f8fb6018a5446c6e2e500705c47dec6f496107eefe9cc1946e5849c65ec473f6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe
Size

93KB
MD5

000154d3572e492b1bb3ab35f5dfd5d7
SHA1

d72148d1c6774d4d8befe31944d47dba2461d778
SHA256

f8fb6018a5446c6e2e500705c47dec6f496107eefe9cc1946e5849c65ec473f6
SHA512

862aa0b08236e9b38bbeaf8a3248e922dd41b39a5052a3c828b9e4ad089982dcd39d14e57c26bf33f2e2052613df569b0a712abc02f121f903749c9b7af4faf3
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCi6:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC5

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wiiwywtuu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wjt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wbmfrxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpvimnqu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wsglmdnnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpbwrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwsjtk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpmee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdbx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wditfwmiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whjrvmthj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wbbl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpmuga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wfarxaqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlqeracoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wytaffg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wyomssr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wuhgbj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wcggwha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmfimb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtaaeaplg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wcls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwcw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whvnta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wfkw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wguud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wyhvmf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmiexsp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wyena.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wkrjn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wyfrxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnajrk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wkwpyhns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wiuxqxr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wqiix.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wjqshgkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wsbnrypk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wibjiol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlvpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wekgod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wurcn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdiifxg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wstuin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wecaxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wqbpeusr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwkqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wexd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnpmoylv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whftud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wffdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtosdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	weuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wkx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wrhec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	weebdbvq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwonol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wuoyutlv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnlhbtdxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmkus.exe

