57940a828c9f5f8223a4f5400100c35d9e511fc1eeff90ef1d2702264138ef02

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
Size

89KB
MD5

012903b6776cd32b7194a67d2240d240
SHA1

0c1cb394b462f0ceb3e2b1762b2de3bf7263bc63
SHA256

57940a828c9f5f8223a4f5400100c35d9e511fc1eeff90ef1d2702264138ef02
SHA512

cff6e5455b316553cc8d61564d5cd1a098f5f4804b9210309b65eaa448842dfa90d233f2bf7ed09cf6ea4969dd1870ac3d1273070e9c71c1593450fe8d723ab7
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71PvJdsJG1:1eOLK7hNIMLrCiS4+PwRjY5xhEAXVvt

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	weevdm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wmdrknphy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wvtmgn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wbexho.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wktslw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wklkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wrkraok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wiukipa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wlege.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wtoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wwjimen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	waoojk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	whbpiolw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	waerttx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wrqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wgwmfbrfr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wbubs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wmqpsklkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wajd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wrfjdjas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wivycl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wosbyke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wsuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wgxn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wjjip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	watgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wcortk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wakddxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wnucug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wfjls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wjdquymna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wbgal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wwvvqpdm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wsldg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wfocie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wnjdwq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wjmy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wncan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wipfqdq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wakjfsqn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wugwwbtbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wmqyopcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	whlqoe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wdpulom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wurplvwiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wjwwy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wemtbawj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wwwijhk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wlfgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wigaxfmgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wyutvdlin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wftxeqwcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wvoeop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wspcr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wvqtja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wgdg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wafo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wgdepy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wgpjb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wpyhwsy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wtedqn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wauobqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wwwgfc.exe

Executes dropped EXE 64 IoCs

pid	Process
2248	wigaxfmgs.exe
3000	woxrvj.exe
1844	wkpwpjk.exe
3468	wspcr.exe
1328	wfocie.exe
4792	wsndcvis.exe
2088	wfynapl.exe
3312	wcyekj.exe
4772	wsjkbsy.exe
3388	wfjls.exe
220	wbexho.exe
4716	wbubs.exe
2028	wakddxd.exe
1552	wnjdwq.exe
2592	wftjl.exe
764	wjjip.exe
3820	weevdm.exe
1528	wdxgj.exe
2356	wee.exe
5040	wyud.exe
2896	wauobqi.exe
4756	wquljac.exe
2776	wdgwjt.exe
1552	wiuuk.exe
1328	whp.exe
3004	waerttx.exe
2772	wmdrknphy.exe
4796	wvtmgn.exe
1728	wrkraok.exe
2676	watgh.exe
3144	wiukipa.exe
5040	wmkhly.exe
8	wakjfsqn.exe
2336	wivxlt.exe
4116	wyutvdlin.exe
3740	wlfgt.exe
4232	wgpjb.exe
3252	wlege.exe
540	wspvmjx.exe
232	wugwwbtbg.exe
3216	wdfbxd.exe
4908	wivycl.exe
1080	woocoon.exe
3224	wjmy.exe
3908	wsldg.exe
2036	wvqtja.exe
2336	wmqpsklkr.exe
3876	wmrdldrs.exe
4976	wjwwy.exe
5084	wcortk.exe
656	wtoo.exe
5056	wlfxhc.exe
2576	wiomown.exe
4176	wajd.exe
1928	wtedqn.exe
1484	whlqoe.exe
2896	wgdg.exe
2028	wpsctevj.exe
3700	wbrcnw.exe
3580	wjdquymna.exe
4056	wemtbawj.exe
1700	widr.exe
4000	wncan.exe
2940	wosbyke.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsuk = "\"C:\\Windows\\SysWOW64\\wsuk.exe\""	wsuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvtmgn = "\"C:\\Windows\\SysWOW64\\wvtmgn.exe\""	wvtmgn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmkhly = "\"C:\\Windows\\SysWOW64\\wmkhly.exe\""	wmkhly.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wivycl = "\"C:\\Windows\\SysWOW64\\wivycl.exe\""	wivycl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woxrvj = "\"C:\\Windows\\SysWOW64\\woxrvj.exe\""	woxrvj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnucug = "\"C:\\Windows\\SysWOW64\\wnucug.exe\""	wnucug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlege = "\"C:\\Windows\\SysWOW64\\wlege.exe\""	wlege.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgwmfbrfr = "\"C:\\Windows\\SysWOW64\\wgwmfbrfr.exe\""	wgwmfbrfr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wklkh = "\"C:\\Windows\\SysWOW64\\wklkh.exe\""	wklkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbexho = "\"C:\\Windows\\SysWOW64\\wbexho.exe\""	wbexho.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkcmtcmj = "\"C:\\Windows\\SysWOW64\\wkcmtcmj.exe\""	wkcmtcmj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfjls = "\"C:\\Windows\\SysWOW64\\wfjls.exe\""	wfjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wauobqi = "\"C:\\Windows\\SysWOW64\\wauobqi.exe\""	wauobqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wivxlt = "\"C:\\Windows\\SysWOW64\\wivxlt.exe\""	wivxlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbrcnw = "\"C:\\Windows\\SysWOW64\\wbrcnw.exe\""	wbrcnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waerttx = "\"C:\\Windows\\SysWOW64\\waerttx.exe\""	waerttx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvoeop = "\"C:\\Windows\\SysWOW64\\wvoeop.exe\""	wvoeop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waoojk = "\"C:\\Windows\\SysWOW64\\waoojk.exe\""	waoojk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wigaxfmgs = "\"C:\\Windows\\SysWOW64\\wigaxfmgs.exe\""	wigaxfmgs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wemtbawj = "\"C:\\Windows\\SysWOW64\\wemtbawj.exe\""	wemtbawj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wakddxd = "\"C:\\Windows\\SysWOW64\\wakddxd.exe\""	wakddxd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrfjdjas = "\"C:\\Windows\\SysWOW64\\wrfjdjas.exe\""	wrfjdjas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpyhwsy = "\"C:\\Windows\\SysWOW64\\wpyhwsy.exe\""	wpyhwsy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrkraok = "\"C:\\Windows\\SysWOW64\\wrkraok.exe\""	wrkraok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wajd = "\"C:\\Windows\\SysWOW64\\wajd.exe\""	wajd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weevdm = "\"C:\\Windows\\SysWOW64\\weevdm.exe\""	weevdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcyekj = "\"C:\\Windows\\SysWOW64\\wcyekj.exe\""	wcyekj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdgwjt = "\"C:\\Windows\\SysWOW64\\wdgwjt.exe\""	wdgwjt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whlqoe = "\"C:\\Windows\\SysWOW64\\whlqoe.exe\""	whlqoe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosbyke = "\"C:\\Windows\\SysWOW64\\wosbyke.exe\""	wosbyke.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwvvqpdm = "\"C:\\Windows\\SysWOW64\\wwvvqpdm.exe\""	wwvvqpdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgxn = "\"C:\\Windows\\SysWOW64\\wgxn.exe\""	wgxn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjwwy = "\"C:\\Windows\\SysWOW64\\wjwwy.exe\""	wjwwy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwwijhk = "\"C:\\Windows\\SysWOW64\\wwwijhk.exe\""	wwwijhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyy = "\"C:\\Windows\\SysWOW64\\wyy.exe\""	wyy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\012903b6776cd32b7194a67d2240d240_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe\""	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfynapl = "\"C:\\Windows\\SysWOW64\\wfynapl.exe\""	wfynapl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsjkbsy = "\"C:\\Windows\\SysWOW64\\wsjkbsy.exe\""	wsjkbsy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wftjl = "\"C:\\Windows\\SysWOW64\\wftjl.exe\""	wftjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipfqdq = "\"C:\\Windows\\SysWOW64\\wipfqdq.exe\""	wipfqdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmqpsklkr = "\"C:\\Windows\\SysWOW64\\wmqpsklkr.exe\""	wmqpsklkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnjdwq = "\"C:\\Windows\\SysWOW64\\wnjdwq.exe\""	wnjdwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuuk = "\"C:\\Windows\\SysWOW64\\wiuuk.exe\""	wiuuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wakjfsqn = "\"C:\\Windows\\SysWOW64\\wakjfsqn.exe\""	wakjfsqn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wncan = "\"C:\\Windows\\SysWOW64\\wncan.exe\""	wncan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wftxeqwcu = "\"C:\\Windows\\SysWOW64\\wftxeqwcu.exe\""	wftxeqwcu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuqru = "\"C:\\Windows\\SysWOW64\\wuqru.exe\""	wuqru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyutvdlin = "\"C:\\Windows\\SysWOW64\\wyutvdlin.exe\""	wyutvdlin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wktslw = "\"C:\\Windows\\SysWOW64\\wktslw.exe\""	wktslw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfocie = "\"C:\\Windows\\SysWOW64\\wfocie.exe\""	wfocie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyud = "\"C:\\Windows\\SysWOW64\\wyud.exe\""	wyud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcortk = "\"C:\\Windows\\SysWOW64\\wcortk.exe\""	wcortk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wurplvwiu = "\"C:\\Windows\\SysWOW64\\wurplvwiu.exe\""	wurplvwiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiqrmaa = "\"C:\\Windows\\SysWOW64\\wiqrmaa.exe\""	wiqrmaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsndcvis = "\"C:\\Windows\\SysWOW64\\wsndcvis.exe\""	wsndcvis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdxgj = "\"C:\\Windows\\SysWOW64\\wdxgj.exe\""	wdxgj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpsctevj = "\"C:\\Windows\\SysWOW64\\wpsctevj.exe\""	wpsctevj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjjip = "\"C:\\Windows\\SysWOW64\\wjjip.exe\""	wjjip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvqtja = "\"C:\\Windows\\SysWOW64\\wvqtja.exe\""	wvqtja.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbubs = "\"C:\\Windows\\SysWOW64\\wbubs.exe\""	wbubs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whp = "\"C:\\Windows\\SysWOW64\\whp.exe\""	whp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiukipa = "\"C:\\Windows\\SysWOW64\\wiukipa.exe\""	wiukipa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsldg = "\"C:\\Windows\\SysWOW64\\wsldg.exe\""	wsldg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiomown = "\"C:\\Windows\\SysWOW64\\wiomown.exe\""	wiomown.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wee.exe	wdxgj.exe
File created	C:\Windows\SysWOW64\watgh.exe	wrkraok.exe
File opened for modification	C:\Windows\SysWOW64\watgh.exe	wrkraok.exe
File created	C:\Windows\SysWOW64\woocoon.exe	wivycl.exe
File created	C:\Windows\SysWOW64\wmqpsklkr.exe	wvqtja.exe
File opened for modification	C:\Windows\SysWOW64\wurplvwiu.exe	wwwgfc.exe
File created	C:\Windows\SysWOW64\wbubs.exe	wbexho.exe
File opened for modification	C:\Windows\SysWOW64\wsuk.exe	wosbyke.exe
File created	C:\Windows\SysWOW64\wrfjdjas.exe	wftxeqwcu.exe
File opened for modification	C:\Windows\SysWOW64\wmqyopcd.exe	wdpulom.exe
File opened for modification	C:\Windows\SysWOW64\wafo.exe	wurplvwiu.exe
File created	C:\Windows\SysWOW64\wtoo.exe	wcortk.exe
File opened for modification	C:\Windows\SysWOW64\waoojk.exe	wuofx.exe
File created	C:\Windows\SysWOW64\wvoeop.exe	wmqyopcd.exe
File created	C:\Windows\SysWOW64\wauobqi.exe	wyud.exe
File created	C:\Windows\SysWOW64\wlege.exe	wgpjb.exe
File opened for modification	C:\Windows\SysWOW64\wjmy.exe	woocoon.exe
File created	C:\Windows\SysWOW64\woxrvj.exe	wigaxfmgs.exe
File opened for modification	C:\Windows\SysWOW64\wiuuk.exe	wdgwjt.exe
File created	C:\Windows\SysWOW64\wjwwy.exe	wmrdldrs.exe
File created	C:\Windows\SysWOW64\wuofx.exe	wpyhwsy.exe
File opened for modification	C:\Windows\SysWOW64\wkcmtcmj.exe	wklkh.exe
File created	C:\Windows\SysWOW64\wxlxwyr.exe	whbpiolw.exe
File created	C:\Windows\SysWOW64\wosbyke.exe	wncan.exe
File created	C:\Windows\SysWOW64\wyy.exe	wbfof.exe
File opened for modification	C:\Windows\SysWOW64\whp.exe	wiuuk.exe
File opened for modification	C:\Windows\SysWOW64\wipfqdq.exe	waqbpc.exe
File created	C:\Windows\SysWOW64\wkkmsubus.exe	wkcmtcmj.exe
File created	C:\Windows\SysWOW64\wncan.exe	widr.exe
File opened for modification	C:\Windows\SysWOW64\wspvmjx.exe	wlege.exe
File created	C:\Windows\SysWOW64\wcortk.exe	wjwwy.exe
File opened for modification	C:\Windows\SysWOW64\wwjimen.exe	wsuk.exe
File opened for modification	C:\Windows\SysWOW64\wgdepy.exe	wgxn.exe
File opened for modification	C:\Windows\SysWOW64\wvqtja.exe	wsldg.exe
File opened for modification	C:\Windows\SysWOW64\wjdquymna.exe	wbrcnw.exe
File opened for modification	C:\Windows\SysWOW64\wbexho.exe	wfjls.exe
File opened for modification	C:\Windows\SysWOW64\wnjdwq.exe	wakddxd.exe
File created	C:\Windows\SysWOW64\weevdm.exe	wjjip.exe
File created	C:\Windows\SysWOW64\wigaxfmgs.exe	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wiuuk.exe	wdgwjt.exe
File created	C:\Windows\SysWOW64\wvtmgn.exe	wmdrknphy.exe
File created	C:\Windows\SysWOW64\wfynapl.exe	wsndcvis.exe
File created	C:\Windows\SysWOW64\waoojk.exe	wuofx.exe
File created	C:\Windows\SysWOW64\wgpjb.exe	wlfgt.exe
File created	C:\Windows\SysWOW64\wpsctevj.exe	wgdg.exe
File opened for modification	C:\Windows\SysWOW64\wtoo.exe	wcortk.exe
File opened for modification	C:\Windows\SysWOW64\wlfgt.exe	wyutvdlin.exe
File opened for modification	C:\Windows\SysWOW64\wdfbxd.exe	wugwwbtbg.exe
File created	C:\Windows\SysWOW64\wakddxd.exe	wbubs.exe
File opened for modification	C:\Windows\SysWOW64\waerttx.exe	whp.exe
File opened for modification	C:\Windows\SysWOW64\wvtmgn.exe	wmdrknphy.exe
File opened for modification	C:\Windows\SysWOW64\wiukipa.exe	watgh.exe
File created	C:\Windows\SysWOW64\wkpwpjk.exe	woxrvj.exe
File created	C:\Windows\SysWOW64\wcyekj.exe	wfynapl.exe
File opened for modification	C:\Windows\SysWOW64\wwvvqpdm.exe	wkkmsubus.exe
File opened for modification	C:\Windows\SysWOW64\wjjip.exe	wftjl.exe
File created	C:\Windows\SysWOW64\whp.exe	wiuuk.exe
File created	C:\Windows\SysWOW64\wrkraok.exe	wvtmgn.exe
File opened for modification	C:\Windows\SysWOW64\wlfxhc.exe	wtoo.exe
File created	C:\Windows\SysWOW64\wdpulom.exe	wyy.exe
File created	C:\Windows\SysWOW64\waqbpc.exe	wrqv.exe
File created	C:\Windows\SysWOW64\wpbt.exe	wipfqdq.exe
File opened for modification	C:\Windows\SysWOW64\wspcr.exe	wkpwpjk.exe
File created	C:\Windows\SysWOW64\wdgwjt.exe	wquljac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
876	2248	WerFault.exe	85
908	3820	WerFault.exe	137
980	1528	WerFault.exe	140
2864	540	WerFault.exe	211
1744	2036	WerFault.exe	234
4384	3580	WerFault.exe	278
2288	1700	WerFault.exe	286
2680	4812	WerFault.exe	371
2356	4112	WerFault.exe	374

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2248	1532	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	85
PID 1532 wrote to memory of 2248	1532	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	85
PID 1532 wrote to memory of 2248	1532	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	85
PID 1532 wrote to memory of 4940	1532	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	87
PID 1532 wrote to memory of 4940	1532	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	87
PID 1532 wrote to memory of 4940	1532	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	87
PID 2248 wrote to memory of 3000	2248	wigaxfmgs.exe	89
PID 2248 wrote to memory of 3000	2248	wigaxfmgs.exe	89
PID 2248 wrote to memory of 3000	2248	wigaxfmgs.exe	89
PID 2248 wrote to memory of 1964	2248	wigaxfmgs.exe	90
PID 2248 wrote to memory of 1964	2248	wigaxfmgs.exe	90
PID 2248 wrote to memory of 1964	2248	wigaxfmgs.exe	90
PID 3000 wrote to memory of 1844	3000	woxrvj.exe	95
PID 3000 wrote to memory of 1844	3000	woxrvj.exe	95
PID 3000 wrote to memory of 1844	3000	woxrvj.exe	95
PID 3000 wrote to memory of 1552	3000	woxrvj.exe	96
PID 3000 wrote to memory of 1552	3000	woxrvj.exe	96
PID 3000 wrote to memory of 1552	3000	woxrvj.exe	96
PID 1844 wrote to memory of 3468	1844	wkpwpjk.exe	98
PID 1844 wrote to memory of 3468	1844	wkpwpjk.exe	98
PID 1844 wrote to memory of 3468	1844	wkpwpjk.exe	98
PID 1844 wrote to memory of 4712	1844	wkpwpjk.exe	99
PID 1844 wrote to memory of 4712	1844	wkpwpjk.exe	99
PID 1844 wrote to memory of 4712	1844	wkpwpjk.exe	99
PID 3468 wrote to memory of 1328	3468	wspcr.exe	101
PID 3468 wrote to memory of 1328	3468	wspcr.exe	101
PID 3468 wrote to memory of 1328	3468	wspcr.exe	101
PID 3468 wrote to memory of 4456	3468	wspcr.exe	102
PID 3468 wrote to memory of 4456	3468	wspcr.exe	102
PID 3468 wrote to memory of 4456	3468	wspcr.exe	102
PID 1328 wrote to memory of 4792	1328	wfocie.exe	104
PID 1328 wrote to memory of 4792	1328	wfocie.exe	104
PID 1328 wrote to memory of 4792	1328	wfocie.exe	104
PID 1328 wrote to memory of 2252	1328	wfocie.exe	105
PID 1328 wrote to memory of 2252	1328	wfocie.exe	105
PID 1328 wrote to memory of 2252	1328	wfocie.exe	105
PID 4792 wrote to memory of 2088	4792	wsndcvis.exe	107
PID 4792 wrote to memory of 2088	4792	wsndcvis.exe	107
PID 4792 wrote to memory of 2088	4792	wsndcvis.exe	107
PID 4792 wrote to memory of 3800	4792	wsndcvis.exe	108
PID 4792 wrote to memory of 3800	4792	wsndcvis.exe	108
PID 4792 wrote to memory of 3800	4792	wsndcvis.exe	108
PID 2088 wrote to memory of 3312	2088	wfynapl.exe	110
PID 2088 wrote to memory of 3312	2088	wfynapl.exe	110
PID 2088 wrote to memory of 3312	2088	wfynapl.exe	110
PID 2088 wrote to memory of 3680	2088	wfynapl.exe	111
PID 2088 wrote to memory of 3680	2088	wfynapl.exe	111
PID 2088 wrote to memory of 3680	2088	wfynapl.exe	111
PID 3312 wrote to memory of 4772	3312	wcyekj.exe	113
PID 3312 wrote to memory of 4772	3312	wcyekj.exe	113
PID 3312 wrote to memory of 4772	3312	wcyekj.exe	113
PID 3312 wrote to memory of 2256	3312	wcyekj.exe	114
PID 3312 wrote to memory of 2256	3312	wcyekj.exe	114
PID 3312 wrote to memory of 2256	3312	wcyekj.exe	114
PID 4772 wrote to memory of 3388	4772	wsjkbsy.exe	116
PID 4772 wrote to memory of 3388	4772	wsjkbsy.exe	116
PID 4772 wrote to memory of 3388	4772	wsjkbsy.exe	116
PID 4772 wrote to memory of 1276	4772	wsjkbsy.exe	117
PID 4772 wrote to memory of 1276	4772	wsjkbsy.exe	117
PID 4772 wrote to memory of 1276	4772	wsjkbsy.exe	117
PID 3388 wrote to memory of 220	3388	wfjls.exe	119
PID 3388 wrote to memory of 220	3388	wfjls.exe	119
PID 3388 wrote to memory of 220	3388	wfjls.exe	119
PID 3388 wrote to memory of 2428	3388	wfjls.exe	120

C:\Users\Admin\AppData\Local\Temp\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\wigaxfmgs.exe
  "C:\Windows\system32\wigaxfmgs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\woxrvj.exe
    "C:\Windows\system32\woxrvj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\wkpwpjk.exe
      "C:\Windows\system32\wkpwpjk.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\SysWOW64\wspcr.exe
        
        "C:\Windows\system32\wspcr.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\SysWOW64\wfocie.exe
        
        "C:\Windows\system32\wfocie.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\wsndcvis.exe
        
        "C:\Windows\system32\wsndcvis.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\wfynapl.exe
        
        "C:\Windows\system32\wfynapl.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\wcyekj.exe
        
        "C:\Windows\system32\wcyekj.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\wsjkbsy.exe
        
        "C:\Windows\system32\wsjkbsy.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\wfjls.exe
        
        "C:\Windows\system32\wfjls.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\wbexho.exe
        
        "C:\Windows\system32\wbexho.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\wbubs.exe
        
        "C:\Windows\system32\wbubs.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\wakddxd.exe
        
        "C:\Windows\system32\wakddxd.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\wnjdwq.exe
        
        "C:\Windows\system32\wnjdwq.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1552
        
        C:\Windows\SysWOW64\wftjl.exe
        
        "C:\Windows\system32\wftjl.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\wjjip.exe
        
        "C:\Windows\system32\wjjip.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\weevdm.exe
        
        "C:\Windows\system32\weevdm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3820
        
        C:\Windows\SysWOW64\wdxgj.exe
        
        "C:\Windows\system32\wdxgj.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\wee.exe
        
        "C:\Windows\system32\wee.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\wyud.exe
        
        "C:\Windows\system32\wyud.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\wauobqi.exe
        
        "C:\Windows\system32\wauobqi.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2896
        
        C:\Windows\SysWOW64\wquljac.exe
        
        "C:\Windows\system32\wquljac.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\wdgwjt.exe
        
        "C:\Windows\system32\wdgwjt.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\wiuuk.exe
        
        "C:\Windows\system32\wiuuk.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\whp.exe
        
        "C:\Windows\system32\whp.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\waerttx.exe
        
        "C:\Windows\system32\waerttx.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3004
        
        C:\Windows\SysWOW64\wmdrknphy.exe
        
        "C:\Windows\system32\wmdrknphy.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\wvtmgn.exe
        
        "C:\Windows\system32\wvtmgn.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\wrkraok.exe
        
        "C:\Windows\system32\wrkraok.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\watgh.exe
        
        "C:\Windows\system32\watgh.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\wiukipa.exe
        
        "C:\Windows\system32\wiukipa.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3144
        
        C:\Windows\SysWOW64\wmkhly.exe
        
        "C:\Windows\system32\wmkhly.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5040
        
        C:\Windows\SysWOW64\wakjfsqn.exe
        
        "C:\Windows\system32\wakjfsqn.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:8
        
        C:\Windows\SysWOW64\wivxlt.exe
        
        "C:\Windows\system32\wivxlt.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2336
        
        C:\Windows\SysWOW64\wyutvdlin.exe
        
        "C:\Windows\system32\wyutvdlin.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\wlfgt.exe
        
        "C:\Windows\system32\wlfgt.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\wgpjb.exe
        
        "C:\Windows\system32\wgpjb.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\wlege.exe
        
        "C:\Windows\system32\wlege.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\wspvmjx.exe
        
        "C:\Windows\system32\wspvmjx.exe"
        40⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\wugwwbtbg.exe
        
        "C:\Windows\system32\wugwwbtbg.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\wdfbxd.exe
        
        "C:\Windows\system32\wdfbxd.exe"
        42⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\wivycl.exe
        
        "C:\Windows\system32\wivycl.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\woocoon.exe
        
        "C:\Windows\system32\woocoon.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\wjmy.exe
        
        "C:\Windows\system32\wjmy.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\wsldg.exe
        
        "C:\Windows\system32\wsldg.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\wvqtja.exe
        
        "C:\Windows\system32\wvqtja.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\wmqpsklkr.exe
        
        "C:\Windows\system32\wmqpsklkr.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2336
        
        C:\Windows\SysWOW64\wmrdldrs.exe
        
        "C:\Windows\system32\wmrdldrs.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\wjwwy.exe
        
        "C:\Windows\system32\wjwwy.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\wcortk.exe
        
        "C:\Windows\system32\wcortk.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\wtoo.exe
        
        "C:\Windows\system32\wtoo.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\wlfxhc.exe
        
        "C:\Windows\system32\wlfxhc.exe"
        53⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\wiomown.exe
        
        "C:\Windows\system32\wiomown.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\SysWOW64\wajd.exe
        
        "C:\Windows\system32\wajd.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4176
        
        C:\Windows\SysWOW64\wtedqn.exe
        
        "C:\Windows\system32\wtedqn.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\whlqoe.exe
        
        "C:\Windows\system32\whlqoe.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1484
        
        C:\Windows\SysWOW64\wgdg.exe
        
        "C:\Windows\system32\wgdg.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\wpsctevj.exe
        
        "C:\Windows\system32\wpsctevj.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2028
        
        C:\Windows\SysWOW64\wbrcnw.exe
        
        "C:\Windows\system32\wbrcnw.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\wjdquymna.exe
        
        "C:\Windows\system32\wjdquymna.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\wemtbawj.exe
        
        "C:\Windows\system32\wemtbawj.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4056
        
        C:\Windows\SysWOW64\widr.exe
        
        "C:\Windows\system32\widr.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wncan.exe
        
        "C:\Windows\system32\wncan.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\wosbyke.exe
        
        "C:\Windows\system32\wosbyke.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wsuk.exe
        
        "C:\Windows\system32\wsuk.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\wwjimen.exe
        
        "C:\Windows\system32\wwjimen.exe"
        67⤵
        Checks computer location settings
        
        PID:4680
        
        C:\Windows\SysWOW64\wktslw.exe
        
        "C:\Windows\system32\wktslw.exe"
        68⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\wnucug.exe
        
        "C:\Windows\system32\wnucug.exe"
        69⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3048
        
        C:\Windows\SysWOW64\wftxeqwcu.exe
        
        "C:\Windows\system32\wftxeqwcu.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\wrfjdjas.exe
        
        "C:\Windows\system32\wrfjdjas.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3928
        
        C:\Windows\SysWOW64\wbfof.exe
        
        "C:\Windows\system32\wbfof.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\wyy.exe
        
        "C:\Windows\system32\wyy.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\wdpulom.exe
        
        "C:\Windows\system32\wdpulom.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\wmqyopcd.exe
        
        "C:\Windows\system32\wmqyopcd.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\wvoeop.exe
        
        "C:\Windows\system32\wvoeop.exe"
        76⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3472
        
        C:\Windows\SysWOW64\wpyhwsy.exe
        
        "C:\Windows\system32\wpyhwsy.exe"
        77⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\wuofx.exe
        
        "C:\Windows\system32\wuofx.exe"
        78⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\waoojk.exe
        
        "C:\Windows\system32\waoojk.exe"
        79⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1908
        
        C:\Windows\SysWOW64\wbgal.exe
        
        "C:\Windows\system32\wbgal.exe"
        80⤵
        Checks computer location settings
        
        PID:116
        
        C:\Windows\SysWOW64\wwwgfc.exe
        
        "C:\Windows\system32\wwwgfc.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\wurplvwiu.exe
        
        "C:\Windows\system32\wurplvwiu.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\wafo.exe
        
        "C:\Windows\system32\wafo.exe"
        83⤵
        Checks computer location settings
        
        PID:2776
        
        C:\Windows\SysWOW64\wuqru.exe
        
        "C:\Windows\system32\wuqru.exe"
        84⤵
        Adds Run key to start application
        
        PID:2168
        
        C:\Windows\SysWOW64\wiqrmaa.exe
        
        "C:\Windows\system32\wiqrmaa.exe"
        85⤵
        Adds Run key to start application
        
        PID:5100
        
        C:\Windows\SysWOW64\wrqv.exe
        
        "C:\Windows\system32\wrqv.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\waqbpc.exe
        
        "C:\Windows\system32\waqbpc.exe"
        87⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\wipfqdq.exe
        
        "C:\Windows\system32\wipfqdq.exe"
        88⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\wpbt.exe
        
        "C:\Windows\system32\wpbt.exe"
        89⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\whbpiolw.exe
        
        "C:\Windows\system32\whbpiolw.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wxlxwyr.exe
        
        "C:\Windows\system32\wxlxwyr.exe"
        91⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\wgwmfbrfr.exe
        
        "C:\Windows\system32\wgwmfbrfr.exe"
        92⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3688
        
        C:\Windows\SysWOW64\wklkh.exe
        
        "C:\Windows\system32\wklkh.exe"
        93⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\wkcmtcmj.exe
        
        "C:\Windows\system32\wkcmtcmj.exe"
        94⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\wkkmsubus.exe
        
        "C:\Windows\system32\wkkmsubus.exe"
        95⤵
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\wwvvqpdm.exe
        
        "C:\Windows\system32\wwvvqpdm.exe"
        96⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1176
        
        C:\Windows\SysWOW64\wwwijhk.exe
        
        "C:\Windows\system32\wwwijhk.exe"
        97⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1492
        
        C:\Windows\SysWOW64\wgxn.exe
        
        "C:\Windows\system32\wgxn.exe"
        98⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\wgdepy.exe
        
        "C:\Windows\system32\wgdepy.exe"
        99⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\SysWOW64\wvwvmkc.exe
        
        "C:\Windows\system32\wvwvmkc.exe"
        100⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdepy.exe"
        100⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxn.exe"
        99⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwijhk.exe"
        98⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvvqpdm.exe"
        97⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkmsubus.exe"
        96⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcmtcmj.exe"
        95⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklkh.exe"
        94⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwmfbrfr.exe"
        93⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlxwyr.exe"
        92⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1356
        92⤵
        Program crash
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbpiolw.exe"
        91⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1644
        91⤵
        Program crash
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbt.exe"
        90⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipfqdq.exe"
        89⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqbpc.exe"
        88⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqv.exe"
        87⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqrmaa.exe"
        86⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqru.exe"
        85⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafo.exe"
        84⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurplvwiu.exe"
        83⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwgfc.exe"
        82⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgal.exe"
        81⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waoojk.exe"
        80⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuofx.exe"
        79⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyhwsy.exe"
        78⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoeop.exe"
        77⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqyopcd.exe"
        76⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpulom.exe"
        75⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyy.exe"
        74⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfof.exe"
        73⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfjdjas.exe"
        72⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wftxeqwcu.exe"
        71⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnucug.exe"
        70⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktslw.exe"
        69⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjimen.exe"
        68⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuk.exe"
        67⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosbyke.exe"
        66⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncan.exe"
        65⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widr.exe"
        64⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1664
        64⤵
        Program crash
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemtbawj.exe"
        63⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdquymna.exe"
        62⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 748
        62⤵
        Program crash
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrcnw.exe"
        61⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpsctevj.exe"
        60⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdg.exe"
        59⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlqoe.exe"
        58⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtedqn.exe"
        57⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajd.exe"
        56⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiomown.exe"
        55⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfxhc.exe"
        54⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtoo.exe"
        53⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcortk.exe"
        52⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwwy.exe"
        51⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrdldrs.exe"
        50⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqpsklkr.exe"
        49⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqtja.exe"
        48⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1420
        48⤵
        Program crash
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsldg.exe"
        47⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmy.exe"
        46⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woocoon.exe"
        45⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivycl.exe"
        44⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfbxd.exe"
        43⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugwwbtbg.exe"
        42⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspvmjx.exe"
        41⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1448
        41⤵
        Program crash
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlege.exe"
        40⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpjb.exe"
        39⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfgt.exe"
        38⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyutvdlin.exe"
        37⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivxlt.exe"
        36⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakjfsqn.exe"
        35⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkhly.exe"
        34⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiukipa.exe"
        33⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watgh.exe"
        32⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkraok.exe"
        31⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtmgn.exe"
        30⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdrknphy.exe"
        29⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waerttx.exe"
        28⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whp.exe"
        27⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuuk.exe"
        26⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdgwjt.exe"
        25⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquljac.exe"
        24⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wauobqi.exe"
        23⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyud.exe"
        22⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wee.exe"
        21⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxgj.exe"
        20⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1096
        20⤵
        Program crash
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weevdm.exe"
        19⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1260
        19⤵
        Program crash
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjip.exe"
        18⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wftjl.exe"
        17⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjdwq.exe"
        16⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakddxd.exe"
        15⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbubs.exe"
        14⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbexho.exe"
        13⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjls.exe"
        12⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjkbsy.exe"
        11⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyekj.exe"
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfynapl.exe"
        9⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsndcvis.exe"
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfocie.exe"
        7⤵
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspcr.exe"
        6⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpwpjk.exe"
        5⤵
        
        PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxrvj.exe"
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigaxfmgs.exe"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1080
    3⤵
    - Program crash
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe"
  2⤵
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2248 -ip 2248
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3820 -ip 3820
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1528 -ip 1528
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2036 -ip 2036
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3580 -ip 3580
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1700 -ip 1700
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4812 -ip 4812
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4112 -ip 4112
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\waerttx.exe

Filesize
90KB

MD5
be737b0cba167c6c5d406bb4db82ac8c

SHA1
f2de3c9fb410ac88c237e66b094ba202dd1c16ae

SHA256
838fa755cb6f1fd180422bebad4149cbab1a5b6f5fca198c4081f5152628faf2

SHA512
c347bb5e81afbf7ae6e3f01e57848c2df73db83faa793bc5c4ec3b35e7b732d4cbf7fa9508f3ecef69eaa435e7fd1faf23209cf1d54ee801a8f2924b630b397e

Download Submit
C:\Windows\SysWOW64\wakddxd.exe

Filesize
89KB

MD5
cf5912defa2b95534df40716392fd226

SHA1
1f2cacf4a3286662d531efdce9b47f0f74474759

SHA256
2052b9e4bf5e1229f42cb8efdbda17a40af5a8924b528170e025b7006883460c

SHA512
39ea2019e6398a8e7312bed04cf6c52510f01143bd9277a40496f094845382c89e9ccacfd3234e2f1210d86527aafc33f24de5c5df90deb00c65e4fefe25d6b0

Download Submit
C:\Windows\SysWOW64\watgh.exe

Filesize
90KB

MD5
9d53ccfce2ec775ad7ccf707c5c624e0

SHA1
2e0bdac3068ff272395a67be1480a77e435d7b90

SHA256
4da91c54f7ac1c017fc7ce3ae5cdc189f14983f9e2ece10f0a1bbb1d5dba3ef5

SHA512
615ecf8ba8eb41077751f7b8baa8cf79d397584aa5239770b01e10bc8623e8a46b9e243727bf5597e007fccf441e5d0e929a6a1ade2c9bd6daa9d65dc4e40f2d

Download Submit
C:\Windows\SysWOW64\wauobqi.exe

Filesize
89KB

MD5
242c8d61194d798c5be7f20ab0df3619

SHA1
4f84fb7359f90f211fd06e05ea9e7d75fce1d9d3

SHA256
846e8bad8d66cd172b975cd9d858099c607b44ca7aa1f00b6e885c0f1fe20082

SHA512
1c91c944bf6977608b456119a75da08a03161ed0890dbf33dca2e2397be0aa1e3a20e7013761ca9734209192eb9b0480abdb1de20132be4087de568ee843ac05

Download Submit
C:\Windows\SysWOW64\wbexho.exe

Filesize
89KB

MD5
14ee0de1c7893f7d1f50dd1cd43d40c2

SHA1
71c00e20cc8f2cbc8791c5b5bc2e36b58fa56936

SHA256
c84036beb36e1e4e7e4623dd295881be7d5f83460260c35e934e13d021241139

SHA512
747ba86adb1df1214a6afff958a131e19090626200237266d7789094041364045cc45a2e7a8d90c2520f270b927d4a84314d0bcfeb3dfc967ee2dbd6b7d7c44e

Download Submit
C:\Windows\SysWOW64\wbubs.exe

Filesize
89KB

MD5
928bff389e0cd89bf6fccba7f04d02c6

SHA1
b3e7488752d667f3bc0b2dc18101ac5303dfae4b

SHA256
a553e32dd458a095c6d73055c587969006027b80732c5c23b746c99e04411ce5

SHA512
0bebd56b80e56b7719f63494f40229f921cd6eab3156962877f44bcdd09ef55e067ff105da3843dd49de5b4f4aadaa9d1d2e1a9a691bc3070d5ca2d60cec2ea1

Download Submit
C:\Windows\SysWOW64\wcyekj.exe

Filesize
89KB

MD5
672ba361a49aea4b4356a4ed8f0650b3

SHA1
87b85b9f32d8e2086f5fe5e44100937d4ef6bdc8

SHA256
e137f7f3ee58fade683cf223d64e2d52c9819cb4514dbe330e9214d17458bf84

SHA512
9af38f2d081b0f6c036a3fe25edf64b33dbfadd03ca89c952e201d1a87b388ba7d284e53fe3098b0c60e4c5933397eab116a3e6f87ec2df1e780031a52846df1

Download Submit
C:\Windows\SysWOW64\wdgwjt.exe

Filesize
89KB

MD5
56997c32d541b3ab5a20e576ad6ddeb3

SHA1
efdff4d253116db98bda0f995ff96942c5e82ce6

SHA256
d3711f6fec6c519674e5d0e63b582993e0d216ba52791acca7d2a1f70bd9efb1

SHA512
07df391f50ea35ab91b62bbd0597e92cf23ba482e457f6218e8fd3af87a3dda287b55d9e30a03f5bf726f3f9338b95656aa904212ccc739a1b26c79509f76673

Download Submit
C:\Windows\SysWOW64\wdxgj.exe

Filesize
89KB

MD5
9c6517d3fbb3364618700051ee2e07ee

SHA1
1bb55bc42de450aff6d7d9ba57561056c946fe55

SHA256
7c009fcca25a328cec7e6f7c0b334e0d46b89f7d2f4ebb9eb6ef09c548b455ad

SHA512
6192cf39e98da6c868963c4b5d67daa1eb6eb55b212435b1026072cf8b1d7b945f8a35b62fa0d6d9df1df26f0098835c3bb9887391da375ee95123094e6981e6

Download Submit
C:\Windows\SysWOW64\wee.exe

Filesize
89KB

MD5
9739df040203aa62ae9c6e89551b4ac6

SHA1
b4529a14addef19a87acc79a766ca3cf04be82eb

SHA256
b0268fbdd1859aeafd518b885ed911f632cddbd2c052c4815aa3af054e0e1102

SHA512
6888a19e56383d98c2943c15150644507de7e886db9c73bb4e09666adfd7f3e499bef9d3d3e3a8e48fb9ebe0f417953a0bb1c4a323ab39a4b1797f32d4880f3a

Download Submit
C:\Windows\SysWOW64\weevdm.exe

Filesize
89KB

MD5
a3c14cb7ece94c65eb60bb116088895c

SHA1
8cf73d230b281e2df50c83f4fa55952743618992

SHA256
5925b2396e123b762a6a971e4949a76b51305ac5ba9a981468bd7239b8899a28

SHA512
f7da00709fa7e4fd02e545fda95a6c08e58b5088701afcdab6ef6bf760a0eeb1fb8b0900a1a576682af7ee8a291f9f849999ec0464abb8c16a56cbc0e0e78b18

Download Submit
C:\Windows\SysWOW64\wfjls.exe

Filesize
89KB

MD5
5d411a9b8f958ed89bc74634cee59242

SHA1
24cb89b929fc87e90cc808f1d9cd2de5c2770472

SHA256
8ea139000cea133b45f9cf2860475ae62aa22f1fd4db65d3642586a5dfdd9f21

SHA512
650038bcee4b053e43cac4791590cecf434f302c2bcd64acf2c2b35f7f0094ba1feb72bd50e21b9b5029395e3aab3d25aa8a09f9b519e6ffaccbf626a3bf8201

Download Submit
C:\Windows\SysWOW64\wfocie.exe

Filesize
89KB

MD5
29991a3bd0eb1090b6831ce2daadac54

SHA1
b0e17365ae595631820d5b43520db69d4116eb5a

SHA256
f340d720435f4f521345bca406be323e334789d4142b72e6dc3e0fbe0ed69128

SHA512
b0b41020a39deb735300a573e9724c0d4d758d69ba4261388e6875533358356f46be35f6bc159c873c3465c9ab5c790eb2a98cf77e65f3ad110de7ce84e7c6ef

Download Submit
C:\Windows\SysWOW64\wftjl.exe

Filesize
89KB

MD5
c15df684ac76079eeea4f8055ba66194

SHA1
678f1ae83d17f5bd952e10c463136055302f9af5

SHA256
5fedc2bbafa89bcb747a139df85168c1f4e6bfc869a96c2e62c1050f383d72c9

SHA512
296bc92b332708e4c93aa0d5271cc90c147b2127dfd023652b317001d5036988d40b3c54500382b6e4998a6d92ac75b5dfd355d0a927468577edb4ba35567101

Download Submit
C:\Windows\SysWOW64\wfynapl.exe

Filesize
89KB

MD5
1d0a8e2b87e931a97ee1e042874abbd1

SHA1
265fc7848d50ea6f5a2d5e1b774faa95031017d8

SHA256
46938ab093aba34297db4bb5962be288438e1779cb735aaf4d3f9701889db478

SHA512
f41c53982f9847073bb2c04ff8d86637762e42a75f95e3459afffe4faf19ccc77875d2a34f6401a3afdb96d85fe38076cf595ace5c06f01daf655ac252141450

Download Submit
C:\Windows\SysWOW64\whp.exe

Filesize
90KB

MD5
9e1c0513b24d800f09b8796dd85d5efd

SHA1
7daed4c3cfc735bf56cf7046dd60a9b67fa6c341

SHA256
bbc49e2998c99c590988e9516351a69cfc25b178636b0e563e2a0e21d04f8461

SHA512
6945e51a5c0fe728b1d4f70404d4c8ad1acf58546868ddc29f206f724da6b665339895a4b2e72402798499a5a07952267918bfb75666466dd410115c710ca7d9

Download Submit
C:\Windows\SysWOW64\wigaxfmgs.exe

Filesize
89KB

MD5
0b6ebcd7b87862f63dcabd6730076721

SHA1
2ca0ff1668b637ebbff4055f99128749d7e0e281

SHA256
a1bd27fb092287936c69bab04804bdc140cbec242ced5a739d080d7a6648ff6a

SHA512
4d8a3c5e698fb3a5c0b4ab3e922e984e9f48b8682fd2ae8b08b80dcc26eb1f1033fd1d14a4d393ea6daa3082d75136761dc8764ae4d1ed009221a658fc4b4142

Download Submit
C:\Windows\SysWOW64\wiukipa.exe

Filesize
90KB

MD5
805436eae2aac8bb24b862c319644a01

SHA1
3811fd67407b363121f88bd9007b1d58aed8a978

SHA256
860aa7247852e47bb2323d287b4cb770d56bb2f24902ab9150bc633342ff877a

SHA512
24e61cc51af64e845ca7b35decf30f98aa877cfdbf2f4733ab89ca08546fcd022940d0c13f4cd2f0ab6e48333bb76f5799fc2236425b6295bdab066e6349ede0

Download Submit
C:\Windows\SysWOW64\wiuuk.exe

Filesize
90KB

MD5
71071359b40e1385858336bafb433311

SHA1
123e6283c6d30adc29d6ad5cdcff3e45812a63f5

SHA256
d53ddc61e4fc69b5cb4b9ed4e97b7ea7cf698b4a36cf8e25814ed60d3dd0f20e

SHA512
a99cae1722361006b37145632447646818a39ee0561354146b59e32ccade7bf8006a6802ebfe7cd8ef36ba30b74073d766912726342714a604cbcfeed1759a3f

Download Submit
C:\Windows\SysWOW64\wjjip.exe

Filesize
89KB

MD5
928f0b2bc9ddde16900d17557dd8fa0f

SHA1
b5f2064b56a5bb8024822a13e12ebe3c144aca62

SHA256
c894624003ba8929e35aa883672315f72ccbed1faafeb8b265f50f5c1bafb581

SHA512
3146214eb88ac5ef1b914914aaf73a6eff885c84cc63b55577e13551d9ceba073b7f73853628a107ee02a727477386afd4be19494f10545d37eddf5c86e1adf2

Download Submit
C:\Windows\SysWOW64\wkpwpjk.exe

Filesize
89KB

MD5
ca6455d45e7645aac537f6f62c3c50fa

SHA1
e07ca34af260bc9edf7f0c33103dc5da7ee55601

SHA256
1be62372c6bb9034224a82e9cd3526c8afe7e0ecd41952ca95ca99696974966b

SHA512
2e56ba3c3dc8195c239cf624b1c2c63c9bc3b803966c191eff33c5dcd7131d48af08217a841035176ede60b86c836de78f9f3017621cbfc6062fdbf54acca4e7

Download Submit
C:\Windows\SysWOW64\wmdrknphy.exe

Filesize
90KB

MD5
1cf3f72c76f629a7e8370d03a05fae07

SHA1
1b2df7643f81cd2b5594ca2a036d8c5cc0d9659d

SHA256
3a2b9960272678ac817a7d27f2d828494bf783c7e067018671ce3398ede24cb0

SHA512
d3164cbccf4eb9c6e39fdd8e1600dc1b9a5003c27f273fa3c67ba20ac0a7af364231439d127aeca1442aecf85a26574300d548bfd467a5db1642f6e202b4c045

Download Submit
C:\Windows\SysWOW64\wmkhly.exe

Filesize
90KB

MD5
cc8f325c9826905b5bffc793965bf9ce

SHA1
31d8ee4ea25d83d9a9b86eba6ebf5a199d1a55c8

SHA256
9b278e1fc3276ef49301d08b6298650bbef9b3741e79ca4a7426d5ad01de711f

SHA512
5899d95460a94761372272db1592fb71f323482224069948a89ecaf46b862a270af2ca7fb77378e0cc058f15e2d17f70985a9d8c98374b65e5120a091fe92ba4

Download Submit
C:\Windows\SysWOW64\wnjdwq.exe

Filesize
89KB

MD5
cfa547f69a88424f8dfb6fc83017a62b

SHA1
34c33c574399b7afd8f1e206a9ac2b9ad11f6bec

SHA256
82f3d83204514412e4eabe305c8103b041a1d06d695de4bdd420ee12a28fde9a

SHA512
da51a56f52aab452a918c4a4986262dd5659d10b6d7a301a62d97fb40c5deb72ef0d35bb393aac99e37b7c8cc4271c081ac36677b4552420c136debeec38f26e

Download Submit
C:\Windows\SysWOW64\woxrvj.exe

Filesize
89KB

MD5
5f066cd19c0330adea0d5c67f813b783

SHA1
57af0e9a414f75b789c9d6019b492feda5fc26b7

SHA256
3c0d27365d002a018faf2c68f62ea2b08b2fe048be98b8a0c0bdd7d0ffe4873b

SHA512
b7d9c1b54ec6ef12224984c8a60c1cc1ec0eb70f3936ae3233a848f98ba0bd81f10646addb6ff2f4614cd671b08d0d568b2f4649dfd7ea509972aa22461cf76b

Download Submit
C:\Windows\SysWOW64\wquljac.exe

Filesize
89KB

MD5
d6b05f1e44603342201dfac15ed6368d

SHA1
7d3d2ce651c0097f815081c0a2d6e93bf9005927

SHA256
139d76863e9d5cfd9a3996c177e02904c71c27c0dace0fe3a83aa0d143fb4300

SHA512
e99b61069a5cc3e15c7130a7b2c3b5870c3b88e4eae1627e0f17f89f1e2354a1a4b673b0ba4750461da5c9b8cb1073079f2aec3bcac8844a1b3d8921f6c1730c

Download Submit
C:\Windows\SysWOW64\wrkraok.exe

Filesize
90KB

MD5
abbdbab17e4ce232427d0a7256986166

SHA1
ef5b5ece7fb12115ba63517cba2e6f93bee65f0b

SHA256
4bac0de18f6dfdde11689c297772415644c7e3cb7f325107f4d716fe7d35c0d5

SHA512
ef6ea7e573a5a05e9e3fdac58c6510cd11c41203b29389471025d2be3b229c29b797a120ea096a63a87be5190a81c50943b8e98527fe78806aa827b7fdb4c266

Download Submit
C:\Windows\SysWOW64\wsjkbsy.exe

Filesize
89KB

MD5
4eaee4a17c3cfcffecfa53439989e34b

SHA1
1c1d59dc08028aa164a0f77361b962a2e85e66c7

SHA256
d4ad4982c6936ec6a8171e568a5cb80f781860a28adae6600f065c51e9637edc

SHA512
ca4ec2837beb269309e39095b7125bc99c0c88f2f619c73223a104a926d69dce94b7fcd513ff69dc557664532c2c065894c32f2663c5000a3a97fabb42d9b899

Download Submit
C:\Windows\SysWOW64\wsndcvis.exe

Filesize
89KB

MD5
f1e1806f4710063a23ef1d991639517a

SHA1
591a283914d59eadf2c66174df7e7d0815fdeead

SHA256
995f7fef97da419a816efaf45a167041bcd6f0286056e103230a3b486ab64419

SHA512
ab794ef59ad676f7ba7479a6d4c515508e07d4f40359d3f5e29bd1794c480628fe7ca3fc8500a3524200568cab5394807941b4993422a2ef40065baf99b42c03

Download Submit
C:\Windows\SysWOW64\wspcr.exe

Filesize
89KB

MD5
baa532179cc04598d055d14e526d65be

SHA1
a18709a47d259824134ad4226fed01d2de7e7df3

SHA256
ff812cb3d0f3a87c3ec8313ab61abc072af68fa8424f723c3285c7a3d8418b04

SHA512
7226dfa8bfa943286daeed2c590c4a47a526602cba9d96a3dd1fc5662c45cda563cc5db0720ea3a3e26ed0a1b2b8b0e3c0785a7b943d2e969744b272c4bd205f

Download Submit
C:\Windows\SysWOW64\wvtmgn.exe

Filesize
90KB

MD5
b390927e9e0aa3c8596b24fd6e0debc3

SHA1
62cb3d6afe64b410f6c92fe8214fd8ee8251e39a

SHA256
f1c69764344bab8400531d69e1d898bde160b25a63be69310a031d511c7c1cd1

SHA512
5235450e0fa1a5d60407d072fd167946cf06607a64d86a9e41bbefd62ece1e1def5bc038ece98cac469f9e1082d84c0c9e30cc1cd169f213aebdec706421cb28

Download Submit
C:\Windows\SysWOW64\wyud.exe

Filesize
89KB

MD5
116ce31de5055338d145e02b7e0d6a21

SHA1
febf1412370d6809f9ea7f2ba61df93ed67a81b6

SHA256
2b06d66de92350cf9d645de5b93c14161f0675bce77bd9ef929cdabdf40c5128

SHA512
5668cea3f6add1846059dcccd1800d7380187ba939630dd6fa09d0ffaa7d527e34adcf9b57fdd08e46e03b6d9fccfdf7a6b0069669826a3912a3453840a9e928

Download Submit
memory/8-355-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/8-345-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/220-130-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/232-405-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/232-414-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/540-406-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/656-506-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/764-170-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/764-181-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1080-431-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1080-440-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1328-274-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1328-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1328-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1484-551-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1528-202-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1532-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1532-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-253-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-264-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1700-602-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1728-315-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1728-304-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1844-44-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1844-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1928-542-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-559-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-568-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-150-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2036-464-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2088-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2248-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2248-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2336-472-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2336-354-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2336-364-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2356-201-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2356-212-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-514-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-524-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2592-171-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2676-326-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-294-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-242-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-254-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2896-560-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2896-232-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2896-550-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2940-619-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3000-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3000-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3004-284-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3144-337-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3144-325-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3216-423-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-448-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3252-388-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3252-397-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3312-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3312-98-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3388-119-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3388-108-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3468-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3468-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3580-585-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3700-576-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3740-380-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3820-191-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3876-481-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3908-456-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4000-610-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4056-593-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4056-584-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4116-372-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4116-363-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4176-533-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4232-389-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4716-129-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4716-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4756-243-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4772-109-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4772-97-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4792-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4792-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4796-305-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4908-432-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4932-618-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4932-627-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4976-489-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-222-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-346-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-336-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5056-515-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5056-505-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5084-497-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads