6

SHA512
b0b4ff337c4e5512d2ec2ae2da559a4b29ce84e38b02fe8f21e5e716be8ffb29b64b15c14476c6bd90f7c9db500bfe2e0d400b038e62bfe28bd0e265387c97dc

Download Submit
C:\Windows\SysWOW64\wofttg.exe

Filesize
226KB

MD5
06183832a00447b4ca06bfc7873a216b

SHA1
036cac8fac55f54e671c0fb2a1f434befc371821

SHA256
e05a69ff100383d7aaf9a0c6657e6082e98859f3fd41761e4387fcb9d61aa0db

SHA512
d8673b34b453f6a51f535cbea10d1a6112e1ba1cfd1ac87752b5ea9185a912cc0085ac7abf0d31ac28674c1e016d6f0e709b44b8050386db94a437f4403b740a

Download Submit
C:\Windows\SysWOW64\wpjmt.exe

Filesize
226KB

MD5
45ccbc3344ce531a40f575f25f523932

SHA1
aa2e6264d505a0398308dc4ab4cab9f483388f37

SHA256
6861ea3929cf0c46b9e5a08502db2ccee8da52bbe12a0375109a5010b3c28bd5

SHA512
c46e04fc71aece21b08dba93bc1ce59b0ffd3de74e666ccde91cb5fb268a0093eee305a1d61ce6b13ac616ab3a9c3fabba4d22f75a41715a93504c7183d8c558

Download Submit
C:\Windows\SysWOW64\wqfeos.exe

Filesize
226KB

MD5
83ba19b4b5a5c73cad136baf439fb628

SHA1
f99760a150f0ece4851216a4e373f8c1e463071e

SHA256
a0a55a51edb1ed21914ec58c3d2e4b27fbadaf2e121d3e2ad87020b6a8c89ccf

SHA512
2087b4f0f203efdfd34ac981fdce3f03080683d7ce6ffbdb556a7dbfa3d33ea0a7781439cf755c49879dfb323aba8eea7629455748cc1866b51a0294a3753292

Download Submit
C:\Windows\SysWOW64\wrmlrnwc.exe

Filesize
225KB

MD5
53320728949501d1360d4d4455b34e4b

SHA1
a739817373c6ec09af94235fb331a1668620bb5e

SHA256
ef6d662dfe09f3b817fff4326d1fd3d683c348fbd7777767102642deae0c68e4

SHA512
27eb49222e93891b371f91104fde145b25fefcd77a0689935334062c4ca6b8143ea3b15f1fd3bec8e1d27f1fd6595dc998181162d26e0b3e96acc98ccec6fa20

Download Submit
C:\Windows\SysWOW64\wrtcumgna.exe

Filesize
225KB

MD5
783d44b22eaab00282ea505aad568fc1

SHA1
66879029bc000cc4747952bcdb36a382dc0847ee

SHA256
1fde40cbefce8042f52de1964cf6524d405962c8b68a05ad0931e33c97df9d31

SHA512
25073116732484b9e52c91425b077c73a86445ce96bda953f9856fa3690b3ee31f243068baf2812999deafdb2b8e9533bbc3819927cb8279489795680e4c3aec

Download Submit
C:\Windows\SysWOW64\wucbcu.exe

Filesize
152KB

MD5
97a0be95fb365f1b60129a1e513db3e7

SHA1
cc1a0c7a5d9e1285bf8c2ad45d471c12e7862a05

SHA256
abddfb0c1e38af1727249545e850e0e946d8906fce09e8f2091080f9866fa766

SHA512
ee17fcc0003a253c408facede850e625080a84056bd45cc4c899d4887f6300caecb4d94a16b5cfef0f404c73d5134b087f74df1d2e4124008dd795971ef4f318

Download Submit
C:\Windows\SysWOW64\wucbcu.exe

Filesize
195KB

MD5
e2a10027a11fcb66a4a36bfb2d52f30a

SHA1
2877c44e4da613570b681523dd14ec58d2e0e55e

SHA256
2ad984ee9c69438125bbd4624a9d5bd0f180a570db9b09d83fd36eb41231ecce

SHA512
da5a8c6b7829a9a313ee5ff0f7a017cb185cf043a6dad3d0d2e0ddd9f528497234ac745ee268e4a51803589d6540bd45d1ca9f249cd528ea0ec7078e60a3bf7a

Download Submit
C:\Windows\SysWOW64\wvepq.exe

Filesize
225KB

MD5
f9f288d9657c54264fb713be62be878b

SHA1
5856902fb11847bee89f61864e132ea93b1588d9

SHA256
f3d41b26cacd0b2fc02dd65db2d366234a737c77128a9ddd27e110be4be598cc

SHA512
92dc43344928e93759cffe681d7c8272c73bba8036ce6edb697427b5d6178e33003a7875ba5091180234b565594b74971a2eb17a09e1790b74f01fe96d9dda77

Download Submit
C:\Windows\SysWOW64\wvugvhpw.exe

Filesize
226KB

MD5
29e7fbf08267dc60dc96c2bc3049e567

SHA1
fff5b3313a1cd96b908fdc4e0e5d93fc6b43fb39

SHA256
94216f1cec3ed96f7660a5e5539cc9feb42ca61f9df7238f16b8721ff5f482a7

SHA512
16efda26a962deba57c1fcc3364b040809b1ba145b30602bfa495c748c32f10bcd70ec5edc61208f8d70411f1f459a9f1c209635fb6fe1d006dbfd05e233d870

Download Submit
C:\Windows\SysWOW64\wwdrmr.exe

Filesize
226KB

MD5
6df3f236d98260bec767ca003e6ac161

SHA1
6ba16429ec12ce12e425eb9f5e99bf21dd8a8928

SHA256
8d581fd9097e980d79cec7f16aa110bf8848892f67a69d6bc16a697de057f3ac

SHA512
414e5e39f067f61800760f6af0191ec1036cab4175db4438d6f0c059393449c6dc234afa19215ce2e2407daebc93380beda36e519087dbd6e6f506d7a894e75c

Download Submit
C:\Windows\SysWOW64\wxmo.exe

Filesize
225KB

MD5
70e66b94753ce6f5e64c7ff610bd2adc

SHA1
a5e24c96ca25f6a890ca00edb349edb69861004f

SHA256
39e97db24d9472c28d3776049c910642d56d708f03fe66f91e0dbc05d6ea98d2

SHA512
2a03b50e4c611562510e72317348b02a5d439a3a88db76a09ca4483c3d5c44dbcb1a4fb7312433d53033c5ae8b4501c9e5a7259196faecd1ae10692970b896e2

Download Submit
C:\Windows\SysWOW64\wxpbg.exe

Filesize
226KB

MD5
d4e9fbdc224af909502c317231be0205

SHA1
d24321f5819578ebfc4f64acda2a75da42790eab

SHA256
af1bbd3c92f413fe04e6f679ba2665acd18b57ddf01ef24ecb91fa4596e3f0b2

SHA512
ddb90ddbc9d5ba7e9ee7e5a8d6924d83d312080366ae72277802432765d6d97f955399bca69128bc88620f8f5bc675abf1399c03eabc733697b7e9c8fe7502ec

Download Submit
C:\Windows\SysWOW64\wyalmhe.exe

Filesize
226KB

MD5
5a8cd80b3b76462e8e3ef1cac32f4774

SHA1
3cae4e5c565b25e1be18d76eb2252d8e3680e0e4

SHA256
4c0fd90691bc8e9fef8834c3e9dec7ae47ee1efd7e13c6d06c82730152a41778

SHA512
b3531bbf556541edd59bd9ce19073de71a88045e0f9f1fb7bc0a1b61ba5855444981d84b84e2754529e5d3fbf6e4427fc93668040be5d5da8fd05e40431c6d62

Download Submit
C:\Windows\SysWOW64\wyqmjo.exe

Filesize
225KB

MD5
6631ed10476cce88a963149dba611157

SHA1
fb9230278fc5b1af85eab9e492e5263c28e619ca

SHA256
6472865dbdd025299ea491d50ce37dae42dfde23cd9d08dba8f3b0a5a276caa3

SHA512
1e7fa1c3ca0a1b69be7113959310d18130f409d7c42c03c01d7e8b87f8147d36adcb68be57258dea4913c001a4077b9898fef1e35114f9a9a6f73dcc1da90224

Download Submit
memory/216-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/428-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/776-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1320-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1320-113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1416-350-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1624-374-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1648-166-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1648-154-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1704-405-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1804-422-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2340-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2432-323-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2496-390-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3128-176-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3128-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3300-366-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3408-382-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3480-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3660-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3776-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3776-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3800-342-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3956-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3964-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4020-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4064-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4064-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4064-219-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4064-259-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4072-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4140-414-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4192-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4192-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4220-301-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4272-333-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4288-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4288-269-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-41-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4412-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4412-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4472-312-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4472-300-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4552-322-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4776-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-302-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-358-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4880-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4880-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5036-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5064-249-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5096-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download