Executes dropped EXE 64 IoCs

pid	Process
3456	wbbl.exe
660	wffdj.exe
4992	wpbwrh.exe
3532	wibjiol.exe
2324	wkaf.exe
4620	wcggwha.exe
2136	wfkw.exe
3432	wpmuga.exe
2312	wecaxo.exe
1408	wguud.exe
4484	wyhvmf.exe
1756	wfanjku.exe
4620	wtosdx.exe
3484	wqbpeusr.exe
1896	weuk.exe
1032	wwonol.exe
4984	wlvpt.exe
428	wwsjtk.exe
4620	wewkwntk.exe
4176	wnajrk.exe
3628	wkwpyhns.exe
2596	wiuxqxr.exe
3580	wkx.exe
384	wfarxaqm.exe
3960	wdt.exe
4344	wdc.exe
5040	wqiix.exe
1208	wbmfrxy.exe
2912	wmkus.exe
2152	wpmee.exe
3584	wfpxp.exe
4428	wpswjcb.exe
4760	wlqeracoc.exe
4504	wekgod.exe
1948	wytaffg.exe
4476	wmiexsp.exe
3432	wuoyutlv.exe
1076	wjqshgkd.exe
1696	wcpewn.exe
4496	wdbx.exe
4584	wwkqf.exe
4292	wpvimnqu.exe
4092	wexd.exe
868	wmfimb.exe
4196	wiiwywtuu.exe
3028	wjxcjeu.exe
4860	wtaaeaplg.exe
4848	wpw.exe
4988	wyena.exe
384	wrhec.exe
1928	wyomssr.exe
2704	wkrjn.exe
3668	whfgnm.exe
1236	wwcw.exe
676	wnpmoylv.exe
3644	wmpx.exe
4484	wsbnrypk.exe
1140	wditfwmiu.exe
4708	whftud.exe
2376	weebdbvq.exe
3904	wjhdgf.exe
1928	wurcn.exe
2704	wjt.exe
4316	wuhgbj.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpswjcb = "\"C:\\Windows\\SysWOW64\\wpswjcb.exe\""	wpswjcb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyhvmf = "\"C:\\Windows\\SysWOW64\\wyhvmf.exe\""	wyhvmf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfanjku = "\"C:\\Windows\\SysWOW64\\wfanjku.exe\""	wfanjku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuhgbj = "\"C:\\Windows\\SysWOW64\\wuhgbj.exe\""	wuhgbj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkaf = "\"C:\\Windows\\SysWOW64\\wkaf.exe\""	wkaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbmfrxy = "\"C:\\Windows\\SysWOW64\\wbmfrxy.exe\""	wbmfrxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmiexsp = "\"C:\\Windows\\SysWOW64\\wmiexsp.exe\""	wmiexsp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpvimnqu = "\"C:\\Windows\\SysWOW64\\wpvimnqu.exe\""	wpvimnqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyomssr = "\"C:\\Windows\\SysWOW64\\wyomssr.exe\""	wyomssr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmpx = "\"C:\\Windows\\SysWOW64\\wmpx.exe\""	wmpx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnlhbtdxp = "\"C:\\Windows\\SysWOW64\\wnlhbtdxp.exe\""	wnlhbtdxp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcggwha = "\"C:\\Windows\\SysWOW64\\wcggwha.exe\""	wcggwha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkwpyhns = "\"C:\\Windows\\SysWOW64\\wkwpyhns.exe\""	wkwpyhns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdc = "\"C:\\Windows\\SysWOW64\\wdc.exe\""	wdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whjrvmthj = "\"C:\\Windows\\SysWOW64\\whjrvmthj.exe\""	whjrvmthj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnajrk = "\"C:\\Windows\\SysWOW64\\wnajrk.exe\""	wnajrk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuxqxr = "\"C:\\Windows\\SysWOW64\\wiuxqxr.exe\""	wiuxqxr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqiix = "\"C:\\Windows\\SysWOW64\\wqiix.exe\""	wqiix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwkqf = "\"C:\\Windows\\SysWOW64\\wwkqf.exe\""	wwkqf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wexd = "\"C:\\Windows\\SysWOW64\\wexd.exe\""	wexd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wditfwmiu = "\"C:\\Windows\\SysWOW64\\wditfwmiu.exe\""	wditfwmiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpmuga = "\"C:\\Windows\\SysWOW64\\wpmuga.exe\""	wpmuga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwcw = "\"C:\\Windows\\SysWOW64\\wwcw.exe\""	wwcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqbpeusr = "\"C:\\Windows\\SysWOW64\\wqbpeusr.exe\""	wqbpeusr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpmee = "\"C:\\Windows\\SysWOW64\\wpmee.exe\""	wpmee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfpxp = "\"C:\\Windows\\SysWOW64\\wfpxp.exe\""	wfpxp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whfgnm = "\"C:\\Windows\\SysWOW64\\whfgnm.exe\""	whfgnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbbl = "\"C:\\Windows\\SysWOW64\\wbbl.exe\""	wbbl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjxcjeu = "\"C:\\Windows\\SysWOW64\\wjxcjeu.exe\""	wjxcjeu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whftud = "\"C:\\Windows\\SysWOW64\\whftud.exe\""	whftud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wurcn = "\"C:\\Windows\\SysWOW64\\wurcn.exe\""	wurcn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdiifxg = "\"C:\\Windows\\SysWOW64\\wdiifxg.exe\""	wdiifxg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wstuin = "\"C:\\Windows\\SysWOW64\\wstuin.exe\""	wstuin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wibjiol = "\"C:\\Windows\\SysWOW64\\wibjiol.exe\""	wibjiol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwonol = "\"C:\\Windows\\SysWOW64\\wwonol.exe\""	wwonol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdt = "\"C:\\Windows\\SysWOW64\\wdt.exe\""	wdt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcpewn = "\"C:\\Windows\\SysWOW64\\wcpewn.exe\""	wcpewn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpw = "\"C:\\Windows\\SysWOW64\\wpw.exe\""	wpw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnpmoylv = "\"C:\\Windows\\SysWOW64\\wnpmoylv.exe\""	wnpmoylv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsglmdnnw = "\"C:\\Windows\\SysWOW64\\wsglmdnnw.exe\""	wsglmdnnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe\""	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlvpt = "\"C:\\Windows\\SysWOW64\\wlvpt.exe\""	wlvpt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfarxaqm = "\"C:\\Windows\\SysWOW64\\wfarxaqm.exe\""	wfarxaqm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrhec = "\"C:\\Windows\\SysWOW64\\wrhec.exe\""	wrhec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfkw = "\"C:\\Windows\\SysWOW64\\wfkw.exe\""	wfkw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wytaffg = "\"C:\\Windows\\SysWOW64\\wytaffg.exe\""	wytaffg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkrjn = "\"C:\\Windows\\SysWOW64\\wkrjn.exe\""	wkrjn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjt = "\"C:\\Windows\\SysWOW64\\wjt.exe\""	wjt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcls = "\"C:\\Windows\\SysWOW64\\wcls.exe\""	wcls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyfrxh = "\"C:\\Windows\\SysWOW64\\wyfrxh.exe\""	wyfrxh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wguud = "\"C:\\Windows\\SysWOW64\\wguud.exe\""	wguud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weebdbvq = "\"C:\\Windows\\SysWOW64\\weebdbvq.exe\""	weebdbvq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjhdgf = "\"C:\\Windows\\SysWOW64\\wjhdgf.exe\""	wjhdgf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwsjtk = "\"C:\\Windows\\SysWOW64\\wwsjtk.exe\""	wwsjtk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtaaeaplg = "\"C:\\Windows\\SysWOW64\\wtaaeaplg.exe\""	wtaaeaplg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpbwrh = "\"C:\\Windows\\SysWOW64\\wpbwrh.exe\""	wpbwrh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weuk = "\"C:\\Windows\\SysWOW64\\weuk.exe\""	weuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wekgod = "\"C:\\Windows\\SysWOW64\\wekgod.exe\""	wekgod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjqshgkd = "\"C:\\Windows\\SysWOW64\\wjqshgkd.exe\""	wjqshgkd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdbx = "\"C:\\Windows\\SysWOW64\\wdbx.exe\""	wdbx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiiwywtuu = "\"C:\\Windows\\SysWOW64\\wiiwywtuu.exe\""	wiiwywtuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whvnta = "\"C:\\Windows\\SysWOW64\\whvnta.exe\""	whvnta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wffdj = "\"C:\\Windows\\SysWOW64\\wffdj.exe\""	wffdj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuoyutlv = "\"C:\\Windows\\SysWOW64\\wuoyutlv.exe\""	wuoyutlv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wfkw.exe	wcggwha.exe
File opened for modification	C:\Windows\SysWOW64\wkx.exe	wiuxqxr.exe
File created	C:\Windows\SysWOW64\wfarxaqm.exe	wkx.exe
File opened for modification	C:\Windows\SysWOW64\weebdbvq.exe	whftud.exe
File created	C:\Windows\SysWOW64\wcggwha.exe	wkaf.exe
File created	C:\Windows\SysWOW64\wwsjtk.exe	wlvpt.exe
File created	C:\Windows\SysWOW64\wexd.exe	wpvimnqu.exe
File opened for modification	C:\Windows\SysWOW64\wnpmoylv.exe	wwcw.exe
File opened for modification	C:\Windows\SysWOW64\whvnta.exe	wstuin.exe
File opened for modification	C:\Windows\SysWOW64\wffdj.exe	wbbl.exe
File created	C:\Windows\SysWOW64\wibjiol.exe	wpbwrh.exe
File created	C:\Windows\SysWOW64\wqbpeusr.exe	wtosdx.exe
File created	C:\Windows\SysWOW64\wkrjn.exe	wyomssr.exe
File created	C:\Windows\SysWOW64\wkaf.exe	wibjiol.exe
File created	C:\Windows\SysWOW64\wwonol.exe	weuk.exe
File opened for modification	C:\Windows\SysWOW64\whftud.exe	wditfwmiu.exe
File opened for modification	C:\Windows\SysWOW64\wbbl.exe	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\wkaf.exe	wibjiol.exe
File opened for modification	C:\Windows\SysWOW64\wqiix.exe	wdc.exe
File created	C:\Windows\SysWOW64\wfpxp.exe	wpmee.exe
File opened for modification	C:\Windows\SysWOW64\wpswjcb.exe	wfpxp.exe
File created	C:\Windows\SysWOW64\wpvimnqu.exe	wwkqf.exe
File created	C:\Windows\SysWOW64\wyhvmf.exe	wguud.exe
File created	C:\Windows\SysWOW64\wjxcjeu.exe	wiiwywtuu.exe
File created	C:\Windows\SysWOW64\wecaxo.exe	wpmuga.exe
File opened for modification	C:\Windows\SysWOW64\wwonol.exe	weuk.exe
File opened for modification	C:\Windows\SysWOW64\wjqshgkd.exe	wuoyutlv.exe
File created	C:\Windows\SysWOW64\wyac.exe	wbwrebg.exe
File opened for modification	C:\Windows\SysWOW64\wiuxqxr.exe	wkwpyhns.exe
File created	C:\Windows\SysWOW64\wytaffg.exe	wekgod.exe
File opened for modification	C:\Windows\SysWOW64\wuhgbj.exe	wjt.exe
File created	C:\Windows\SysWOW64\wlvpt.exe	wwonol.exe
File created	C:\Windows\SysWOW64\weebdbvq.exe	whftud.exe
File created	C:\Windows\SysWOW64\wditfwmiu.exe	wsbnrypk.exe
File created	C:\Windows\SysWOW64\wffdj.exe	wbbl.exe
File opened for modification	C:\Windows\SysWOW64\wcggwha.exe	wkaf.exe
File opened for modification	C:\Windows\SysWOW64\wnajrk.exe	wewkwntk.exe
File created	C:\Windows\SysWOW64\wmiexsp.exe	wytaffg.exe
File created	C:\Windows\SysWOW64\wiiwywtuu.exe	wmfimb.exe
File created	C:\Windows\SysWOW64\whfgnm.exe	wkrjn.exe
File created	C:\Windows\SysWOW64\whftud.exe	wditfwmiu.exe
File opened for modification	C:\Windows\SysWOW64\wpbwrh.exe	wffdj.exe
File opened for modification	C:\Windows\SysWOW64\wpmuga.exe	wfkw.exe
File created	C:\Windows\SysWOW64\wkwpyhns.exe	wnajrk.exe
File created	C:\Windows\SysWOW64\wdbx.exe	wcpewn.exe
File opened for modification	C:\Windows\SysWOW64\wdbx.exe	wcpewn.exe
File opened for modification	C:\Windows\SysWOW64\wecaxo.exe	wpmuga.exe
File created	C:\Windows\SysWOW64\wnajrk.exe	wewkwntk.exe
File created	C:\Windows\SysWOW64\wbmfrxy.exe	wqiix.exe
File opened for modification	C:\Windows\SysWOW64\wuoyutlv.exe	wmiexsp.exe
File opened for modification	C:\Windows\SysWOW64\wurcn.exe	wjhdgf.exe
File opened for modification	C:\Windows\SysWOW64\wmpx.exe	wnpmoylv.exe
File opened for modification	C:\Windows\SysWOW64\wditfwmiu.exe	wsbnrypk.exe
File created	C:\Windows\SysWOW64\wsbnrypk.exe	wmpx.exe
File created	C:\Windows\SysWOW64\wuhgbj.exe	wjt.exe
File created	C:\Windows\SysWOW64\whjrvmthj.exe	wcls.exe
File opened for modification	C:\Windows\SysWOW64\wfkw.exe	wcggwha.exe
File opened for modification	C:\Windows\SysWOW64\wkwpyhns.exe	wnajrk.exe
File created	C:\Windows\SysWOW64\wlqeracoc.exe	wpswjcb.exe
File opened for modification	C:\Windows\SysWOW64\wmiexsp.exe	wytaffg.exe
File created	C:\Windows\SysWOW64\wjqshgkd.exe	wuoyutlv.exe
File opened for modification	C:\Windows\SysWOW64\wstuin.exe	wyfrxh.exe
File opened for modification	C:\Windows\SysWOW64\wtaaeaplg.exe	wjxcjeu.exe
File opened for modification	C:\Windows\SysWOW64\wdiifxg.exe	wsglmdnnw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
5024	2136	WerFault.exe	114
1668	1408	WerFault.exe	126
3168	1408	WerFault.exe	126
3580	1408	WerFault.exe	126
3312	1408	WerFault.exe	126
2140	1032	WerFault.exe	156
4588	1208	WerFault.exe	194
4708	2912	WerFault.exe	197
4908	2912	WerFault.exe	197
5028	2704	WerFault.exe	318

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 3456	816	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe	90
PID 816 wrote to memory of 3456	816	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe	90
PID 816 wrote to memory of 3456	816	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe	90
PID 816 wrote to memory of 1744	816	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe	92
PID 816 wrote to memory of 1744	816	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe	92
PID 816 wrote to memory of 1744	816	000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe	92
PID 3456 wrote to memory of 660	3456	wbbl.exe	96
PID 3456 wrote to memory of 660	3456	wbbl.exe	96
PID 3456 wrote to memory of 660	3456	wbbl.exe	96
PID 3456 wrote to memory of 1832	3456	wbbl.exe	97
PID 3456 wrote to memory of 1832	3456	wbbl.exe	97
PID 3456 wrote to memory of 1832	3456	wbbl.exe	97
PID 660 wrote to memory of 4992	660	wffdj.exe	99
PID 660 wrote to memory of 4992	660	wffdj.exe	99
PID 660 wrote to memory of 4992	660	wffdj.exe	99
PID 660 wrote to memory of 4480	660	wffdj.exe	100
PID 660 wrote to memory of 4480	660	wffdj.exe	100
PID 660 wrote to memory of 4480	660	wffdj.exe	100
PID 4992 wrote to memory of 3532	4992	wpbwrh.exe	103
PID 4992 wrote to memory of 3532	4992	wpbwrh.exe	103
PID 4992 wrote to memory of 3532	4992	wpbwrh.exe	103
PID 4992 wrote to memory of 1740	4992	wpbwrh.exe	104
PID 4992 wrote to memory of 1740	4992	wpbwrh.exe	104
PID 4992 wrote to memory of 1740	4992	wpbwrh.exe	104
PID 3532 wrote to memory of 2324	3532	wibjiol.exe	108
PID 3532 wrote to memory of 2324	3532	wibjiol.exe	108
PID 3532 wrote to memory of 2324	3532	wibjiol.exe	108
PID 3532 wrote to memory of 876	3532	wibjiol.exe	109
PID 3532 wrote to memory of 876	3532	wibjiol.exe	109
PID 3532 wrote to memory of 876	3532	wibjiol.exe	109
PID 2324 wrote to memory of 4620	2324	wkaf.exe	111
PID 2324 wrote to memory of 4620	2324	wkaf.exe	111
PID 2324 wrote to memory of 4620	2324	wkaf.exe	111
PID 2324 wrote to memory of 3020	2324	wkaf.exe	112
PID 2324 wrote to memory of 3020	2324	wkaf.exe	112
PID 2324 wrote to memory of 3020	2324	wkaf.exe	112
PID 4620 wrote to memory of 2136	4620	wcggwha.exe	114
PID 4620 wrote to memory of 2136	4620	wcggwha.exe	114
PID 4620 wrote to memory of 2136	4620	wcggwha.exe	114
PID 4620 wrote to memory of 884	4620	wcggwha.exe	115
PID 4620 wrote to memory of 884	4620	wcggwha.exe	115
PID 4620 wrote to memory of 884	4620	wcggwha.exe	115
PID 2136 wrote to memory of 3432	2136	wfkw.exe	117
PID 2136 wrote to memory of 3432	2136	wfkw.exe	117
PID 2136 wrote to memory of 3432	2136	wfkw.exe	117
PID 2136 wrote to memory of 2168	2136	wfkw.exe	118
PID 2136 wrote to memory of 2168	2136	wfkw.exe	118
PID 2136 wrote to memory of 2168	2136	wfkw.exe	118
PID 3432 wrote to memory of 2312	3432	wpmuga.exe	123
PID 3432 wrote to memory of 2312	3432	wpmuga.exe	123
PID 3432 wrote to memory of 2312	3432	wpmuga.exe	123
PID 3432 wrote to memory of 2732	3432	wpmuga.exe	124
PID 3432 wrote to memory of 2732	3432	wpmuga.exe	124
PID 3432 wrote to memory of 2732	3432	wpmuga.exe	124
PID 2312 wrote to memory of 1408	2312	wecaxo.exe	126
PID 2312 wrote to memory of 1408	2312	wecaxo.exe	126
PID 2312 wrote to memory of 1408	2312	wecaxo.exe	126
PID 2312 wrote to memory of 4496	2312	wecaxo.exe	127
PID 2312 wrote to memory of 4496	2312	wecaxo.exe	127
PID 2312 wrote to memory of 4496	2312	wecaxo.exe	127
PID 1408 wrote to memory of 4484	1408	wguud.exe	129
PID 1408 wrote to memory of 4484	1408	wguud.exe	129
PID 1408 wrote to memory of 4484	1408	wguud.exe	129
PID 1408 wrote to memory of 1648	1408	wguud.exe	130

C:\Users\Admin\AppData\Local\Temp\000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\wbbl.exe
  "C:\Windows\system32\wbbl.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\wffdj.exe
    "C:\Windows\system32\wffdj.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\wpbwrh.exe
      "C:\Windows\system32\wpbwrh.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\wibjiol.exe
        
        "C:\Windows\system32\wibjiol.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\SysWOW64\wkaf.exe
        
        "C:\Windows\system32\wkaf.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\wcggwha.exe
        
        "C:\Windows\system32\wcggwha.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\wfkw.exe
        
        "C:\Windows\system32\wfkw.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\wpmuga.exe
        
        "C:\Windows\system32\wpmuga.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\wecaxo.exe
        
        "C:\Windows\system32\wecaxo.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\wguud.exe
        
        "C:\Windows\system32\wguud.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\wyhvmf.exe
        
        "C:\Windows\system32\wyhvmf.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4484
        
        C:\Windows\SysWOW64\wfanjku.exe
        
        "C:\Windows\system32\wfanjku.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1756
        
        C:\Windows\SysWOW64\wtosdx.exe
        
        "C:\Windows\system32\wtosdx.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\wqbpeusr.exe
        
        "C:\Windows\system32\wqbpeusr.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3484
        
        C:\Windows\SysWOW64\weuk.exe
        
        "C:\Windows\system32\weuk.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\wwonol.exe
        
        "C:\Windows\system32\wwonol.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\wlvpt.exe
        
        "C:\Windows\system32\wlvpt.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\wwsjtk.exe
        
        "C:\Windows\system32\wwsjtk.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:428
        
        C:\Windows\SysWOW64\wewkwntk.exe
        
        "C:\Windows\system32\wewkwntk.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\wnajrk.exe
        
        "C:\Windows\system32\wnajrk.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\wkwpyhns.exe
        
        "C:\Windows\system32\wkwpyhns.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\wiuxqxr.exe
        
        "C:\Windows\system32\wiuxqxr.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wkx.exe
        
        "C:\Windows\system32\wkx.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\wfarxaqm.exe
        
        "C:\Windows\system32\wfarxaqm.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:384
        
        C:\Windows\SysWOW64\wdt.exe
        
        "C:\Windows\system32\wdt.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3960
        
        C:\Windows\SysWOW64\wdc.exe
        
        "C:\Windows\system32\wdc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\wqiix.exe
        
        "C:\Windows\system32\wqiix.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\wbmfrxy.exe
        
        "C:\Windows\system32\wbmfrxy.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1208
        
        C:\Windows\SysWOW64\wmkus.exe
        
        "C:\Windows\system32\wmkus.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\wpmee.exe
        
        "C:\Windows\system32\wpmee.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\wfpxp.exe
        
        "C:\Windows\system32\wfpxp.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\wpswjcb.exe
        
        "C:\Windows\system32\wpswjcb.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\wlqeracoc.exe
        
        "C:\Windows\system32\wlqeracoc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\wekgod.exe
        
        "C:\Windows\system32\wekgod.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\wytaffg.exe
        
        "C:\Windows\system32\wytaffg.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\wmiexsp.exe
        
        "C:\Windows\system32\wmiexsp.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\wuoyutlv.exe
        
        "C:\Windows\system32\wuoyutlv.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\wjqshgkd.exe
        
        "C:\Windows\system32\wjqshgkd.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1076
        
        C:\Windows\SysWOW64\wcpewn.exe
        
        "C:\Windows\system32\wcpewn.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\wdbx.exe
        
        "C:\Windows\system32\wdbx.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4496
        
        C:\Windows\SysWOW64\wwkqf.exe
        
        "C:\Windows\system32\wwkqf.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\wpvimnqu.exe
        
        "C:\Windows\system32\wpvimnqu.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\wexd.exe
        
        "C:\Windows\system32\wexd.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4092
        
        C:\Windows\SysWOW64\wmfimb.exe
        
        "C:\Windows\system32\wmfimb.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\wiiwywtuu.exe
        
        "C:\Windows\system32\wiiwywtuu.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\wjxcjeu.exe
        
        "C:\Windows\system32\wjxcjeu.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\wtaaeaplg.exe
        
        "C:\Windows\system32\wtaaeaplg.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4860
        
        C:\Windows\SysWOW64\wpw.exe
        
        "C:\Windows\system32\wpw.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4848
        
        C:\Windows\SysWOW64\wyena.exe
        
        "C:\Windows\system32\wyena.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\wrhec.exe
        
        "C:\Windows\system32\wrhec.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:384
        
        C:\Windows\SysWOW64\wyomssr.exe
        
        "C:\Windows\system32\wyomssr.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\wkrjn.exe
        
        "C:\Windows\system32\wkrjn.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\whfgnm.exe
        
        "C:\Windows\system32\whfgnm.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3668
        
        C:\Windows\SysWOW64\wwcw.exe
        
        "C:\Windows\system32\wwcw.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\wnpmoylv.exe
        
        "C:\Windows\system32\wnpmoylv.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\wmpx.exe
        
        "C:\Windows\system32\wmpx.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\wsbnrypk.exe
        
        "C:\Windows\system32\wsbnrypk.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\wditfwmiu.exe
        
        "C:\Windows\system32\wditfwmiu.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\whftud.exe
        
        "C:\Windows\system32\whftud.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\weebdbvq.exe
        
        "C:\Windows\system32\weebdbvq.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\wjhdgf.exe
        
        "C:\Windows\system32\wjhdgf.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\wurcn.exe
        
        "C:\Windows\system32\wurcn.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1928
        
        C:\Windows\SysWOW64\wjt.exe
        
        "C:\Windows\system32\wjt.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\wuhgbj.exe
        
        "C:\Windows\system32\wuhgbj.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4316
        
        C:\Windows\SysWOW64\wcls.exe
        
        "C:\Windows\system32\wcls.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\whjrvmthj.exe
        
        "C:\Windows\system32\whjrvmthj.exe"
        67⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2032
        
        C:\Windows\SysWOW64\wsglmdnnw.exe
        
        "C:\Windows\system32\wsglmdnnw.exe"
        68⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\wdiifxg.exe
        
        "C:\Windows\system32\wdiifxg.exe"
        69⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4356
        
        C:\Windows\SysWOW64\wnlhbtdxp.exe
        
        "C:\Windows\system32\wnlhbtdxp.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4544
        
        C:\Windows\SysWOW64\wyfrxh.exe
        
        "C:\Windows\system32\wyfrxh.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\wstuin.exe
        
        "C:\Windows\system32\wstuin.exe"
        72⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\whvnta.exe
        
        "C:\Windows\system32\whvnta.exe"
        73⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3748
        
        C:\Windows\SysWOW64\wbwrebg.exe
        
        "C:\Windows\system32\wbwrebg.exe"
        74⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvnta.exe"
        74⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstuin.exe"
        73⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfrxh.exe"
        72⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlhbtdxp.exe"
        71⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdiifxg.exe"
        70⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsglmdnnw.exe"
        69⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjrvmthj.exe"
        68⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcls.exe"
        67⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhgbj.exe"
        66⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjt.exe"
        65⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1256
        65⤵
        Program crash
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurcn.exe"
        64⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhdgf.exe"
        63⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weebdbvq.exe"
        62⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whftud.exe"
        61⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wditfwmiu.exe"
        60⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbnrypk.exe"
        59⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpx.exe"
        58⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpmoylv.exe"
        57⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwcw.exe"
        56⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whfgnm.exe"
        55⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrjn.exe"
        54⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyomssr.exe"
        53⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrhec.exe"
        52⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyena.exe"
        51⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpw.exe"
        50⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaaeaplg.exe"
        49⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxcjeu.exe"
        48⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiwywtuu.exe"
        47⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfimb.exe"
        46⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexd.exe"
        45⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvimnqu.exe"
        44⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkqf.exe"
        43⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbx.exe"
        42⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpewn.exe"
        41⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqshgkd.exe"
        40⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuoyutlv.exe"
        39⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmiexsp.exe"
        38⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wytaffg.exe"
        37⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekgod.exe"
        36⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqeracoc.exe"
        35⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpswjcb.exe"
        34⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpxp.exe"
        33⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmee.exe"
        32⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkus.exe"
        31⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 116
        31⤵
        Program crash
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1536
        31⤵
        Program crash
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmfrxy.exe"
        30⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1408
        30⤵
        Program crash
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqiix.exe"
        29⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdc.exe"
        28⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdt.exe"
        27⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfarxaqm.exe"
        26⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkx.exe"
        25⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuxqxr.exe"
        24⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwpyhns.exe"
        23⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnajrk.exe"
        22⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewkwntk.exe"
        21⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsjtk.exe"
        20⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvpt.exe"
        19⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwonol.exe"
        18⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1428
        18⤵
        Program crash
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuk.exe"
        17⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbpeusr.exe"
        16⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtosdx.exe"
        15⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfanjku.exe"
        14⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhvmf.exe"
        13⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguud.exe"
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1688
        12⤵
        Program crash
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1676
        12⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 432
        12⤵
        Program crash
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 528
        12⤵
        Program crash
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecaxo.exe"
        11⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmuga.exe"
        10⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkw.exe"
        9⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1192
        9⤵
        Program crash
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcggwha.exe"
        8⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkaf.exe"
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibjiol.exe"
        6⤵
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbwrh.exe"
        5⤵
        
        PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffdj.exe"
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbl.exe"
    3⤵
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\000154d3572e492b1bb3ab35f5dfd5d7_NeikiAnalytics.exe"
  2⤵
  PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1408 -ip 1408
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1408 -ip 1408
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1408 -ip 1408
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1408 -ip 1408
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1032 -ip 1032
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1208 -ip 1208
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2912 -ip 2912
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2912 -ip 2912
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2704 -ip 2704
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbbl.exe

Filesize
93KB

MD5
4137896e9b2f07e5b9a9a5bfda5bfd59

SHA1
b0e5d509f2be341790410a8ef6b76a60d5e5e8f1

SHA256
4d6bcf23d31e5383ac082d5b96fb1c4e20d016095116cd27924f40ed12b0f2c5

SHA512
f284f2761dff3ac573f54590c76c815338ad02c6000516f3c4cda65283ad9a6a3a6481b789d4129bd0b8b5e29449d19a042106eaf0d504a12a33aca8c0f5545c

Download Submit
C:\Windows\SysWOW64\wbmfrxy.exe

Filesize
94KB

MD5
6479cc049146ccb5dc1d12deb9019a3f

SHA1
955dabe3a38e9fb2a3d506c607b51abc3623c601

SHA256
5b0a8bd2d2856a6e57c2c3a817b1d275b9942ecbfc7b331561189df569539b82

SHA512
26f26555f34fedd6e77e0690d2673dbcabd58574ed53aa001bbd97457e67f78a3e93415cccaf5058ed61e4bec90b442b450308f226b736ee37a89f8aeda59180

Download Submit
C:\Windows\SysWOW64\wcggwha.exe

Filesize
93KB

MD5
c2ba4a91eabc1e6fdc6cd94d3c3dbea7

SHA1
b512aa22a9268218b72455e419935308df64036c

SHA256
660aaf258d3ccaba2e5404182bb4b9ab391db14f8c2e7105b347c857371158d2

SHA512
6b5b48555ce644afcae2e51704323afbb3a9797c1965d27be1a7cf2de09493d7779cdb32f8e7befe9b839841f8bca6fd9efa52e2ce862ecd78f0ce638ed1ca18

Download Submit
C:\Windows\SysWOW64\wdc.exe

Filesize
94KB

MD5
f41d7b7e1c75de6d3e8471138553bc6a

SHA1
ede75530f14405448efd2872041ca20b252531a6

SHA256
1a9fa455d9d9626e9b721107d6498a0e8bb90a1966e56012f8f3a8078217cf9b

SHA512
cb0d118fb5cde5574236a3f8e3b017de802317f2f5f57ceaea1715b4943ca717c0d2c0400a717534a532264dfe826c1519801b5069da1b1f1f38152e2c12d42f

Download Submit
C:\Windows\SysWOW64\wdt.exe

Filesize
94KB

MD5
b5ff0908d0338a15f1db3e05db69a8a4

SHA1
4e5ad775a00c5747be8524211072ddbe2cc9fc52

SHA256
e638a9ed2ac487c09f28c21914ab77d4758b62865150f259bfb7259a19092a93

SHA512
007d94c2605d2d5fe0137397bf51f3cb924ead037affc9a974e87db6869cc5307f2e8390cd12bb6e163828984c16f8158977e9060c033cd75b2c2a2d111191ff

Download Submit
C:\Windows\SysWOW64\wecaxo.exe

Filesize
93KB

MD5
a1f6c041b7417e7cb3f51e930ae025ac

SHA1
d94cc342e1780613703918961b1f401b6fc592bf

SHA256
8f568224eb72ba52e953dde3c322a8d3e362d2119ad7fa0e07eacd2c3e5b58d4

SHA512
fc79837a162a131935d06de365014814b233a4554e164fa43341acc7fa4270207a4d6f52213987bc2b2a41c4f87231111a5c7aec65914d41637f54f93399ccfb

Download Submit
C:\Windows\SysWOW64\weuk.exe

Filesize
93KB

MD5
632b9b428dd68383dbb4d81e4faa852d

SHA1
1cbf6d927c6140ec7d56a5ee29eea45e4ee4cca7

SHA256
933e8253bb32ed77c2aaff05b81903a0ff12175fb59a33d9fa755f850eed263a

SHA512
77dc4329f4fabeb6a1c7e14e1aeefe2eb181c5997563aed236fa95a2cd76cab0eeeb04e42d4ac4de202147ee688cc177544f511f7aa610beee3c04085aba6a9f

Download Submit
C:\Windows\SysWOW64\wewkwntk.exe

Filesize
94KB

MD5
f4134693e705303d203bd5cca173339b

SHA1
57e9d09e6dedb1a2b729ad7796686d0f523c7c18

SHA256
2349354d5805149b36e70ab4fcfa441165b78fdc39471cca330712e3a2378cba

SHA512
ab7040247f29b153757140399458934911094c1030d57f8085b83ebdcb36a385815839b5b19cbc669a91adac0149e33664a406e7b222a99101989e5a588da6e9

Download Submit
C:\Windows\SysWOW64\wfanjku.exe

Filesize
93KB

MD5
3c9dffbc950911fe45e1617f49088d59

SHA1
c598f6b7ee98059d6e85f37f0440718a6c63852d

SHA256
20569cc3bfdb60a5a9098ed404abe74f48324df5b84d1353510a13f3a9ab7fb0

SHA512
b025e9bf78d6d769483dab4cd95717d3ce0af4788c8f694d814eeaa4851c5ea1b2df6145c0f6b3fb1a107350c76658c6bda5130d96a05e02eabc77829e47aa75

Download Submit
C:\Windows\SysWOW64\wfarxaqm.exe

Filesize
94KB

MD5
6ef58e105893cbfa88ce14e3a1f1e9b2

SHA1
14fdfa721c7249aaa0f56e41ad5f9f147cceb9ef

SHA256
190ab5f6518a0476f7e63f2411a45a426c3220eea06513543a8bbae1bd955987

SHA512
e5f084a811a365b995022d01455b81323f645a763a82690749082ec6c018d743d66ad27f5bd8f70fac05362bc86b43cafe72cd5e3dab05cac5372a37ee34e2a4

Download Submit
C:\Windows\SysWOW64\wffdj.exe

Filesize
93KB

MD5
caa6f3bcd7e14ac573d146db64a2e8d9

SHA1
f8c52c661e767eb459eeb70b4220d9624e30806c

SHA256
8f89ae995339f15487de4e274e98ca8d8aeda0b02dd124fb0358b3564fb6d7ee

SHA512
8655168ceddc20662cb82694b3dad558079358bc609858dcc42284ed67461d4b57479aa30f442e24761f8a87806227d21a818aee191c683e36159a9fabf8e677

Download Submit
C:\Windows\SysWOW64\wfkw.exe

Filesize
93KB

MD5
ffe6f0cef807ecc8c6d8bb1e284a4964

SHA1
f676878173539c102f25bf6e2d950dcbdad2e5f1

SHA256
9ed2e707158446d2ca0fb4507c17c2754180084b58391b2a38f4b2daa8c32404

SHA512
3834b2fb2c91c8f785389ba45cb0627d36febb7510829e3eaae86a35606cf3267055dbc269826810bd91f6f855674fbf01307d373766fdd75896f31db72924aa

Download Submit
C:\Windows\SysWOW64\wfpxp.exe

Filesize
94KB

MD5
07470a63221956a15f0ab46e8cfa6dd2

SHA1
55ca32c3d3bfb3bcd88c59ed2d354abc8222484d

SHA256
14c7287ad1abcd6d5e0ad8d4ae8c89477e5173f94cea5ee0ddfc2710703ac280

SHA512
3dd7da590aff3a731099638fc4a9312a06b9c8e019a28cd814c5cf549e3494827dc59510c800c27b422525afc6b907eadebd4d58160f81e52e04419ebe45b1f6

Download Submit
C:\Windows\SysWOW64\wguud.exe

Filesize
93KB

MD5
9f2ac7c2be8d446a785b5f929c12ad0a

SHA1
12e0aa153481f347413b2570394b093e28f25e43

SHA256
1dc2f5c6558d6480672037c7724a47b97b06f37d5bdff159cc6279e955499441

SHA512
f5705e11b2a1365b97601d466cb17cbc5372335306d0118fc3d654e8e8bfad7554772690425a8863b29a7a5eda9307606cce65827b999b0e54c69d0e73d7ee7e

Download Submit
C:\Windows\SysWOW64\wibjiol.exe

Filesize
93KB

MD5
3295c523db39a1e8b648d9face488ba6

SHA1
14ac16ca8d933fc4f4f8945b57a0ae116cd7c536

SHA256
aa9fa6d26cad60e07d1c21cef37407871128f024cf8fe6e75ce1d4624eb78477

SHA512
561088ee25534b80964f628825dcca32b4bbaa7191c2d2a078466c8907df51461fc0005a30f230b1921a8321180397018a39ad93fb7f74950ce31b7c7ac355fc

Download Submit
C:\Windows\SysWOW64\wiuxqxr.exe

Filesize
94KB

MD5
d6b2597cc22ae655dd243e373e8af80a

SHA1
4fc9531e68c994a6cd3c6ec98ec8b09ce3233c42

SHA256
9d69e481b78865ff3d45316f52a26cb73d68c4971d6aa960fdf63965cba394dc

SHA512
6a7aa8d59564203092d7ee848c6888135b389a4488f9576fc3719c7e54cd5a01eca7b431e8834968988d468926872a3d5a33bd71dde4e06c9ce9451a21fc882a

Download Submit
C:\Windows\SysWOW64\wkaf.exe

Filesize
93KB

MD5
354f12e1d545bc1bc6f14f9e734cbde6

SHA1
89b206aa55729e703f727fa957008dbed9b0aeb0

SHA256
cf372e4279afe41ee443fc3d4def6cb41b4f700cf51f0f67709f03ec2d91dc9f

SHA512
fa0faca0cfc9e4afcf586df07b975e4dc6a4034be182002c4bea95e0d3d48e2ceb5bd7dc6dab68272d3aae50b55e9ab9792fb9540f67c88e32a6eaba0d8097a5

Download Submit
C:\Windows\SysWOW64\wkwpyhns.exe

Filesize
94KB

MD5
0e0fce3e02de9733848a6999719ca6c5

SHA1
7a7bae856897cc8ea4da6fb4a6820c3bb3d31fd3

SHA256
364a42a6dfd709f0f5c69ffc2f5facc6c14c653b9c0457d209a1c80358914a7a

SHA512
64b5a3f63d961fce303c28719dfb263ae13d7de0b1733820a55e70b410d93ad8aeab7eb0b03646862d630cfa712459d8de707e4ee7512642807e2c3ec4131737

Download Submit
C:\Windows\SysWOW64\wkx.exe

Filesize
94KB

MD5
7a2cc939c7ed4c7a74b37c86d5aa32db

SHA1
a3856051f518f0eff5ac7b2ad1c36b1a95307172

SHA256
779cec53cfc9dbe8ea3111a318afb75ac88419f64646ba7a3bdcfc4bc8fe4e61

SHA512
d6d79fafc6e6497e47a44958dc6eecae4a40530e50d222e6c290d92b6faf74ffedd483e03f4035f06386f36f25ec5b41aa41fde0446e804df1aa568bbc16a1fa

Download Submit
C:\Windows\SysWOW64\wlvpt.exe

Filesize
94KB

MD5
39e6e4f65d2589bf2967f03d5f3772af

SHA1
d6c9af55f4ef1a699e384581fbe4fe25c116dda7

SHA256
e3e7476329bc483032f092b3e6cfc3d05c9f93b57d40d8cbd7f996340a648fd3

SHA512
c85ccc081ab4621b39b40fb5831fae84fd037e7e38d272f340013ae067e3a4cfb8cdf97705648730fd550061d5f4be9813ccce1fe4627bbb6097e215dda6381d

Download Submit
C:\Windows\SysWOW64\wmkus.exe

Filesize
94KB

MD5
917db793523346a9ce9e863e54e2cb06

SHA1
9f695175be371e2e6cae6169f13f4c0b51154e6d

SHA256
02a9af27ae9757671e51f1076b737fc67a6f630709b3cf383537d919e5270846

SHA512
a15eeeded969af5b0af1db58b9feae3bc2619527f6e5048c42dcaed79484cb91c7018f26d74c57b54beccfc4420cb066bd69bb9bc52d4844182dc715f1b6a772

Download Submit
C:\Windows\SysWOW64\wnajrk.exe

Filesize
94KB

MD5
3f32dfe06e6c03fd0bc4338ce3ce6eb2

SHA1
cfa3cac3f9007fdbb041b0f58637f96a97dee0fb

SHA256
9211b97a007d52fc14d3b9cb52e693c7ad4f40bdb90430d7b17c7244682b29cd

SHA512
77f516cb24781ba786d86920a3447644be78d8bd4d1daac32ae26d3d8f544e91af7aff9ee032ce935dcbfb2f26b6fa285e19e5c85d930ac825aaeab7d745e021

Download Submit
C:\Windows\SysWOW64\wpbwrh.exe

Filesize
93KB

MD5
ebce0a782efce7e4bf8059eaa08e77d4

SHA1
04754ecda179b0357eef73910fcd679bde59e1f1

SHA256
47a620b147050f87f1679e7c4566997081eb825e35f363d9fe1210bddfbb0fbc

SHA512
cb64396963c122f86cbe0e93cb7c84674140296836eba514f87b213182608de8dd795e4b58db98df45b1b3de835d64804bca6a8237712c7ea58130f1645bf821

Download Submit
C:\Windows\SysWOW64\wpmee.exe

Filesize
94KB

MD5
4c53cdaf67700ca39c433263b7bfdc15

SHA1
2252e3a6c5a1069611c661551b0237bc2b8275da

SHA256
0091b98a91fb22775e2b50455c1ffa0e81df94d7f3635685600e973c255cae21

SHA512
434d7303f7cf273f8d30b29d38e93f6290097ef51c826775fa5090d4dcb07cd4747d22592029b769e591190296cb338c35389acb1d7877b3da28afe14fc6ad47

Download Submit
C:\Windows\SysWOW64\wpmuga.exe

Filesize
93KB

MD5
745728c85cee10af184e18a88f048485

SHA1
c7da7276b49dd238f12d88763020ff8813ff2514

SHA256
0cee237e3d399bf64623f0a1c21fde6c091da497971cc75fff40d1d24d21f5c4

SHA512
901259cb350c63b762b837093760ce1d0e98f3e127edb5c70acda8f10e4fed2848cec439b6807da9dafbcc675ae9e2547ce494505ec51576d518d0e9aaab8661

Download Submit
C:\Windows\SysWOW64\wpswjcb.exe

Filesize
94KB

MD5
ea9cd13ca6f64fa81bcdd431fa4d0d31

SHA1
9546087f139ce181e4658af96a201376404fd92e

SHA256
c0dda33497188feec3cf157f25eac9e9554db46b08d9440c125d5ff7f7707045

SHA512
d34d07f510b3a3d2b141eee57474d14d7bddb62c5387f9c81e5518323df560b28121fa7c87e5eec696934fb4ece1548b9d62d1459e3662711133170973108dac

Download Submit
C:\Windows\SysWOW64\wqbpeusr.exe

Filesize
93KB

MD5
4c00ff58ec25645b8174e14983aa749e

SHA1
87ee7a736244005dbc048322605dd8e37bf834be

SHA256
566edf4b9c39b57742a10822456fac11f515dca7a57e18e893b44241bb8ce1ec

SHA512
c083417aacb3fd80d7ea52b971c8e04b33c61a99c56fdd5db61d91d3899c3c3c84d3751aa1079b702d31d11d45c3df5139b6d8f691701759552a878d42eb686b

Download Submit
C:\Windows\SysWOW64\wqiix.exe

Filesize
94KB

MD5
809a045a08d62d62685b9c4d6c6f0dce

SHA1
616921ceba4cad667190def22cd806b70c23a780

SHA256
fd76b921f5deb8f2f28e979bf486fd90f6c6558480944b0ff859cb296b99c950

SHA512
fdb2a2ef578a0dc38004c985c36da3608b56bc2a9fc039b2ba6ce0b811a2f1a11b08c87137f8d572bd6eaf0f49a5bb2fc6e3900c0f8ae35626cf27bb87fb4c5a

Download Submit
C:\Windows\SysWOW64\wtosdx.exe

Filesize
93KB

MD5
129bb42f20faec9b5a7adaab4f0b6cf4

SHA1
ff6fccb3e23cccf392372eb0446ace2e4edd5c76

SHA256
fee069b3bc5886449ba9b0ee4831e0ba970e8c49f5f14950a1f96d21a8bee2ad

SHA512
11b1b34d43b1a8b4530f129aa53149fee2d8e2016204d588017162d1b22e5834c041bf44fae74f41a026e75f468610aab2beed0d5b6ad4a3d793541be7eb39a1

Download Submit
C:\Windows\SysWOW64\wwonol.exe

Filesize
94KB

MD5
8b54025212e6d327f5abb182af605344

SHA1
0cbdda93aa902c3ccca03596e88a8e40cb0d9bb5

SHA256
5acad92e5c1c903ebfa98c1b819e55519e2fbaf4abdda40d2e4463ffa58b1fce

SHA512
98ea28d83b6de8327f8ba1ba1cdfcaf451b2f6a7b2003b8327c5f3b3dcd46d9f153badcb6197d04e40053069201903d20b2294a5daa5b18bcd7188cbac169f5c

Download Submit
C:\Windows\SysWOW64\wwsjtk.exe

Filesize
94KB

MD5
a047e2997768bd6edb2679373e8272d5

SHA1
4b7fcb9e3cbeba7270497e4e553046854305a832

SHA256
fed0d9bd547ae2b0d09a536bec919ab20ce3804ddd62de87e961e68721a2d3af

SHA512
243213a7eb1697d7b1afa9834ef4115dc34d310fb0724d6f95586eaa23f777d4d3c4a8a13cb42bef5b8616961252a780b6ca5e52ff6bf114e17a2d25489a0ab4

Download Submit
C:\Windows\SysWOW64\wyhvmf.exe

Filesize
93KB

MD5
253a685b2d221e3eb6ad341f4916f2ce

SHA1
16d2f8c8738f810e368abb26a31e1dd90dccadd0

SHA256
a862faaf950828d3e29ecadb438ced7b7b134d7b6c64470840766a40989e2bae

SHA512
d980c0fcaa44e830c259581d40443008c3e71dc7731b47fc85694e068c661e636cf343ecc65f3e3cc77dfee53e36b19df407036fab3a728a33db330c735180f1

Download Submit
memory/384-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/384-484-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/384-493-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/428-199-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/660-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/660-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/676-534-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/816-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/816-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/868-442-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1032-178-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1032-167-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1076-393-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1076-384-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1140-558-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1208-302-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1236-526-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1408-116-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1696-402-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1756-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1896-168-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1928-592-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1928-501-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1948-358-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1948-367-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2032-628-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2136-73-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2136-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2152-323-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2312-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2312-105-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2324-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2376-566-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2376-576-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2596-239-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-601-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-510-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2912-312-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2912-301-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3028-459-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3432-375-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3432-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3432-385-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3456-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3456-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3484-157-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3484-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3532-53-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3580-249-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3584-333-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3584-322-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3628-229-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3644-542-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3668-518-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3668-509-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3904-584-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3904-575-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3960-259-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3960-271-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4092-434-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4176-219-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4196-450-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4292-426-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4304-610-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4304-619-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4316-611-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4316-600-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4344-281-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4428-341-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4476-376-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4484-126-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4484-115-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4484-550-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4496-410-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4496-401-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4504-349-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4504-359-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4544-644-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4584-418-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4620-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4620-147-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4620-198-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4620-209-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4708-567-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4760-350-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4848-476-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4860-467-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4860-458-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4984-188-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4988-475-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4988-485-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4992-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4992-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5012-627-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5012-636-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-291-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads