020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
Size

84KB
MD5

b637ddd656d25a63d680fc7563777bbd
SHA1

a1b251f73297e3684e4f1c8bc7b07f47c3dc6f46
SHA256

020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c
SHA512

69e69aebd5185ab0bf9cbe920a1b301089e9d751e1b9ab9385058146c3829c50d48bd8350cc3e8530a6af635ccdbe93abeb79add0945faabff02eb338ee2d38c
SSDEEP

1536:azUQz74LIvK/+Czax4IHVdmRvW1BDVwrVXwXaE:qUQz74TmFnmRvW1gXwqE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 62 IoCs

pid	Process
3032	wfuena.exe
2664	wlemxy.exe
568	wqtpwfh.exe
2080	wdsulu.exe
2920	wkrpywo.exe
592	wssloycl.exe
2412	wugcvf.exe
2172	wsiurfrp.exe
2628	wfk.exe
2472	wbuott.exe
2824	wtnhfy.exe
1204	wckfrwg.exe
812	wivvhe.exe
2360	watwlly.exe
1604	warryc.exe
2152	wtuli.exe
3044	wlgcgm.exe
2604	wbhot.exe
2660	wodln.exe
1520	wfbmsp.exe
1856	warvutvjm.exe
1336	wkvvup.exe
1980	wbydcqw.exe
2680	wbwvpi.exe
2520	wctqcydk.exe
316	wrdcphm.exe
1904	wmnwkjv.exe
1496	wjfmlfsaw.exe
2200	wrtlcdx.exe
1664	wikltmn.exe
1800	wlsmfvfy.exe
3028	wdrn.exe
1548	wuwdulfe.exe
2412	wgwtb.exe
2488	wvhse.exe
2992	wrtgto.exe
2208	wilfmxh.exe
1668	wbmxuei.exe
2104	wwkvqciun.exe
2284	wxqob.exe
2952	wjtobqo.exe
536	wrvdjnhjt.exe
1400	wnnysna.exe
3044	wmktgfeyu.exe
2504	wujnth.exe
2168	wobkdhk.exe
1084	wxhune.exe
2228	wuae.exe
2904	wlwgy.exe
1664	wahtmfsl.exe
1964	wbecgs.exe
484	wynstnl.exe
1400	wxpgsjq.exe
2580	wwgmpj.exe
2504	wlmtqwc.exe
944	whlr.exe
1788	wiocuhq.exe
1464	wxmps.exe
2416	wrpib.exe
1768	woonxnu.exe
2752	wfxoqvdf.exe
316	wjidb.exe

Loads dropped DLL 64 IoCs

pid	Process
2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
3032	wfuena.exe
3032	wfuena.exe
3032	wfuena.exe
3032	wfuena.exe
3032	wfuena.exe
2664	wlemxy.exe
2664	wlemxy.exe
2664	wlemxy.exe
2664	wlemxy.exe
2664	wlemxy.exe
568	wqtpwfh.exe
568	wqtpwfh.exe
568	wqtpwfh.exe
568	wqtpwfh.exe
568	wqtpwfh.exe
2080	wdsulu.exe
2080	wdsulu.exe
2080	wdsulu.exe
2080	wdsulu.exe
2080	wdsulu.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2920	wkrpywo.exe
2920	wkrpywo.exe
2920	wkrpywo.exe
2920	wkrpywo.exe
2920	wkrpywo.exe
592	wssloycl.exe
592	wssloycl.exe
592	wssloycl.exe
592	wssloycl.exe
592	wssloycl.exe
2412	wugcvf.exe
2412	wugcvf.exe
2412	wugcvf.exe
2412	wugcvf.exe
2412	wugcvf.exe
2172	wsiurfrp.exe
2172	wsiurfrp.exe
2172	wsiurfrp.exe
2172	wsiurfrp.exe
2172	wsiurfrp.exe
2628	wfk.exe
2628	wfk.exe
2628	wfk.exe
2628	wfk.exe
2628	wfk.exe
2472	wbuott.exe
2472	wbuott.exe
2472	wbuott.exe
2472	wbuott.exe
2472	wbuott.exe
2824	wtnhfy.exe
2824	wtnhfy.exe
2824	wtnhfy.exe
2824	wtnhfy.exe
2824	wtnhfy.exe
1204	wckfrwg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wkrpywo.exe	wdsulu.exe
File opened for modification	C:\Windows\SysWOW64\wrtgto.exe	wvhse.exe
File opened for modification	C:\Windows\SysWOW64\wbmxuei.exe	wilfmxh.exe
File created	C:\Windows\SysWOW64\wxqob.exe	wwkvqciun.exe
File opened for modification	C:\Windows\SysWOW64\wnnysna.exe	wrvdjnhjt.exe
File opened for modification	C:\Windows\SysWOW64\wssloycl.exe	wkrpywo.exe
File opened for modification	C:\Windows\SysWOW64\wsiurfrp.exe	wugcvf.exe
File opened for modification	C:\Windows\SysWOW64\wtuli.exe	warryc.exe
File created	C:\Windows\SysWOW64\wujnth.exe	wmktgfeyu.exe
File created	C:\Windows\SysWOW64\wnnysna.exe	wrvdjnhjt.exe
File opened for modification	C:\Windows\SysWOW64\wlmtqwc.exe	wwgmpj.exe
File created	C:\Windows\SysWOW64\wlgcgm.exe	wtuli.exe
File created	C:\Windows\SysWOW64\wdrn.exe	wlsmfvfy.exe
File created	C:\Windows\SysWOW64\wahtmfsl.exe	wlwgy.exe
File created	C:\Windows\SysWOW64\wfxoqvdf.exe	woonxnu.exe
File created	C:\Windows\SysWOW64\wfuena.exe	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
File created	C:\Windows\SysWOW64\wbwvpi.exe	wbydcqw.exe
File created	C:\Windows\SysWOW64\wrdcphm.exe	wctqcydk.exe
File opened for modification	C:\Windows\SysWOW64\wdrn.exe	wlsmfvfy.exe
File created	C:\Windows\SysWOW64\wjtobqo.exe	wxqob.exe
File opened for modification	C:\Windows\SysWOW64\woonxnu.exe	wrpib.exe
File created	C:\Windows\SysWOW64\wwgmpj.exe	wxpgsjq.exe
File opened for modification	C:\Windows\SysWOW64\wjfgft.exe	wjidb.exe
File created	C:\Windows\SysWOW64\wmnwkjv.exe	wrdcphm.exe
File created	C:\Windows\SysWOW64\wlwgy.exe	wuae.exe
File opened for modification	C:\Windows\SysWOW64\wrvdjnhjt.exe	wjtobqo.exe
File created	C:\Windows\SysWOW64\wxpgsjq.exe	wynstnl.exe
File created	C:\Windows\SysWOW64\wsiurfrp.exe	wugcvf.exe
File opened for modification	C:\Windows\SysWOW64\wfbmsp.exe	wodln.exe
File created	C:\Windows\SysWOW64\wctqcydk.exe	wbwvpi.exe
File created	C:\Windows\SysWOW64\wvhse.exe	wgwtb.exe
File opened for modification	C:\Windows\SysWOW64\wxqob.exe	wwkvqciun.exe
File opened for modification	C:\Windows\SysWOW64\wlwgy.exe	wuae.exe
File created	C:\Windows\SysWOW64\woonxnu.exe	wrpib.exe
File created	C:\Windows\SysWOW64\wssloycl.exe	wkrpywo.exe
File created	C:\Windows\SysWOW64\wuae.exe	wxhune.exe
File opened for modification	C:\Windows\SysWOW64\wodln.exe	wbhot.exe
File opened for modification	C:\Windows\SysWOW64\wuwdulfe.exe	wdrn.exe
File opened for modification	C:\Windows\SysWOW64\wuae.exe	wxhune.exe
File opened for modification	C:\Windows\SysWOW64\wrpib.exe	wxmps.exe
File created	C:\Windows\SysWOW64\wlemxy.exe	wfuena.exe
File created	C:\Windows\SysWOW64\wbuott.exe	wfk.exe
File opened for modification	C:\Windows\SysWOW64\wbuott.exe	wfk.exe
File created	C:\Windows\SysWOW64\wobkdhk.exe	wujnth.exe
File created	C:\Windows\SysWOW64\wxmps.exe	wiocuhq.exe
File created	C:\Windows\SysWOW64\wbydcqw.exe	wkvvup.exe
File opened for modification	C:\Windows\SysWOW64\wjfmlfsaw.exe	wmnwkjv.exe
File created	C:\Windows\SysWOW64\wilfmxh.exe	wrtgto.exe
File opened for modification	C:\Windows\SysWOW64\wxpgsjq.exe	wynstnl.exe
File opened for modification	C:\Windows\SysWOW64\wlgcgm.exe	wtuli.exe
File created	C:\Windows\SysWOW64\wlsmfvfy.exe	wikltmn.exe
File created	C:\Windows\SysWOW64\wmktgfeyu.exe	wnnysna.exe
File opened for modification	C:\Windows\SysWOW64\wxhune.exe	wobkdhk.exe
File opened for modification	C:\Windows\SysWOW64\wynstnl.exe	wbecgs.exe
File opened for modification	C:\Windows\SysWOW64\whlr.exe	wlmtqwc.exe
File opened for modification	C:\Windows\SysWOW64\wlemxy.exe	wfuena.exe
File created	C:\Windows\SysWOW64\wqtpwfh.exe	wlemxy.exe
File created	C:\Windows\SysWOW64\warvutvjm.exe	wfbmsp.exe
File created	C:\Windows\SysWOW64\wbmxuei.exe	wilfmxh.exe
File opened for modification	C:\Windows\SysWOW64\wtnhfy.exe	wbuott.exe
File created	C:\Windows\SysWOW64\wbhot.exe	wlgcgm.exe
File opened for modification	C:\Windows\SysWOW64\warvutvjm.exe	wfbmsp.exe
File opened for modification	C:\Windows\SysWOW64\wikltmn.exe	wrtlcdx.exe
File opened for modification	C:\Windows\SysWOW64\wiocuhq.exe	whlr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	2080	WerFault.exe	39

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3032	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	30
PID 2948 wrote to memory of 3032	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	30
PID 2948 wrote to memory of 3032	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	30
PID 2948 wrote to memory of 3032	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	30
PID 2948 wrote to memory of 2708	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	31
PID 2948 wrote to memory of 2708	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	31
PID 2948 wrote to memory of 2708	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	31
PID 2948 wrote to memory of 2708	2948	020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe	31
PID 3032 wrote to memory of 2664	3032	wfuena.exe	33
PID 3032 wrote to memory of 2664	3032	wfuena.exe	33
PID 3032 wrote to memory of 2664	3032	wfuena.exe	33
PID 3032 wrote to memory of 2664	3032	wfuena.exe	33
PID 3032 wrote to memory of 2720	3032	wfuena.exe	34
PID 3032 wrote to memory of 2720	3032	wfuena.exe	34
PID 3032 wrote to memory of 2720	3032	wfuena.exe	34
PID 3032 wrote to memory of 2720	3032	wfuena.exe	34
PID 2664 wrote to memory of 568	2664	wlemxy.exe	36
PID 2664 wrote to memory of 568	2664	wlemxy.exe	36
PID 2664 wrote to memory of 568	2664	wlemxy.exe	36
PID 2664 wrote to memory of 568	2664	wlemxy.exe	36
PID 2664 wrote to memory of 2208	2664	wlemxy.exe	37
PID 2664 wrote to memory of 2208	2664	wlemxy.exe	37
PID 2664 wrote to memory of 2208	2664	wlemxy.exe	37
PID 2664 wrote to memory of 2208	2664	wlemxy.exe	37
PID 568 wrote to memory of 2080	568	wqtpwfh.exe	39
PID 568 wrote to memory of 2080	568	wqtpwfh.exe	39
PID 568 wrote to memory of 2080	568	wqtpwfh.exe	39
PID 568 wrote to memory of 2080	568	wqtpwfh.exe	39
PID 568 wrote to memory of 960	568	wqtpwfh.exe	40
PID 568 wrote to memory of 960	568	wqtpwfh.exe	40
PID 568 wrote to memory of 960	568	wqtpwfh.exe	40
PID 568 wrote to memory of 960	568	wqtpwfh.exe	40
PID 2080 wrote to memory of 2920	2080	wdsulu.exe	42
PID 2080 wrote to memory of 2920	2080	wdsulu.exe	42
PID 2080 wrote to memory of 2920	2080	wdsulu.exe	42
PID 2080 wrote to memory of 2920	2080	wdsulu.exe	42
PID 2080 wrote to memory of 2276	2080	wdsulu.exe	43
PID 2080 wrote to memory of 2276	2080	wdsulu.exe	43
PID 2080 wrote to memory of 2276	2080	wdsulu.exe	43
PID 2080 wrote to memory of 2276	2080	wdsulu.exe	43
PID 2080 wrote to memory of 2068	2080	wdsulu.exe	45
PID 2080 wrote to memory of 2068	2080	wdsulu.exe	45
PID 2080 wrote to memory of 2068	2080	wdsulu.exe	45
PID 2080 wrote to memory of 2068	2080	wdsulu.exe	45
PID 2920 wrote to memory of 592	2920	wkrpywo.exe	46
PID 2920 wrote to memory of 592	2920	wkrpywo.exe	46
PID 2920 wrote to memory of 592	2920	wkrpywo.exe	46
PID 2920 wrote to memory of 592	2920	wkrpywo.exe	46
PID 2920 wrote to memory of 1336	2920	wkrpywo.exe	47
PID 2920 wrote to memory of 1336	2920	wkrpywo.exe	47
PID 2920 wrote to memory of 1336	2920	wkrpywo.exe	47
PID 2920 wrote to memory of 1336	2920	wkrpywo.exe	47
PID 592 wrote to memory of 2412	592	wssloycl.exe	50
PID 592 wrote to memory of 2412	592	wssloycl.exe	50
PID 592 wrote to memory of 2412	592	wssloycl.exe	50
PID 592 wrote to memory of 2412	592	wssloycl.exe	50
PID 592 wrote to memory of 1636	592	wssloycl.exe	51
PID 592 wrote to memory of 1636	592	wssloycl.exe	51
PID 592 wrote to memory of 1636	592	wssloycl.exe	51
PID 592 wrote to memory of 1636	592	wssloycl.exe	51
PID 2412 wrote to memory of 2172	2412	wugcvf.exe	53
PID 2412 wrote to memory of 2172	2412	wugcvf.exe	53
PID 2412 wrote to memory of 2172	2412	wugcvf.exe	53
PID 2412 wrote to memory of 2172	2412	wugcvf.exe	53

C:\Users\Admin\AppData\Local\Temp\020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe
"C:\Users\Admin\AppData\Local\Temp\020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\wfuena.exe
  "C:\Windows\system32\wfuena.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\wlemxy.exe
    "C:\Windows\system32\wlemxy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\wqtpwfh.exe
      "C:\Windows\system32\wqtpwfh.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\SysWOW64\wdsulu.exe
        
        "C:\Windows\system32\wdsulu.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\SysWOW64\wkrpywo.exe
        
        "C:\Windows\system32\wkrpywo.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\wssloycl.exe
        
        "C:\Windows\system32\wssloycl.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\wugcvf.exe
        
        "C:\Windows\system32\wugcvf.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\wsiurfrp.exe
        
        "C:\Windows\system32\wsiurfrp.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2172
        
        C:\Windows\SysWOW64\wfk.exe
        
        "C:\Windows\system32\wfk.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\wbuott.exe
        
        "C:\Windows\system32\wbuott.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wtnhfy.exe
        
        "C:\Windows\system32\wtnhfy.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2824
        
        C:\Windows\SysWOW64\wckfrwg.exe
        
        "C:\Windows\system32\wckfrwg.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1204
        
        C:\Windows\SysWOW64\wivvhe.exe
        
        "C:\Windows\system32\wivvhe.exe"
        14⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\watwlly.exe
        
        "C:\Windows\system32\watwlly.exe"
        15⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\warryc.exe
        
        "C:\Windows\system32\warryc.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\wtuli.exe
        
        "C:\Windows\system32\wtuli.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\wlgcgm.exe
        
        "C:\Windows\system32\wlgcgm.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wbhot.exe
        
        "C:\Windows\system32\wbhot.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\wodln.exe
        
        "C:\Windows\system32\wodln.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\wfbmsp.exe
        
        "C:\Windows\system32\wfbmsp.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\warvutvjm.exe
        
        "C:\Windows\system32\warvutvjm.exe"
        22⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\wkvvup.exe
        
        "C:\Windows\system32\wkvvup.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\wbydcqw.exe
        
        "C:\Windows\system32\wbydcqw.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\wbwvpi.exe
        
        "C:\Windows\system32\wbwvpi.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\wctqcydk.exe
        
        "C:\Windows\system32\wctqcydk.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\wrdcphm.exe
        
        "C:\Windows\system32\wrdcphm.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\wmnwkjv.exe
        
        "C:\Windows\system32\wmnwkjv.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\wjfmlfsaw.exe
        
        "C:\Windows\system32\wjfmlfsaw.exe"
        29⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\wrtlcdx.exe
        
        "C:\Windows\system32\wrtlcdx.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\wikltmn.exe
        
        "C:\Windows\system32\wikltmn.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\wlsmfvfy.exe
        
        "C:\Windows\system32\wlsmfvfy.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\wdrn.exe
        
        "C:\Windows\system32\wdrn.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\wuwdulfe.exe
        
        "C:\Windows\system32\wuwdulfe.exe"
        34⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\wgwtb.exe
        
        "C:\Windows\system32\wgwtb.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\wvhse.exe
        
        "C:\Windows\system32\wvhse.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\wrtgto.exe
        
        "C:\Windows\system32\wrtgto.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\wilfmxh.exe
        
        "C:\Windows\system32\wilfmxh.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\wbmxuei.exe
        
        "C:\Windows\system32\wbmxuei.exe"
        39⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\wwkvqciun.exe
        
        "C:\Windows\system32\wwkvqciun.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\wxqob.exe
        
        "C:\Windows\system32\wxqob.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\wjtobqo.exe
        
        "C:\Windows\system32\wjtobqo.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\wrvdjnhjt.exe
        
        "C:\Windows\system32\wrvdjnhjt.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\wnnysna.exe
        
        "C:\Windows\system32\wnnysna.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\wmktgfeyu.exe
        
        "C:\Windows\system32\wmktgfeyu.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wujnth.exe
        
        "C:\Windows\system32\wujnth.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\wobkdhk.exe
        
        "C:\Windows\system32\wobkdhk.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\wxhune.exe
        
        "C:\Windows\system32\wxhune.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\wuae.exe
        
        "C:\Windows\system32\wuae.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\wlwgy.exe
        
        "C:\Windows\system32\wlwgy.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wahtmfsl.exe
        
        "C:\Windows\system32\wahtmfsl.exe"
        51⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\wbecgs.exe
        
        "C:\Windows\system32\wbecgs.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\wynstnl.exe
        
        "C:\Windows\system32\wynstnl.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:484
        
        C:\Windows\SysWOW64\wxpgsjq.exe
        
        "C:\Windows\system32\wxpgsjq.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\wwgmpj.exe
        
        "C:\Windows\system32\wwgmpj.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\wlmtqwc.exe
        
        "C:\Windows\system32\wlmtqwc.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\whlr.exe
        
        "C:\Windows\system32\whlr.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\wiocuhq.exe
        
        "C:\Windows\system32\wiocuhq.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\wxmps.exe
        
        "C:\Windows\system32\wxmps.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\wrpib.exe
        
        "C:\Windows\system32\wrpib.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\woonxnu.exe
        
        "C:\Windows\system32\woonxnu.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\wfxoqvdf.exe
        
        "C:\Windows\system32\wfxoqvdf.exe"
        62⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\wjidb.exe
        
        "C:\Windows\system32\wjidb.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\wjfgft.exe
        
        "C:\Windows\system32\wjfgft.exe"
        64⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjidb.exe"
        64⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxoqvdf.exe"
        63⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woonxnu.exe"
        62⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpib.exe"
        61⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmps.exe"
        60⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiocuhq.exe"
        59⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlr.exe"
        58⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmtqwc.exe"
        57⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgmpj.exe"
        56⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpgsjq.exe"
        55⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynstnl.exe"
        54⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbecgs.exe"
        53⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahtmfsl.exe"
        52⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwgy.exe"
        51⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuae.exe"
        50⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhune.exe"
        49⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobkdhk.exe"
        48⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujnth.exe"
        47⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmktgfeyu.exe"
        46⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnnysna.exe"
        45⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvdjnhjt.exe"
        44⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtobqo.exe"
        43⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqob.exe"
        42⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkvqciun.exe"
        41⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmxuei.exe"
        40⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wilfmxh.exe"
        39⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtgto.exe"
        38⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhse.exe"
        37⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwtb.exe"
        36⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwdulfe.exe"
        35⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrn.exe"
        34⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsmfvfy.exe"
        33⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikltmn.exe"
        32⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtlcdx.exe"
        31⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfmlfsaw.exe"
        30⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnwkjv.exe"
        29⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdcphm.exe"
        28⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctqcydk.exe"
        27⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwvpi.exe"
        26⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbydcqw.exe"
        25⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvvup.exe"
        24⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warvutvjm.exe"
        23⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbmsp.exe"
        22⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodln.exe"
        21⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhot.exe"
        20⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgcgm.exe"
        19⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtuli.exe"
        18⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warryc.exe"
        17⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watwlly.exe"
        16⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivvhe.exe"
        15⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckfrwg.exe"
        14⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnhfy.exe"
        13⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbuott.exe"
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfk.exe"
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiurfrp.exe"
        10⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugcvf.exe"
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssloycl.exe"
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrpywo.exe"
        7⤵
        
        PID:1336
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdsulu.exe"
        6⤵
        
        PID:2276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 868
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtpwfh.exe"
        5⤵
        
        PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlemxy.exe"
      4⤵
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuena.exe"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\020eb4e8c9ab3081cf7060dd94ce4ad139b1c67d1ad3536f50910001737c6f5c.exe"
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q20A6TQK.txt

Filesize
99B

MD5
d09d29d5a0a5a433b3c7fb76c230a1a5

SHA1
8eca00c75a6f3dff0b29ae08bca28a5b86e0dcbd

SHA256
ee064c35519577815f660a6d1dc7da9eaf1a41ba8ac4e3aeefffa7554b2e1f95

SHA512
45bf7f21b0cdb085b35a073043ed3c1a328b7c9e90db9e01f3b4481e77777bcd91fb66cfc99ce8f15331e4d39745421a84e4353dfd30590ddad711d2537f6be8

Download Submit
\Windows\SysWOW64\wdsulu.exe

Filesize
84KB

MD5
1382f6c6d78fcebe854255f7f7eb5fe9

SHA1
4495b71ef1d7c22fce5afab00c25277f9ea18945

SHA256
d1f576b77d9a73fba712d8d92c46f34e094457a132c9cba2a43fcd760ffd1ffd

SHA512
d4337e59d018ae207a886df79b5f1b6e2fb9fef32ede7193d68e5cbb593b2c50667d81889b870bd839b4a17e322a08e3e07b952c07ff9807ab0b718e53715212

Download Submit
\Windows\SysWOW64\wfk.exe

Filesize
84KB

MD5
2dc6e7811abe8151ea2a0ca28eaf012c

SHA1
b28a5dc4ad2d0a301cbdcf660b0a86025b27ac3d

SHA256
eab4c8bfb8e78507f73829b4883016d52e3c56060b46280deea0b4a268d3f293

SHA512
bacf318ee07288177b3e1637d4f5793bf98b39a5cd2c5efbe68259ea054303edcba31fdd45b1fba064d6866d70c995cf722e1eb7e4c0f9a9c31410a2dd0e8bc5

Download Submit
\Windows\SysWOW64\wfuena.exe

Filesize
84KB

MD5
9f00edd9c2e89a4e7b6d4a5a68badce5

SHA1
85c1bea0b1ffc82f66a833538cc92d59b7a25cd0

SHA256
1f42b6384c97c94425fd0f9660b7f4076448b7f863b78ed9390a1baff9d5c795

SHA512
8852378971fd77f3dea71f410502b24f302046f8c9a4dd864af2bf2201f02bcb77e339059e5204f1f7b60f18d67882e9d35c2d7ca4bbe9506ce2e9a9d542d61a

Download Submit
\Windows\SysWOW64\wkrpywo.exe

Filesize
84KB

MD5
5660e70ea0c56d9b1b1766a31b20fe07

SHA1
a343b10edd4be2ae27b49616e6cbebcf72efd3c8

SHA256
8ca3b591d2688c13d42242c9e6540e770a4870d310a6b42bd9ff44686391748d

SHA512
582fa4b8a7fa692eacf4c0cbe837adc2c442043660d2dff8da89264e5889fdf5b0d8d9bd2270c5de2ab4b485e06c185b1b131817404c59ecc0470e1a6a228a14

Download Submit
\Windows\SysWOW64\wlemxy.exe

Filesize
84KB

MD5
00f5f2b1daff54dd3ccc544308c8b1fc

SHA1
5b48acff435a714b22bed087bdd6d6fb3a6b4596

SHA256
4557c05feb4d0386ab026431f2ddad3057887a89f2c93177ef6be3e1bc3d6b4f

SHA512
72d06afe68780e577361ec80e10dfdac1e17e6356232fcb2007e9df5b73c17c2b252b0fa785fc814c5a819c7bbe4982f3f9a738b1979fbc0f5c78773f6b2694a

Download Submit
\Windows\SysWOW64\wqtpwfh.exe

Filesize
84KB

MD5
11fae36a97da8b51b67917d8473e98e9

SHA1
85401581c6c5027951c49f778d08fdd89c4f3dae

SHA256
a8b2dc82f4871bf6687b05266e493b2aa0cf44896f1fa2ce4de9bfadc45200a6

SHA512
d2a1726780ba6da61fcc22568b733619220aae37dc4646568f2904521cbcdc76c02089b17f3dbc9cf713d2a591f676109eb34551cc2217c8dd7ecdc9198c62b6

Download Submit
\Windows\SysWOW64\wsiurfrp.exe

Filesize
84KB

MD5
e821ec451183188233e19ca99f6e439d

SHA1
be439db0eca8855cfb518cdf803f63bee1a6dff1

SHA256
f7ab8d76e7a0aafe12b5e0ab08abf5de47093e0656171b4c333a825de476babb

SHA512
61e80c1d8f41bd4ccc17148a74558dc75a17e0492c447cc9d6f6579409efc7c642d04fa75c8ba049d270a4eef874a29b91dad9b7926239e9074b366bca85526d

Download Submit
\Windows\SysWOW64\wssloycl.exe

Filesize
84KB

MD5
a019e2f24002a6122b9cf6a09ac89814

SHA1
5de9e771aef3a86b79bbdfb9f0a61eb7ec361404

SHA256
dac0b6e7b0bdb1032e45ecc46416b611dcbcb4b6a8d7118b3465e03b114efb3c

SHA512
7452011b3c757a0447a0e257e26073ededfcaccf5e143f81bb0b2f50929dda27624d78d81e7859eb7dd070bc1a1af271841b229269fa42481a2aec9eac13c868

Download Submit
\Windows\SysWOW64\wugcvf.exe

Filesize
84KB

MD5
faded821f930797c3ccc0f79803ad5b7

SHA1
6efd4f00356753cd3be98cadae9be6b8f892fa77

SHA256
e5637ac6c070a21f9e90631fdf4d52ae9484c272e8d913d7e30a82fe5db762a1

SHA512
42ad9ae5e46b074bd1c6b51266d94035e3c0db6ffd6e39cdcc3f4b2cbfed5af0d0de035f4618fdbc606f573c5bc5418a231ce97d0f8cf409c8dca1a4d3be2eb1

Download Submit
memory/568-87-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/568-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/568-88-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/568-86-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/568-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/568-144-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/592-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/592-161-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/592-169-0x0000000003C30000-0x0000000003C40000-memory.dmp

Filesize
64KB

Download
memory/592-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/592-165-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/812-294-0x0000000003AD0000-0x0000000003AE7000-memory.dmp

Filesize
92KB

Download
memory/812-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/812-290-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/812-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-278-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-279-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/1204-276-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/1204-277-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/1604-323-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/1604-322-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/1604-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2080-111-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/2080-160-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/2080-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2080-110-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/2080-109-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/2080-115-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/2080-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2080-162-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/2152-340-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/2152-342-0x0000000003C30000-0x0000000003C40000-memory.dmp

Filesize
64KB

Download
memory/2152-338-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/2152-330-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/2152-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2152-339-0x0000000003C30000-0x0000000003C47000-memory.dmp

Filesize
92KB

Download
memory/2152-324-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-212-0x0000000003190000-0x00000000031A7000-memory.dmp

Filesize
92KB

Download
memory/2172-211-0x0000000003190000-0x00000000031A7000-memory.dmp

Filesize
92KB

Download
memory/2172-199-0x0000000003190000-0x00000000031A7000-memory.dmp

Filesize
92KB

Download
memory/2172-213-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2172-210-0x0000000003190000-0x00000000031A7000-memory.dmp

Filesize
92KB

Download
memory/2172-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2360-310-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2360-308-0x0000000003C90000-0x0000000003CA7000-memory.dmp

Filesize
92KB

Download
memory/2360-295-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2360-309-0x0000000003C90000-0x0000000003CA7000-memory.dmp

Filesize
92KB

Download
memory/2412-181-0x0000000003C60000-0x0000000003C77000-memory.dmp

Filesize
92KB

Download
memory/2412-190-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2412-188-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2412-192-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2412-168-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-242-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2472-229-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-244-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2472-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-243-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2604-357-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-372-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/2604-368-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/2628-228-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-223-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/2628-280-0x0000000003A80000-0x0000000003A97000-memory.dmp

Filesize
92KB

Download
memory/2628-224-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/2664-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2664-63-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/2664-64-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/2664-65-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/2664-62-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/2824-261-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/2824-264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-256-0x0000000003560000-0x0000000003577000-memory.dmp

Filesize
92KB

Download
memory/2824-260-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/2824-263-0x0000000003570000-0x0000000003580000-memory.dmp

Filesize
64KB

Download
memory/2920-137-0x0000000003C90000-0x0000000003CA7000-memory.dmp

Filesize
92KB

Download
memory/2920-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2920-136-0x0000000003520000-0x0000000003537000-memory.dmp

Filesize
92KB

Download
memory/2920-138-0x0000000003C90000-0x0000000003CA7000-memory.dmp

Filesize
92KB

Download
memory/2920-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2948-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2948-19-0x0000000003680000-0x0000000003697000-memory.dmp

Filesize
92KB

Download
memory/2948-20-0x0000000003680000-0x0000000003697000-memory.dmp

Filesize
92KB

Download
memory/2948-23-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/2948-12-0x0000000002D30000-0x0000000002D47000-memory.dmp

Filesize
92KB

Download
memory/2948-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2948-11-0x0000000002D30000-0x0000000002D47000-memory.dmp

Filesize
92KB

Download
memory/3032-45-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3032-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3032-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3044-355-0x0000000003830000-0x0000000003847000-memory.dmp

Filesize
92KB

Download
memory/3044-358-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/3044-341-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3044-356-0x0000000003830000-0x0000000003847000-memory.dmp

Filesize
92KB

Download
memory/3044-359-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download