cffcb0535a8fabf74f43ed89ef52236ef4fade593ce61dfbc450bbbd46581d0e

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6f2a5890f65a50909719ab6998adcf20.exe
Size

85KB
MD5

6f2a5890f65a50909719ab6998adcf20
SHA1

0b51cbe55cae3bc6b8ab4f63c458a719a67cac7e
SHA256

cffcb0535a8fabf74f43ed89ef52236ef4fade593ce61dfbc450bbbd46581d0e
SHA512

6bc2115f6519e2f3dd33b111b140b83cd1f53a8e105da776f63c1432d58a089ba77c0c96b0d6f66e98611266471b48e5244b7d797f49ebf7248d966617d04223
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71Gq:1eOLK7hNIMLrCiS4+PwRjY5xhEAXf

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wrrhlgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wryoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wxjukmo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wurpvjty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wfnmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wfrlsr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wjntcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wecj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wxnouba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wixocw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wvaabp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wxyrmcpkw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wusfmlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wnffs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wbqocrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wuddkpjr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wnfwfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	weslsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wsaqgtqeo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wbvgskuan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wmavv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wjwfnvpm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wndwadla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wdtqdnx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wlwhpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wedvile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wprouogd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wvge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	woxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wnqpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wgbvblps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wcxsrjq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wjccii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wxiiijxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wbiiyl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wyjuanaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	waacijgqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wwjyj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wmqlkuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wjdww.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wpg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wouslao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wlhpr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wlah.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wjybea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wexyyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wclxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wmmihu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wdvurrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wcklmk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	watihm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wfgfaua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wcwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wqujr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wofkfcgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	whpqyao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	whcrrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.6f2a5890f65a50909719ab6998adcf20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wovslmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wusvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	wmc.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	wpg.exe
1804	wbiiyl.exe
4292	wurpvjty.exe
4188	wyjuanaa.exe
4384	wfnmmt.exe
3604	wjwfnvpm.exe
3060	wnffs.exe
3872	wmmihu.exe
4972	waacijgqm.exe
3112	wiy.exe
4852	wbvgskuan.exe
2968	wcwd.exe
2740	wovslmv.exe
4960	wndwadla.exe
4156	wbqocrs.exe
2232	wuddkpjr.exe
3112	wecj.exe
4000	wnfwfj.exe
4200	wdvurrh.exe
3188	wcklmk.exe
2272	wfrlsr.exe
4976	weslsl.exe
5100	wlah.exe
2460	wprouogd.exe
3604	wqujr.exe
1016	wxnouba.exe
2228	wixocw.exe
1808	wusvj.exe
3316	wjybea.exe
4248	wmc.exe
1548	wdtqdnx.exe
3220	wofkfcgm.exe
2052	wvge.exe
2232	wwjyj.exe
2084	wmavv.exe
5024	whpqyao.exe
1604	wsaqgtqeo.exe
1108	wmqlkuj.exe
2016	wvaabp.exe
1756	wjntcd.exe
4692	watihm.exe
5116	wjdww.exe
4660	woxy.exe
4488	wouslao.exe
4216	wrrhlgu.exe
1708	wexyyx.exe
3916	wlwhpw.exe
4388	wlhpr.exe
2436	wxyrmcpkw.exe
1340	wnqpx.exe
1140	wjccii.exe
3192	whcrrc.exe
956	wusfmlp.exe
4036	wds.exe
2272	wxiiijxm.exe
1688	wclxt.exe
4012	wxjukmo.exe
4592	wryoo.exe
1468	wunba.exe
368	wgbvblps.exe
2808	wcxsrjq.exe
2576	womlsy.exe
3928	wge.exe
2164	wfgfaua.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\watihm = "\"C:\\Windows\\SysWOW64\\watihm.exe\""	watihm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjdww = "\"C:\\Windows\\SysWOW64\\wjdww.exe\""	wjdww.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxyrmcpkw = "\"C:\\Windows\\SysWOW64\\wxyrmcpkw.exe\""	wxyrmcpkw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwpnbqq = "\"C:\\Windows\\SysWOW64\\wwpnbqq.exe\""	wwpnbqq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyjuanaa = "\"C:\\Windows\\SysWOW64\\wyjuanaa.exe\""	wyjuanaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuddkpjr = "\"C:\\Windows\\SysWOW64\\wuddkpjr.exe\""	wuddkpjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpg = "\"C:\\Windows\\SysWOW64\\wpg.exe\""	wpg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wds = "\"C:\\Windows\\SysWOW64\\wds.exe\""	wds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wouslao = "\"C:\\Windows\\SysWOW64\\wouslao.exe\""	wouslao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wexyyx = "\"C:\\Windows\\SysWOW64\\wexyyx.exe\""	wexyyx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfrlsr = "\"C:\\Windows\\SysWOW64\\wfrlsr.exe\""	wfrlsr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wusvj = "\"C:\\Windows\\SysWOW64\\wusvj.exe\""	wusvj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmavv = "\"C:\\Windows\\SysWOW64\\wmavv.exe\""	wmavv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlhpr = "\"C:\\Windows\\SysWOW64\\wlhpr.exe\""	wlhpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whcrrc = "\"C:\\Windows\\SysWOW64\\whcrrc.exe\""	whcrrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wusfmlp = "\"C:\\Windows\\SysWOW64\\wusfmlp.exe\""	wusfmlp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbiiyl = "\"C:\\Windows\\SysWOW64\\wbiiyl.exe\""	wbiiyl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wecj = "\"C:\\Windows\\SysWOW64\\wecj.exe\""	wecj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnfwfj = "\"C:\\Windows\\SysWOW64\\wnfwfj.exe\""	wnfwfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxnouba = "\"C:\\Windows\\SysWOW64\\wxnouba.exe\""	wxnouba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxiiijxm = "\"C:\\Windows\\SysWOW64\\wxiiijxm.exe\""	wxiiijxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wryoo = "\"C:\\Windows\\SysWOW64\\wryoo.exe\""	wryoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgbvblps = "\"C:\\Windows\\SysWOW64\\wgbvblps.exe\""	wgbvblps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wurpvjty = "\"C:\\Windows\\SysWOW64\\wurpvjty.exe\""	wurpvjty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmmihu = "\"C:\\Windows\\SysWOW64\\wmmihu.exe\""	wmmihu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcxsrjq = "\"C:\\Windows\\SysWOW64\\wcxsrjq.exe\""	wcxsrjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdtqdnx = "\"C:\\Windows\\SysWOW64\\wdtqdnx.exe\""	wdtqdnx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxjukmo = "\"C:\\Windows\\SysWOW64\\wxjukmo.exe\""	wxjukmo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wndwadla = "\"C:\\Windows\\SysWOW64\\wndwadla.exe\""	wndwadla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbqocrs = "\"C:\\Windows\\SysWOW64\\wbqocrs.exe\""	wbqocrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwjyj = "\"C:\\Windows\\SysWOW64\\wwjyj.exe\""	wwjyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjwfnvpm = "\"C:\\Windows\\SysWOW64\\wjwfnvpm.exe\""	wjwfnvpm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcwd = "\"C:\\Windows\\SysWOW64\\wcwd.exe\""	wcwd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wixocw = "\"C:\\Windows\\SysWOW64\\wixocw.exe\""	wixocw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmc = "\"C:\\Windows\\SysWOW64\\wmc.exe\""	wmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmqlkuj = "\"C:\\Windows\\SysWOW64\\wmqlkuj.exe\""	wmqlkuj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjntcd = "\"C:\\Windows\\SysWOW64\\wjntcd.exe\""	wjntcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrrhlgu = "\"C:\\Windows\\SysWOW64\\wrrhlgu.exe\""	wrrhlgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wclxt = "\"C:\\Windows\\SysWOW64\\wclxt.exe\""	wclxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlah = "\"C:\\Windows\\SysWOW64\\wlah.exe\""	wlah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqujr = "\"C:\\Windows\\SysWOW64\\wqujr.exe\""	wqujr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wge = "\"C:\\Windows\\SysWOW64\\wge.exe\""	wge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdvurrh = "\"C:\\Windows\\SysWOW64\\wdvurrh.exe\""	wdvurrh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnffs = "\"C:\\Windows\\SysWOW64\\wnffs.exe\""	wnffs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbvgskuan = "\"C:\\Windows\\SysWOW64\\wbvgskuan.exe\""	wbvgskuan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunba = "\"C:\\Windows\\SysWOW64\\wunba.exe\""	wunba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weslsl = "\"C:\\Windows\\SysWOW64\\weslsl.exe\""	weslsl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woxy = "\"C:\\Windows\\SysWOW64\\woxy.exe\""	woxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wovslmv = "\"C:\\Windows\\SysWOW64\\wovslmv.exe\""	wovslmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvge = "\"C:\\Windows\\SysWOW64\\wvge.exe\""	wvge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\womlsy = "\"C:\\Windows\\SysWOW64\\womlsy.exe\""	womlsy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcklmk = "\"C:\\Windows\\SysWOW64\\wcklmk.exe\""	wcklmk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsaqgtqeo = "\"C:\\Windows\\SysWOW64\\wsaqgtqeo.exe\""	wsaqgtqeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvaabp = "\"C:\\Windows\\SysWOW64\\wvaabp.exe\""	wvaabp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlwhpw = "\"C:\\Windows\\SysWOW64\\wlwhpw.exe\""	wlwhpw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnqpx = "\"C:\\Windows\\SysWOW64\\wnqpx.exe\""	wnqpx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfgfaua = "\"C:\\Windows\\SysWOW64\\wfgfaua.exe\""	wfgfaua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NEAS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.6f2a5890f65a50909719ab6998adcf20.exe\""	NEAS.6f2a5890f65a50909719ab6998adcf20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfnmmt = "\"C:\\Windows\\SysWOW64\\wfnmmt.exe\""	wfnmmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wedvile = "\"C:\\Windows\\SysWOW64\\wedvile.exe\""	wedvile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waacijgqm = "\"C:\\Windows\\SysWOW64\\waacijgqm.exe\""	waacijgqm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjybea = "\"C:\\Windows\\SysWOW64\\wjybea.exe\""	wjybea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofkfcgm = "\"C:\\Windows\\SysWOW64\\wofkfcgm.exe\""	wofkfcgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whpqyao = "\"C:\\Windows\\SysWOW64\\whpqyao.exe\""	whpqyao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wcklmk.exe	wdvurrh.exe
File created	C:\Windows\SysWOW64\wwjyj.exe	wvge.exe
File created	C:\Windows\SysWOW64\wxiiijxm.exe	wds.exe
File opened for modification	C:\Windows\SysWOW64\wwpnbqq.exe	wedvile.exe
File opened for modification	C:\Windows\SysWOW64\wpg.exe	NEAS.6f2a5890f65a50909719ab6998adcf20.exe
File opened for modification	C:\Windows\SysWOW64\wvaabp.exe	wmqlkuj.exe
File created	C:\Windows\SysWOW64\wryoo.exe	wxjukmo.exe
File opened for modification	C:\Windows\SysWOW64\wfgfaua.exe	wge.exe
File opened for modification	C:\Windows\SysWOW64\watihm.exe	wjntcd.exe
File created	C:\Windows\SysWOW64\wcwd.exe	wbvgskuan.exe
File created	C:\Windows\SysWOW64\wfrlsr.exe	wcklmk.exe
File opened for modification	C:\Windows\SysWOW64\wwjyj.exe	wvge.exe
File opened for modification	C:\Windows\SysWOW64\wlwhpw.exe	wexyyx.exe
File created	C:\Windows\SysWOW64\wlhpr.exe	wlwhpw.exe
File opened for modification	C:\Windows\SysWOW64\wds.exe	wusfmlp.exe
File created	C:\Windows\SysWOW64\wsaqgtqeo.exe	whpqyao.exe
File opened for modification	C:\Windows\SysWOW64\wryoo.exe	wxjukmo.exe
File created	C:\Windows\SysWOW64\wrrhlgu.exe	wouslao.exe
File created	C:\Windows\SysWOW64\wlls.exe	wwpnbqq.exe
File opened for modification	C:\Windows\SysWOW64\wovslmv.exe	wcwd.exe
File opened for modification	C:\Windows\SysWOW64\wdvurrh.exe	wnfwfj.exe
File opened for modification	C:\Windows\SysWOW64\wofkfcgm.exe	wdtqdnx.exe
File created	C:\Windows\SysWOW64\wmavv.exe	wwjyj.exe
File opened for modification	C:\Windows\SysWOW64\wjntcd.exe	wvaabp.exe
File opened for modification	C:\Windows\SysWOW64\wjdww.exe	watihm.exe
File opened for modification	C:\Windows\SysWOW64\wyjuanaa.exe	wurpvjty.exe
File opened for modification	C:\Windows\SysWOW64\wnffs.exe	wjwfnvpm.exe
File opened for modification	C:\Windows\SysWOW64\wcklmk.exe	wdvurrh.exe
File opened for modification	C:\Windows\SysWOW64\wqujr.exe	wprouogd.exe
File created	C:\Windows\SysWOW64\wfnmmt.exe	wyjuanaa.exe
File created	C:\Windows\SysWOW64\waacijgqm.exe	wmmihu.exe
File opened for modification	C:\Windows\SysWOW64\weslsl.exe	wfrlsr.exe
File created	C:\Windows\SysWOW64\wofkfcgm.exe	wdtqdnx.exe
File opened for modification	C:\Windows\SysWOW64\wclxt.exe	wxiiijxm.exe
File created	C:\Windows\SysWOW64\wgbvblps.exe	wunba.exe
File opened for modification	C:\Windows\SysWOW64\wsaqgtqeo.exe	whpqyao.exe
File created	C:\Windows\SysWOW64\wxyrmcpkw.exe	wlhpr.exe
File created	C:\Windows\SysWOW64\wqujr.exe	wprouogd.exe
File opened for modification	C:\Windows\SysWOW64\wxnouba.exe	wqujr.exe
File opened for modification	C:\Windows\SysWOW64\whcrrc.exe	wjccii.exe
File created	C:\Windows\SysWOW64\wnfwfj.exe	wecj.exe
File created	C:\Windows\SysWOW64\watihm.exe	wjntcd.exe
File opened for modification	C:\Windows\SysWOW64\wbvgskuan.exe	wiy.exe
File created	C:\Windows\SysWOW64\wdvurrh.exe	wnfwfj.exe
File created	C:\Windows\SysWOW64\wouslao.exe	woxy.exe
File created	C:\Windows\SysWOW64\wbvgskuan.exe	wiy.exe
File created	C:\Windows\SysWOW64\weslsl.exe	wfrlsr.exe
File opened for modification	C:\Windows\SysWOW64\wusvj.exe	wixocw.exe
File opened for modification	C:\Windows\SysWOW64\wmavv.exe	wwjyj.exe
File created	C:\Windows\SysWOW64\wvaabp.exe	wmqlkuj.exe
File opened for modification	C:\Windows\SysWOW64\wxjukmo.exe	wclxt.exe
File opened for modification	C:\Windows\SysWOW64\wmmihu.exe	wnffs.exe
File opened for modification	C:\Windows\SysWOW64\wbqocrs.exe	wndwadla.exe
File opened for modification	C:\Windows\SysWOW64\wxyrmcpkw.exe	wlhpr.exe
File opened for modification	C:\Windows\SysWOW64\wnqpx.exe	wxyrmcpkw.exe
File opened for modification	C:\Windows\SysWOW64\wjccii.exe	wnqpx.exe
File opened for modification	C:\Windows\SysWOW64\wlls.exe	wwpnbqq.exe
File created	C:\Windows\SysWOW64\wlwhpw.exe	wexyyx.exe
File created	C:\Windows\SysWOW64\wusfmlp.exe	whcrrc.exe
File created	C:\Windows\SysWOW64\wiy.exe	waacijgqm.exe
File created	C:\Windows\SysWOW64\wecj.exe	wuddkpjr.exe
File created	C:\Windows\SysWOW64\wprouogd.exe	wlah.exe
File opened for modification	C:\Windows\SysWOW64\wmc.exe	wjybea.exe
File opened for modification	C:\Windows\SysWOW64\woxy.exe	wjdww.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4952	2832	WerFault.exe	89
4552	4960	WerFault.exe	138
4748	4156	WerFault.exe	141
1192	1016	WerFault.exe	185
3156	1548	WerFault.exe	202
4216	2084	WerFault.exe	216
928	1340	WerFault.exe	264
4948	1340	WerFault.exe	264

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2832	1468	NEAS.6f2a5890f65a50909719ab6998adcf20.exe	89
PID 1468 wrote to memory of 2832	1468	NEAS.6f2a5890f65a50909719ab6998adcf20.exe	89
PID 1468 wrote to memory of 2832	1468	NEAS.6f2a5890f65a50909719ab6998adcf20.exe	89
PID 1468 wrote to memory of 4984	1468	NEAS.6f2a5890f65a50909719ab6998adcf20.exe	91
PID 1468 wrote to memory of 4984	1468	NEAS.6f2a5890f65a50909719ab6998adcf20.exe	91
PID 1468 wrote to memory of 4984	1468	NEAS.6f2a5890f65a50909719ab6998adcf20.exe	91
PID 2832 wrote to memory of 1804	2832	wpg.exe	95
PID 2832 wrote to memory of 1804	2832	wpg.exe	95
PID 2832 wrote to memory of 1804	2832	wpg.exe	95
PID 2832 wrote to memory of 464	2832	wpg.exe	96
PID 2832 wrote to memory of 464	2832	wpg.exe	96
PID 2832 wrote to memory of 464	2832	wpg.exe	96
PID 1804 wrote to memory of 4292	1804	wbiiyl.exe	102
PID 1804 wrote to memory of 4292	1804	wbiiyl.exe	102
PID 1804 wrote to memory of 4292	1804	wbiiyl.exe	102
PID 1804 wrote to memory of 4936	1804	wbiiyl.exe	103
PID 1804 wrote to memory of 4936	1804	wbiiyl.exe	103
PID 1804 wrote to memory of 4936	1804	wbiiyl.exe	103
PID 4292 wrote to memory of 4188	4292	wurpvjty.exe	105
PID 4292 wrote to memory of 4188	4292	wurpvjty.exe	105
PID 4292 wrote to memory of 4188	4292	wurpvjty.exe	105
PID 4292 wrote to memory of 1480	4292	wurpvjty.exe	106
PID 4292 wrote to memory of 1480	4292	wurpvjty.exe	106
PID 4292 wrote to memory of 1480	4292	wurpvjty.exe	106
PID 4188 wrote to memory of 4384	4188	wyjuanaa.exe	109
PID 4188 wrote to memory of 4384	4188	wyjuanaa.exe	109
PID 4188 wrote to memory of 4384	4188	wyjuanaa.exe	109
PID 4188 wrote to memory of 1268	4188	wyjuanaa.exe	110
PID 4188 wrote to memory of 1268	4188	wyjuanaa.exe	110
PID 4188 wrote to memory of 1268	4188	wyjuanaa.exe	110
PID 4384 wrote to memory of 3604	4384	wfnmmt.exe	113
PID 4384 wrote to memory of 3604	4384	wfnmmt.exe	113
PID 4384 wrote to memory of 3604	4384	wfnmmt.exe	113
PID 4384 wrote to memory of 5100	4384	wfnmmt.exe	114
PID 4384 wrote to memory of 5100	4384	wfnmmt.exe	114
PID 4384 wrote to memory of 5100	4384	wfnmmt.exe	114
PID 3604 wrote to memory of 3060	3604	wjwfnvpm.exe	116
PID 3604 wrote to memory of 3060	3604	wjwfnvpm.exe	116
PID 3604 wrote to memory of 3060	3604	wjwfnvpm.exe	116
PID 3604 wrote to memory of 112	3604	wjwfnvpm.exe	117
PID 3604 wrote to memory of 112	3604	wjwfnvpm.exe	117
PID 3604 wrote to memory of 112	3604	wjwfnvpm.exe	117
PID 3060 wrote to memory of 3872	3060	wnffs.exe	119
PID 3060 wrote to memory of 3872	3060	wnffs.exe	119
PID 3060 wrote to memory of 3872	3060	wnffs.exe	119
PID 3060 wrote to memory of 1496	3060	wnffs.exe	120
PID 3060 wrote to memory of 1496	3060	wnffs.exe	120
PID 3060 wrote to memory of 1496	3060	wnffs.exe	120
PID 3872 wrote to memory of 4972	3872	wmmihu.exe	122
PID 3872 wrote to memory of 4972	3872	wmmihu.exe	122
PID 3872 wrote to memory of 4972	3872	wmmihu.exe	122
PID 3872 wrote to memory of 3960	3872	wmmihu.exe	123
PID 3872 wrote to memory of 3960	3872	wmmihu.exe	123
PID 3872 wrote to memory of 3960	3872	wmmihu.exe	123
PID 4972 wrote to memory of 3112	4972	waacijgqm.exe	125
PID 4972 wrote to memory of 3112	4972	waacijgqm.exe	125
PID 4972 wrote to memory of 3112	4972	waacijgqm.exe	125
PID 4972 wrote to memory of 2832	4972	waacijgqm.exe	126
PID 4972 wrote to memory of 2832	4972	waacijgqm.exe	126
PID 4972 wrote to memory of 2832	4972	waacijgqm.exe	126
PID 3112 wrote to memory of 4852	3112	wiy.exe	128
PID 3112 wrote to memory of 4852	3112	wiy.exe	128
PID 3112 wrote to memory of 4852	3112	wiy.exe	128
PID 3112 wrote to memory of 2056	3112	wiy.exe	130

C:\Users\Admin\AppData\Local\Temp\NEAS.6f2a5890f65a50909719ab6998adcf20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6f2a5890f65a50909719ab6998adcf20.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\wpg.exe
  "C:\Windows\system32\wpg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\wbiiyl.exe
    "C:\Windows\system32\wbiiyl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\wurpvjty.exe
      "C:\Windows\system32\wurpvjty.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\wyjuanaa.exe
        
        "C:\Windows\system32\wyjuanaa.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Windows\SysWOW64\wfnmmt.exe
        
        "C:\Windows\system32\wfnmmt.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\wjwfnvpm.exe
        
        "C:\Windows\system32\wjwfnvpm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\wnffs.exe
        
        "C:\Windows\system32\wnffs.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\wmmihu.exe
        
        "C:\Windows\system32\wmmihu.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\waacijgqm.exe
        
        "C:\Windows\system32\waacijgqm.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\wiy.exe
        
        "C:\Windows\system32\wiy.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\wbvgskuan.exe
        
        "C:\Windows\system32\wbvgskuan.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\wcwd.exe
        
        "C:\Windows\system32\wcwd.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wovslmv.exe
        
        "C:\Windows\system32\wovslmv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2740
        
        C:\Windows\SysWOW64\wndwadla.exe
        
        "C:\Windows\system32\wndwadla.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\wbqocrs.exe
        
        "C:\Windows\system32\wbqocrs.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4156
        
        C:\Windows\SysWOW64\wuddkpjr.exe
        
        "C:\Windows\system32\wuddkpjr.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\wecj.exe
        
        "C:\Windows\system32\wecj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\wnfwfj.exe
        
        "C:\Windows\system32\wnfwfj.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\wdvurrh.exe
        
        "C:\Windows\system32\wdvurrh.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\wcklmk.exe
        
        "C:\Windows\system32\wcklmk.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\wfrlsr.exe
        
        "C:\Windows\system32\wfrlsr.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\weslsl.exe
        
        "C:\Windows\system32\weslsl.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4976
        
        C:\Windows\SysWOW64\wlah.exe
        
        "C:\Windows\system32\wlah.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wprouogd.exe
        
        "C:\Windows\system32\wprouogd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\wqujr.exe
        
        "C:\Windows\system32\wqujr.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\wxnouba.exe
        
        "C:\Windows\system32\wxnouba.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1016
        
        C:\Windows\SysWOW64\wixocw.exe
        
        "C:\Windows\system32\wixocw.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\wusvj.exe
        
        "C:\Windows\system32\wusvj.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1808
        
        C:\Windows\SysWOW64\wjybea.exe
        
        "C:\Windows\system32\wjybea.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\wmc.exe
        
        "C:\Windows\system32\wmc.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4248
        
        C:\Windows\SysWOW64\wdtqdnx.exe
        
        "C:\Windows\system32\wdtqdnx.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wofkfcgm.exe
        
        "C:\Windows\system32\wofkfcgm.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3220
        
        C:\Windows\SysWOW64\wvge.exe
        
        "C:\Windows\system32\wvge.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\wwjyj.exe
        
        "C:\Windows\system32\wwjyj.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\wmavv.exe
        
        "C:\Windows\system32\wmavv.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2084
        
        C:\Windows\SysWOW64\whpqyao.exe
        
        "C:\Windows\system32\whpqyao.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\wsaqgtqeo.exe
        
        "C:\Windows\system32\wsaqgtqeo.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1604
        
        C:\Windows\SysWOW64\wmqlkuj.exe
        
        "C:\Windows\system32\wmqlkuj.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\wvaabp.exe
        
        "C:\Windows\system32\wvaabp.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\wjntcd.exe
        
        "C:\Windows\system32\wjntcd.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\watihm.exe
        
        "C:\Windows\system32\watihm.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\wjdww.exe
        
        "C:\Windows\system32\wjdww.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\woxy.exe
        
        "C:\Windows\system32\woxy.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\wouslao.exe
        
        "C:\Windows\system32\wouslao.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\wrrhlgu.exe
        
        "C:\Windows\system32\wrrhlgu.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4216
        
        C:\Windows\SysWOW64\wexyyx.exe
        
        "C:\Windows\system32\wexyyx.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\wlwhpw.exe
        
        "C:\Windows\system32\wlwhpw.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\wlhpr.exe
        
        "C:\Windows\system32\wlhpr.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\wxyrmcpkw.exe
        
        "C:\Windows\system32\wxyrmcpkw.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\wnqpx.exe
        
        "C:\Windows\system32\wnqpx.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\wjccii.exe
        
        "C:\Windows\system32\wjccii.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\whcrrc.exe
        
        "C:\Windows\system32\whcrrc.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\wusfmlp.exe
        
        "C:\Windows\system32\wusfmlp.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\wds.exe
        
        "C:\Windows\system32\wds.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\wxiiijxm.exe
        
        "C:\Windows\system32\wxiiijxm.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wclxt.exe
        
        "C:\Windows\system32\wclxt.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wxjukmo.exe
        
        "C:\Windows\system32\wxjukmo.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\wryoo.exe
        
        "C:\Windows\system32\wryoo.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4592
        
        C:\Windows\SysWOW64\wunba.exe
        
        "C:\Windows\system32\wunba.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\wgbvblps.exe
        
        "C:\Windows\system32\wgbvblps.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:368
        
        C:\Windows\SysWOW64\wcxsrjq.exe
        
        "C:\Windows\system32\wcxsrjq.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2808
        
        C:\Windows\SysWOW64\womlsy.exe
        
        "C:\Windows\system32\womlsy.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\SysWOW64\wge.exe
        
        "C:\Windows\system32\wge.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\wfgfaua.exe
        
        "C:\Windows\system32\wfgfaua.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2164
        
        C:\Windows\SysWOW64\wedvile.exe
        
        "C:\Windows\system32\wedvile.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\wwpnbqq.exe
        
        "C:\Windows\system32\wwpnbqq.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\wlls.exe
        
        "C:\Windows\system32\wlls.exe"
        68⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpnbqq.exe"
        68⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedvile.exe"
        67⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgfaua.exe"
        66⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wge.exe"
        65⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womlsy.exe"
        64⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxsrjq.exe"
        63⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgbvblps.exe"
        62⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunba.exe"
        61⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryoo.exe"
        60⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjukmo.exe"
        59⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclxt.exe"
        58⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiiijxm.exe"
        57⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wds.exe"
        56⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusfmlp.exe"
        55⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcrrc.exe"
        54⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjccii.exe"
        53⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqpx.exe"
        52⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1280
        52⤵
        Program crash
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 528
        52⤵
        Program crash
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyrmcpkw.exe"
        51⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhpr.exe"
        50⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwhpw.exe"
        49⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexyyx.exe"
        48⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrhlgu.exe"
        47⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wouslao.exe"
        46⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxy.exe"
        45⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdww.exe"
        44⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watihm.exe"
        43⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjntcd.exe"
        42⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvaabp.exe"
        41⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqlkuj.exe"
        40⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsaqgtqeo.exe"
        39⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpqyao.exe"
        38⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmavv.exe"
        37⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1672
        37⤵
        Program crash
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjyj.exe"
        36⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvge.exe"
        35⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofkfcgm.exe"
        34⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtqdnx.exe"
        33⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1068
        33⤵
        Program crash
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmc.exe"
        32⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjybea.exe"
        31⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusvj.exe"
        30⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixocw.exe"
        29⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnouba.exe"
        28⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1412
        28⤵
        Program crash
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqujr.exe"
        27⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprouogd.exe"
        26⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlah.exe"
        25⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weslsl.exe"
        24⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrlsr.exe"
        23⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcklmk.exe"
        22⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvurrh.exe"
        21⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfwfj.exe"
        20⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecj.exe"
        19⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuddkpjr.exe"
        18⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqocrs.exe"
        17⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1684
        17⤵
        Program crash
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndwadla.exe"
        16⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 232
        16⤵
        Program crash
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovslmv.exe"
        15⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwd.exe"
        14⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvgskuan.exe"
        13⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiy.exe"
        12⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waacijgqm.exe"
        11⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmihu.exe"
        10⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnffs.exe"
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwfnvpm.exe"
        8⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnmmt.exe"
        7⤵
        
        PID:5100
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjuanaa.exe"
        6⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurpvjty.exe"
        5⤵
        
        PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbiiyl.exe"
      4⤵
      PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpg.exe"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1536
    3⤵
    - Program crash
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\NEAS.6f2a5890f65a50909719ab6998adcf20.exe"
  2⤵
  PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4960 -ip 4960
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4156 -ip 4156
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1016 -ip 1016
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1548 -ip 1548
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2084 -ip 2084
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1340 -ip 1340
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1340 -ip 1340
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waacijgqm.exe

Filesize
85KB

MD5
ad199f953341fee71919edee96bc0197

SHA1
c8115fde8de0d083689116412e811c5809b92a4e

SHA256
afd6616a51b8330ac2c1126c7419695415147411f5d4bb24f31d7d974bcaabe4

SHA512
bbe41d7fdfe9ed380bdb0e4ac15097e9a37b94b012658955c59d2646aaa17337591286d522069182e1b2392f6cbc2eb6dbf54be7c15b3a5c3f6772af947a0bf6

Download Submit
C:\Windows\SysWOW64\waacijgqm.exe

Filesize
85KB

MD5
ad199f953341fee71919edee96bc0197

SHA1
c8115fde8de0d083689116412e811c5809b92a4e

SHA256
afd6616a51b8330ac2c1126c7419695415147411f5d4bb24f31d7d974bcaabe4

SHA512
bbe41d7fdfe9ed380bdb0e4ac15097e9a37b94b012658955c59d2646aaa17337591286d522069182e1b2392f6cbc2eb6dbf54be7c15b3a5c3f6772af947a0bf6

Download Submit
C:\Windows\SysWOW64\wbiiyl.exe

Filesize
85KB

MD5
f4c448a573e07a67b664915ad2ac99dd

SHA1
d3dde9b71b9066651d0e668ffa06670802921a6b

SHA256
ab64db63f21b45f2dbcef37ef95efe989ca9312cd029a8b311bf611f10b07c7a

SHA512
ef727c3c89231f2d115cec79642a926220573c11f5136a308324cf6b58a12bec9ffa910cf8a4ef10db364106c5bc1fc7df0b5724061ce6b0ce4d5545d8e52635

Download Submit
C:\Windows\SysWOW64\wbiiyl.exe

Filesize
85KB

MD5
f4c448a573e07a67b664915ad2ac99dd

SHA1
d3dde9b71b9066651d0e668ffa06670802921a6b

SHA256
ab64db63f21b45f2dbcef37ef95efe989ca9312cd029a8b311bf611f10b07c7a

SHA512
ef727c3c89231f2d115cec79642a926220573c11f5136a308324cf6b58a12bec9ffa910cf8a4ef10db364106c5bc1fc7df0b5724061ce6b0ce4d5545d8e52635

Download Submit
C:\Windows\SysWOW64\wbqocrs.exe

Filesize
85KB

MD5
58fa4794346ac220bfd1de204fe9b0f1

SHA1
07efc9d4e48387dc64ecd904b5119ef8ad345976

SHA256
e2e2d626a7f53e37fe8b7d158520220c3e96283a41d2a12babeb78a27f72f856

SHA512
5744901a99db40a67e113a421f06e90705d0443a5a764139f2cfc34e78785057219ab4b2ceb6a334e89070cfcaabb07d51761102fe5fc665b722df105bcfb644

Download Submit
C:\Windows\SysWOW64\wbqocrs.exe

Filesize
85KB

MD5
58fa4794346ac220bfd1de204fe9b0f1

SHA1
07efc9d4e48387dc64ecd904b5119ef8ad345976

SHA256
e2e2d626a7f53e37fe8b7d158520220c3e96283a41d2a12babeb78a27f72f856

SHA512
5744901a99db40a67e113a421f06e90705d0443a5a764139f2cfc34e78785057219ab4b2ceb6a334e89070cfcaabb07d51761102fe5fc665b722df105bcfb644

Download Submit
C:\Windows\SysWOW64\wbvgskuan.exe

Filesize
85KB

MD5
9af34c12409bed059dc74e7552d33558

SHA1
67fcdffe7cb26a75b7f0e67cac6e83a2d78959fb

SHA256
092ccbee8648dcd12d30a64c988dd5c33075fb9c121544e01a0998fee56d3c0f

SHA512
15f34a422cdaf2381fb2ddb040253ddc0c1323dd5907041b8e47bbf50f21f73cba77df5cfa8306894999c89aadfa9733f19654aa2f9d1d62aa4256c43d5db50b

Download Submit
C:\Windows\SysWOW64\wbvgskuan.exe

Filesize
85KB

MD5
9af34c12409bed059dc74e7552d33558

SHA1
67fcdffe7cb26a75b7f0e67cac6e83a2d78959fb

SHA256
092ccbee8648dcd12d30a64c988dd5c33075fb9c121544e01a0998fee56d3c0f

SHA512
15f34a422cdaf2381fb2ddb040253ddc0c1323dd5907041b8e47bbf50f21f73cba77df5cfa8306894999c89aadfa9733f19654aa2f9d1d62aa4256c43d5db50b

Download Submit
C:\Windows\SysWOW64\wcklmk.exe

Filesize
85KB

MD5
ab456a8aea353d591dbd0efb7415e697

SHA1
9269a42c19b80a7f5945364764882bead2d97cb9

SHA256
4610c67fd2d62d5e4cc5ae4eef768cf86e95d59f8dd54c7b7cfd163bf004347d

SHA512
f3cea66461fc4b9070071c00391353acf7671f81cd865da5d2009768c9627cc879cbd5ab7d04e4294452561c2adf279cc0f8063a7841f5e27df1d4960998caf4

Download Submit
C:\Windows\SysWOW64\wcklmk.exe

Filesize
85KB

MD5
ab456a8aea353d591dbd0efb7415e697

SHA1
9269a42c19b80a7f5945364764882bead2d97cb9

SHA256
4610c67fd2d62d5e4cc5ae4eef768cf86e95d59f8dd54c7b7cfd163bf004347d

SHA512
f3cea66461fc4b9070071c00391353acf7671f81cd865da5d2009768c9627cc879cbd5ab7d04e4294452561c2adf279cc0f8063a7841f5e27df1d4960998caf4

Download Submit
C:\Windows\SysWOW64\wcwd.exe

Filesize
85KB

MD5
89bf368e1f09db86a31069a7ec92eecf

SHA1
58462e9e5dd99ec7ffb46fc1139fc1c4418a4ecf

SHA256
80583d9dbc9f8132c0a464d6980c79d0e530a59c141a4b325ac23a6422d20d3e

SHA512
717d2018d5829ef785ca1d1bd14bea4fbf6b7a0a77a2a0d909e238fbb9fb8d5854e65bdf010804993237c2d71ce0e02189ccc247d84e229336789a1cbd49137c

Download Submit
C:\Windows\SysWOW64\wcwd.exe

Filesize
85KB

MD5
89bf368e1f09db86a31069a7ec92eecf

SHA1
58462e9e5dd99ec7ffb46fc1139fc1c4418a4ecf

SHA256
80583d9dbc9f8132c0a464d6980c79d0e530a59c141a4b325ac23a6422d20d3e

SHA512
717d2018d5829ef785ca1d1bd14bea4fbf6b7a0a77a2a0d909e238fbb9fb8d5854e65bdf010804993237c2d71ce0e02189ccc247d84e229336789a1cbd49137c

Download Submit
C:\Windows\SysWOW64\wdtqdnx.exe

Filesize
86KB

MD5
14d23e9584ae22edec491acadf02785c

SHA1
bc45049d110372f030de6fe1671a262554a5a6fc

SHA256
242d994f57d65d4578fb140d15f672218e45df9c01677d4d377395a0bc0f8722

SHA512
24bf90e5fba95fac0acc677f6d1ac2a371051fd1ec2c446a0fa48ff47080ae5d6af28c1de74ef4686e413d4d9065500fad024e464da820ec4b7db42b3912d201

Download Submit
C:\Windows\SysWOW64\wdtqdnx.exe

Filesize
86KB

MD5
14d23e9584ae22edec491acadf02785c

SHA1
bc45049d110372f030de6fe1671a262554a5a6fc

SHA256
242d994f57d65d4578fb140d15f672218e45df9c01677d4d377395a0bc0f8722

SHA512
24bf90e5fba95fac0acc677f6d1ac2a371051fd1ec2c446a0fa48ff47080ae5d6af28c1de74ef4686e413d4d9065500fad024e464da820ec4b7db42b3912d201

Download Submit
C:\Windows\SysWOW64\wdvurrh.exe

Filesize
85KB

MD5
06cfa873321d4e385e3cc8c9ae8bdacf

SHA1
ef7d48e76a1d4c3792772a7c094b389b7dbdb5a4

SHA256
95a874151f4286763868087a8c5457b791ec64fefffc619ffc8ae12de1462cf3

SHA512
521320b6e30572165199e11cb314de5a13eaba95e1167e5acd37dfa6d97e9e0b7fbcaa53fb948fc7da00b4ccc7db946c3d4afb203796b73282128a42e92f45a3

Download Submit
C:\Windows\SysWOW64\wdvurrh.exe

Filesize
85KB

MD5
06cfa873321d4e385e3cc8c9ae8bdacf

SHA1
ef7d48e76a1d4c3792772a7c094b389b7dbdb5a4

SHA256
95a874151f4286763868087a8c5457b791ec64fefffc619ffc8ae12de1462cf3

SHA512
521320b6e30572165199e11cb314de5a13eaba95e1167e5acd37dfa6d97e9e0b7fbcaa53fb948fc7da00b4ccc7db946c3d4afb203796b73282128a42e92f45a3

Download Submit
C:\Windows\SysWOW64\wecj.exe

Filesize
85KB

MD5
6d5038c4f1155d04031837a49743838c

SHA1
b1bd37e8c70bad3b6842079a3711e515be9ded17

SHA256
21bd585594b4807420af769932dcad78dd5f0318b595c6d62b561d821525847d

SHA512
95fdd93d5becea7b3600d79339e0b02b80cc330bb286d8fb9059b36280581fc2e259464ff71c7a77e1b7e6d13cf02e5c07406a22a82959d9a66fd08a37670b47

Download Submit
C:\Windows\SysWOW64\wecj.exe

Filesize
85KB

MD5
6d5038c4f1155d04031837a49743838c

SHA1
b1bd37e8c70bad3b6842079a3711e515be9ded17

SHA256
21bd585594b4807420af769932dcad78dd5f0318b595c6d62b561d821525847d

SHA512
95fdd93d5becea7b3600d79339e0b02b80cc330bb286d8fb9059b36280581fc2e259464ff71c7a77e1b7e6d13cf02e5c07406a22a82959d9a66fd08a37670b47

Download Submit
C:\Windows\SysWOW64\weslsl.exe

Filesize
85KB

MD5
2b58de74be041ac2e1db7492dde9f246

SHA1
ab5bf6d6ccabe500d063376c403fbc9233b9c5a0

SHA256
24a36daefb84de9cbf7e1c19c0a541fdd3f2a13b42e110c70cc217015e2e69e3

SHA512
e817c2e5ff4fd745cb68e4b1f13bcf2d860d64235dd77b4817a7fb2f4073b279129e10e970c7af065eba265c69c306734abc5dfd61721a94de0bff4720fb9b63

Download Submit
C:\Windows\SysWOW64\weslsl.exe

Filesize
85KB

MD5
2b58de74be041ac2e1db7492dde9f246

SHA1
ab5bf6d6ccabe500d063376c403fbc9233b9c5a0

SHA256
24a36daefb84de9cbf7e1c19c0a541fdd3f2a13b42e110c70cc217015e2e69e3

SHA512
e817c2e5ff4fd745cb68e4b1f13bcf2d860d64235dd77b4817a7fb2f4073b279129e10e970c7af065eba265c69c306734abc5dfd61721a94de0bff4720fb9b63

Download Submit
C:\Windows\SysWOW64\wfnmmt.exe

Filesize
85KB

MD5
c017c600d4c205392edc143856c59d47

SHA1
1023a6f65a0da54e8b9a829780190771ceed0279

SHA256
df4607b3dc4b74d4d4cb72eabd6ee982b2114504f6fa478eb2d06aa6157fe200

SHA512
c60691e73846ba99624a7356c0cb4d23f0547dfeb33958cd88f18c1669206d2a2ae6931f8ec688b3c109b7eaee6af529d31d7b8120f991befabe98d11070421a

Download Submit
C:\Windows\SysWOW64\wfnmmt.exe

Filesize
85KB

MD5
c017c600d4c205392edc143856c59d47

SHA1
1023a6f65a0da54e8b9a829780190771ceed0279

SHA256
df4607b3dc4b74d4d4cb72eabd6ee982b2114504f6fa478eb2d06aa6157fe200

SHA512
c60691e73846ba99624a7356c0cb4d23f0547dfeb33958cd88f18c1669206d2a2ae6931f8ec688b3c109b7eaee6af529d31d7b8120f991befabe98d11070421a

Download Submit
C:\Windows\SysWOW64\wfrlsr.exe

Filesize
85KB

MD5
3380882357eda125213a0e3f8d8333db

SHA1
58ad09dee7248f232f603a0435749b0788d61ff8

SHA256
2f162d777fe8b97f1cb46d6e5d70271520ffd82a86bc3bcd79ee3a0e6a788635

SHA512
30e4366fbc3c56dfbc10ef1d2a6b457d04f6ad333d8c93ca1cb829e746f929c6ccbd9e915c9edcd62155896fb8d5bc2993a656236ed2d00696d9bb32f2896290

Download Submit
C:\Windows\SysWOW64\wfrlsr.exe

Filesize
85KB

MD5
3380882357eda125213a0e3f8d8333db

SHA1
58ad09dee7248f232f603a0435749b0788d61ff8

SHA256
2f162d777fe8b97f1cb46d6e5d70271520ffd82a86bc3bcd79ee3a0e6a788635

SHA512
30e4366fbc3c56dfbc10ef1d2a6b457d04f6ad333d8c93ca1cb829e746f929c6ccbd9e915c9edcd62155896fb8d5bc2993a656236ed2d00696d9bb32f2896290

Download Submit
C:\Windows\SysWOW64\wixocw.exe

Filesize
86KB

MD5
2ea48cb56de8bf6ad71f31a01b9d1d0b

SHA1
6d3ec5c560c0772aad39cf6ebf6d68a11a59bc10

SHA256
2d87b13f96bb85d4cec2b63ca2111a247ff243e81e03923017fad1c84ac6fb7d

SHA512
d1fc511c53347b8ad9e456d255fc95b5fc0506b02636d95629d5a2c199b9c7f8c2b6c0e22d006cbc9dd169604da8d640cb413e35a204d7ead847aaf484b7f1a2

Download Submit
C:\Windows\SysWOW64\wixocw.exe

Filesize
86KB

MD5
2ea48cb56de8bf6ad71f31a01b9d1d0b

SHA1
6d3ec5c560c0772aad39cf6ebf6d68a11a59bc10

SHA256
2d87b13f96bb85d4cec2b63ca2111a247ff243e81e03923017fad1c84ac6fb7d

SHA512
d1fc511c53347b8ad9e456d255fc95b5fc0506b02636d95629d5a2c199b9c7f8c2b6c0e22d006cbc9dd169604da8d640cb413e35a204d7ead847aaf484b7f1a2

Download Submit
C:\Windows\SysWOW64\wiy.exe

Filesize
85KB

MD5
b740a143bbb2548e9d60fb19e2ae748d

SHA1
50836c23a3430ebceebea7bf00bfe69666f00bba

SHA256
5c35d4161c254bcf4339b1d36d5ade4bca4acb0067d37cb7d1f13ccd71eac15a

SHA512
29962df8c626ded1febf0f6f2cca039c15ef4b48b0903888b079d3fb7c1469514718451675db80398d579b639e90ca8779517a5ddbac5ac16a881f99413ea3e3

Download Submit
C:\Windows\SysWOW64\wiy.exe

Filesize
85KB

MD5
b740a143bbb2548e9d60fb19e2ae748d

SHA1
50836c23a3430ebceebea7bf00bfe69666f00bba

SHA256
5c35d4161c254bcf4339b1d36d5ade4bca4acb0067d37cb7d1f13ccd71eac15a

SHA512
29962df8c626ded1febf0f6f2cca039c15ef4b48b0903888b079d3fb7c1469514718451675db80398d579b639e90ca8779517a5ddbac5ac16a881f99413ea3e3

Download Submit
C:\Windows\SysWOW64\wjwfnvpm.exe

Filesize
85KB

MD5
65da607f1d533fa15640f6eb784b8fe0

SHA1
d01ae13d0df21d3743b408c5139a0ec86046fc36

SHA256
50e6f32c9129649f9028043efe3534abed3cdf311e4061618c1bc49a3c52feec

SHA512
c38a33c18c5c0d49dbb58a630dde9fb30cd063e2a1d2b34a4074e56447f007c3a619dcb3fe573ee2097fe4645d15b37478e500e7368e24b66f8da9012873e625

Download Submit
C:\Windows\SysWOW64\wjwfnvpm.exe

Filesize
85KB

MD5
65da607f1d533fa15640f6eb784b8fe0

SHA1
d01ae13d0df21d3743b408c5139a0ec86046fc36

SHA256
50e6f32c9129649f9028043efe3534abed3cdf311e4061618c1bc49a3c52feec

SHA512
c38a33c18c5c0d49dbb58a630dde9fb30cd063e2a1d2b34a4074e56447f007c3a619dcb3fe573ee2097fe4645d15b37478e500e7368e24b66f8da9012873e625

Download Submit
C:\Windows\SysWOW64\wjybea.exe

Filesize
86KB

MD5
ab0bcc6c4e37ff086e7aa2c7400fc10f

SHA1
39ffa59c9ad6ac2d24eba66f11267826031373ae

SHA256
ce47f6f9ce75bab14cd580d6bc0166eb83b2576a36b343ead68f4c2bfcba8fe6

SHA512
3bc44046d95cf7c47c29e2af28d32422eef14774551020e677388a0a1dca56a7fbc83ad1e3af5f27901f7c355718aa5b3fd314541b12e20fb152496b1884441f

Download Submit
C:\Windows\SysWOW64\wjybea.exe

Filesize
86KB

MD5
ab0bcc6c4e37ff086e7aa2c7400fc10f

SHA1
39ffa59c9ad6ac2d24eba66f11267826031373ae

SHA256
ce47f6f9ce75bab14cd580d6bc0166eb83b2576a36b343ead68f4c2bfcba8fe6

SHA512
3bc44046d95cf7c47c29e2af28d32422eef14774551020e677388a0a1dca56a7fbc83ad1e3af5f27901f7c355718aa5b3fd314541b12e20fb152496b1884441f

Download Submit
C:\Windows\SysWOW64\wlah.exe

Filesize
85KB

MD5
a7b35696aa19cbf779746e60484dda39

SHA1
53241f91c19a22b72571f76aa2a613ccf276802b

SHA256
439275b6518f1d2af1500cbafc1d9fd68d03e1a148f8bfb9be79bcfdb24db8ef

SHA512
55c0029bb1c631bc126cefe61e9aa4dbbb93c46cd092c0b5a0dbd52cdece0cc2634c1ebb7648ba2001ad5f83342a4566c67900607bd2331ad756fab434f5b73f

Download Submit
C:\Windows\SysWOW64\wlah.exe

Filesize
85KB

MD5
a7b35696aa19cbf779746e60484dda39

SHA1
53241f91c19a22b72571f76aa2a613ccf276802b

SHA256
439275b6518f1d2af1500cbafc1d9fd68d03e1a148f8bfb9be79bcfdb24db8ef

SHA512
55c0029bb1c631bc126cefe61e9aa4dbbb93c46cd092c0b5a0dbd52cdece0cc2634c1ebb7648ba2001ad5f83342a4566c67900607bd2331ad756fab434f5b73f

Download Submit
C:\Windows\SysWOW64\wmc.exe

Filesize
86KB

MD5
b6517b17cb51c95f5d5d8d74584313f8

SHA1
050d858d91a9883580a2df2284aeabd8a8092e00

SHA256
2cae4da2f4adac71975e892b22a88264766e8d91691d9c85e556235d3e17220c

SHA512
025b1815a9581335c6dc93c75aae0d81c1a75b27a293132ead34f9a28a16600372344258df774906171e7e48c11289c8981c7cff3d4da91c77a204ccfb68ccd0

Download Submit
C:\Windows\SysWOW64\wmc.exe

Filesize
86KB

MD5
b6517b17cb51c95f5d5d8d74584313f8

SHA1
050d858d91a9883580a2df2284aeabd8a8092e00

SHA256
2cae4da2f4adac71975e892b22a88264766e8d91691d9c85e556235d3e17220c

SHA512
025b1815a9581335c6dc93c75aae0d81c1a75b27a293132ead34f9a28a16600372344258df774906171e7e48c11289c8981c7cff3d4da91c77a204ccfb68ccd0

Download Submit
C:\Windows\SysWOW64\wmmihu.exe

Filesize
85KB

MD5
a8770f8c5adf6239c35273226f8b5bdb

SHA1
252d726655315dce9b1aff42b8e518290fb41311

SHA256
19d42c7166e0e4d58c984870bd6bff55cd4c622fb43ed291e1ebe084b639696a

SHA512
c41c58267ffdaa8807bad7735df71537e5b8b70b5158a56b4a8c6fb88bc7b780f9be9b9fcf3810cdd1198a93cf8911f1b4a08148f4f9a22c3bbb96dd0f929e2c

Download Submit
C:\Windows\SysWOW64\wmmihu.exe

Filesize
85KB

MD5
a8770f8c5adf6239c35273226f8b5bdb

SHA1
252d726655315dce9b1aff42b8e518290fb41311

SHA256
19d42c7166e0e4d58c984870bd6bff55cd4c622fb43ed291e1ebe084b639696a

SHA512
c41c58267ffdaa8807bad7735df71537e5b8b70b5158a56b4a8c6fb88bc7b780f9be9b9fcf3810cdd1198a93cf8911f1b4a08148f4f9a22c3bbb96dd0f929e2c

Download Submit
C:\Windows\SysWOW64\wndwadla.exe

Filesize
85KB

MD5
fac501eaa014c9027e87dc047dc36e1d

SHA1
624123d7b8a6cf9cdb94a6aeb64a1bd7e14cdb6b

SHA256
50ecbb74dc2ea13f7e6d65f99e73c3c7cc9125128839979a29438714e635420e

SHA512
43b71f15d34d5620f48bef591e1302f16050f2b290b82faab123859171ff5c104a1ed939ef21727f6846d1b2b548f0721e984e60ee9dadb486cd887269dbe138

Download Submit
C:\Windows\SysWOW64\wndwadla.exe

Filesize
85KB

MD5
fac501eaa014c9027e87dc047dc36e1d

SHA1
624123d7b8a6cf9cdb94a6aeb64a1bd7e14cdb6b

SHA256
50ecbb74dc2ea13f7e6d65f99e73c3c7cc9125128839979a29438714e635420e

SHA512
43b71f15d34d5620f48bef591e1302f16050f2b290b82faab123859171ff5c104a1ed939ef21727f6846d1b2b548f0721e984e60ee9dadb486cd887269dbe138

Download Submit
C:\Windows\SysWOW64\wnffs.exe

Filesize
85KB

MD5
c616fd06dceba09ca770be5ead21fb36

SHA1
bf352355af08ec78f3e63b6d0968bf65f0fed090

SHA256
4f7e626e81adb76b797efa326de992da73a8ca9a115706836521326f7b87cf4e

SHA512
627d43d148dc730709e6d9692187a3604a359b96030708a203ee3f3443fd49e292a86e2c8a26f9ba09f8a87b266cd3641dd95bad61b9428f4f91df481a092c7e

Download Submit
C:\Windows\SysWOW64\wnffs.exe

Filesize
85KB

MD5
c616fd06dceba09ca770be5ead21fb36

SHA1
bf352355af08ec78f3e63b6d0968bf65f0fed090

SHA256
4f7e626e81adb76b797efa326de992da73a8ca9a115706836521326f7b87cf4e

SHA512
627d43d148dc730709e6d9692187a3604a359b96030708a203ee3f3443fd49e292a86e2c8a26f9ba09f8a87b266cd3641dd95bad61b9428f4f91df481a092c7e

Download Submit
C:\Windows\SysWOW64\wnfwfj.exe

Filesize
85KB

MD5
6fde42cd51c79101cdf0cf6d9428e53f

SHA1
46361011668b6478371ad0c18440e5050bcd3fb9

SHA256
2b7483f4b58d4ba8314036b98ffca8d7986b5bb289798e829d5b5effc9b7eeec

SHA512
cda2e84fb63c40383fb918ec638726c187d75b2aecaa35ec3c60f6c6675a20a84ecdeb2bd5e6b9b2ea98db36241627f9d931efe825c06ea7228ecf10e23e8cd6

Download Submit
C:\Windows\SysWOW64\wnfwfj.exe

Filesize
85KB

MD5
6fde42cd51c79101cdf0cf6d9428e53f

SHA1
46361011668b6478371ad0c18440e5050bcd3fb9

SHA256
2b7483f4b58d4ba8314036b98ffca8d7986b5bb289798e829d5b5effc9b7eeec

SHA512
cda2e84fb63c40383fb918ec638726c187d75b2aecaa35ec3c60f6c6675a20a84ecdeb2bd5e6b9b2ea98db36241627f9d931efe825c06ea7228ecf10e23e8cd6

Download Submit
C:\Windows\SysWOW64\wofkfcgm.exe

Filesize
86KB

MD5
54c22b68687e3b1a0afae702139dbae5

SHA1
56958d5387c888acce8caf595777b4d8d3e4707e

SHA256
ca65d6c4e6de84c52d5c24ffc7470c98af1307680e662442940f3b671dbbbf78

SHA512
29985b49d6fb9f8f72cf1a1c8de1449998bda7433c6467acd030b177b69027c778a7c005400c8dbfc0afb778610433d21e236cb1bda3ea19fdf7924130cf4090

Download Submit
C:\Windows\SysWOW64\wofkfcgm.exe

Filesize
86KB

MD5
54c22b68687e3b1a0afae702139dbae5

SHA1
56958d5387c888acce8caf595777b4d8d3e4707e

SHA256
ca65d6c4e6de84c52d5c24ffc7470c98af1307680e662442940f3b671dbbbf78

SHA512
29985b49d6fb9f8f72cf1a1c8de1449998bda7433c6467acd030b177b69027c778a7c005400c8dbfc0afb778610433d21e236cb1bda3ea19fdf7924130cf4090

Download Submit
C:\Windows\SysWOW64\wovslmv.exe

Filesize
85KB

MD5
60c3f039c2fb91dbe4ee7d6346713aa7

SHA1
184bfb5432db44577fd46a2b4d696e1a13f4f67e

SHA256
0520aa09c93322a89e8998ff4c075c320ce6453519f1917201fbaafe2f0d0fc5

SHA512
5752ce14cd24ad72af088af59834141410fa02c5b2d0d6d8055a7aacba1b728a4c5d52b02ec3f0e57d9026e6caeccaa0fe269c72417b613f899b336725c103a2

Download Submit
C:\Windows\SysWOW64\wovslmv.exe

Filesize
85KB

MD5
60c3f039c2fb91dbe4ee7d6346713aa7

SHA1
184bfb5432db44577fd46a2b4d696e1a13f4f67e

SHA256
0520aa09c93322a89e8998ff4c075c320ce6453519f1917201fbaafe2f0d0fc5

SHA512
5752ce14cd24ad72af088af59834141410fa02c5b2d0d6d8055a7aacba1b728a4c5d52b02ec3f0e57d9026e6caeccaa0fe269c72417b613f899b336725c103a2

Download Submit
C:\Windows\SysWOW64\wpg.exe

Filesize
85KB

MD5
c9c7a325439c15afbcd54830874fbf98

SHA1
fdb884e04b68396e437e8f0d406e9e62bc463af9

SHA256
8bc77306f4390f99f816e83e2a30099f351d59d9110f0715871f88b02659a4ff

SHA512
096dad05c145a93aecf11fb982623caa1c642bb22b31264d30d7699744f2e005ff6d7818ee7e42296f677b3b045cab545185a350da34129452bd6d73f08dc793

Download Submit
C:\Windows\SysWOW64\wpg.exe

Filesize
85KB

MD5
c9c7a325439c15afbcd54830874fbf98

SHA1
fdb884e04b68396e437e8f0d406e9e62bc463af9

SHA256
8bc77306f4390f99f816e83e2a30099f351d59d9110f0715871f88b02659a4ff

SHA512
096dad05c145a93aecf11fb982623caa1c642bb22b31264d30d7699744f2e005ff6d7818ee7e42296f677b3b045cab545185a350da34129452bd6d73f08dc793

Download Submit
C:\Windows\SysWOW64\wpg.exe

Filesize
85KB

MD5
c9c7a325439c15afbcd54830874fbf98

SHA1
fdb884e04b68396e437e8f0d406e9e62bc463af9

SHA256
8bc77306f4390f99f816e83e2a30099f351d59d9110f0715871f88b02659a4ff

SHA512
096dad05c145a93aecf11fb982623caa1c642bb22b31264d30d7699744f2e005ff6d7818ee7e42296f677b3b045cab545185a350da34129452bd6d73f08dc793

Download Submit
C:\Windows\SysWOW64\wprouogd.exe

Filesize
85KB

MD5
14cc465dc5d4c1a12fa8f0901a8b1239

SHA1
bd7e3f090e38c48b49f182e76a8b84028ccaf669

SHA256
be49be6bb32f8c70840ee8cfae51c2d3e28800249c57f5c6a74b1e5c2eaa6e60

SHA512
740fdecfdd107ea7fffae90bee498671421337496f2d924aae4291c96106526750ff8c24f703c406ee1cf2fb25c0d404eb00225fa6a542893726fbda45a20e6e

Download Submit
C:\Windows\SysWOW64\wprouogd.exe

Filesize
85KB

MD5
14cc465dc5d4c1a12fa8f0901a8b1239

SHA1
bd7e3f090e38c48b49f182e76a8b84028ccaf669

SHA256
be49be6bb32f8c70840ee8cfae51c2d3e28800249c57f5c6a74b1e5c2eaa6e60

SHA512
740fdecfdd107ea7fffae90bee498671421337496f2d924aae4291c96106526750ff8c24f703c406ee1cf2fb25c0d404eb00225fa6a542893726fbda45a20e6e

Download Submit
C:\Windows\SysWOW64\wqujr.exe

Filesize
86KB

MD5
d53d94d4d3338fca0f182a9032c40f65

SHA1
a80dfd6763e6bff0b0fd0304edc3d48d6ddeaf2a

SHA256
12728f5f7fbfa883f2c9c9aa9458b4ab1245e95086302ffae68c269c70503482

SHA512
e92cef7c4e5da08ad51c9dd1908010970ecb583ad80a6721ca57de2bc9ed209819906847b85606b52f605ee93df47421ff0db6b887e5e4e533882544d7612e65

Download Submit
C:\Windows\SysWOW64\wqujr.exe

Filesize
86KB

MD5
d53d94d4d3338fca0f182a9032c40f65

SHA1
a80dfd6763e6bff0b0fd0304edc3d48d6ddeaf2a

SHA256
12728f5f7fbfa883f2c9c9aa9458b4ab1245e95086302ffae68c269c70503482

SHA512
e92cef7c4e5da08ad51c9dd1908010970ecb583ad80a6721ca57de2bc9ed209819906847b85606b52f605ee93df47421ff0db6b887e5e4e533882544d7612e65

Download Submit
C:\Windows\SysWOW64\wuddkpjr.exe

Filesize
85KB

MD5
685093e1d148eb4df195267a20ea6ca8

SHA1
186cfc928f621985e6f0b702118219a150404aa6

SHA256
e8b2016af2d5355f1ac7ef73e3e5951db676516e2fb9070cc416e5353e0d6d30

SHA512
f333c41633cdbd121718d715dbd95c402a35e43a0cfd6e5397681e4c733a28367d82e52b04d5b7425794db5604e8caee00c2f60518eb9e2110d54b152aed6d01

Download Submit
C:\Windows\SysWOW64\wuddkpjr.exe

Filesize
85KB

MD5
685093e1d148eb4df195267a20ea6ca8

SHA1
186cfc928f621985e6f0b702118219a150404aa6

SHA256
e8b2016af2d5355f1ac7ef73e3e5951db676516e2fb9070cc416e5353e0d6d30

SHA512
f333c41633cdbd121718d715dbd95c402a35e43a0cfd6e5397681e4c733a28367d82e52b04d5b7425794db5604e8caee00c2f60518eb9e2110d54b152aed6d01

Download Submit
C:\Windows\SysWOW64\wurpvjty.exe

Filesize
85KB

MD5
0ffdaf819fa2b2c0fc68bed2f3ad313f

SHA1
94aa9831972c01bddc2a404cf32f90c9d2fccb90

SHA256
40335abb183853f597577cbc1e445e0d62ad32f9097f670872e3b451b859a9c3

SHA512
c8c47ede72a7730509b4f5d0a5d0b4a6e4e079d7d01fe612a922a9940dc2d42870c57f5e875f2e9e3d47248005f64f75661d41f673c44a004dfe3f8154be566f

Download Submit
C:\Windows\SysWOW64\wurpvjty.exe

Filesize
85KB

MD5
0ffdaf819fa2b2c0fc68bed2f3ad313f

SHA1
94aa9831972c01bddc2a404cf32f90c9d2fccb90

SHA256
40335abb183853f597577cbc1e445e0d62ad32f9097f670872e3b451b859a9c3

SHA512
c8c47ede72a7730509b4f5d0a5d0b4a6e4e079d7d01fe612a922a9940dc2d42870c57f5e875f2e9e3d47248005f64f75661d41f673c44a004dfe3f8154be566f

Download Submit
C:\Windows\SysWOW64\wusvj.exe

Filesize
86KB

MD5
3d7641bdfa95c7651ae516852da38a31

SHA1
c94d0b736c4612aec248d83dd56f5c5e5fdf2e4c

SHA256
ae788acb3bfa6b779f6ef61e449d94d85a64088ec36b4472fb0a2e093511c429

SHA512
07d0b2c15b6b83eb04fdf7cf09d691a3514a13104cbd4537826673e9cca904baba9e26faa340161bff2f5acaa2a56629d54e53d3abbe8ca32db2cebf91228df8

Download Submit
C:\Windows\SysWOW64\wusvj.exe

Filesize
86KB

MD5
3d7641bdfa95c7651ae516852da38a31

SHA1
c94d0b736c4612aec248d83dd56f5c5e5fdf2e4c

SHA256
ae788acb3bfa6b779f6ef61e449d94d85a64088ec36b4472fb0a2e093511c429

SHA512
07d0b2c15b6b83eb04fdf7cf09d691a3514a13104cbd4537826673e9cca904baba9e26faa340161bff2f5acaa2a56629d54e53d3abbe8ca32db2cebf91228df8

Download Submit
C:\Windows\SysWOW64\wxnouba.exe

Filesize
86KB

MD5
8d010c584bb2b079309593ae853d3875

SHA1
e68dde6af23b2b69c5c55d41a96b17f9b16c8e2e

SHA256
684f4948378f7499198e20821142c1d12858ac9c41b3e16dacb27aedae964581

SHA512
3ad4fa85354f187c7b6daf46b93e6bd767c7ab694c5bac9426ea4b02b06eab4ad5661ad756e403052455a620481fd35c3dcd58961726baecf1e9a7672e825065

Download Submit
C:\Windows\SysWOW64\wxnouba.exe

Filesize
86KB

MD5
8d010c584bb2b079309593ae853d3875

SHA1
e68dde6af23b2b69c5c55d41a96b17f9b16c8e2e

SHA256
684f4948378f7499198e20821142c1d12858ac9c41b3e16dacb27aedae964581

SHA512
3ad4fa85354f187c7b6daf46b93e6bd767c7ab694c5bac9426ea4b02b06eab4ad5661ad756e403052455a620481fd35c3dcd58961726baecf1e9a7672e825065

Download Submit
C:\Windows\SysWOW64\wyjuanaa.exe

Filesize
85KB

MD5
b462bcffd330178ca3320f2e802223a8

SHA1
b273e1f3b148b06915ce2340269ca03404aa2c12

SHA256
82c4d457efc52c81586f36eeedfb8b5738cce99e855aef2c93833e2d6a22c000

SHA512
18d5e7afbb0258400c25a8882496338205add3daf68d6b003e6d39245a1d570d7cedc2e35b620ad8a6706d134a5fa978da9f218bd941ccce0cdd41a93a76dee8

Download Submit
C:\Windows\SysWOW64\wyjuanaa.exe

Filesize
85KB

MD5
b462bcffd330178ca3320f2e802223a8

SHA1
b273e1f3b148b06915ce2340269ca03404aa2c12

SHA256
82c4d457efc52c81586f36eeedfb8b5738cce99e855aef2c93833e2d6a22c000

SHA512
18d5e7afbb0258400c25a8882496338205add3daf68d6b003e6d39245a1d570d7cedc2e35b620ad8a6706d134a5fa978da9f218bd941ccce0cdd41a93a76dee8

Download Submit
memory/368-563-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/956-507-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1016-277-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1108-383-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1140-491-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-483-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1468-555-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1468-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1468-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-327-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1604-375-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1688-531-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1708-447-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1756-399-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1804-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1808-297-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2016-391-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2052-343-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2084-359-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2228-287-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2232-351-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2232-171-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2272-221-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2272-523-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2436-471-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2460-252-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2740-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2808-571-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2832-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2968-130-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3060-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3112-181-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3112-110-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3188-211-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3192-499-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3220-335-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3316-307-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3604-262-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3604-70-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3872-90-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3916-455-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4000-191-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4012-539-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4036-515-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4156-161-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4188-50-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4200-201-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4216-439-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4248-317-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4292-40-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4384-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4388-463-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4488-431-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4592-547-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4660-423-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4692-407-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4852-120-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4960-151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4972-100-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4976-232-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5024-367-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5100-242-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5100-231-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5116-415-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads