0829074be18b904ef9966ba1741cb0e28b96088fb9a4cb3ec54f21ccb1b2309a

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
Size

88KB
MD5

a52962dddaa4a37208926df9873d6720
SHA1

fad0c0e585684f88976899c673ea6fba30c5002e
SHA256

0829074be18b904ef9966ba1741cb0e28b96088fb9a4cb3ec54f21ccb1b2309a
SHA512

42d7bd017024d8aa63deabcc42c9fd3e9eded2d8e01842018ec6478b8503cff28f8b93bcbc3b2e358f3a54767c8df5340e1bfc4010b48bb4ea213aeec3ef6c59
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qC2:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC2

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wxue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wrdnifm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wrhict.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wrhtgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wemvv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wgdeam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wqtvee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wppruwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wbam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wppjmpej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wsxdiwb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wduqsp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wvdtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wxbafen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwcfen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwihvxdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wbjhis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wbhgoll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wixovv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wfus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wlkbnwc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wnyf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wpqepo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	warf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wapsq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wimrkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wtchwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wtai.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wcgjh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwddixmjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wikadc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwoquo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwhykcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wxwxpd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wxyjso.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wdbx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wkjfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wsfvlbs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wmrdldrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwawb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wawluahe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wmxckhsx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wlgonw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wtlnrhu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wfjqwh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wrtosxitw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wdovwb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wemeayc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wtbgfvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wnqgtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wkmn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wmtlj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wmsflh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwsjtk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wbuxsbq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	woykiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwcbkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wnttm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wwpfcprb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wqrncjmoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wlsih.exe

Executes dropped EXE 64 IoCs

pid	Process
2516	wbam.exe
5112	wykac.exe
1484	whivar.exe
1172	whlfcln.exe
3948	wmtlj.exe
1976	wxxu.exe
116	wtbgfvb.exe
3404	wapsq.exe
3356	wasctv.exe
2740	wwhykcu.exe
2716	wfa.exe
4356	wuxyho.exe
4848	wxwxpd.exe
1660	wyig.exe
440	wwcfen.exe
2404	wkgy.exe
4352	wlyt.exe
1460	wqslaft.exe
4568	wemvv.exe
2208	wnqshd.exe
2720	wpp.exe
5112	wwihvxdt.exe
4856	wdoi.exe
3152	wixovv.exe
3964	wmsflh.exe
3504	wnqgtx.exe
1452	wmvoouync.exe
1268	wenuchlk.exe
3756	wnttm.exe
2816	wbjhis.exe
2348	wbvaqoh.exe
4204	wcgjh.exe
2008	wdovwb.exe
2628	wmxxuee.exe
1664	wsgs.exe
1856	wco.exe
4980	wwsjtk.exe
3888	wgm.exe
2116	wlgonw.exe
2544	wwpfcprb.exe
4444	wxiahd.exe
4900	wtlnrhu.exe
1652	wroydkw.exe
4904	wnfp.exe
3644	walmejbrm.exe
4716	wbuxsbq.exe
3300	wgdeam.exe
3388	wqrncjmoo.exe
5036	wqtvee.exe
2120	wemeayc.exe
1752	wmrdldrs.exe
1480	wgttogsq.exe
1432	wsxmrc.exe
4380	wyhux.exe
1004	wimrkr.exe
1180	wjqshgkd.exe
2496	wpk.exe
4528	wloxfwm.exe
2608	wxsri.exe
820	wdbx.exe
5072	wxel.exe
4604	wfus.exe
1548	wlkbnwc.exe
1132	wkjfe.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wapsq = "\"C:\\Windows\\SysWOW64\\wapsq.exe\""	wapsq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunvl = "\"C:\\Windows\\SysWOW64\\wunvl.exe\""	wunvl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmf = "\"C:\\Windows\\SysWOW64\\wmf.exe\""	wmf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weyedjw = "\"C:\\Windows\\SysWOW64\\weyedjw.exe\""	weyedjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdlbvob = "\"C:\\Windows\\SysWOW64\\wdlbvob.exe\""	wdlbvob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqcrdt = "\"C:\\Windows\\SysWOW64\\wqcrdt.exe\""	wqcrdt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wduqsp = "\"C:\\Windows\\SysWOW64\\wduqsp.exe\""	wduqsp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtai = "\"C:\\Windows\\SysWOW64\\wtai.exe\""	wtai.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqslaft = "\"C:\\Windows\\SysWOW64\\wqslaft.exe\""	wqslaft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wppjmpej = "\"C:\\Windows\\SysWOW64\\wppjmpej.exe\""	wppjmpej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmoewr = "\"C:\\Windows\\SysWOW64\\wmoewr.exe\""	wmoewr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyckv = "\"C:\\Windows\\SysWOW64\\wyckv.exe\""	wyckv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuxyho = "\"C:\\Windows\\SysWOW64\\wuxyho.exe\""	wuxyho.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlyt = "\"C:\\Windows\\SysWOW64\\wlyt.exe\""	wlyt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjqshgkd = "\"C:\\Windows\\SysWOW64\\wjqshgkd.exe\""	wjqshgkd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wloxfwm = "\"C:\\Windows\\SysWOW64\\wloxfwm.exe\""	wloxfwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsxdiwb = "\"C:\\Windows\\SysWOW64\\wsxdiwb.exe\""	wsxdiwb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxue = "\"C:\\Windows\\SysWOW64\\wxue.exe\""	wxue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpqepo = "\"C:\\Windows\\SysWOW64\\wpqepo.exe\""	wpqepo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfynyu = "\"C:\\Windows\\SysWOW64\\wfynyu.exe\""	wfynyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyig = "\"C:\\Windows\\SysWOW64\\wyig.exe\""	wyig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbvaqoh = "\"C:\\Windows\\SysWOW64\\wbvaqoh.exe\""	wbvaqoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsmgksp = "\"C:\\Windows\\SysWOW64\\wsmgksp.exe\""	wsmgksp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wto = "\"C:\\Windows\\SysWOW64\\wto.exe\""	wto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whivar = "\"C:\\Windows\\SysWOW64\\whivar.exe\""	whivar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxxu = "\"C:\\Windows\\SysWOW64\\wxxu.exe\""	wxxu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnyf = "\"C:\\Windows\\SysWOW64\\wnyf.exe\""	wnyf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrtosxitw = "\"C:\\Windows\\SysWOW64\\wrtosxitw.exe\""	wrtosxitw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkgu = "\"C:\\Windows\\SysWOW64\\wkgu.exe\""	wkgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdoi = "\"C:\\Windows\\SysWOW64\\wdoi.exe\""	wdoi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wenuchlk = "\"C:\\Windows\\SysWOW64\\wenuchlk.exe\""	wenuchlk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbjhis = "\"C:\\Windows\\SysWOW64\\wbjhis.exe\""	wbjhis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\walmejbrm = "\"C:\\Windows\\SysWOW64\\walmejbrm.exe\""	walmejbrm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvdtx = "\"C:\\Windows\\SysWOW64\\wvdtx.exe\""	wvdtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrdnifm = "\"C:\\Windows\\SysWOW64\\wrdnifm.exe\""	wrdnifm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkcwsy = "\"C:\\Windows\\SysWOW64\\wkcwsy.exe\""	wkcwsy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrhtgw = "\"C:\\Windows\\SysWOW64\\wrhtgw.exe\""	wrhtgw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnqshd = "\"C:\\Windows\\SysWOW64\\wnqshd.exe\""	wnqshd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwihvxdt = "\"C:\\Windows\\SysWOW64\\wwihvxdt.exe\""	wwihvxdt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsgs = "\"C:\\Windows\\SysWOW64\\wsgs.exe\""	wsgs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wroydkw = "\"C:\\Windows\\SysWOW64\\wroydkw.exe\""	wroydkw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbhgoll = "\"C:\\Windows\\SysWOW64\\wbhgoll.exe\""	wbhgoll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\warf = "\"C:\\Windows\\SysWOW64\\warf.exe\""	warf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtlnrhu = "\"C:\\Windows\\SysWOW64\\wtlnrhu.exe\""	wtlnrhu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwewph = "\"C:\\Windows\\SysWOW64\\wwewph.exe\""	wwewph.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykac = "\"C:\\Windows\\SysWOW64\\wykac.exe\""	wykac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnttm = "\"C:\\Windows\\SysWOW64\\wnttm.exe\""	wnttm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkjfe = "\"C:\\Windows\\SysWOW64\\wkjfe.exe\""	wkjfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wemeayc = "\"C:\\Windows\\SysWOW64\\wemeayc.exe\""	wemeayc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlkbnwc = "\"C:\\Windows\\SysWOW64\\wlkbnwc.exe\""	wlkbnwc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtchwj = "\"C:\\Windows\\SysWOW64\\wtchwj.exe\""	wtchwj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwcbkj = "\"C:\\Windows\\SysWOW64\\wwcbkj.exe\""	wwcbkj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wixovv = "\"C:\\Windows\\SysWOW64\\wixovv.exe\""	wixovv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfus = "\"C:\\Windows\\SysWOW64\\wfus.exe\""	wfus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtbgfvb = "\"C:\\Windows\\SysWOW64\\wtbgfvb.exe\""	wtbgfvb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmsflh = "\"C:\\Windows\\SysWOW64\\wmsflh.exe\""	wmsflh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wco = "\"C:\\Windows\\SysWOW64\\wco.exe\""	wco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpk = "\"C:\\Windows\\SysWOW64\\wpk.exe\""	wpk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wppruwr = "\"C:\\Windows\\SysWOW64\\wppruwr.exe\""	wppruwr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrhict = "\"C:\\Windows\\SysWOW64\\wrhict.exe\""	wrhict.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whlfcln = "\"C:\\Windows\\SysWOW64\\whlfcln.exe\""	whlfcln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkgy = "\"C:\\Windows\\SysWOW64\\wkgy.exe\""	wkgy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqrncjmoo = "\"C:\\Windows\\SysWOW64\\wqrncjmoo.exe\""	wqrncjmoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvxototfo = "\"C:\\Windows\\SysWOW64\\wvxototfo.exe\""	wvxototfo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wpp.exe	wnqshd.exe
File created	C:\Windows\SysWOW64\wixovv.exe	wdoi.exe
File opened for modification	C:\Windows\SysWOW64\wxel.exe	wdbx.exe
File opened for modification	C:\Windows\SysWOW64\wikadc.exe	wdlbvob.exe
File created	C:\Windows\SysWOW64\wjhrfubap.exe	wfjqwh.exe
File created	C:\Windows\SysWOW64\wqslaft.exe	wlyt.exe
File opened for modification	C:\Windows\SysWOW64\wlkbnwc.exe	wfus.exe
File created	C:\Windows\SysWOW64\wsxdiwb.exe	woenvkap.exe
File opened for modification	C:\Windows\SysWOW64\wxue.exe	wkcudh.exe
File created	C:\Windows\SysWOW64\wmxckhsx.exe	wprvfil.exe
File created	C:\Windows\SysWOW64\walmejbrm.exe	wnfp.exe
File opened for modification	C:\Windows\SysWOW64\wlgonw.exe	wgm.exe
File created	C:\Windows\SysWOW64\wxsri.exe	wloxfwm.exe
File opened for modification	C:\Windows\SysWOW64\wmf.exe	wunvl.exe
File opened for modification	C:\Windows\SysWOW64\wkcwsy.exe	woykiv.exe
File created	C:\Windows\SysWOW64\woykiv.exe	wrhict.exe
File created	C:\Windows\SysWOW64\wwihvxdt.exe	wpp.exe
File opened for modification	C:\Windows\SysWOW64\wxiahd.exe	wwpfcprb.exe
File opened for modification	C:\Windows\SysWOW64\wsmgksp.exe	wxyjso.exe
File opened for modification	C:\Windows\SysWOW64\whlfcln.exe	whivar.exe
File opened for modification	C:\Windows\SysWOW64\wgwgvb.exe	wwddixmjv.exe
File opened for modification	C:\Windows\SysWOW64\wawluahe.exe	wmf.exe
File opened for modification	C:\Windows\SysWOW64\wprvfil.exe	wto.exe
File created	C:\Windows\SysWOW64\wesiu.exe	wmoewr.exe
File created	C:\Windows\SysWOW64\whlfcln.exe	whivar.exe
File created	C:\Windows\SysWOW64\wgdeam.exe	wbuxsbq.exe
File opened for modification	C:\Windows\SysWOW64\wrtosxitw.exe	wsfvlbs.exe
File created	C:\Windows\SysWOW64\wxbafen.exe	wmxckhsx.exe
File created	C:\Windows\SysWOW64\wtbgfvb.exe	wxxu.exe
File created	C:\Windows\SysWOW64\wmsflh.exe	wixovv.exe
File created	C:\Windows\SysWOW64\wgm.exe	wwsjtk.exe
File opened for modification	C:\Windows\SysWOW64\wsgs.exe	wmxxuee.exe
File opened for modification	C:\Windows\SysWOW64\wsxmrc.exe	wgttogsq.exe
File opened for modification	C:\Windows\SysWOW64\wgm.exe	wwsjtk.exe
File created	C:\Windows\SysWOW64\wrtosxitw.exe	wsfvlbs.exe
File created	C:\Windows\SysWOW64\wkmn.exe	wyckv.exe
File created	C:\Windows\SysWOW64\wqtvee.exe	wqrncjmoo.exe
File opened for modification	C:\Windows\SysWOW64\wdbx.exe	wxsri.exe
File opened for modification	C:\Windows\SysWOW64\wppjmpej.exe	wqcrdt.exe
File opened for modification	C:\Windows\SysWOW64\wtbgfvb.exe	wxxu.exe
File created	C:\Windows\SysWOW64\wwsjtk.exe	wco.exe
File opened for modification	C:\Windows\SysWOW64\wmrdldrs.exe	wemeayc.exe
File created	C:\Windows\SysWOW64\wlxkpaf.exe	wdwgna.exe
File created	C:\Windows\SysWOW64\wrhict.exe	wrtosxitw.exe
File opened for modification	C:\Windows\SysWOW64\wkgu.exe	wwcbkj.exe
File opened for modification	C:\Windows\SysWOW64\wco.exe	wsgs.exe
File opened for modification	C:\Windows\SysWOW64\wrhtgw.exe	wwoquo.exe
File created	C:\Windows\SysWOW64\wsmgksp.exe	wxyjso.exe
File created	C:\Windows\SysWOW64\wgwgvb.exe	wwddixmjv.exe
File created	C:\Windows\SysWOW64\wprvfil.exe	wto.exe
File created	C:\Windows\SysWOW64\wyckv.exe	wujrib.exe
File opened for modification	C:\Windows\SysWOW64\wykac.exe	wbam.exe
File opened for modification	C:\Windows\SysWOW64\wwcfen.exe	wyig.exe
File opened for modification	C:\Windows\SysWOW64\wnqgtx.exe	wmsflh.exe
File created	C:\Windows\SysWOW64\wyhux.exe	wsxmrc.exe
File opened for modification	C:\Windows\SysWOW64\wkmn.exe	wyckv.exe
File created	C:\Windows\SysWOW64\wco.exe	wsgs.exe
File opened for modification	C:\Windows\SysWOW64\wwsjtk.exe	wco.exe
File created	C:\Windows\SysWOW64\wtlnrhu.exe	wxiahd.exe
File created	C:\Windows\SysWOW64\wvdtx.exe	weyedjw.exe
File created	C:\Windows\SysWOW64\wvxototfo.exe	wvdtx.exe
File opened for modification	C:\Windows\SysWOW64\wvxototfo.exe	wvdtx.exe
File created	C:\Windows\SysWOW64\wkcwsy.exe	woykiv.exe
File opened for modification	C:\Windows\SysWOW64\wqcrdt.exe	wrhtgw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1008	2516	WerFault.exe	84
3268	4848	WerFault.exe	127
4956	5112	WerFault.exe	156
2324	3964	WerFault.exe	167
3152	4204	WerFault.exe	193
4272	1856	WerFault.exe	207
892	4904	WerFault.exe	233
2768	3388	WerFault.exe	247
1572	1752	WerFault.exe	258
4848	1752	WerFault.exe	258
3020	1480	WerFault.exe	261
4532	3128	WerFault.exe	319
2012	2248	WerFault.exe	438

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2516	1856	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	84
PID 1856 wrote to memory of 2516	1856	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	84
PID 1856 wrote to memory of 2516	1856	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	84
PID 1856 wrote to memory of 2860	1856	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	86
PID 1856 wrote to memory of 2860	1856	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	86
PID 1856 wrote to memory of 2860	1856	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	86
PID 2516 wrote to memory of 5112	2516	wbam.exe	90
PID 2516 wrote to memory of 5112	2516	wbam.exe	90
PID 2516 wrote to memory of 5112	2516	wbam.exe	90
PID 2516 wrote to memory of 3888	2516	wbam.exe	91
PID 2516 wrote to memory of 3888	2516	wbam.exe	91
PID 2516 wrote to memory of 3888	2516	wbam.exe	91
PID 5112 wrote to memory of 1484	5112	wykac.exe	97
PID 5112 wrote to memory of 1484	5112	wykac.exe	97
PID 5112 wrote to memory of 1484	5112	wykac.exe	97
PID 5112 wrote to memory of 1440	5112	wykac.exe	98
PID 5112 wrote to memory of 1440	5112	wykac.exe	98
PID 5112 wrote to memory of 1440	5112	wykac.exe	98
PID 1484 wrote to memory of 1172	1484	whivar.exe	100
PID 1484 wrote to memory of 1172	1484	whivar.exe	100
PID 1484 wrote to memory of 1172	1484	whivar.exe	100
PID 1484 wrote to memory of 1544	1484	whivar.exe	101
PID 1484 wrote to memory of 1544	1484	whivar.exe	101
PID 1484 wrote to memory of 1544	1484	whivar.exe	101
PID 1172 wrote to memory of 3948	1172	whlfcln.exe	103
PID 1172 wrote to memory of 3948	1172	whlfcln.exe	103
PID 1172 wrote to memory of 3948	1172	whlfcln.exe	103
PID 1172 wrote to memory of 440	1172	whlfcln.exe	104
PID 1172 wrote to memory of 440	1172	whlfcln.exe	104
PID 1172 wrote to memory of 440	1172	whlfcln.exe	104
PID 3948 wrote to memory of 1976	3948	wmtlj.exe	106
PID 3948 wrote to memory of 1976	3948	wmtlj.exe	106
PID 3948 wrote to memory of 1976	3948	wmtlj.exe	106
PID 3948 wrote to memory of 968	3948	wmtlj.exe	107
PID 3948 wrote to memory of 968	3948	wmtlj.exe	107
PID 3948 wrote to memory of 968	3948	wmtlj.exe	107
PID 1976 wrote to memory of 116	1976	wxxu.exe	109
PID 1976 wrote to memory of 116	1976	wxxu.exe	109
PID 1976 wrote to memory of 116	1976	wxxu.exe	109
PID 1976 wrote to memory of 3952	1976	wxxu.exe	110
PID 1976 wrote to memory of 3952	1976	wxxu.exe	110
PID 1976 wrote to memory of 3952	1976	wxxu.exe	110
PID 116 wrote to memory of 3404	116	wtbgfvb.exe	112
PID 116 wrote to memory of 3404	116	wtbgfvb.exe	112
PID 116 wrote to memory of 3404	116	wtbgfvb.exe	112
PID 116 wrote to memory of 4372	116	wtbgfvb.exe	113
PID 116 wrote to memory of 4372	116	wtbgfvb.exe	113
PID 116 wrote to memory of 4372	116	wtbgfvb.exe	113
PID 3404 wrote to memory of 3356	3404	wapsq.exe	115
PID 3404 wrote to memory of 3356	3404	wapsq.exe	115
PID 3404 wrote to memory of 3356	3404	wapsq.exe	115
PID 3404 wrote to memory of 3608	3404	wapsq.exe	116
PID 3404 wrote to memory of 3608	3404	wapsq.exe	116
PID 3404 wrote to memory of 3608	3404	wapsq.exe	116
PID 3356 wrote to memory of 2740	3356	wasctv.exe	118
PID 3356 wrote to memory of 2740	3356	wasctv.exe	118
PID 3356 wrote to memory of 2740	3356	wasctv.exe	118
PID 3356 wrote to memory of 5104	3356	wasctv.exe	119
PID 3356 wrote to memory of 5104	3356	wasctv.exe	119
PID 3356 wrote to memory of 5104	3356	wasctv.exe	119
PID 2740 wrote to memory of 2716	2740	wwhykcu.exe	121
PID 2740 wrote to memory of 2716	2740	wwhykcu.exe	121
PID 2740 wrote to memory of 2716	2740	wwhykcu.exe	121
PID 2740 wrote to memory of 3300	2740	wwhykcu.exe	122

C:\Users\Admin\AppData\Local\Temp\a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\wbam.exe
  "C:\Windows\system32\wbam.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\wykac.exe
    "C:\Windows\system32\wykac.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\whivar.exe
      "C:\Windows\system32\whivar.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\whlfcln.exe
        
        "C:\Windows\system32\whlfcln.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\wmtlj.exe
        
        "C:\Windows\system32\wmtlj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\wxxu.exe
        
        "C:\Windows\system32\wxxu.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\wtbgfvb.exe
        
        "C:\Windows\system32\wtbgfvb.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\wapsq.exe
        
        "C:\Windows\system32\wapsq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\wasctv.exe
        
        "C:\Windows\system32\wasctv.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\wwhykcu.exe
        
        "C:\Windows\system32\wwhykcu.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\wfa.exe
        
        "C:\Windows\system32\wfa.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\wuxyho.exe
        
        "C:\Windows\system32\wuxyho.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4356
        
        C:\Windows\SysWOW64\wxwxpd.exe
        
        "C:\Windows\system32\wxwxpd.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\wyig.exe
        
        "C:\Windows\system32\wyig.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\wwcfen.exe
        
        "C:\Windows\system32\wwcfen.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\wkgy.exe
        
        "C:\Windows\system32\wkgy.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2404
        
        C:\Windows\SysWOW64\wlyt.exe
        
        "C:\Windows\system32\wlyt.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\wqslaft.exe
        
        "C:\Windows\system32\wqslaft.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1460
        
        C:\Windows\SysWOW64\wemvv.exe
        
        "C:\Windows\system32\wemvv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\wnqshd.exe
        
        "C:\Windows\system32\wnqshd.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\wpp.exe
        
        "C:\Windows\system32\wpp.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\wwihvxdt.exe
        
        "C:\Windows\system32\wwihvxdt.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5112
        
        C:\Windows\SysWOW64\wdoi.exe
        
        "C:\Windows\system32\wdoi.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\wixovv.exe
        
        "C:\Windows\system32\wixovv.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\wmsflh.exe
        
        "C:\Windows\system32\wmsflh.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wnqgtx.exe
        
        "C:\Windows\system32\wnqgtx.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\wmvoouync.exe
        
        "C:\Windows\system32\wmvoouync.exe"
        28⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\wenuchlk.exe
        
        "C:\Windows\system32\wenuchlk.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1268
        
        C:\Windows\SysWOW64\wnttm.exe
        
        "C:\Windows\system32\wnttm.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3756
        
        C:\Windows\SysWOW64\wbjhis.exe
        
        "C:\Windows\system32\wbjhis.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2816
        
        C:\Windows\SysWOW64\wbvaqoh.exe
        
        "C:\Windows\system32\wbvaqoh.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2348
        
        C:\Windows\SysWOW64\wcgjh.exe
        
        "C:\Windows\system32\wcgjh.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\wdovwb.exe
        
        "C:\Windows\system32\wdovwb.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\wmxxuee.exe
        
        "C:\Windows\system32\wmxxuee.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\wsgs.exe
        
        "C:\Windows\system32\wsgs.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\wco.exe
        
        "C:\Windows\system32\wco.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\wwsjtk.exe
        
        "C:\Windows\system32\wwsjtk.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\wgm.exe
        
        "C:\Windows\system32\wgm.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\wlgonw.exe
        
        "C:\Windows\system32\wlgonw.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\wwpfcprb.exe
        
        "C:\Windows\system32\wwpfcprb.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wxiahd.exe
        
        "C:\Windows\system32\wxiahd.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\wtlnrhu.exe
        
        "C:\Windows\system32\wtlnrhu.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4900
        
        C:\Windows\SysWOW64\wroydkw.exe
        
        "C:\Windows\system32\wroydkw.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1652
        
        C:\Windows\SysWOW64\wnfp.exe
        
        "C:\Windows\system32\wnfp.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\walmejbrm.exe
        
        "C:\Windows\system32\walmejbrm.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3644
        
        C:\Windows\SysWOW64\wbuxsbq.exe
        
        "C:\Windows\system32\wbuxsbq.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\wgdeam.exe
        
        "C:\Windows\system32\wgdeam.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\wqrncjmoo.exe
        
        "C:\Windows\system32\wqrncjmoo.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\wqtvee.exe
        
        "C:\Windows\system32\wqtvee.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\wemeayc.exe
        
        "C:\Windows\system32\wemeayc.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\wmrdldrs.exe
        
        "C:\Windows\system32\wmrdldrs.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\wgttogsq.exe
        
        "C:\Windows\system32\wgttogsq.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\wsxmrc.exe
        
        "C:\Windows\system32\wsxmrc.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wyhux.exe
        
        "C:\Windows\system32\wyhux.exe"
        55⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\wimrkr.exe
        
        "C:\Windows\system32\wimrkr.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\wjqshgkd.exe
        
        "C:\Windows\system32\wjqshgkd.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1180
        
        C:\Windows\SysWOW64\wpk.exe
        
        "C:\Windows\system32\wpk.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2496
        
        C:\Windows\SysWOW64\wloxfwm.exe
        
        "C:\Windows\system32\wloxfwm.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\wxsri.exe
        
        "C:\Windows\system32\wxsri.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\wdbx.exe
        
        "C:\Windows\system32\wdbx.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\wxel.exe
        
        "C:\Windows\system32\wxel.exe"
        62⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\wfus.exe
        
        "C:\Windows\system32\wfus.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\wlkbnwc.exe
        
        "C:\Windows\system32\wlkbnwc.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1548
        
        C:\Windows\SysWOW64\wkjfe.exe
        
        "C:\Windows\system32\wkjfe.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1132
        
        C:\Windows\SysWOW64\wdwgna.exe
        
        "C:\Windows\system32\wdwgna.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\wlxkpaf.exe
        
        "C:\Windows\system32\wlxkpaf.exe"
        67⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\wbhgoll.exe
        
        "C:\Windows\system32\wbhgoll.exe"
        68⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4052
        
        C:\Windows\SysWOW64\wxyjso.exe
        
        "C:\Windows\system32\wxyjso.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\wsmgksp.exe
        
        "C:\Windows\system32\wsmgksp.exe"
        70⤵
        Adds Run key to start application
        
        PID:3128
        
        C:\Windows\SysWOW64\wppruwr.exe
        
        "C:\Windows\system32\wppruwr.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4576
        
        C:\Windows\SysWOW64\wtchwj.exe
        
        "C:\Windows\system32\wtchwj.exe"
        72⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4392
        
        C:\Windows\SysWOW64\wpqepo.exe
        
        "C:\Windows\system32\wpqepo.exe"
        73⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2500
        
        C:\Windows\SysWOW64\weyedjw.exe
        
        "C:\Windows\system32\weyedjw.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\wvdtx.exe
        
        "C:\Windows\system32\wvdtx.exe"
        75⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\wvxototfo.exe
        
        "C:\Windows\system32\wvxototfo.exe"
        76⤵
        Adds Run key to start application
        
        PID:5024
        
        C:\Windows\SysWOW64\warf.exe
        
        "C:\Windows\system32\warf.exe"
        77⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4596
        
        C:\Windows\SysWOW64\wnyf.exe
        
        "C:\Windows\system32\wnyf.exe"
        78⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:440
        
        C:\Windows\SysWOW64\wwddixmjv.exe
        
        "C:\Windows\system32\wwddixmjv.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\wgwgvb.exe
        
        "C:\Windows\system32\wgwgvb.exe"
        80⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\wfynyu.exe
        
        "C:\Windows\system32\wfynyu.exe"
        81⤵
        Adds Run key to start application
        
        PID:4052
        
        C:\Windows\SysWOW64\wsej.exe
        
        "C:\Windows\system32\wsej.exe"
        82⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\wwawb.exe
        
        "C:\Windows\system32\wwawb.exe"
        83⤵
        Checks computer location settings
        
        PID:3880
        
        C:\Windows\SysWOW64\woenvkap.exe
        
        "C:\Windows\system32\woenvkap.exe"
        84⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\wsxdiwb.exe
        
        "C:\Windows\system32\wsxdiwb.exe"
        85⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3680
        
        C:\Windows\SysWOW64\wkcudh.exe
        
        "C:\Windows\system32\wkcudh.exe"
        86⤵
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\wxue.exe
        
        "C:\Windows\system32\wxue.exe"
        87⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5040
        
        C:\Windows\SysWOW64\wlsih.exe
        
        "C:\Windows\system32\wlsih.exe"
        88⤵
        Checks computer location settings
        
        PID:4304
        
        C:\Windows\SysWOW64\wunvl.exe
        
        "C:\Windows\system32\wunvl.exe"
        89⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wmf.exe
        
        "C:\Windows\system32\wmf.exe"
        90⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\wawluahe.exe
        
        "C:\Windows\system32\wawluahe.exe"
        91⤵
        Checks computer location settings
        
        PID:440
        
        C:\Windows\SysWOW64\wdlbvob.exe
        
        "C:\Windows\system32\wdlbvob.exe"
        92⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\wikadc.exe
        
        "C:\Windows\system32\wikadc.exe"
        93⤵
        Checks computer location settings
        
        PID:1760
        
        C:\Windows\SysWOW64\wrdnifm.exe
        
        "C:\Windows\system32\wrdnifm.exe"
        94⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1008
        
        C:\Windows\SysWOW64\wsfvlbs.exe
        
        "C:\Windows\system32\wsfvlbs.exe"
        95⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\wrtosxitw.exe
        
        "C:\Windows\system32\wrtosxitw.exe"
        96⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\wrhict.exe
        
        "C:\Windows\system32\wrhict.exe"
        97⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\woykiv.exe
        
        "C:\Windows\system32\woykiv.exe"
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wkcwsy.exe
        
        "C:\Windows\system32\wkcwsy.exe"
        99⤵
        Adds Run key to start application
        
        PID:5048
        
        C:\Windows\SysWOW64\wfjqwh.exe
        
        "C:\Windows\system32\wfjqwh.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\wjhrfubap.exe
        
        "C:\Windows\system32\wjhrfubap.exe"
        101⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\wwoquo.exe
        
        "C:\Windows\system32\wwoquo.exe"
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wrhtgw.exe
        
        "C:\Windows\system32\wrhtgw.exe"
        103⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\wqcrdt.exe
        
        "C:\Windows\system32\wqcrdt.exe"
        104⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\wppjmpej.exe
        
        "C:\Windows\system32\wppjmpej.exe"
        105⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4716
        
        C:\Windows\SysWOW64\wto.exe
        
        "C:\Windows\system32\wto.exe"
        106⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\wprvfil.exe
        
        "C:\Windows\system32\wprvfil.exe"
        107⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\wmxckhsx.exe
        
        "C:\Windows\system32\wmxckhsx.exe"
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\wxbafen.exe
        
        "C:\Windows\system32\wxbafen.exe"
        109⤵
        Checks computer location settings
        
        PID:2248
        
        C:\Windows\SysWOW64\wduqsp.exe
        
        "C:\Windows\system32\wduqsp.exe"
        110⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4996
        
        C:\Windows\SysWOW64\wmoewr.exe
        
        "C:\Windows\system32\wmoewr.exe"
        111⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\wesiu.exe
        
        "C:\Windows\system32\wesiu.exe"
        112⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\wwcbkj.exe
        
        "C:\Windows\system32\wwcbkj.exe"
        113⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\wkgu.exe
        
        "C:\Windows\system32\wkgu.exe"
        114⤵
        Adds Run key to start application
        
        PID:4720
        
        C:\Windows\SysWOW64\wtai.exe
        
        "C:\Windows\system32\wtai.exe"
        115⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3028
        
        C:\Windows\SysWOW64\wujrib.exe
        
        "C:\Windows\system32\wujrib.exe"
        116⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\wyckv.exe
        
        "C:\Windows\system32\wyckv.exe"
        117⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\wkmn.exe
        
        "C:\Windows\system32\wkmn.exe"
        118⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Windows\SysWOW64\wwewph.exe
        
        "C:\Windows\system32\wwewph.exe"
        119⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Windows\SysWOW64\wkjqtdms.exe
        
        "C:\Windows\system32\wkjqtdms.exe"
        120⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\wbmhmpj.exe
        
        "C:\Windows\system32\wbmhmpj.exe"
        121⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjqtdms.exe"
        121⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwewph.exe"
        120⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmn.exe"
        119⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyckv.exe"
        118⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujrib.exe"
        117⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtai.exe"
        116⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgu.exe"
        115⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwcbkj.exe"
        114⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wesiu.exe"
        113⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoewr.exe"
        112⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wduqsp.exe"
        111⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbafen.exe"
        110⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1504
        110⤵
        Program crash
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxckhsx.exe"
        109⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprvfil.exe"
        108⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
        107⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppjmpej.exe"
        106⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcrdt.exe"
        105⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhtgw.exe"
        104⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwoquo.exe"
        103⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhrfubap.exe"
        102⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjqwh.exe"
        101⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcwsy.exe"
        100⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woykiv.exe"
        99⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhict.exe"
        98⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtosxitw.exe"
        97⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsfvlbs.exe"
        96⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdnifm.exe"
        95⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikadc.exe"
        94⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdlbvob.exe"
        93⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wawluahe.exe"
        92⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmf.exe"
        91⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunvl.exe"
        90⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsih.exe"
        89⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxue.exe"
        88⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcudh.exe"
        87⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxdiwb.exe"
        86⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woenvkap.exe"
        85⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwawb.exe"
        84⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsej.exe"
        83⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfynyu.exe"
        82⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwgvb.exe"
        81⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwddixmjv.exe"
        80⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyf.exe"
        79⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warf.exe"
        78⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxototfo.exe"
        77⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdtx.exe"
        76⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyedjw.exe"
        75⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqepo.exe"
        74⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtchwj.exe"
        73⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppruwr.exe"
        72⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmgksp.exe"
        71⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1520
        71⤵
        Program crash
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyjso.exe"
        70⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhgoll.exe"
        69⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxkpaf.exe"
        68⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdwgna.exe"
        67⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjfe.exe"
        66⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkbnwc.exe"
        65⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfus.exe"
        64⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxel.exe"
        63⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"
        62⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsri.exe"
        61⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloxfwm.exe"
        60⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpk.exe"
        59⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqshgkd.exe"
        58⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimrkr.exe"
        57⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhux.exe"
        56⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxmrc.exe"
        55⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgttogsq.exe"
        54⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1536
        54⤵
        Program crash
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrdldrs.exe"
        53⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 660
        53⤵
        Program crash
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 656
        53⤵
        Program crash
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemeayc.exe"
        52⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtvee.exe"
        51⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrncjmoo.exe"
        50⤵
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1088
        50⤵
        Program crash
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdeam.exe"
        49⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbuxsbq.exe"
        48⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\walmejbrm.exe"
        47⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfp.exe"
        46⤵
        
        PID:244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1440
        46⤵
        Program crash
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroydkw.exe"
        45⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlnrhu.exe"
        44⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiahd.exe"
        43⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwpfcprb.exe"
        42⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgonw.exe"
        41⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgm.exe"
        40⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsjtk.exe"
        39⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wco.exe"
        38⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1584
        38⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgs.exe"
        37⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxxuee.exe"
        36⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdovwb.exe"
        35⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgjh.exe"
        34⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1464
        34⤵
        Program crash
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvaqoh.exe"
        33⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjhis.exe"
        32⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnttm.exe"
        31⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenuchlk.exe"
        30⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvoouync.exe"
        29⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqgtx.exe"
        28⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsflh.exe"
        27⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1464
        27⤵
        Program crash
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixovv.exe"
        26⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoi.exe"
        25⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwihvxdt.exe"
        24⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 116
        24⤵
        Program crash
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpp.exe"
        23⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqshd.exe"
        22⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemvv.exe"
        21⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqslaft.exe"
        20⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyt.exe"
        19⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgy.exe"
        18⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwcfen.exe"
        17⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyig.exe"
        16⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwxpd.exe"
        15⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1140
        15⤵
        Program crash
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxyho.exe"
        14⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfa.exe"
        13⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhykcu.exe"
        12⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasctv.exe"
        11⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapsq.exe"
        10⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbgfvb.exe"
        9⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxu.exe"
        8⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtlj.exe"
        7⤵
        
        PID:968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlfcln.exe"
        6⤵
        
        PID:440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whivar.exe"
        5⤵
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykac.exe"
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbam.exe"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1356
    3⤵
    - Program crash
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe"
  2⤵
  PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2516 -ip 2516
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4848 -ip 4848
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5112 -ip 5112
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3964 -ip 3964
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1856 -ip 1856
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4904 -ip 4904
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3388 -ip 3388
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1752 -ip 1752
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1752 -ip 1752
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1480 -ip 1480
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3128 -ip 3128
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2248 -ip 2248
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wapsq.exe

Filesize
88KB

MD5
03c9de6488ab520f8504402b727bd1ff

SHA1
e463adf2601032e149cfc71fd582d8e48a8f86fe

SHA256
69edd0a3a85e9e25df9278e664765b00bb80977e43ac0d78ee3aec214a930252

SHA512
d5b6fc0b7a9f97becc494d0099326881643086affdd213fdef5f83aa82c70710731a8be6df2d66a7bb5fd94b96647e8950513f5cb0da3fc10b89b41c72bdd37a

Download Submit
C:\Windows\SysWOW64\wasctv.exe

Filesize
88KB

MD5
db1c8426fe58f8e0c443cf0b06aaabe3

SHA1
eeab8c1093be4e923fa0b2426bf11ce869124917

SHA256
9cf1776f8a7eaf0cf9d2a86e3d6b0700fd44de1d62b1731748846840148074c1

SHA512
3dafa50f3a40fc68a3624e5f13f3c55b0ef54fe114a6127d0ae896a56af83bacd84b6fa450941f2894763d85fdb133a35b3c72e942705984db442e9d2a9f6127

Download Submit
C:\Windows\SysWOW64\wbam.exe

Filesize
88KB

MD5
7ed52dd40e769d0347b0d8e389ca63ea

SHA1
babd5bfca3c70d4dc3ea81a0ba9773e6d55f5a41

SHA256
0f3423f1641dc523d7f703b10fb6232d440796831c166e0cc597b68219ebf696

SHA512
c7f74cdf21498670217cf44ff5644ca73795e22d70e4bbc120d90bcd2d87d588a599f5db1e5bee8945038e5abfb43a7254d9912c0d25c389c314f0f4004466d2

Download Submit
C:\Windows\SysWOW64\wbjhis.exe

Filesize
89KB

MD5
93d3e28009e67eefed512eafcc7325cc

SHA1
969775075abdb388d1a1189d5e78bd67eb1dd25c

SHA256
b5509ed652efeb23216dc83fdcc7ab2732a2fe97b19b9088f48c7a64e948bf5c

SHA512
158ef060af134360baa92f3901587955086d6bbdfc0ad4a80431a7f34d6bfea72d6568be7d4d17acb065d3916d8797d75de3dc39b9b8a416062f177d09a01620

Download Submit
C:\Windows\SysWOW64\wbvaqoh.exe

Filesize
89KB

MD5
fb015039ae7e450ca48e557f37ed6b2c

SHA1
76ceeff4a224cba365914017caf60161ed128815

SHA256
f0a0d0cc00d8e4652eb30de7b2b857fad8d3137b20ad60b095d6f087bb70d3c1

SHA512
94dc92171ab73c64e67159b06bc4fd01b28e59b49c50653ab4f0a9615644437d8dcda0fb1386c202c3a9866c6cd4265f1f68ca9bbd56872f96612a24ebf8beb8

Download Submit
C:\Windows\SysWOW64\wcgjh.exe

Filesize
89KB

MD5
a6ce12617055c9156ed58c1ad088dd0f

SHA1
a28dced590a8a0948b52cdd7f44214d1350f3a33

SHA256
b36c2fc01b734600f0012d02df7e02bc65cc675b2e9f269222ca9be1e6b64ce8

SHA512
1b1b328586903df2032e2a877e90ae3d2b049b70024e0180a43aff4d186499cdc917e43d0604a944ced073c45f25b6123ae1a33d1b6bfb33d203a29112634865

Download Submit
C:\Windows\SysWOW64\wdoi.exe

Filesize
89KB

MD5
4222d47353f116fd4c8b09eb5e0a4859

SHA1
afd89d4308859ab8b5d10851697f569a68c32f11

SHA256
51ea3b7f974738eeed3d7a3734a20b6f981c29d71a6e63725aee18bea5ae31a2

SHA512
80e39e360f54695e8d3eabac0080e494b0e5266a475659ba8298f915a8b2fba7377d134ed255899b4d2e15b69a962b630d062c3df6969d193028e556cef210db

Download Submit
C:\Windows\SysWOW64\wemvv.exe

Filesize
89KB

MD5
59ab3a6eb7adbdcd23056bc2d9981fcf

SHA1
1ba82a61d5f91a10e812c37a7f7c9674bf0cb0d5

SHA256
0b1ebe324b04fb2aeab1e371dde4191f7a8131f04e702d64bff727fd8806f0a9

SHA512
6e0314707eba91483ea3cd64be549a63701cfabbc0e656d8c7c9391e333380f9b6c3452c0a0318082c067ba85e3f1ed79569e300d40324f1fde150a8fc869861

Download Submit
C:\Windows\SysWOW64\wenuchlk.exe

Filesize
89KB

MD5
99e35585f7b46bbebaa2f622b20d1c89

SHA1
a8bd849847ffbb7b02154b310af317522805b778

SHA256
632d1abac18e758fa52392ee5452a6f27b5ede176c2a76c2b97c81cada3e4ee6

SHA512
c1afb69e0aa80b262bfffeb08af86c0ab896a6e414923428f6b0521ddd8a50644d40775ffa583dc01bfa8c65cb7f8a88b11795c881e4dc29102eca30a21ecf88

Download Submit
C:\Windows\SysWOW64\wfa.exe

Filesize
88KB

MD5
221d7b74c77812f6f79ffa5082383fef

SHA1
3ce2d51a714b8e2f7cb73f07f400d0fbefc62f1d

SHA256
d8ee44261f62b8c22fd7ff9d095cb30e013eb0f6387c9293da71d2912b2aaff5

SHA512
acf5d62d75eeb4316676173e13a79b31b74223bace105d1db1f4bbd34ab2e167b72902b6b6614c1f794339c922e1a27d37f9f8ae8e081f27570e50fa86354880

Download Submit
C:\Windows\SysWOW64\whivar.exe

Filesize
88KB

MD5
3e4a2590ecfaf3381793d76c91dd4294

SHA1
fa0b9a14406c049262b96ca631b20514533404d2

SHA256
dda30abf68270200dbafa3d31f6c265d95af49ef48c2adb288a9598d2071b0c5

SHA512
69cb01ced538822557df8a6665b92ee08e5a2f8dc26a636e326810da74ba307455e2daa40d7bb87a3e6a3211666d7897e02995b4cd2bb7269c37da67b7384fff

Download Submit
C:\Windows\SysWOW64\whlfcln.exe

Filesize
88KB

MD5
edc45dd9345fd987dfbd8ee7fce8a7af

SHA1
3b0fedda075928d9bb5969d7523e3cf991e47b36

SHA256
7aad237282a5151618178c19133fc0f77ced8a0475f4a326927d4ea30034f7bb

SHA512
42e5aed8dfb284d1c788acd846a50a85e017a4be9ef3fce0ddbbed2f66d738df174ecab0d433c15e6d6c6d9fda190a9149edb2bbd8188a3e0c554aa34193074e

Download Submit
C:\Windows\SysWOW64\wixovv.exe

Filesize
89KB

MD5
a29fbb44184773fcd5e453343e9e8115

SHA1
4770b3639619e3e2cc677f10279478c2973a1e84

SHA256
6ba6b292bed2c5d4ed3eafba1630b6f788f4713a96e64a925ed9784b21be07e1

SHA512
46214e8a7d6e0c21810be153011ebd0947f99a7a2a377a0ee65907ce26c8891dce6a8b0a8fb7da7c941df4ce0e4f6ba9d7f2a5b275632dd02f1b79020ca865c0

Download Submit
C:\Windows\SysWOW64\wkgy.exe

Filesize
89KB

MD5
fc16ffd6e7321866cc98af800cb41948

SHA1
86bed78526dcd8fea6675486ef00b1060bf16885

SHA256
2f73ff0a93eabfae557e8e41c127f67edc330bd2320a9dccc80d4b93b5af0a10

SHA512
c23ddff25bd22cbc64096edb75ca68dada4f49d8f0f81cdcaf9cd71b3e5de64f5adb7e5ad549ac9279cf779ce059aa1b62e8c7c8dc044aaea26145273acf67d2

Download Submit
C:\Windows\SysWOW64\wlyt.exe

Filesize
89KB

MD5
bef5019825d1b71fb2781cb7fd4d891d

SHA1
2642d76297610209abba9547f59e1d33d05caa5b

SHA256
90a6d42fea1604e8a09e9974dcad2b3dcf9467b8fce39cb34671a30c4e98be97

SHA512
2cb56fbd95ddfa325123b4da18eb83eb06c7b594e96d37f5ae913e5177da6f6cbf4e91910f9bce23f4c0065c6ed76cc672d2e1aa1b959f951a5dc320e23d2ae5

Download Submit
C:\Windows\SysWOW64\wmsflh.exe

Filesize
89KB

MD5
748f7f4e2ea192dfc27a1864623e5c9e

SHA1
f5c4b717ac70bad08074c50b1ab78a274ea6ebee

SHA256
c7a3ccb7a9c054924400a550d68b35b1c27d750c26702f9f25c374c13040531a

SHA512
93633d43ee51b8937836c111395803e2fdc714c891b426c5515ccc0e0fb340f40fb4f4256bb1a8c92135cf0fbcf19fe40b078073edeadb2733de4551570cf7b1

Download Submit
C:\Windows\SysWOW64\wmtlj.exe

Filesize
88KB

MD5
9e39264a23b2a53e3b02dc93086ce6b5

SHA1
fb0ee4f8d7758a2c00f1daeb7106fdb15242476f

SHA256
c69a06cb81d3e1976741381835bd9f31cf68a0e7c6508d08ddd1995f0f3501c8

SHA512
61d213a7244262bb202adbf8e7f8666874daffb9d7258af6668b688289540159d1de3b231bd7e9d0dfe57863bfc013e13463cf804d3261793af8285437d56485

Download Submit
C:\Windows\SysWOW64\wmvoouync.exe

Filesize
89KB

MD5
660a23e2967c1d4e3787386790c89d4a

SHA1
e4606d141e7514370608867219135dc2b33a1d5b

SHA256
f53bfe964b3a13e8aa004181b8f1fcf04d8de9436c39c19ee4554ee4083dab06

SHA512
ef4fdf89b67137f7f9349c8ba39400860f52a4854d40ff03caf3e334b1fc6f2b70adf3464e3e6f3e7ffd46adacbcea73491f1537a64f0c759c9ce71c02e322bf

Download Submit
C:\Windows\SysWOW64\wnqgtx.exe

Filesize
89KB

MD5
fc9eb9c8f649006d3d909e9ba517e579

SHA1
71546865994aae7318a3ab652088dd9957a72361

SHA256
dc7c9a9949189dcdf2f6dbd8f43c95dc8a4a411109745e6a189c0213bf1fb12e

SHA512
80e51e9fffc21fac41a94fd03b25e74c8da1037bf254021d8697ba651a11ad1833ec42cebbe5c5814f1e319ef83cdb7f56429665c626db4037ebae97bd3f4678

Download Submit
C:\Windows\SysWOW64\wnqshd.exe

Filesize
89KB

MD5
1a31d9da43b57704fa81a2fb57d6714c

SHA1
7ae60f26abee04e9103e404534beca0843fbf663

SHA256
10dd813d7310bd7f0ac4868bbb3702d367174357c22dff6d74ce0fcb179cda0c

SHA512
4db53aaa6bf660ffac6b972e659d9b2d53cd54fb478a1bf26b7501869ba06bd721a0983d60586d57677e17507812f42ee11bb8a5b489728ee43ed4230f6c59e0

Download Submit
C:\Windows\SysWOW64\wnttm.exe

Filesize
89KB

MD5
5b65cd5e564dc62a100ba0c07435bf04

SHA1
e5f3de8c3ba4a455bea46664e8f9824868fe8143

SHA256
fc2ab9097e38ff9cf59097f688312e22b899fd277e3ffc92d09f48d34e6c2c1d

SHA512
c0dea022ee094761deb42338e528001667c2770a2478da3ca21b39c2fa2f3a6d814bd0218d050a0956e70691eecb967596c62a797e7eb6ef7e34b20c53b35d54

Download Submit
C:\Windows\SysWOW64\wpp.exe

Filesize
89KB

MD5
f071901567af355a4e9a81c312f1e35c

SHA1
40b3f3e7893e30b810f1b61ad0592db4dc237579

SHA256
25acc0546f9e0e1f8b58305a29196f95a0634281ccc65e254dc3b1f0ca52270a

SHA512
3dde59dd7580f5ed78db869df62e35110967fccd45bcf8438e02a6980588fec5a2880c0e2e831e5f0970508c22c0d237b676d3943f3ca0af895e3ba4c899411f

Download Submit
C:\Windows\SysWOW64\wqslaft.exe

Filesize
89KB

MD5
4e9f183da098a25aba1cb623f699260b

SHA1
80f0ae9504c7f34480d017b1ce1c7eaca6ade9c2

SHA256
3f01269f4319545f8540e46fc68e0f65880527068b9ec4099d3db895754a5a08

SHA512
f8ec4be6dd53e8b840f2d9dc8fb171b6784fd727b6cab0a7f560e26dc840f4824e4a29326c9ec6847c779dedd4692406629fade6722c7cdb48f80e2c0dd0cf93

Download Submit
C:\Windows\SysWOW64\wtbgfvb.exe

Filesize
88KB

MD5
9cceedef1edc4d940e8b917c1aa16cb3

SHA1
bff0c69dd1813e35eb7c90f4919f85e7383796ef

SHA256
f982bc9866315e243a7910dad8067d634fefdf5f937366080615398bd34f05ae

SHA512
5d52aea8310b985887be961f71cfa70dac686570bb2979c093fbe6bf38aef9376a5d96ae75fd38320195e7b3bce6297bfca140b3edd71f706bc0ab9f7062ea23

Download Submit
C:\Windows\SysWOW64\wuxyho.exe

Filesize
88KB

MD5
e76f0522f02b09100a36134d814f0522

SHA1
e37738ef77f1fd9d764ae2b3f06dc05256b26e1a

SHA256
168133d047169c03e5251e648f1a149636e3d0a636905fb14f4bccb8798a13e4

SHA512
8d879bf3fdf96f44ac7fd7d3c2489694fe34b1403d90bbd9dfafb5697f009ff88c0657207fc278a5f1bc1319b5d113ed3dea5701444ca6abfbebe8a7cd57a641

Download Submit
C:\Windows\SysWOW64\wwcfen.exe

Filesize
88KB

MD5
2702e1b37f7a0f37e64f5ca404b8fe55

SHA1
f9f75cfc2f08bfdd55758229bd789a05c0d77aa6

SHA256
608a0d2ae5c9c924eba84e0e003455887a128955108edb90804604dd399d6daf

SHA512
58cb5dfed4cf5ca00450c6d1470b111b7e8c77b211442ccfc71bc075bc4f0826167de86842333c9f1d5178955556b4f0edcdbf3c1c15bf7ecd08485734010766

Download Submit
C:\Windows\SysWOW64\wwhykcu.exe

Filesize
88KB

MD5
fcf6ff6c7837fda8e2ce51de383baf30

SHA1
5d8dcf4e3947f2129acd3b0f3d0914d1aada6a51

SHA256
3c2c2d5f6ebe49704112cc241b7e70ab019d0c2e9d0ecbe1224992e2e0d6ce0c

SHA512
1ca4aa44f851268ddc9c1f504d38b92ea618d9af351ad0d708b397f0604f8ac09c134f4b9cba1996ba540872857112c31c5425a2ffe6f18e0422075419f91454

Download Submit
C:\Windows\SysWOW64\wwihvxdt.exe

Filesize
89KB

MD5
093fdc3f42b38b3c1ad3c513ab7a867c

SHA1
fa65eb6ca71454f8b7a17a209c78f7d515342381

SHA256
ccb62b0d63615ba10a4bacadf058929fbaa80c479052a85b4b2e950024ff0523

SHA512
3039217fa991fd2c9f934926eb0a2d43bb21a29da0c84a11d38e932db6f3cc9a59a98c590c479fb577d4ec99449437518741eabcb42a63167181f63d40af57aa

Download Submit
C:\Windows\SysWOW64\wxwxpd.exe

Filesize
88KB

MD5
2ebccd5328e30ed456e478fb90328738

SHA1
a02b08c9bbff8d6757f3cd9f1c12b57cb0fc237a

SHA256
c5c3904a5610eeb029ca72b8a2c241be2dec6b682b28702b48f7121fa868dc35

SHA512
4b3156e716f7e00a647b2c1ad25c4ec827b29bf1c73b3cc1c2278fca0f87355eb96fe3bba276178cbe8227bd1df8da70d3f09e5ffdb690217fcfb00740d48f0c

Download Submit
C:\Windows\SysWOW64\wxxu.exe

Filesize
88KB

MD5
ce705ce2b77ac6038fd29ecf79e6df47

SHA1
17f983f349c4f86b3c8b7687c2a056b8cea9bdb7

SHA256
33e9e6217a60b73eff0fd39aa3c0cca5641892dfc00b37c9768f146b63ed188e

SHA512
76b0a0b1ac728bf1d6ba9286b91bf617a50767fe415b5da0314e19a3ead8de5851314347a8746b51d5bebdfda90611f59a1cc64b46687e2e709f5252825effa4

Download Submit
C:\Windows\SysWOW64\wyig.exe

Filesize
88KB

MD5
200a252c03ad8b235cb1afb52c6b5783

SHA1
c7e44cc8c98216fc0a6abd7c0a198e9fd3ff0803

SHA256
988e02742f4585bb769885222915adc9dec30e053bdb205920854416b8c16924

SHA512
0fa8de3046d26ab3469404d13282a6d7076e856a05049266f149ceac97841093d088f71227d98eef85fc7ad7f0ed71cbb7ad4f4c290d5734d87ef407dadc4b39

Download Submit
C:\Windows\SysWOW64\wykac.exe

Filesize
88KB

MD5
b79017daa876a8173ca431b0ad743608

SHA1
09f8581928bcdd015827c32ecfc5a19ec45d2f48

SHA256
5eaa9c82efdbce26a9e626f677e513c5f468959abb8eb9a673fae2e220c1a3a5

SHA512
922cca9ad659f4cd30856b0f16eb94c0699bc7d4d0cac980eec7d118038cb05ab58136d59dbac53137e42f698ba5f0bdc6ea10dc0366916e97d49ca3b14d125c

Download Submit
memory/116-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/116-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/440-168-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/440-157-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/820-577-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/820-587-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1004-542-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1004-532-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1172-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1172-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1180-551-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1180-541-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1268-303-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1432-514-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1432-523-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1452-292-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1460-189-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1460-200-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1480-524-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1484-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1484-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1652-428-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1652-438-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1660-158-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1664-368-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1752-497-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1752-506-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1856-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1856-369-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1856-385-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1856-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1976-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2008-352-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2008-343-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-403-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-393-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-498-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-488-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2208-220-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2348-335-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2404-179-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2496-559-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2496-550-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2544-402-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2544-412-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2608-568-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2608-578-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2628-360-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2716-116-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2716-127-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2720-231-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2740-117-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2816-324-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2816-313-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3152-262-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3300-472-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3300-462-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3356-106-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3388-480-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3388-471-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3404-96-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3504-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3644-454-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3756-314-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3756-302-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3888-394-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3964-272-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4204-344-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4204-334-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4352-190-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4352-178-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4356-137-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4380-522-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4380-533-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4444-411-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4444-420-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4528-569-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4528-560-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4568-210-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4716-463-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4848-147-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4856-252-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4856-241-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4900-429-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4904-437-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4904-446-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4980-384-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5036-489-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5072-586-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5112-230-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5112-242-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5112-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads