9e61f86a378552b9a27b543568b5629220bd19c355480e71d33be2643031162a

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6be7e447b67246bfa7ba01c46215db0N.exe
Size

94KB
MD5

d6be7e447b67246bfa7ba01c46215db0
SHA1

324a86adfd230b788a3ff83744b4d88e243b2c0b
SHA256

9e61f86a378552b9a27b543568b5629220bd19c355480e71d33be2643031162a
SHA512

9b3337c4074e2537f1ef1728d6d92ccf6b019e7066d3be8db538d96e4b856f0df87b0d4f93265c2e23684a50ad1112d1ecc35bbb0fbeb5bab47f32c0558295ed
SSDEEP

1536:BYUb5NE3yZIp+6HO5J4ggpMFSvIKEu0dX4j2dAck9:BYUb5QoJ4g+FXb

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 31 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnjrkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	werp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wjjxcjy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wgyqevxwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wcksjnae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wjnuwkt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wpku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wivd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wfyoocor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wlctnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnoqyvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wugjtf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbmfrxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wgchuxki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wpwdlh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wknax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwoghusd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wslqdk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wpmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	whdktb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbeq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wfdaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqmm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxwqxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxlgc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	d6be7e447b67246bfa7ba01c46215db0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wjbuomxq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdakc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnyinq.exe

Executes dropped EXE 31 IoCs

pid	Process
3112	wjbuomxq.exe
4436	wknax.exe
3940	whdktb.exe
2324	wbl.exe
4344	wlctnw.exe
2460	wgyqevxwc.exe
4928	wfdaj.exe
2560	wbeq.exe
2900	wnoqyvs.exe
3560	wqmm.exe
4216	wcksjnae.exe
3536	wjnuwkt.exe
2140	wwoghusd.exe
3444	wugjtf.exe
1680	wbmfrxy.exe
3644	wdakc.exe
4608	wslqdk.exe
3628	wpku.exe
976	wgchuxki.exe
2952	wivd.exe
4060	wpwdlh.exe
3128	wfyoocor.exe
972	wnjrkr.exe
2516	wnyinq.exe
2980	werp.exe
1912	wxs.exe
3064	wxlgc.exe
4468	wjjxcjy.exe
400	wxwqxb.exe
4572	wpmp.exe
636	wvhd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whdktb.exe	wknax.exe
File created	C:\Windows\SysWOW64\wgyqevxwc.exe	wlctnw.exe
File opened for modification	C:\Windows\SysWOW64\wgyqevxwc.exe	wlctnw.exe
File created	C:\Windows\SysWOW64\wwoghusd.exe	wjnuwkt.exe
File created	C:\Windows\SysWOW64\wbmfrxy.exe	wugjtf.exe
File created	C:\Windows\SysWOW64\wdakc.exe	wbmfrxy.exe
File opened for modification	C:\Windows\SysWOW64\wdakc.exe	wbmfrxy.exe
File opened for modification	C:\Windows\SysWOW64\wbl.exe	whdktb.exe
File opened for modification	C:\Windows\SysWOW64\wfdaj.exe	wgyqevxwc.exe
File opened for modification	C:\Windows\SysWOW64\wjnuwkt.exe	wcksjnae.exe
File created	C:\Windows\SysWOW64\wivd.exe	wgchuxki.exe
File opened for modification	C:\Windows\SysWOW64\wxs.exe	werp.exe
File opened for modification	C:\Windows\SysWOW64\wxlgc.exe	wxs.exe
File opened for modification	C:\Windows\SysWOW64\whdktb.exe	wknax.exe
File opened for modification	C:\Windows\SysWOW64\wlctnw.exe	wbl.exe
File opened for modification	C:\Windows\SysWOW64\wbmfrxy.exe	wugjtf.exe
File opened for modification	C:\Windows\SysWOW64\wjjxcjy.exe	wxlgc.exe
File opened for modification	C:\Windows\SysWOW64\wnoqyvs.exe	wbeq.exe
File opened for modification	C:\Windows\SysWOW64\wwoghusd.exe	wjnuwkt.exe
File created	C:\Windows\SysWOW64\wslqdk.exe	wdakc.exe
File created	C:\Windows\SysWOW64\wgchuxki.exe	wpku.exe
File opened for modification	C:\Windows\SysWOW64\wxwqxb.exe	wjjxcjy.exe
File opened for modification	C:\Windows\SysWOW64\wbeq.exe	wfdaj.exe
File created	C:\Windows\SysWOW64\wnyinq.exe	wnjrkr.exe
File created	C:\Windows\SysWOW64\wxwqxb.exe	wjjxcjy.exe
File opened for modification	C:\Windows\SysWOW64\wjbuomxq.exe	d6be7e447b67246bfa7ba01c46215db0N.exe
File opened for modification	C:\Windows\SysWOW64\wknax.exe	wjbuomxq.exe
File opened for modification	C:\Windows\SysWOW64\wpku.exe	wslqdk.exe
File created	C:\Windows\SysWOW64\wxs.exe	werp.exe
File created	C:\Windows\SysWOW64\wjbuomxq.exe	d6be7e447b67246bfa7ba01c46215db0N.exe
File created	C:\Windows\SysWOW64\wjnuwkt.exe	wcksjnae.exe
File opened for modification	C:\Windows\SysWOW64\wugjtf.exe	wwoghusd.exe
File created	C:\Windows\SysWOW64\wpku.exe	wslqdk.exe
File opened for modification	C:\Windows\SysWOW64\wivd.exe	wgchuxki.exe
File opened for modification	C:\Windows\SysWOW64\wvhd.exe	wpmp.exe
File created	C:\Windows\SysWOW64\wfdaj.exe	wgyqevxwc.exe
File created	C:\Windows\SysWOW64\wqmm.exe	wnoqyvs.exe
File created	C:\Windows\SysWOW64\wjjxcjy.exe	wxlgc.exe
File created	C:\Windows\SysWOW64\wlctnw.exe	wbl.exe
File opened for modification	C:\Windows\SysWOW64\wslqdk.exe	wdakc.exe
File opened for modification	C:\Windows\SysWOW64\wgchuxki.exe	wpku.exe
File opened for modification	C:\Windows\SysWOW64\wpmp.exe	wxwqxb.exe
File created	C:\Windows\SysWOW64\wbl.exe	whdktb.exe
File created	C:\Windows\SysWOW64\wugjtf.exe	wwoghusd.exe
File opened for modification	C:\Windows\SysWOW64\werp.exe	wnyinq.exe
File created	C:\Windows\SysWOW64\wvhd.exe	wpmp.exe
File opened for modification	C:\Windows\SysWOW64\wpwdlh.exe	wivd.exe
File created	C:\Windows\SysWOW64\wfyoocor.exe	wpwdlh.exe
File opened for modification	C:\Windows\SysWOW64\wnyinq.exe	wnjrkr.exe
File created	C:\Windows\SysWOW64\wpmp.exe	wxwqxb.exe
File created	C:\Windows\SysWOW64\wnoqyvs.exe	wbeq.exe
File opened for modification	C:\Windows\SysWOW64\wqmm.exe	wnoqyvs.exe
File opened for modification	C:\Windows\SysWOW64\wcksjnae.exe	wqmm.exe
File created	C:\Windows\SysWOW64\wpwdlh.exe	wivd.exe
File opened for modification	C:\Windows\SysWOW64\wnjrkr.exe	wfyoocor.exe
File created	C:\Windows\SysWOW64\werp.exe	wnyinq.exe
File opened for modification	C:\Windows\SysWOW64\wfyoocor.exe	wpwdlh.exe
File created	C:\Windows\SysWOW64\wxlgc.exe	wxs.exe
File created	C:\Windows\SysWOW64\wcksjnae.exe	wqmm.exe
File created	C:\Windows\SysWOW64\wnjrkr.exe	wfyoocor.exe
File created	C:\Windows\SysWOW64\wknax.exe	wjbuomxq.exe
File created	C:\Windows\SysWOW64\wbeq.exe	wfdaj.exe
File created	C:\Windows\SysWOW64\wspwwhy.exe	wvhd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4964	368	WerFault.exe	82
2516	3112	WerFault.exe	87
3128	2460	WerFault.exe	115
4560	2460	WerFault.exe	115
1920	1680	WerFault.exe	148
1412	1680	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfyoocor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxwqxb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnoqyvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wslqdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpwdlh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	werp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnjrkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcksjnae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgyqevxwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfdaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgchuxki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whdktb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbmfrxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdakc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlctnw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjnuwkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwoghusd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wivd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxlgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6be7e447b67246bfa7ba01c46215db0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wugjtf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjbuomxq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wknax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnyinq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjjxcjy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3112	368	d6be7e447b67246bfa7ba01c46215db0N.exe	87
PID 368 wrote to memory of 3112	368	d6be7e447b67246bfa7ba01c46215db0N.exe	87
PID 368 wrote to memory of 3112	368	d6be7e447b67246bfa7ba01c46215db0N.exe	87
PID 368 wrote to memory of 956	368	d6be7e447b67246bfa7ba01c46215db0N.exe	89
PID 368 wrote to memory of 956	368	d6be7e447b67246bfa7ba01c46215db0N.exe	89
PID 368 wrote to memory of 956	368	d6be7e447b67246bfa7ba01c46215db0N.exe	89
PID 3112 wrote to memory of 4436	3112	wjbuomxq.exe	98
PID 3112 wrote to memory of 4436	3112	wjbuomxq.exe	98
PID 3112 wrote to memory of 4436	3112	wjbuomxq.exe	98
PID 3112 wrote to memory of 1920	3112	wjbuomxq.exe	99
PID 3112 wrote to memory of 1920	3112	wjbuomxq.exe	99
PID 3112 wrote to memory of 1920	3112	wjbuomxq.exe	99
PID 4436 wrote to memory of 3940	4436	wknax.exe	104
PID 4436 wrote to memory of 3940	4436	wknax.exe	104
PID 4436 wrote to memory of 3940	4436	wknax.exe	104
PID 4436 wrote to memory of 2428	4436	wknax.exe	105
PID 4436 wrote to memory of 2428	4436	wknax.exe	105
PID 4436 wrote to memory of 2428	4436	wknax.exe	105
PID 3940 wrote to memory of 2324	3940	whdktb.exe	109
PID 3940 wrote to memory of 2324	3940	whdktb.exe	109
PID 3940 wrote to memory of 2324	3940	whdktb.exe	109
PID 3940 wrote to memory of 3064	3940	whdktb.exe	110
PID 3940 wrote to memory of 3064	3940	whdktb.exe	110
PID 3940 wrote to memory of 3064	3940	whdktb.exe	110
PID 2324 wrote to memory of 4344	2324	wbl.exe	112
PID 2324 wrote to memory of 4344	2324	wbl.exe	112
PID 2324 wrote to memory of 4344	2324	wbl.exe	112
PID 2324 wrote to memory of 3424	2324	wbl.exe	113
PID 2324 wrote to memory of 3424	2324	wbl.exe	113
PID 2324 wrote to memory of 3424	2324	wbl.exe	113
PID 4344 wrote to memory of 2460	4344	wlctnw.exe	115
PID 4344 wrote to memory of 2460	4344	wlctnw.exe	115
PID 4344 wrote to memory of 2460	4344	wlctnw.exe	115
PID 4344 wrote to memory of 4232	4344	wlctnw.exe	116
PID 4344 wrote to memory of 4232	4344	wlctnw.exe	116
PID 4344 wrote to memory of 4232	4344	wlctnw.exe	116
PID 2460 wrote to memory of 4928	2460	wgyqevxwc.exe	118
PID 2460 wrote to memory of 4928	2460	wgyqevxwc.exe	118
PID 2460 wrote to memory of 4928	2460	wgyqevxwc.exe	118
PID 2460 wrote to memory of 3204	2460	wgyqevxwc.exe	119
PID 2460 wrote to memory of 3204	2460	wgyqevxwc.exe	119
PID 2460 wrote to memory of 3204	2460	wgyqevxwc.exe	119
PID 4928 wrote to memory of 2560	4928	wfdaj.exe	125
PID 4928 wrote to memory of 2560	4928	wfdaj.exe	125
PID 4928 wrote to memory of 2560	4928	wfdaj.exe	125
PID 4928 wrote to memory of 2864	4928	wfdaj.exe	126
PID 4928 wrote to memory of 2864	4928	wfdaj.exe	126
PID 4928 wrote to memory of 2864	4928	wfdaj.exe	126
PID 2560 wrote to memory of 2900	2560	wbeq.exe	128
PID 2560 wrote to memory of 2900	2560	wbeq.exe	128
PID 2560 wrote to memory of 2900	2560	wbeq.exe	128
PID 2560 wrote to memory of 3832	2560	wbeq.exe	129
PID 2560 wrote to memory of 3832	2560	wbeq.exe	129
PID 2560 wrote to memory of 3832	2560	wbeq.exe	129
PID 2900 wrote to memory of 3560	2900	wnoqyvs.exe	131
PID 2900 wrote to memory of 3560	2900	wnoqyvs.exe	131
PID 2900 wrote to memory of 3560	2900	wnoqyvs.exe	131
PID 2900 wrote to memory of 2100	2900	wnoqyvs.exe	132
PID 2900 wrote to memory of 2100	2900	wnoqyvs.exe	132
PID 2900 wrote to memory of 2100	2900	wnoqyvs.exe	132
PID 3560 wrote to memory of 4216	3560	wqmm.exe	135
PID 3560 wrote to memory of 4216	3560	wqmm.exe	135
PID 3560 wrote to memory of 4216	3560	wqmm.exe	135
PID 3560 wrote to memory of 3548	3560	wqmm.exe	136

C:\Users\Admin\AppData\Local\Temp\d6be7e447b67246bfa7ba01c46215db0N.exe
"C:\Users\Admin\AppData\Local\Temp\d6be7e447b67246bfa7ba01c46215db0N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\wjbuomxq.exe
  "C:\Windows\system32\wjbuomxq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\wknax.exe
    "C:\Windows\system32\wknax.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SysWOW64\whdktb.exe
      "C:\Windows\system32\whdktb.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Windows\SysWOW64\wbl.exe
        
        "C:\Windows\system32\wbl.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\wlctnw.exe
        
        "C:\Windows\system32\wlctnw.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\wgyqevxwc.exe
        
        "C:\Windows\system32\wgyqevxwc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\wfdaj.exe
        
        "C:\Windows\system32\wfdaj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\wbeq.exe
        
        "C:\Windows\system32\wbeq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\wnoqyvs.exe
        
        "C:\Windows\system32\wnoqyvs.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\wqmm.exe
        
        "C:\Windows\system32\wqmm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\wcksjnae.exe
        
        "C:\Windows\system32\wcksjnae.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\wjnuwkt.exe
        
        "C:\Windows\system32\wjnuwkt.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\wwoghusd.exe
        
        "C:\Windows\system32\wwoghusd.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\wugjtf.exe
        
        "C:\Windows\system32\wugjtf.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\wbmfrxy.exe
        
        "C:\Windows\system32\wbmfrxy.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\wdakc.exe
        
        "C:\Windows\system32\wdakc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\wslqdk.exe
        
        "C:\Windows\system32\wslqdk.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\wpku.exe
        
        "C:\Windows\system32\wpku.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\wgchuxki.exe
        
        "C:\Windows\system32\wgchuxki.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\wivd.exe
        
        "C:\Windows\system32\wivd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\wpwdlh.exe
        
        "C:\Windows\system32\wpwdlh.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\wfyoocor.exe
        
        "C:\Windows\system32\wfyoocor.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\wnjrkr.exe
        
        "C:\Windows\system32\wnjrkr.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\wnyinq.exe
        
        "C:\Windows\system32\wnyinq.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\werp.exe
        
        "C:\Windows\system32\werp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\wxs.exe
        
        "C:\Windows\system32\wxs.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\wxlgc.exe
        
        "C:\Windows\system32\wxlgc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\wjjxcjy.exe
        
        "C:\Windows\system32\wjjxcjy.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\wxwqxb.exe
        
        "C:\Windows\system32\wxwqxb.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\wpmp.exe
        
        "C:\Windows\system32\wpmp.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\wvhd.exe
        
        "C:\Windows\system32\wvhd.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmp.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwqxb.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjxcjy.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlgc.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxs.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werp.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyinq.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjrkr.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyoocor.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwdlh.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivd.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgchuxki.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpku.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslqdk.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdakc.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmfrxy.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 116
        17⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1536
        17⤵
        Program crash
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugjtf.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwoghusd.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnuwkt.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcksjnae.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqmm.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoqyvs.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbeq.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdaj.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyqevxwc.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1664
        8⤵
        Program crash
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1440
        8⤵
        Program crash
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlctnw.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbl.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdktb.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknax.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbuomxq.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1440
    3⤵
    - Program crash
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d6be7e447b67246bfa7ba01c46215db0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 904
  2⤵
  - Program crash
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 368 -ip 368
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3112 -ip 3112
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2460 -ip 2460
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2460 -ip 2460
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1680 -ip 1680
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1680 -ip 1680
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbeq.exe

Filesize
94KB

MD5
cb29b0c401942f3c625d5e51f2be32eb

SHA1
a35e803be50f06900ab38ec1624f1a800b8b2907

SHA256
2b4f258d99c8a33bd14e44822cb2a9dae126f60806f6d0c9f0b910ce4e0f41e9

SHA512
6a8a584d59ced478b95875456038a4c3b050352a0943c5004ce65c82438c6b3b91d1cfd1d17ff99265710580c95fe9a11a3b852079b9d6663274908347b73b36

Download Submit
C:\Windows\SysWOW64\wbl.exe

Filesize
94KB

MD5
4ffd60429a49c88d7a6f1cbcb5caa9f3

SHA1
bb9db0c8a9fe594108f86c6917528fec5dd2db7c

SHA256
9c029b66d4b7d1c17ed2bcbb0d41ce46cb98e22c70a71672c85f5b630df48e09

SHA512
9e11f8d4c474802d11932a24941b4f55dc44a9e02ba2d5b077e86821503b7df07b96c4b17a85718f258c210d6cabc6285a6a6909cc4846c5a857044a39ccc7ec

Download Submit
C:\Windows\SysWOW64\wbmfrxy.exe

Filesize
94KB

MD5
14437751a4bc04f79ac01a97d9a3bdfc

SHA1
1e3aff737eedf06580bca6d56d1ed45ec7f4ef8b

SHA256
93812e938f95c4f14bb7c657b26e81cf75e825cea84e25c54f7705ccab5cfa9b

SHA512
5ffd35ee33853b1cc2c7c5adfc3d0657cd2b37df0cb9e2008c371cedaa1385e957fb70ee9588e934bada667704598bf0c46f575fd4ced531545ebe47bc396525

Download Submit
C:\Windows\SysWOW64\wcksjnae.exe

Filesize
94KB

MD5
4ecd108cb75300d0ed51af8af7d75fdc

SHA1
4ccfcbf2b89dcadb3ae57917b0daf9ff14a438c1

SHA256
aa738525c149cd268f9798fa62aca1d84aece60698ad2e574ba5dd4189741078

SHA512
7543fed72c0aed4f844ea15b03a8a8cae2275e5def00069869d8f84af2c5b901e214f6f236d29d7e9e30c960f06819a76333cc7de88c878c0e35f7ea32d12e37

Download Submit
C:\Windows\SysWOW64\wdakc.exe

Filesize
94KB

MD5
09df97055a9927e59dd446cfad67533a

SHA1
0b870db929a12a84417dbd84520350a95c53b3d8

SHA256
dcb334103241b1015ea2ccc97885e5ee8a5bd7f86195f9abf3a626b4cbedd0de

SHA512
e62a20f5891d7f5ba7f718f38a9ec1c45c11f20ff7808dd2e0924e4d8cf6bffdcf49c6424baf1f9629da78d942025b1bda03f2281d257cedb81afdfb7f2edbb5

Download Submit
C:\Windows\SysWOW64\werp.exe

Filesize
94KB

MD5
5e8cd02c09a682dc6045687010fa888d

SHA1
282b509ef047f6c56546a85f71f0e769af0eab68

SHA256
71573b1ea3b92ced46dc25c8551055f451c167752b0273548eb8237d3ee9876c

SHA512
2c89da8376b6dc869e06ff53137244c34e8b9a574b51f5100541cf52a0430010dc2518074b5c9d32a464df268acd729fbefb00f9cf7ec6b3c958f3edc6f95055

Download Submit
C:\Windows\SysWOW64\wfdaj.exe

Filesize
94KB

MD5
7db3430ec21d8961e0a34ec05bff454e

SHA1
703e28bc4077a086abd58a91de2cc34be4350ee4

SHA256
89c0fa9bfdbacd850aa9cf500cda7fee6b4a6f2fdc1f65a8d07ebc96fa4d361b

SHA512
d1808cb856a1efe6b2dfe7cacb8c95bcad981069dbe7da86a488d3ca09754c3dd55f4363d674662b2ce4d7894c0c9d52f4d0925a66c442e4a9619650893248b7

Download Submit
C:\Windows\SysWOW64\wfyoocor.exe

Filesize
94KB

MD5
fb4cf0c36ab8057262ce4f8b9c174578

SHA1
d34fb5af7a350a527f5c1db7b7e607cfa24e3823

SHA256
f04f2c23627649f3ef64c4cd1d27be86a3436f185d60ed190532220a30d238f5

SHA512
c082e9a261a7d4d0e043ab4e16e0f792384534e692d95e345b53c64c26043c5415f1e68ec536f90551af339a0d1344210fa2589153e697667441560f36d764d9

Download Submit
C:\Windows\SysWOW64\wgchuxki.exe

Filesize
94KB

MD5
2f02ae9c28df5d79650b2558e04ed7b4

SHA1
cc95585c952b079e6a92692461761465c8f1d049

SHA256
0a88e06f9b49407a657de050ab2dc4138e8ab27013bbec4685acb3165c717971

SHA512
0de775dda7f2e11352280d018a41980799a0a24fbb29dea45939200fabed4ad422364dd29ac74916897a1b12065e841d20b625a4bb3fd428289bc24044261538

Download Submit
C:\Windows\SysWOW64\wgyqevxwc.exe

Filesize
94KB

MD5
6ebd481e7037701ea24739c582cef239

SHA1
01ffe4533ecf9bb2780ce732a0d61e44688ea29a

SHA256
f5b886bfffe7dcb7b72370b9664a00604533e693102cf56423f697294561902a

SHA512
136011c4ba837af8eaf5d1df6206783225265cf3a00e79b5a7e059ee84296a003db4259d2c51870553f0439a2dc6991bf687ad139a8f2035a481e04ca25b09a5

Download Submit
C:\Windows\SysWOW64\whdktb.exe

Filesize
94KB

MD5
95bce3203acb5f96f3a82fd9ec82c592

SHA1
ea4163ff35e824dc4a2b87637002fe52f563b058

SHA256
1109ebb86955ef5fbf26dc2d7c09b47f470a8a3b92179b9e67ed061664bbf1cb

SHA512
781fb602fcbc7e2faf60fe74e65b0ffd3d68de5ab1c1e597ff68d6c140dcbb5fe9fe6cbb601556c2a891ed9f57676f4eaa92173a5fb5ae3b013afbac116afd4f

Download Submit
C:\Windows\SysWOW64\wivd.exe

Filesize
94KB

MD5
17e270c844ebeab9ba38472728c68d7d

SHA1
3b60ff4e828800c6da47d2799edc510706c7373e

SHA256
916bc35fbfbe09b1b76d90e7204c12fc3013000dee71e6b3957a435b5e37892c

SHA512
2fcd81f706f7265cb89de6514f93cc8d139dcaf26fc1ee356b1d1a92f716376f3a968480c670eeaea236e8ef88c89b9825ad23e53b73d31e5e9cf9dc94ecf077

Download Submit
C:\Windows\SysWOW64\wjbuomxq.exe

Filesize
94KB

MD5
1016719694daddc59986800e7d9bdc6f

SHA1
48c450be49ae64c07f6ddd035b481b46dd4c624e

SHA256
70d0dfb5c43566f82a2d988c2223caa3b99fba9ee9d1e9ba7a3a823864e6e59f

SHA512
175dfbb5bb07a142d6380a845c9af00c1be3f49c4bdfc77bc4e7067bc617a7430322b5e1be3cb88404eb0bb07687e6b973959a1cffc84c84dfa435dfcacab9ef

Download Submit
C:\Windows\SysWOW64\wjjxcjy.exe

Filesize
94KB

MD5
a664d4a2a3b803c1846db583bfeb4c2b

SHA1
d59cf2baf5b3c683d03480f08d1e6b88267a23f2

SHA256
a2056f52abea71a8ec1fdbacb2d0bb2c4e972e00f6842bff25b13e0b031a954c

SHA512
8c3bcde463ca89ee5f752ac799eaddc90619ffe1c242379b6082c938b5e6843bc0c72223eacad00f64b01bae63e714cb7a914e39cc84422c4e0a4e186f881e71

Download Submit
C:\Windows\SysWOW64\wjnuwkt.exe

Filesize
94KB

MD5
3ee9bd86527f0afa134c449940e9f929

SHA1
d29432d43d4946b7fcfd4212a0153490aea13bf9

SHA256
77a155812432f7e3b6aacf0f0de1dc972ae35ad690f04c5c5202edc4c1e392c5

SHA512
62b13a6406a313f453052c56d53e7c3256bc408d0da3d42b32c3479c4984b367c43887b01786ad110ceaaf713b7bc672716c46603577c571d002f1556edf4906

Download Submit
C:\Windows\SysWOW64\wknax.exe

Filesize
94KB

MD5
33f824baf81f861fda06848787a7e2ec

SHA1
5485f0dae4d8272d00013f51e378217b27f57ce6

SHA256
4994a71227ce2e4a65ac8db6190f50d2c810b96a1b668765886bd50fe257b65d

SHA512
a000df5414d291bf90fe89d6d2f99b64b35df55be09e4f7efb176d3fb63b90839fbb3cfcda383fd9ef60520aab629e688ce7584a29dbf2e7fc519acfcfce1bdc

Download Submit
C:\Windows\SysWOW64\wlctnw.exe

Filesize
94KB

MD5
2a0a9ff2722a28cb5c31da0ca8d4bdfe

SHA1
d42939ee45a11ff5220a187168dc763c360c29af

SHA256
0d06443c1ada586632ec3900bce57d51fe319a373e0ca4bb59b1ba89feeacbdc

SHA512
5e495a8dea5ff1c6d36ce8394a4b7dc53383bd7ffc763fd0769a66236d542ac0fd9712bf3f6f191711e01b3c7c398e433b5cba39989735106adb2b9dcd751f1e

Download Submit
C:\Windows\SysWOW64\wnjrkr.exe

Filesize
94KB

MD5
2105c233cb049128c3e2acff64a4652a

SHA1
ffea87c00c4be7cb463c7ca1c8db2e58a0579a88

SHA256
703c9dc8f134c9890d506f1425d933cbc55f226cbc022102109fa354ec5a6ff7

SHA512
57b82ba351cb5e135f9422ec4fe87cc817e15b8d34893d1583c4dc94638885af1e67c7877502b682a297648ea97457eb219e59bf9397778f071603291bac6022

Download Submit
C:\Windows\SysWOW64\wnoqyvs.exe

Filesize
94KB

MD5
987f79de6a856d0be15f04a5f83bcdf9

SHA1
8cbbe26e922600b3b205c4a1db8ace025e0be596

SHA256
23af93ab8c156654dac91ae0ed4ac5c45cad5e68af13fc2689ce95e55e0e6d7d

SHA512
41229c31d382cbec18905caa249ba02e32591f8fae2b58b432c110b3f7a4bc735151d33a8d1891312dfad3babe23218ee4a65a85f3090a6eeb1a047bbfa450ca

Download Submit
C:\Windows\SysWOW64\wnyinq.exe

Filesize
94KB

MD5
1c0b70282331cfb971a9a065a65911d4

SHA1
953055ca9697811c5d6d3a894b734c3cf1fab392

SHA256
0e88fda7df604314bd5821e1d5cb5fb18c838074612e2b15d4d3f9a9ef0bf004

SHA512
68c50be5fb9bf983969151d15524b73ebcd1c1565b5c80fa3d1f97bd9f8d29699eeed1f1824b4e68f1818794bdeb1837d616d12527442d15713e94481e8e8d7e

Download Submit
C:\Windows\SysWOW64\wpku.exe

Filesize
94KB

MD5
f29d3d0c82cbbcfb385539d638e6fd8b

SHA1
5d095e48e8f040147c2cf5002668d570ae34b126

SHA256
aa76e745dd60ae2ccdf3685266bc1dee6d267dff91085fdf7d81a61423d1c241

SHA512
34f76f2fdeae70e6469fe85f99384b74017bd652363897b1520dd3b0a2151587c3dd18dc14b548d61948fc684103db43136299c5b5ad3db8bc7417a13c45be71

Download Submit
C:\Windows\SysWOW64\wpmp.exe

Filesize
94KB

MD5
72541f88a890051d988f5a267623181a

SHA1
bd70f95099121a6cb17ffef7b4ac686426d30610

SHA256
8d3b2a4b1a5f794801d042455e9e90d5c2e21a053c70d2dcc45259c40e75e7d4

SHA512
89d4584db915023e586eec6e5a8aeac37c4aac3f2d06d938f676ca5c419c785acd6a2e3c106df3946d08549f7263e258ab32457267a61c3befffcb519d9d34ea

Download Submit
C:\Windows\SysWOW64\wpwdlh.exe

Filesize
94KB

MD5
3ede9db42ddcda04e93621f35d3e2394

SHA1
2bec0043d0f7c0b93dd26ee9bf7132a1ec80eef2

SHA256
eb793b0c3c4619a876c0b9e794f1d254545b4b1ea318c64f7d735867f6e1c645

SHA512
30cc30c80e412052ec99178b8b858a7d269e35164437b3afafa49fd9a7e3cbf89cf5272dc0dc3f6f5dc1f8ca3cc8a93a650d1678753a37a64373375f3df0fd84

Download Submit
C:\Windows\SysWOW64\wqmm.exe

Filesize
94KB

MD5
ae56ff2f606d4180feab24b81bb72058

SHA1
9349aeda8ed8fbd4a8c36ca6b8e154d6b08ff0eb

SHA256
970747ad615adda30b33c5641f55cc6fd4aed6659ab4b5cedcf2420c9788d4c0

SHA512
76bdc5fafa5131209d6e53a2030882120b63c2efddef494b3490e88af5186e9b519b483e2f3160e482c40b11be278720678bebd76e6d4de03e3e1f3de8a3104f

Download Submit
C:\Windows\SysWOW64\wslqdk.exe

Filesize
94KB

MD5
26ed615077fd85e62d156418a1448575

SHA1
4f9e0f1700e4271d13e94cb951a3208ca11c7401

SHA256
7e5fe9cc281f6a9af152eb136e83a6034b38a4a31ab6fffc682c1c9840ecbaa2

SHA512
61a0c65f5541d9f1a81cb1deb5e2bbe26aaf8c3c82d9dbd3e82d8213b7118fcfefb048e3fedbcc5292cb50ff4f3adda30d7ae7eb74cdd11e55338e09de3688b5

Download Submit
C:\Windows\SysWOW64\wugjtf.exe

Filesize
94KB

MD5
e621b9bcfde103a4f359455521bb0014

SHA1
3d54cfd827cf7f6e7f82670e9e4acd86c22a1a7d

SHA256
138538fe68daebe95aaf2038407d36e7b1622f47807a72f6ceaff83e10b4d861

SHA512
7ba0659424577e1c729b9fcb825f72fff7b9a89837308d74ff5eb08bc7397583c32910db3b93c8e31d7d969772d8e1e09409cdd77a608d071a4577080813cbc0

Download Submit
C:\Windows\SysWOW64\wvhd.exe

Filesize
94KB

MD5
888f24ca6635682a65ead09cbaedfac6

SHA1
d4718ff47730c77816151f736a9f51b6e83932be

SHA256
07b27d77b50e7e3b53e6f1bd01aa85feb3091beffb20fa0c22ddf0ba8f9efc68

SHA512
b742be35847a183ab60c3b8ef5fba6db9d1d92a9958a6a4540ef2e0160f8166119bbcdd8653aad9903ae41f44f793bea4670f0853635ef69a169d07bac4e58bd

Download Submit
C:\Windows\SysWOW64\wwoghusd.exe

Filesize
94KB

MD5
6d5f5f1d7f9dcd8761a6d7fa16701305

SHA1
5eefdbc51afa59d8159325cfba0825e6ded17cc0

SHA256
724f7dd7689c2ba091d780375c8838daf975ce166ef2c02acf3377ac36ce73b1

SHA512
c30361b86c8422e200eba2e220753e20278a4fdf683eabfd2a8b7fae4d3ac892fd55c7e6a30b9db95d336a2f2b18a7f50d557df17ff0ec230b3aac98e7a4d8b4

Download Submit
C:\Windows\SysWOW64\wxlgc.exe

Filesize
94KB

MD5
222b43c21e88a71f2137c3129497464f

SHA1
73e587880d0167ac1b0af3efe151b2604dcb21b5

SHA256
fefb1e330611e57f819dc2f7dd055b2f8dc48f26a36c0686894f1c5d0a213e65

SHA512
d09e413f4348b021062d4ada920b28d4baef0885122783958a75fe9a3cd708b1a5fdf898263ca4063b9bc5b0545ed12393a1006343814e23d2eb02b04c39f0c1

Download Submit
C:\Windows\SysWOW64\wxs.exe

Filesize
94KB

MD5
c5f42f436270531cc58467a8f3eaa1e2

SHA1
57affae823f44ca0ab72cfad75676920fa0d088c

SHA256
059edb96257197bf04db63eb40e56308edadf2b21cca649c00b9938c397ee4cc

SHA512
8aca0621a4c85972d310f0ca72fef6cfd8715890f3cafafbbd07b7181cf5253d82f817b1b27dade4a3448ee13392df55a4acc1a9cc3faed6da540c5246892497

Download Submit
C:\Windows\SysWOW64\wxwqxb.exe

Filesize
94KB

MD5
80c7d424462f2438e72a3338cf48a917

SHA1
94aa68940d3c63a63fef2d54ab33c6ebb8117f4c

SHA256
9a1bd6a9320cabed392846c202286c6c176ad5b1f4184fe1f155112f08174259

SHA512
6916eab2785cb5552c1ef350503df1b5833973645da7738538ceb335aa3e93e76d6f2b6e9620eeceb7ae2e2fd018b4ba4e5d1ecf91924b80262c6f2826124dfb

Download Submit
memory/368-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/368-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/400-300-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/972-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/976-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1680-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2324-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2460-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2516-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2900-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2952-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2980-260-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3064-280-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3112-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3128-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3444-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3536-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3560-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3628-190-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3644-170-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3940-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4060-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4216-120-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4344-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4436-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4468-290-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4572-310-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4608-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4928-80-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download