0b54ebb24f8c0d7dfadd75ba25903a02800ae3e29326afec429aeae6a64c61cf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
Size

104KB
MD5

c63bb200e4bd7823efcb4522194bc8d0
SHA1

423c9a159a61f1e0311c82ca8ffdf2fe4e308c68
SHA256

0b54ebb24f8c0d7dfadd75ba25903a02800ae3e29326afec429aeae6a64c61cf
SHA512

83c1d64e5f96d8af8daabb5e9768fb3f961301badae0d7d54b278c7fba0872c85bf0f60c247b984d17110c24c2d3489845c5ff4481b6775d2d40d04e605c8bf9
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA11:yfjxrhzk2nfsWhP7dvavi6vWEbh8Xv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wnqamki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wfiiegam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wmui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wfjls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wcmbhveke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wkk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wnhcxdfjl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wsnyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wdbx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wpsdsmwaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wqkrggl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wabwxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wadkpf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wergt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wpcljw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wxmdbjrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wgsbstra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	weitde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wbipg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wojdqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wcelmn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wttexan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	whicja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wykuhhav.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wwfnrob.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wkmbkkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wwjsewcq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wbslr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wqcwxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wlbdq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wgxdgj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wsgpqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wdgcxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wchas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	whcxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wnrwca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	whcpbxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wwigleti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wguiwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wuvjckm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wjbpwqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wskmul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wwolo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wtfpkt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wjnbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wtvvud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wxdilghu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	welp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wxmvcq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wixqso.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wipvev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wjccw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wwurxlnx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wxoymh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wmbwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wlnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wnblndxmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wbrwjhgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	wgwpeg.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	warplf.exe
1220	wdgcxp.exe
1336	wtqjny.exe
2692	wkmbkkn.exe
5080	wjccw.exe
2156	wchas.exe
5072	wssjj.exe
2032	wwigleti.exe
4192	wwjsewcq.exe
4728	wsswmyllo.exe
932	wbipg.exe
1340	wguiwj.exe
4400	wojdqj.exe
2436	wwurxlnx.exe
4604	wfjls.exe
4396	wwolo.exe
4352	wtfpkt.exe
2844	wtwru.exe
3584	wch.exe
4508	wkai.exe
4940	wcelmn.exe
4496	wle.exe
5056	wxoymh.exe
2588	wjnbd.exe
3800	wsoffb.exe
3352	wtqrwtbox.exe
2564	wuvjckm.exe
4672	wtvvud.exe
220	wxwdemf.exe
464	wcmbhveke.exe
3900	whcxl.exe
3512	wmchun.exe
3548	wxdilghu.exe
1256	wkk.exe
4500	waax.exe
996	welp.exe
1492	wbslr.exe
64	wbrwjhgh.exe
2404	wnrwca.exe
4356	wmbwa.exe
1176	wnqamki.exe
4352	wnhcxdfjl.exe
2304	wuhfye.exe
2552	wxmvcq.exe
4024	wjbpwqj.exe
3076	wlnh.exe
5112	wqefokev.exe
536	wueoatos.exe
3572	wavgv.exe
3548	wsnyq.exe
1704	whcpbxs.exe
4400	wleylh.exe
1360	wltawy.exe
4672	wttexan.exe
2156	wibidp.exe
3628	wmbpmyxrb.exe
4192	wqcwxi.exe
5056	wdbx.exe
1176	wlbdq.exe
2928	wgwpeg.exe
1240	whbh.exe
3668	wpcljw.exe
4972	wgxdgj.exe
4432	wgnf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wofiqo.exe	wsgpqm.exe
File opened for modification	C:\Windows\SysWOW64\wlbdq.exe	wdbx.exe
File created	C:\Windows\SysWOW64\wueoatos.exe	wqefokev.exe
File opened for modification	C:\Windows\SysWOW64\wibidp.exe	wttexan.exe
File created	C:\Windows\SysWOW64\wixqso.exe	wur.exe
File created	C:\Windows\SysWOW64\wch.exe	wtwru.exe
File created	C:\Windows\SysWOW64\wlkksja.exe	whicja.exe
File created	C:\Windows\SysWOW64\wsswmyllo.exe	wwjsewcq.exe
File created	C:\Windows\SysWOW64\wcmbhveke.exe	wxwdemf.exe
File opened for modification	C:\Windows\SysWOW64\wsnyq.exe	wavgv.exe
File created	C:\Windows\SysWOW64\wxoymh.exe	wle.exe
File opened for modification	C:\Windows\SysWOW64\wadkpf.exe	wabwxm.exe
File created	C:\Windows\SysWOW64\welp.exe	waax.exe
File opened for modification	C:\Windows\SysWOW64\wguiwj.exe	wbipg.exe
File opened for modification	C:\Windows\SysWOW64\waax.exe	wkk.exe
File opened for modification	C:\Windows\SysWOW64\wavgv.exe	wueoatos.exe
File opened for modification	C:\Windows\SysWOW64\wsswmyllo.exe	wwjsewcq.exe
File opened for modification	C:\Windows\SysWOW64\wxoymh.exe	wle.exe
File created	C:\Windows\SysWOW64\whicja.exe	weisyq.exe
File opened for modification	C:\Windows\SysWOW64\whicja.exe	weisyq.exe
File opened for modification	C:\Windows\SysWOW64\wmjkwvb.exe	wmui.exe
File created	C:\Windows\SysWOW64\wtqrwtbox.exe	wsoffb.exe
File opened for modification	C:\Windows\SysWOW64\wpcljw.exe	whbh.exe
File opened for modification	C:\Windows\SysWOW64\wyevtj.exe	wfiiegam.exe
File opened for modification	C:\Windows\SysWOW64\wttexan.exe	wltawy.exe
File opened for modification	C:\Windows\SysWOW64\wvhd.exe	wjhdgf.exe
File created	C:\Windows\SysWOW64\wnblndxmt.exe	wipvev.exe
File opened for modification	C:\Windows\SysWOW64\wtqjny.exe	wdgcxp.exe
File created	C:\Windows\SysWOW64\wsoffb.exe	wjnbd.exe
File opened for modification	C:\Windows\SysWOW64\welp.exe	waax.exe
File opened for modification	C:\Windows\SysWOW64\wur.exe	wnretvgnp.exe
File created	C:\Windows\SysWOW64\wergt.exe	wadkpf.exe
File created	C:\Windows\SysWOW64\wsnyq.exe	wavgv.exe
File created	C:\Windows\SysWOW64\wgxdgj.exe	wpcljw.exe
File created	C:\Windows\SysWOW64\wipvev.exe	wvhd.exe
File created	C:\Windows\SysWOW64\wjccw.exe	wkmbkkn.exe
File opened for modification	C:\Windows\SysWOW64\wbrwjhgh.exe	wbslr.exe
File created	C:\Windows\SysWOW64\wgnf.exe	wgxdgj.exe
File created	C:\Windows\SysWOW64\wfiiegam.exe	wergt.exe
File opened for modification	C:\Windows\SysWOW64\wfiiegam.exe	wergt.exe
File created	C:\Windows\SysWOW64\wdgcxp.exe	warplf.exe
File created	C:\Windows\SysWOW64\wwjsewcq.exe	wwigleti.exe
File created	C:\Windows\SysWOW64\wwolo.exe	wfjls.exe
File opened for modification	C:\Windows\SysWOW64\wqkrggl.exe	wmjkwvb.exe
File created	C:\Windows\SysWOW64\wkk.exe	wxdilghu.exe
File opened for modification	C:\Windows\SysWOW64\wmbpmyxrb.exe	wibidp.exe
File opened for modification	C:\Windows\SysWOW64\wmui.exe	weitde.exe
File opened for modification	C:\Windows\SysWOW64\wch.exe	wtwru.exe
File opened for modification	C:\Windows\SysWOW64\wgwpeg.exe	wlbdq.exe
File opened for modification	C:\Windows\SysWOW64\wnretvgnp.exe	wgsbstra.exe
File opened for modification	C:\Windows\SysWOW64\wuvjckm.exe	wtqrwtbox.exe
File opened for modification	C:\Windows\SysWOW64\wqefokev.exe	wlnh.exe
File opened for modification	C:\Windows\SysWOW64\whcpbxs.exe	wsnyq.exe
File created	C:\Windows\SysWOW64\wxdilghu.exe	wmchun.exe
File opened for modification	C:\Windows\SysWOW64\wbslr.exe	welp.exe
File created	C:\Windows\SysWOW64\wtqjny.exe	wdgcxp.exe
File created	C:\Windows\SysWOW64\wchas.exe	wjccw.exe
File opened for modification	C:\Windows\SysWOW64\wwigleti.exe	wssjj.exe
File created	C:\Windows\SysWOW64\wtfpkt.exe	wwolo.exe
File created	C:\Windows\SysWOW64\wxwdemf.exe	wtvvud.exe
File created	C:\Windows\SysWOW64\wnrwca.exe	wbrwjhgh.exe
File created	C:\Windows\SysWOW64\wwigleti.exe	wssjj.exe
File opened for modification	C:\Windows\SysWOW64\wtqrwtbox.exe	wsoffb.exe
File opened for modification	C:\Windows\SysWOW64\wgxdgj.exe	wpcljw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3776	1336	WerFault.exe	102
1648	2156	WerFault.exe	116
1992	4672	WerFault.exe	187
4836	3580	WerFault.exe	354

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4940	2156	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	86
PID 2156 wrote to memory of 4940	2156	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	86
PID 2156 wrote to memory of 4940	2156	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	86
PID 2156 wrote to memory of 1704	2156	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	88
PID 2156 wrote to memory of 1704	2156	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	88
PID 2156 wrote to memory of 1704	2156	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	88
PID 4940 wrote to memory of 1220	4940	warplf.exe	95
PID 4940 wrote to memory of 1220	4940	warplf.exe	95
PID 4940 wrote to memory of 1220	4940	warplf.exe	95
PID 4940 wrote to memory of 3184	4940	warplf.exe	96
PID 4940 wrote to memory of 3184	4940	warplf.exe	96
PID 4940 wrote to memory of 3184	4940	warplf.exe	96
PID 1220 wrote to memory of 1336	1220	wdgcxp.exe	102
PID 1220 wrote to memory of 1336	1220	wdgcxp.exe	102
PID 1220 wrote to memory of 1336	1220	wdgcxp.exe	102
PID 1220 wrote to memory of 1972	1220	wdgcxp.exe	103
PID 1220 wrote to memory of 1972	1220	wdgcxp.exe	103
PID 1220 wrote to memory of 1972	1220	wdgcxp.exe	103
PID 1336 wrote to memory of 2692	1336	wtqjny.exe	106
PID 1336 wrote to memory of 2692	1336	wtqjny.exe	106
PID 1336 wrote to memory of 2692	1336	wtqjny.exe	106
PID 1336 wrote to memory of 3612	1336	wtqjny.exe	107
PID 1336 wrote to memory of 3612	1336	wtqjny.exe	107
PID 1336 wrote to memory of 3612	1336	wtqjny.exe	107
PID 2692 wrote to memory of 5080	2692	wkmbkkn.exe	112
PID 2692 wrote to memory of 5080	2692	wkmbkkn.exe	112
PID 2692 wrote to memory of 5080	2692	wkmbkkn.exe	112
PID 2692 wrote to memory of 4448	2692	wkmbkkn.exe	113
PID 2692 wrote to memory of 4448	2692	wkmbkkn.exe	113
PID 2692 wrote to memory of 4448	2692	wkmbkkn.exe	113
PID 5080 wrote to memory of 2156	5080	wjccw.exe	116
PID 5080 wrote to memory of 2156	5080	wjccw.exe	116
PID 5080 wrote to memory of 2156	5080	wjccw.exe	116
PID 5080 wrote to memory of 1704	5080	wjccw.exe	117
PID 5080 wrote to memory of 1704	5080	wjccw.exe	117
PID 5080 wrote to memory of 1704	5080	wjccw.exe	117
PID 2156 wrote to memory of 5072	2156	wchas.exe	120
PID 2156 wrote to memory of 5072	2156	wchas.exe	120
PID 2156 wrote to memory of 5072	2156	wchas.exe	120
PID 2156 wrote to memory of 996	2156	wchas.exe	121
PID 2156 wrote to memory of 996	2156	wchas.exe	121
PID 2156 wrote to memory of 996	2156	wchas.exe	121
PID 5072 wrote to memory of 2032	5072	wssjj.exe	125
PID 5072 wrote to memory of 2032	5072	wssjj.exe	125
PID 5072 wrote to memory of 2032	5072	wssjj.exe	125
PID 5072 wrote to memory of 1496	5072	wssjj.exe	126
PID 5072 wrote to memory of 1496	5072	wssjj.exe	126
PID 5072 wrote to memory of 1496	5072	wssjj.exe	126
PID 2032 wrote to memory of 4192	2032	wwigleti.exe	128
PID 2032 wrote to memory of 4192	2032	wwigleti.exe	128
PID 2032 wrote to memory of 4192	2032	wwigleti.exe	128
PID 2032 wrote to memory of 3468	2032	wwigleti.exe	129
PID 2032 wrote to memory of 3468	2032	wwigleti.exe	129
PID 2032 wrote to memory of 3468	2032	wwigleti.exe	129
PID 4192 wrote to memory of 4728	4192	wwjsewcq.exe	131
PID 4192 wrote to memory of 4728	4192	wwjsewcq.exe	131
PID 4192 wrote to memory of 4728	4192	wwjsewcq.exe	131
PID 4192 wrote to memory of 2348	4192	wwjsewcq.exe	132
PID 4192 wrote to memory of 2348	4192	wwjsewcq.exe	132
PID 4192 wrote to memory of 2348	4192	wwjsewcq.exe	132
PID 4728 wrote to memory of 932	4728	wsswmyllo.exe	134
PID 4728 wrote to memory of 932	4728	wsswmyllo.exe	134
PID 4728 wrote to memory of 932	4728	wsswmyllo.exe	134
PID 4728 wrote to memory of 4716	4728	wsswmyllo.exe	135

C:\Users\Admin\AppData\Local\Temp\c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\warplf.exe
  "C:\Windows\system32\warplf.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\wdgcxp.exe
    "C:\Windows\system32\wdgcxp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\wtqjny.exe
      "C:\Windows\system32\wtqjny.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\wkmbkkn.exe
        
        "C:\Windows\system32\wkmbkkn.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\wjccw.exe
        
        "C:\Windows\system32\wjccw.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\wchas.exe
        
        "C:\Windows\system32\wchas.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\wssjj.exe
        
        "C:\Windows\system32\wssjj.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\wwigleti.exe
        
        "C:\Windows\system32\wwigleti.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\wwjsewcq.exe
        
        "C:\Windows\system32\wwjsewcq.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\wsswmyllo.exe
        
        "C:\Windows\system32\wsswmyllo.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\wbipg.exe
        
        "C:\Windows\system32\wbipg.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\wguiwj.exe
        
        "C:\Windows\system32\wguiwj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\wojdqj.exe
        
        "C:\Windows\system32\wojdqj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\wwurxlnx.exe
        
        "C:\Windows\system32\wwurxlnx.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\wfjls.exe
        
        "C:\Windows\system32\wfjls.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\wwolo.exe
        
        "C:\Windows\system32\wwolo.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\wtfpkt.exe
        
        "C:\Windows\system32\wtfpkt.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\wtwru.exe
        
        "C:\Windows\system32\wtwru.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\wch.exe
        
        "C:\Windows\system32\wch.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\wkai.exe
        
        "C:\Windows\system32\wkai.exe"
        21⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\wcelmn.exe
        
        "C:\Windows\system32\wcelmn.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\wle.exe
        
        "C:\Windows\system32\wle.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\wxoymh.exe
        
        "C:\Windows\system32\wxoymh.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\wjnbd.exe
        
        "C:\Windows\system32\wjnbd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\wsoffb.exe
        
        "C:\Windows\system32\wsoffb.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\wtqrwtbox.exe
        
        "C:\Windows\system32\wtqrwtbox.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\wuvjckm.exe
        
        "C:\Windows\system32\wuvjckm.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\wtvvud.exe
        
        "C:\Windows\system32\wtvvud.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\wxwdemf.exe
        
        "C:\Windows\system32\wxwdemf.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\wcmbhveke.exe
        
        "C:\Windows\system32\wcmbhveke.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\whcxl.exe
        
        "C:\Windows\system32\whcxl.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\wmchun.exe
        
        "C:\Windows\system32\wmchun.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\wxdilghu.exe
        
        "C:\Windows\system32\wxdilghu.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\wkk.exe
        
        "C:\Windows\system32\wkk.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\waax.exe
        
        "C:\Windows\system32\waax.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\welp.exe
        
        "C:\Windows\system32\welp.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\wbslr.exe
        
        "C:\Windows\system32\wbslr.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\wbrwjhgh.exe
        
        "C:\Windows\system32\wbrwjhgh.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\wnrwca.exe
        
        "C:\Windows\system32\wnrwca.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\wmbwa.exe
        
        "C:\Windows\system32\wmbwa.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\wnqamki.exe
        
        "C:\Windows\system32\wnqamki.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\wnhcxdfjl.exe
        
        "C:\Windows\system32\wnhcxdfjl.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\wuhfye.exe
        
        "C:\Windows\system32\wuhfye.exe"
        44⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\wxmvcq.exe
        
        "C:\Windows\system32\wxmvcq.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\wjbpwqj.exe
        
        "C:\Windows\system32\wjbpwqj.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\wlnh.exe
        
        "C:\Windows\system32\wlnh.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\wqefokev.exe
        
        "C:\Windows\system32\wqefokev.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\wueoatos.exe
        
        "C:\Windows\system32\wueoatos.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\wavgv.exe
        
        "C:\Windows\system32\wavgv.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\wsnyq.exe
        
        "C:\Windows\system32\wsnyq.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\whcpbxs.exe
        
        "C:\Windows\system32\whcpbxs.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\wleylh.exe
        
        "C:\Windows\system32\wleylh.exe"
        53⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\wltawy.exe
        
        "C:\Windows\system32\wltawy.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\wttexan.exe
        
        "C:\Windows\system32\wttexan.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\wibidp.exe
        
        "C:\Windows\system32\wibidp.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\wmbpmyxrb.exe
        
        "C:\Windows\system32\wmbpmyxrb.exe"
        57⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\wqcwxi.exe
        
        "C:\Windows\system32\wqcwxi.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\wdbx.exe
        
        "C:\Windows\system32\wdbx.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\wlbdq.exe
        
        "C:\Windows\system32\wlbdq.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\wgwpeg.exe
        
        "C:\Windows\system32\wgwpeg.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\whbh.exe
        
        "C:\Windows\system32\whbh.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\wpcljw.exe
        
        "C:\Windows\system32\wpcljw.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\wgxdgj.exe
        
        "C:\Windows\system32\wgxdgj.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\wgnf.exe
        
        "C:\Windows\system32\wgnf.exe"
        65⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\wxmdbjrq.exe
        
        "C:\Windows\system32\wxmdbjrq.exe"
        66⤵
        Checks computer location settings
        
        PID:3960
        
        C:\Windows\SysWOW64\wsgpqm.exe
        
        "C:\Windows\system32\wsgpqm.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\wofiqo.exe
        
        "C:\Windows\system32\wofiqo.exe"
        68⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\wwfnrob.exe
        
        "C:\Windows\system32\wwfnrob.exe"
        69⤵
        Checks computer location settings
        
        PID:4396
        
        C:\Windows\SysWOW64\wqtarvov.exe
        
        "C:\Windows\system32\wqtarvov.exe"
        70⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\wskmul.exe
        
        "C:\Windows\system32\wskmul.exe"
        71⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Windows\SysWOW64\wbrrjkgd.exe
        
        "C:\Windows\system32\wbrrjkgd.exe"
        72⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\wgsbstra.exe
        
        "C:\Windows\system32\wgsbstra.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\wnretvgnp.exe
        
        "C:\Windows\system32\wnretvgnp.exe"
        74⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\wur.exe
        
        "C:\Windows\system32\wur.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\wixqso.exe
        
        "C:\Windows\system32\wixqso.exe"
        76⤵
        Checks computer location settings
        
        PID:4580
        
        C:\Windows\SysWOW64\weisyq.exe
        
        "C:\Windows\system32\weisyq.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\whicja.exe
        
        "C:\Windows\system32\whicja.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:616
        
        C:\Windows\SysWOW64\wlkksja.exe
        
        "C:\Windows\system32\wlkksja.exe"
        79⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\wpsdsmwaf.exe
        
        "C:\Windows\system32\wpsdsmwaf.exe"
        80⤵
        Checks computer location settings
        
        PID:3580
        
        C:\Windows\SysWOW64\weitde.exe
        
        "C:\Windows\system32\weitde.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\wmui.exe
        
        "C:\Windows\system32\wmui.exe"
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\wmjkwvb.exe
        
        "C:\Windows\system32\wmjkwvb.exe"
        83⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\wqkrggl.exe
        
        "C:\Windows\system32\wqkrggl.exe"
        84⤵
        Checks computer location settings
        
        PID:424
        
        C:\Windows\SysWOW64\wykuhhav.exe
        
        "C:\Windows\system32\wykuhhav.exe"
        85⤵
        Checks computer location settings
        
        PID:2848
        
        C:\Windows\SysWOW64\wjhdgf.exe
        
        "C:\Windows\system32\wjhdgf.exe"
        86⤵
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\wvhd.exe
        
        "C:\Windows\system32\wvhd.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\wipvev.exe
        
        "C:\Windows\system32\wipvev.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\wnblndxmt.exe
        
        "C:\Windows\system32\wnblndxmt.exe"
        89⤵
        Checks computer location settings
        
        PID:1684
        
        C:\Windows\SysWOW64\wwa.exe
        
        "C:\Windows\system32\wwa.exe"
        90⤵
        Checks computer location settings
        
        PID:2020
        
        C:\Windows\SysWOW64\wabwxm.exe
        
        "C:\Windows\system32\wabwxm.exe"
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\wadkpf.exe
        
        "C:\Windows\system32\wadkpf.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\wergt.exe
        
        "C:\Windows\system32\wergt.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\wfiiegam.exe
        
        "C:\Windows\system32\wfiiegam.exe"
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\wyevtj.exe
        
        "C:\Windows\system32\wyevtj.exe"
        95⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\wsjvq.exe
        
        "C:\Windows\system32\wsjvq.exe"
        96⤵
        
        PID:372
        
        C:\Windows\SysWOW64\wuva.exe
        
        "C:\Windows\system32\wuva.exe"
        97⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjvq.exe"
        97⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyevtj.exe"
        96⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfiiegam.exe"
        95⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wergt.exe"
        94⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadkpf.exe"
        93⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabwxm.exe"
        92⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwa.exe"
        91⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnblndxmt.exe"
        90⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipvev.exe"
        89⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhd.exe"
        88⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhdgf.exe"
        87⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykuhhav.exe"
        86⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkrggl.exe"
        85⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjkwvb.exe"
        84⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmui.exe"
        83⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weitde.exe"
        82⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpsdsmwaf.exe"
        81⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1424
        81⤵
        Program crash
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkksja.exe"
        80⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whicja.exe"
        79⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weisyq.exe"
        78⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixqso.exe"
        77⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wur.exe"
        76⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnretvgnp.exe"
        75⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsbstra.exe"
        74⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrrjkgd.exe"
        73⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskmul.exe"
        72⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtarvov.exe"
        71⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfnrob.exe"
        70⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofiqo.exe"
        69⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgpqm.exe"
        68⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmdbjrq.exe"
        67⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnf.exe"
        66⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxdgj.exe"
        65⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcljw.exe"
        64⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbh.exe"
        63⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwpeg.exe"
        62⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbdq.exe"
        61⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"
        60⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcwxi.exe"
        59⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbpmyxrb.exe"
        58⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibidp.exe"
        57⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttexan.exe"
        56⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltawy.exe"
        55⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wleylh.exe"
        54⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcpbxs.exe"
        53⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnyq.exe"
        52⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavgv.exe"
        51⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wueoatos.exe"
        50⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqefokev.exe"
        49⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnh.exe"
        48⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbpwqj.exe"
        47⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmvcq.exe"
        46⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhfye.exe"
        45⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhcxdfjl.exe"
        44⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqamki.exe"
        43⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbwa.exe"
        42⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrwca.exe"
        41⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrwjhgh.exe"
        40⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbslr.exe"
        39⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welp.exe"
        38⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waax.exe"
        37⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkk.exe"
        36⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdilghu.exe"
        35⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmchun.exe"
        34⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcxl.exe"
        33⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcmbhveke.exe"
        32⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwdemf.exe"
        31⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvvud.exe"
        30⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1356
        30⤵
        Program crash
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvjckm.exe"
        29⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqrwtbox.exe"
        28⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsoffb.exe"
        27⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnbd.exe"
        26⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxoymh.exe"
        25⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wle.exe"
        24⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcelmn.exe"
        23⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkai.exe"
        22⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wch.exe"
        21⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwru.exe"
        20⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfpkt.exe"
        19⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwolo.exe"
        18⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjls.exe"
        17⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwurxlnx.exe"
        16⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojdqj.exe"
        15⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguiwj.exe"
        14⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbipg.exe"
        13⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsswmyllo.exe"
        12⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjsewcq.exe"
        11⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwigleti.exe"
        10⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssjj.exe"
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchas.exe"
        8⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1460
        8⤵
        Program crash
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjccw.exe"
        7⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmbkkn.exe"
        6⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqjny.exe"
        5⤵
        
        PID:3612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1468
        5⤵
        Program crash
        
        PID:3776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdgcxp.exe"
      4⤵
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warplf.exe"
    3⤵
    PID:3184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe"
  2⤵
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1336 -ip 1336
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2156 -ip 2156
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4672 -ip 4672
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3580 -ip 3580
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\warplf.exe

Filesize
104KB

MD5
e5b438293ac28b0a1e3fe28d7bbca9e3

SHA1
fcbde38cf9e1143e00a21b91c57619a441a34058

SHA256
3d149afa84fa06612051dc1726827ecb13c5b9aa55d255a7f09f035fd8f7618f

SHA512
f8aaa910596f52536ec1800115c9484d465ed2c793612f6e225cd47e4f0eba23b241cc05395d93e909134e1a8972d5bab5420167333103c2c26afe81c4adac62

Download Submit
C:\Windows\SysWOW64\wbipg.exe

Filesize
105KB

MD5
a39b37061438b4c01bc54fa585899860

SHA1
9e9cf1d0cfeb9c93c7d8bdd8800ae744da835a11

SHA256
be493de699d675429e4cfbc2a8b5a942059858f4f0a741adf1286ba35d3c3894

SHA512
07b6a26629905e21bd115a151ace5cdab37017341dd5961f7240d3ef6f4cd7423fd01da18532b6d018ff3f574523dae28a6645244a3fcd18ba9cfcf0a8f56dfd

Download Submit
C:\Windows\SysWOW64\wcelmn.exe

Filesize
105KB

MD5
65a3d59fe1aa058d50d3fb36bdfab999

SHA1
5dd0eee39355b79585e95c24fe444241f871fb28

SHA256
f6758e422756969df41ad688fe79edc8dbf0e2ec1a8a3cbd325c4658bce34567

SHA512
cbd6a5e3d8598ada48a36a77b65b13aecdc74d97bf8ecb2d04cb7109671962663fbe635a6d278239a056da44e0ef89f3fe005a648c166430becf28a18886d2b0

Download Submit
C:\Windows\SysWOW64\wch.exe

Filesize
105KB

MD5
47ff9b0af010364d65d6295b4ad6b921

SHA1
c5bac3ea4e4bc60f67e79a2436ec7e28bf8d4b8f

SHA256
af23530904e1aa3007158faaa43744c5b273fd51138b0151f521dfef7700d813

SHA512
d885759c72f313d0a0cc228775ddd08b29e4c9afca6b10dcd5c7c54d90e28df6d4139ce1c7bf7d12b62a8f89a61d9866c6d476b2d9b1ae10d8a5ddf16653a085

Download Submit
C:\Windows\SysWOW64\wchas.exe

Filesize
105KB

MD5
a67b41b211a341614112b946eae4b651

SHA1
096b13aa7d32897a997708d77654c2aa9db87e9f

SHA256
12511439cecc32e92ee361a5c27249bf313be5caa4ddb3893467dc99e0c8ee40

SHA512
ba8f69ad1d9cb565e19b03e4744201c86b88b95fe9b6b1b2fedddfbcb6809b263928ed3231bb11dd23f9b67366860f887c327d398ab5371b09c059df19fa8bed

Download Submit
C:\Windows\SysWOW64\wcmbhveke.exe

Filesize
105KB

MD5
d7ea4e905bb64a28936db6c5fb5e79d8

SHA1
26b1cb5e3e0c5f02e7e96dedceae8279f20ae51e

SHA256
fcafa2dc1597b249041e93d66e9b4f15f1e5320da048255f45fd1478493ddad0

SHA512
9ad0d60a3259e559231c30b0cf6b3125cd7abf1e8083ad9317cde8a050e869526f4555716573626990d7d43f552b9f1d7c66e12c113e8c4b1cfde1a97dec1134

Download Submit
C:\Windows\SysWOW64\wdgcxp.exe

Filesize
104KB

MD5
f6174912968bd4d0e9b65bb2e26ddc88

SHA1
cb9e2a5e6db1d465895589b3997b6ada2ec040aa

SHA256
f31529e14c3fb80273c6117616c7a64b82c33810c78f9af173674cff6e31a4aa

SHA512
01f345ddc1594bd01dcb3cf6240e60c6b1c63259d1fc132180c736f6952109f3e30dc4c9f1ccf753250a1bf22b9d003711ec43c7ffe7a1108cd73c07dac37309

Download Submit
C:\Windows\SysWOW64\wfjls.exe

Filesize
105KB

MD5
9c6b19f3d7237c6dbbc8c05bb64955e6

SHA1
7f25e808407f559818848993b19caa40465f112f

SHA256
ad9f4bbec0b58f9d715cb4c9ad19b88833cbb611f0753ae38304467505621e3e

SHA512
19fd1aec6885ca5a81c12834649480844d388323e81840288f2fedcd822400e4cdb48b07108c5e989154170976bd5be65226ad6ba59b00192ec88be715b39f3a

Download Submit
C:\Windows\SysWOW64\wguiwj.exe

Filesize
105KB

MD5
e1a55e911ae78255a0d28f64cc299a55

SHA1
d2aa814653c5615998be7edce0ddae14830c22f2

SHA256
6859267c18ed2258bf07acd23f2838c5b9e0fe28d2602690222031dc6b1c6d39

SHA512
cfc707ff5ee7639564e1c372eb8a953827120ab315439b38e61b5e15b03cd7a5e2f0a46e5c214f4a63a96d63d162ff691d4f2310d3df97d3bc74561b71aa3402

Download Submit
C:\Windows\SysWOW64\whcxl.exe

Filesize
105KB

MD5
e19dca30984ca605982e911e08369ae5

SHA1
f960277c50cc8aeeb8d7a5c8fd75d61c3c9dba40

SHA256
2be69bfab4c67f122fd1637705664a3f57fb37a4674b99fce97ecb19947d2abf

SHA512
f5231b9e8102f5a4541394c1ce89bd9fb7047d6e97973c8d40097f416deb2b86f0fd209b4a2d67bd15e113ff4459449cdd08242f6a398240133299e07c13c370

Download Submit
C:\Windows\SysWOW64\wjccw.exe

Filesize
105KB

MD5
a5059d493ab3e8272606592f17cf64d5

SHA1
3793f663e41d5fc45f7b28eb1c1ed47b6014e42c

SHA256
c06c3224eff6c8f23f25ef85d132d487aba416e6f4198767735017c0d13dc942

SHA512
d96ac0c8d53c3bfece8edbf369c914c53a247a6181484f8e5b9997e5746288be82f584ea3feabd90170ab740b2e5d7c42b3be352005bd48e08c7c8ededa32e98

Download Submit
C:\Windows\SysWOW64\wjnbd.exe

Filesize
105KB

MD5
27045a03422befbb873d3327ff613660

SHA1
885adfd4d8e5d2acfcdeab2a80af1e3fd5e0ed38

SHA256
1276388f0fa8c215bf677b1d127084bfa9dfb3f79a53d7c2bad588d7a7fa3de8

SHA512
3ae35fab284476c793653bfebc72b5f11165ddd2c76dca34a282e93451a4823c0a300ef55a5fe5b137d0b4891faa4b238e4643f43dbf96fe9d2bc30a2fbf7c8e

Download Submit
C:\Windows\SysWOW64\wkai.exe

Filesize
105KB

MD5
4f0390a786d535c08a7b2724935c87fa

SHA1
8eeebf31e2b0b3a1b2317dacbd664a2b52f08037

SHA256
bb28e4e35fde44054807ba613e0828ea744b95fe2313ad80266562e8051e543f

SHA512
59d09e5a583ac5aa71f94549d949093b9f429725aff74930ebf09bd103946a4d8b179bd4ac828630ff389b2df85a66866275b22b64acadea9f33e986c3e62f19

Download Submit
C:\Windows\SysWOW64\wkmbkkn.exe

Filesize
104KB

MD5
45486b46e7142e6edb11f286dbe1f5dd

SHA1
035fd591336de7f51d6eb986d67945f57a5d064c

SHA256
e3a522a38eff301c325216d19817cdab71256d4cf40a4b899d43ece1c432451e

SHA512
0a3cd6bfd0373c12b2300013e2169ebc634d0a04bc936945ac19c8083542e99ae1d476414216b36715678acefe16367acb3140c973e92d05ab0898a2d9bd4d11

Download Submit
C:\Windows\SysWOW64\wle.exe

Filesize
105KB

MD5
1c92239927d117268c4c3832e26e6252

SHA1
51225d5d0cfc06a3660d5e729c14bea985777002

SHA256
cd0428a141f5e6c05a3c32bfbc8ed999ca66e1039cac107246c0ec8fcfd6f70b

SHA512
9daf527cf1f299c127b2391320d5c416cfb5c26e631bc7415bce8f76e378c5d6ce8bd8cd88945d6ab598e7e91e81f761c611f03c8f16e0babcece9845b6cc7e0

Download Submit
C:\Windows\SysWOW64\wmchun.exe

Filesize
105KB

MD5
9686ef1399b8274c939eb79a1f87bfa8

SHA1
ba7a0e5a046cf1342f03230ec3d31f20433acd07

SHA256
55f12d60f26a146bac900ae8b7d44cea80d4dd2a82a3f47f593e82bae4392953

SHA512
c29bd4d6a3aa029f694d9c577c7c02f9a51264c560a631ebcfded6fae4b0a6c9b7eaa67ae60a9ea7e9fb8e5669dcfa78a0444c531cbc0dd89e70839c9845bdcc

Download Submit
C:\Windows\SysWOW64\wojdqj.exe

Filesize
105KB

MD5
8f664a0b50f5742fb605d56030f68fef

SHA1
6162aafe10ffe55199384c0bce9ba2c8addd2eb3

SHA256
7cb8afff7b9f3b5a78e67e705adf956961b883513bfc66d11066c3c16ac19610

SHA512
5af1c8a79e40f62f291fa73984605ef42bead119d7f247c285ae4409e0f16b9cfd249dfddb8e713866756c2fb967474e35c945d6f4b6b0b88a3a40e86c216324

Download Submit
C:\Windows\SysWOW64\wsoffb.exe

Filesize
105KB

MD5
f4a611b79bdbaf6146f21e9cb0202197

SHA1
3e5ba520f72d1c57cf4b7bbea6d9bb1a18969390

SHA256
0c6e0354a021fbefddbd2c413efe37b31c3f6ca91d572f89cd5ac7cda0df148e

SHA512
18873e357911e02445e43d0e511764f6e7fb9295da89fd11fcbdc65768bf5c9b188df60a93aaac7651a9f6593feacb0ed6952deea94a90ce98e2380e82107c87

Download Submit
C:\Windows\SysWOW64\wssjj.exe

Filesize
105KB

MD5
3e7a76b8c6c32785528baa3c40339905

SHA1
f518dde88eb39fdf6b10e21103e3fdd93888d072

SHA256
f3366f2178539469306ad7deca788938cea89a9c7be69833d6f81d7f9902ef03

SHA512
a56635acdd8e0e2f5b806e0bd4e5351cd9d0be12db0266a9de9fd4f8df6e774339782fcafa2195f69342f146c693f2df1c43d35bdb5589ecbf6c9eb5a02c7292

Download Submit
C:\Windows\SysWOW64\wsswmyllo.exe

Filesize
105KB

MD5
3571b971f5e8192edd264dd9a4862aef

SHA1
c6b8cda2d30cc7cadb1b1627ee7fdc869cd7b39c

SHA256
532fd6ef0aa62af7d5b9fd3593a731dff546e1f4cd4bffe7d5699ce80753066b

SHA512
b2385f86b886d578dce18f6dfffcf3ec3114f9b9450f472a9bd6e070eb9c889ae81728b6de86bfdae6b8d9a30fa6f71e78173ea23d7002389fe6d06d828a3499

Download Submit
C:\Windows\SysWOW64\wtfpkt.exe

Filesize
105KB

MD5
d94c2c3b69f70ce309a97cbb8e814d87

SHA1
4919714130c8b180fea70053128709f4f7693de2

SHA256
fa1b6a4254ebc07b9d0b86f2469136e140bca0f0cd01d65780e78678f46980e4

SHA512
9618062be9e4e39d488770ab1578129d7e24d62687be23875727e9e590fa740a0a471d5a54033da123721e7bf79b6ffdb0e1705cf185e711b5084c333edc8145

Download Submit
C:\Windows\SysWOW64\wtqjny.exe

Filesize
104KB

MD5
c16a0ace94f7a7ba756e8233d4560f6c

SHA1
df38b9045c253ea8846de789cd7674018f45e92a

SHA256
8574f89fafac80967fc5cc2d1aaa619eba11d042bc66f08c3f0cbb48bb076611

SHA512
ddf0ea623fa8441e487129705d641d804e79c7b786de3d6f4adda3d1ce7093b89792caac6da721277acd04899dd984de718c3dd9774be6a9b8bae8e6a8077864

Download Submit
C:\Windows\SysWOW64\wtqrwtbox.exe

Filesize
105KB

MD5
0fd9e0dc24687fcd1a8ca78fd5b3057e

SHA1
964e2a74ecf2e3820bba76fa12007416ed4ec732

SHA256
02175c928b005f8ea8684a3b86e1ca4952569842898625966637fca683d9095d

SHA512
b205bf38ad5eeff502352e978fc8796d740d4454af8b3a0f6853baa77a088a37842af2f570c869e91ec4d3ff0962870a162d3f2b6bb4e92603fd8ce0462fe729

Download Submit
C:\Windows\SysWOW64\wtvvud.exe

Filesize
105KB

MD5
f5e29efc9e7e197e2328b5b051564c0a

SHA1
9c35e6993e1c3e5914abb82e8423fb67773a32c0

SHA256
8395d5e76a6f355c5ce0bc960a838c5354e7ba3103b812f1d0cd97d9adf2ae0c

SHA512
72f08880640fbc6cc8f9b4041bf78dd315b72c9af910eb139a035bcba0840733b8ed01bf5c7e771e06e786a7ef0f1660cda14d206845ba8557f74f7b5263f66e

Download Submit
C:\Windows\SysWOW64\wtwru.exe

Filesize
105KB

MD5
a217e19378a11a3aa3fdf175cc84a52a

SHA1
06b1fbb29f47e35cb6425b75cbc0d8549f5f9e4c

SHA256
67beba792f9ad1483ec51a20a026024634bca055a20180c870bb9923e3d07bf6

SHA512
7da566eca150a6159c3cf3c90e5dcd59f96dc1b68c21bb6a40206f94d7f43ac862bf0f371dc950f32b4fc2c3d479076797c0bb5f78d31548cc03887718d7ead6

Download Submit
C:\Windows\SysWOW64\wuvjckm.exe

Filesize
105KB

MD5
1c3d021af88db9432b9eea452fe76bde

SHA1
15279c4e6c5fba37e3d91fdca016d9dc21af5068

SHA256
c7ffde90d5c10447625d1b638c623ae0e78046175aa822e612571fd6e47df383

SHA512
b08f12785412d658aee5eceedd8aaadb5897f681bf21efc2222f5b905f102f3b9a5dd457de76137432418b8ba43b6e8e67669b9683f0e4d7f5e4bd2d381ff079

Download Submit
C:\Windows\SysWOW64\wwigleti.exe

Filesize
105KB

MD5
ff2887c03f2bd39a378ffdfd72075940

SHA1
ebaa2e2be4a7e260f3e25bd14fa3a417b3279691

SHA256
bbfbc5d57c573f797b069ae66f8ce2e521bde3ded163b1423d3ca7a7adee70e9

SHA512
adf6fa7ce6f9707e66aeeee4cb63bb2e4c7b9ea0c42366daa9a38218772e9e07665ab43a7ccc31edd9425a244eb5fa8fdaeb96d94d8abe5a026d9f460d24b74d

Download Submit
C:\Windows\SysWOW64\wwjsewcq.exe

Filesize
105KB

MD5
883a51695baceffcf5d5a46350be05aa

SHA1
3f45c8e7afa19409cb60eccfb7dbba0da8ef2953

SHA256
c9b90d7c095365c8ad3c70b00beff6c0227cfe5552d6fffaed7410a9cb7bf907

SHA512
d517028328955d3dfe5aecab37da3b5d355607825c1fd41505290da22e308ebacd79c6a5426a5448acfe96961a8a9b1d587594fed2199dc24e711a5499372d89

Download Submit
C:\Windows\SysWOW64\wwolo.exe

Filesize
105KB

MD5
c45850ed8eb9258aaae066e6ed5f4cc0

SHA1
114c5a343917a90028b6fbd73b2aee495b413877

SHA256
ec9d0632340066cb5e4aeffcde4d5901eebb771af647a4959f4adf185bc41b96

SHA512
f0457aad403d2ec73c0403ef85708db04a4b5bf4fb804210453a118b187318e744ac4ddb40a1549107a02b90f9e42e4e9c0ea5d92baeb8a83d7f25a4c51191c9

Download Submit
C:\Windows\SysWOW64\wwurxlnx.exe

Filesize
105KB

MD5
ca71123f067c6a44e028429e85649626

SHA1
258cc1f3fe71607db4dedbc4ab33bb4d6535da65

SHA256
e0e21291ee9f4275b10eceae42efd704425e7b9da3f1bf9f3dbf6091dda5bd50

SHA512
497b1f5e6f969bbdf89ac3f6bebdd5e7bbc51ee40b8741105593ad452b1a890db63760e4a5b029dae0b3f962ce71a421becd3de4c73638bee85dd52a687ffeee

Download Submit
C:\Windows\SysWOW64\wxoymh.exe

Filesize
105KB

MD5
ae7cd6820cb79f4918f4e38c409c73d6

SHA1
b79d8783c498f47121035bddc9aeb991844e826c

SHA256
2910df9ac07e482ed62a3c4d3dd9235fbf66f313da948cf5c8a51fe4d81fb3bf

SHA512
356b4d87e44a4e6404bdba0bee12e9887976f02288ff315c46054fcf5bbd7496184e4d82f7da478bf59c7cffb9ea001554a4260d28dd58c8eb87a58664a540af

Download Submit
C:\Windows\SysWOW64\wxwdemf.exe

Filesize
105KB

MD5
e710b83a88906d577229670a1c7973ef

SHA1
4a5a942cfb1f6cf20e20213c06fdbc60c842133f

SHA256
f13d5a9feec45dfa867188333a35c055fd238bb03629ef323f80d380ac1dee54

SHA512
563bce4b6f595f05414caac4ff7e09596b6d54a9b0cb510455ee45d5f43871ca7c49e68b9475c5f2576fbab2d8ed4a0f6711c0f37741174ed08a615782ba55b2

Download Submit
memory/64-395-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/64-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/220-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/464-326-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/464-314-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/536-474-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/536-484-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/932-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/996-378-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1176-580-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1176-421-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1176-571-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1176-411-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1220-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1256-361-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1336-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1340-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1360-528-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1360-518-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1492-387-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1492-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-500-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-510-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2032-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2032-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-536-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-545-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2304-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2304-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-438-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-448-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-283-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-262-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2692-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2844-199-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2928-588-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3076-456-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3076-466-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3352-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3352-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3512-345-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3512-336-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3548-501-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3548-353-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3572-492-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3584-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3584-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3628-554-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3800-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3800-261-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3900-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3900-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4024-457-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4024-447-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4192-553-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4192-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4192-562-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4352-430-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4352-420-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4352-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4356-412-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4400-509-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4400-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4400-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4400-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-229-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4500-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4508-219-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4604-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-527-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-537-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4728-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4728-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4940-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4940-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4940-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5056-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5056-563-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5056-572-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5072-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5072-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5080-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-465-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-475-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download