bb98d2f668a496736a13aa511e3becd97db1bb6afa7c1f3893a0682256e95d37

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe
Size

93KB
MD5

6d528c0a2dbd434030f15feddb918120
SHA1

f8890a4b8a188fe383cc24009db23d4df51ba006
SHA256

bb98d2f668a496736a13aa511e3becd97db1bb6afa7c1f3893a0682256e95d37
SHA512

3f545978ca7f6e470f0b3254c104043d8d4c6a06100ca144acc4a9f62fe984446dd8a97692b6d6f3ba6ea351f4506bccf5b7d8e945b4a0b88326b9589075cc99
SSDEEP

768:wrGLctww30POw9mKv2oMumjeEgzHI/fCREC3rHvDUXM+GpcS63uHzbQsWGhM1xHy:xch3vwSbax3rHV6+HwsWGhG5JiBzQr3G

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wpq.exewccck.exewwufywr.exewkfsrmef.exewnfp.exewlyfcq.exewltwebn.exewpvwcr.exewxct.exewcptoqjeo.exeworsbe.exewlxami.exewuuys.exewslwcfoo.exewbxrnqdq.exewefgl.exewbkhdlcnf.exewkevnvqjr.exewewfqa.exewtkampe.exewigvjwd.exewvgf.exewcqvxb.exewxmwdim.exewwdmc.exewsrjthfds.exewdvincy.exewhiihiax.exewwgtle.exewdc.exewuhfye.exewymefx.exewxrb.exewshwtvb.exewtmqmwld.exewmptrne.exewecj.exewgdhlpbq.exewvhbpoqhn.exewlqm.exe6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exewuiepsj.exewefbmve.exewwfctkicp.exewmkadsl.exewqxfbta.exewtycxjr.exewvkwqa.exewmrxmya.exewqclyahkr.exewyaxjrul.exewurrg.exewjhegkbts.exewqbktg.exewtchqed.exewuyquuj.exewrriqm.exewiptx.exewwtalcon.exewapt.exewmwbuvpp.exewgfhs.exewlrbcqs.exewshcqxxuw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wccck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwufywr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wkfsrmef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wnfp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlyfcq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wltwebn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wpvwcr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wxct.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wcptoqjeo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	worsbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlxami.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wuuys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wslwcfoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wbxrnqdq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wefgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wbkhdlcnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wkevnvqjr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wewfqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtkampe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wigvjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wvgf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wcqvxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wxmwdim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwdmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wsrjthfds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdvincy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	whiihiax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwgtle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wdc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wuhfye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wymefx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wxrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wshwtvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtmqmwld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmptrne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wecj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wgdhlpbq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wvhbpoqhn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wuiepsj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wefbmve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwfctkicp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmkadsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wqxfbta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtycxjr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wvkwqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmrxmya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wqclyahkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wyaxjrul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wurrg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wjhegkbts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wqbktg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wtchqed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wuyquuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wrriqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wiptx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wwtalcon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wapt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wmwbuvpp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wgfhs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wlrbcqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wshcqxxuw.exe

Executes dropped EXE 64 IoCs

Processes:

wtmqmwld.exewflhnpe.exewsrjthfds.exewdvincy.exewhiihiax.exewpq.exewapt.exewgfo.exewqclyahkr.exewaj.exewmptrne.exewwfctkicp.exewccck.exewewfqa.exewjeqpg.exewslwcfoo.exewuyquuj.exewpvwcr.exewkjymx.exewlgckm.exewxct.exewyaxjrul.exewihew.exewjeiu.exewurrg.exewtkampe.exewmwbuvpp.exewvou.exewkfsrmef.exewwgtle.exewdc.exewuiepsj.exewjhegkbts.exewuhfye.exewnfp.exewxmwdim.exewiptx.exewigvjwd.exewwtalcon.exewbxrnqdq.exewwdmc.exewecj.exewqbktg.exewmuyr.exewmkadsl.exewrskaafaf.exewcoghx.exewtchqed.exewefgl.exewgdhlpbq.exewqabbfuw.exewqxfbta.exewcptoqjeo.exewshcqxxuw.exewbnxnxte.exewncqqldk.exeworsbe.exewtycxjr.exewvkwqa.exewvhbpoqhn.exewsuwpm.exewwufywr.exewlxami.exewymefx.exe

pid	process
4544	wtmqmwld.exe
792	wflhnpe.exe
4728	wsrjthfds.exe
1840	wdvincy.exe
3784	whiihiax.exe
4652	wpq.exe
4468	wapt.exe
4844	wgfo.exe
556	wqclyahkr.exe
2336	waj.exe
4332	wmptrne.exe
1412	wwfctkicp.exe
2372	wccck.exe
672	wewfqa.exe
3368	wjeqpg.exe
3536	wslwcfoo.exe
2968	wuyquuj.exe
2544	wpvwcr.exe
4772	wkjymx.exe
3268	wlgckm.exe
776	wxct.exe
2972	wyaxjrul.exe
3116	wihew.exe
332	wjeiu.exe
4640	wurrg.exe
5028	wtkampe.exe
4332	wmwbuvpp.exe
540	wvou.exe
4652	wkfsrmef.exe
4352	wwgtle.exe
2012	wdc.exe
3612	wuiepsj.exe
2040	wjhegkbts.exe
3204	wuhfye.exe
2652	wnfp.exe
2004	wxmwdim.exe
2304	wiptx.exe
4544	wigvjwd.exe
2412	wwtalcon.exe
4468	wbxrnqdq.exe
4512	wwdmc.exe
2992	wecj.exe
4560	wqbktg.exe
2852	wmuyr.exe
1160	wmkadsl.exe
3368	wrskaafaf.exe
1972	wcoghx.exe
2856	wtchqed.exe
3032	wefgl.exe
4204	wgdhlpbq.exe
1280	wqabbfuw.exe
468	wqxfbta.exe
2184	wcptoqjeo.exe
4028	wshcqxxuw.exe
3020	wbnxnxte.exe
3176	wncqqldk.exe
5060	worsbe.exe
1676	wtycxjr.exe
1848	wvkwqa.exe
2108	wvhbpoqhn.exe
3948	wsuwpm.exe
4516	wwufywr.exe
3020	wlxami.exe
1640	wymefx.exe

Drops file in System32 directory 64 IoCs

Processes:

wewfqa.exewwgtle.exewmrxmya.exewqclyahkr.exewpvwcr.exewjeiu.exewecj.exewvgf.exewshwtvb.exewapt.exewyaxjrul.exewwdmc.exewrskaafaf.exewxsidy.exewhmccnhy.exewsrjthfds.exewwfctkicp.exewslwcfoo.exewtycxjr.exewiptx.exewcptoqjeo.exewbnxnxte.exewaj.exewuyquuj.exewihew.exewuhfye.exewmwbuvpp.exewwufywr.exewbkhdlcnf.exewpq.exewlgckm.exewkfsrmef.exewsuwpm.exewlrbcqs.exewtmqmwld.exewdvincy.exewbxrnqdq.exewmuyr.exewvhbpoqhn.exewflhnpe.exewkjymx.exewtkampe.exewigvjwd.exewjeqpg.exewxmwdim.exewefgl.exewgfo.exewuuys.exewrriqm.exewurrg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wjeqpg.exe	wewfqa.exe
File opened for modification	C:\Windows\SysWOW64\wdc.exe	wwgtle.exe
File created	C:\Windows\SysWOW64\wkevnvqjr.exe	wmrxmya.exe
File opened for modification	C:\Windows\SysWOW64\waj.exe	wqclyahkr.exe
File created	C:\Windows\SysWOW64\wkjymx.exe	wpvwcr.exe
File opened for modification	C:\Windows\SysWOW64\wurrg.exe	wjeiu.exe
File opened for modification	C:\Windows\SysWOW64\wqbktg.exe	wecj.exe
File created	C:\Windows\SysWOW64\wlqm.exe	wvgf.exe
File created	C:\Windows\SysWOW64\wltwebn.exe	wshwtvb.exe
File opened for modification	C:\Windows\SysWOW64\wgfo.exe	wapt.exe
File created	C:\Windows\SysWOW64\wihew.exe	wyaxjrul.exe
File opened for modification	C:\Windows\SysWOW64\wecj.exe	wwdmc.exe
File created	C:\Windows\SysWOW64\wcoghx.exe	wrskaafaf.exe
File created	C:\Windows\SysWOW64\wvgf.exe	wxsidy.exe
File created	C:\Windows\SysWOW64\wrriqm.exe	whmccnhy.exe
File created	C:\Windows\SysWOW64\wdvincy.exe	wsrjthfds.exe
File opened for modification	C:\Windows\SysWOW64\wdvincy.exe	wsrjthfds.exe
File opened for modification	C:\Windows\SysWOW64\wccck.exe	wwfctkicp.exe
File opened for modification	C:\Windows\SysWOW64\wuyquuj.exe	wslwcfoo.exe
File opened for modification	C:\Windows\SysWOW64\wvkwqa.exe	wtycxjr.exe
File created	C:\Windows\SysWOW64\wigvjwd.exe	wiptx.exe
File created	C:\Windows\SysWOW64\wshcqxxuw.exe	wcptoqjeo.exe
File created	C:\Windows\SysWOW64\wncqqldk.exe	wbnxnxte.exe
File created	C:\Windows\SysWOW64\wgfo.exe	wapt.exe
File opened for modification	C:\Windows\SysWOW64\wmptrne.exe	waj.exe
File opened for modification	C:\Windows\SysWOW64\wpvwcr.exe	wuyquuj.exe
File opened for modification	C:\Windows\SysWOW64\wjeiu.exe	wihew.exe
File opened for modification	C:\Windows\SysWOW64\wnfp.exe	wuhfye.exe
File created	C:\Windows\SysWOW64\wvou.exe	wmwbuvpp.exe
File opened for modification	C:\Windows\SysWOW64\wvgf.exe	wxsidy.exe
File created	C:\Windows\SysWOW64\wlxami.exe	wwufywr.exe
File created	C:\Windows\SysWOW64\wgfhs.exe	wbkhdlcnf.exe
File opened for modification	C:\Windows\SysWOW64\wapt.exe	wpq.exe
File created	C:\Windows\SysWOW64\wccck.exe	wwfctkicp.exe
File created	C:\Windows\SysWOW64\wpvwcr.exe	wuyquuj.exe
File opened for modification	C:\Windows\SysWOW64\wxct.exe	wlgckm.exe
File opened for modification	C:\Windows\SysWOW64\wwgtle.exe	wkfsrmef.exe
File created	C:\Windows\SysWOW64\wwufywr.exe	wsuwpm.exe
File opened for modification	C:\Windows\SysWOW64\wlqm.exe	wvgf.exe
File created	C:\Windows\SysWOW64\wefbmve.exe	wlrbcqs.exe
File opened for modification	C:\Windows\SysWOW64\wflhnpe.exe	wtmqmwld.exe
File opened for modification	C:\Windows\SysWOW64\whiihiax.exe	wdvincy.exe
File created	C:\Windows\SysWOW64\wwdmc.exe	wbxrnqdq.exe
File created	C:\Windows\SysWOW64\wmkadsl.exe	wmuyr.exe
File opened for modification	C:\Windows\SysWOW64\wsuwpm.exe	wvhbpoqhn.exe
File opened for modification	C:\Windows\SysWOW64\wwdmc.exe	wbxrnqdq.exe
File created	C:\Windows\SysWOW64\wecj.exe	wwdmc.exe
File opened for modification	C:\Windows\SysWOW64\wsrjthfds.exe	wflhnpe.exe
File created	C:\Windows\SysWOW64\wlgckm.exe	wkjymx.exe
File created	C:\Windows\SysWOW64\wmwbuvpp.exe	wtkampe.exe
File opened for modification	C:\Windows\SysWOW64\wmwbuvpp.exe	wtkampe.exe
File created	C:\Windows\SysWOW64\wwtalcon.exe	wigvjwd.exe
File created	C:\Windows\SysWOW64\wslwcfoo.exe	wjeqpg.exe
File created	C:\Windows\SysWOW64\wurrg.exe	wjeiu.exe
File created	C:\Windows\SysWOW64\wiptx.exe	wxmwdim.exe
File opened for modification	C:\Windows\SysWOW64\wiptx.exe	wxmwdim.exe
File created	C:\Windows\SysWOW64\wgdhlpbq.exe	wefgl.exe
File opened for modification	C:\Windows\SysWOW64\wqclyahkr.exe	wgfo.exe
File opened for modification	C:\Windows\SysWOW64\wshwtvb.exe	wuuys.exe
File created	C:\Windows\SysWOW64\wltmb.exe	wrriqm.exe
File created	C:\Windows\SysWOW64\wflhnpe.exe	wtmqmwld.exe
File created	C:\Windows\SysWOW64\wjeiu.exe	wihew.exe
File created	C:\Windows\SysWOW64\wtkampe.exe	wurrg.exe
File opened for modification	C:\Windows\SysWOW64\wgfhs.exe	wbkhdlcnf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4660	4544	WerFault.exe	wigvjwd.exe
4840	4468	WerFault.exe	wbxrnqdq.exe
1044	4560	WerFault.exe	wqbktg.exe
1576	2108	WerFault.exe	wvhbpoqhn.exe
1824	756	WerFault.exe	wcqvxb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exewtmqmwld.exewflhnpe.exewsrjthfds.exewdvincy.exewhiihiax.exewpq.exewapt.exewgfo.exewqclyahkr.exewaj.exe

description	pid	process	target process
PID 3468 wrote to memory of 4544	3468	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe	wtmqmwld.exe
PID 3468 wrote to memory of 4544	3468	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe	wtmqmwld.exe
PID 3468 wrote to memory of 4544	3468	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe	wtmqmwld.exe
PID 3468 wrote to memory of 4268	3468	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe	cmd.exe
PID 3468 wrote to memory of 4268	3468	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe	cmd.exe
PID 3468 wrote to memory of 4268	3468	6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe	cmd.exe
PID 4544 wrote to memory of 792	4544	wtmqmwld.exe	wflhnpe.exe
PID 4544 wrote to memory of 792	4544	wtmqmwld.exe	wflhnpe.exe
PID 4544 wrote to memory of 792	4544	wtmqmwld.exe	wflhnpe.exe
PID 4544 wrote to memory of 1160	4544	wtmqmwld.exe	cmd.exe
PID 4544 wrote to memory of 1160	4544	wtmqmwld.exe	cmd.exe
PID 4544 wrote to memory of 1160	4544	wtmqmwld.exe	cmd.exe
PID 792 wrote to memory of 4728	792	wflhnpe.exe	wsrjthfds.exe
PID 792 wrote to memory of 4728	792	wflhnpe.exe	wsrjthfds.exe
PID 792 wrote to memory of 4728	792	wflhnpe.exe	wsrjthfds.exe
PID 792 wrote to memory of 444	792	wflhnpe.exe	cmd.exe
PID 792 wrote to memory of 444	792	wflhnpe.exe	cmd.exe
PID 792 wrote to memory of 444	792	wflhnpe.exe	cmd.exe
PID 4728 wrote to memory of 1840	4728	wsrjthfds.exe	wdvincy.exe
PID 4728 wrote to memory of 1840	4728	wsrjthfds.exe	wdvincy.exe
PID 4728 wrote to memory of 1840	4728	wsrjthfds.exe	wdvincy.exe
PID 4728 wrote to memory of 3564	4728	wsrjthfds.exe	cmd.exe
PID 4728 wrote to memory of 3564	4728	wsrjthfds.exe	cmd.exe
PID 4728 wrote to memory of 3564	4728	wsrjthfds.exe	cmd.exe
PID 1840 wrote to memory of 3784	1840	wdvincy.exe	whiihiax.exe
PID 1840 wrote to memory of 3784	1840	wdvincy.exe	whiihiax.exe
PID 1840 wrote to memory of 3784	1840	wdvincy.exe	whiihiax.exe
PID 1840 wrote to memory of 3032	1840	wdvincy.exe	cmd.exe
PID 1840 wrote to memory of 3032	1840	wdvincy.exe	cmd.exe
PID 1840 wrote to memory of 3032	1840	wdvincy.exe	cmd.exe
PID 3784 wrote to memory of 4652	3784	whiihiax.exe	wpq.exe
PID 3784 wrote to memory of 4652	3784	whiihiax.exe	wpq.exe
PID 3784 wrote to memory of 4652	3784	whiihiax.exe	wpq.exe
PID 3784 wrote to memory of 3168	3784	whiihiax.exe	cmd.exe
PID 3784 wrote to memory of 3168	3784	whiihiax.exe	cmd.exe
PID 3784 wrote to memory of 3168	3784	whiihiax.exe	cmd.exe
PID 4652 wrote to memory of 4468	4652	wpq.exe	wapt.exe
PID 4652 wrote to memory of 4468	4652	wpq.exe	wapt.exe
PID 4652 wrote to memory of 4468	4652	wpq.exe	wapt.exe
PID 4652 wrote to memory of 1308	4652	wpq.exe	cmd.exe
PID 4652 wrote to memory of 1308	4652	wpq.exe	cmd.exe
PID 4652 wrote to memory of 1308	4652	wpq.exe	cmd.exe
PID 4468 wrote to memory of 4844	4468	wapt.exe	wgfo.exe
PID 4468 wrote to memory of 4844	4468	wapt.exe	wgfo.exe
PID 4468 wrote to memory of 4844	4468	wapt.exe	wgfo.exe
PID 4468 wrote to memory of 468	4468	wapt.exe	cmd.exe
PID 4468 wrote to memory of 468	4468	wapt.exe	cmd.exe
PID 4468 wrote to memory of 468	4468	wapt.exe	cmd.exe
PID 4844 wrote to memory of 556	4844	wgfo.exe	wqclyahkr.exe
PID 4844 wrote to memory of 556	4844	wgfo.exe	wqclyahkr.exe
PID 4844 wrote to memory of 556	4844	wgfo.exe	wqclyahkr.exe
PID 4844 wrote to memory of 2596	4844	wgfo.exe	cmd.exe
PID 4844 wrote to memory of 2596	4844	wgfo.exe	cmd.exe
PID 4844 wrote to memory of 2596	4844	wgfo.exe	cmd.exe
PID 556 wrote to memory of 2336	556	wqclyahkr.exe	waj.exe
PID 556 wrote to memory of 2336	556	wqclyahkr.exe	waj.exe
PID 556 wrote to memory of 2336	556	wqclyahkr.exe	waj.exe
PID 556 wrote to memory of 4536	556	wqclyahkr.exe	cmd.exe
PID 556 wrote to memory of 4536	556	wqclyahkr.exe	cmd.exe
PID 556 wrote to memory of 4536	556	wqclyahkr.exe	cmd.exe
PID 2336 wrote to memory of 4332	2336	waj.exe	wmptrne.exe
PID 2336 wrote to memory of 4332	2336	waj.exe	wmptrne.exe
PID 2336 wrote to memory of 4332	2336	waj.exe	wmptrne.exe
PID 2336 wrote to memory of 4960	2336	waj.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\wtmqmwld.exe
"C:\Windows\system32\wtmqmwld.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\wflhnpe.exe
"C:\Windows\system32\wflhnpe.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\wsrjthfds.exe
"C:\Windows\system32\wsrjthfds.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\wdvincy.exe
"C:\Windows\system32\wdvincy.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\whiihiax.exe
"C:\Windows\system32\whiihiax.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\wpq.exe
"C:\Windows\system32\wpq.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\wapt.exe
"C:\Windows\system32\wapt.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\wgfo.exe
"C:\Windows\system32\wgfo.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\wqclyahkr.exe
"C:\Windows\system32\wqclyahkr.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\waj.exe
"C:\Windows\system32\waj.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\wmptrne.exe
"C:\Windows\system32\wmptrne.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
PID:4332

C:\Windows\SysWOW64\wwfctkicp.exe
"C:\Windows\system32\wwfctkicp.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1412

C:\Windows\SysWOW64\wccck.exe
"C:\Windows\system32\wccck.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
PID:2372

C:\Windows\SysWOW64\wewfqa.exe
"C:\Windows\system32\wewfqa.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:672

C:\Windows\SysWOW64\wjeqpg.exe
"C:\Windows\system32\wjeqpg.exe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3368

C:\Windows\SysWOW64\wslwcfoo.exe
"C:\Windows\system32\wslwcfoo.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3536

C:\Windows\SysWOW64\wuyquuj.exe
"C:\Windows\system32\wuyquuj.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\wpvwcr.exe
"C:\Windows\system32\wpvwcr.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2544

C:\Windows\SysWOW64\wkjymx.exe
"C:\Windows\system32\wkjymx.exe"
20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4772

C:\Windows\SysWOW64\wlgckm.exe
"C:\Windows\system32\wlgckm.exe"
21⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3268

C:\Windows\SysWOW64\wxct.exe
"C:\Windows\system32\wxct.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
PID:776

C:\Windows\SysWOW64\wyaxjrul.exe
"C:\Windows\system32\wyaxjrul.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2972

C:\Windows\SysWOW64\wihew.exe
"C:\Windows\system32\wihew.exe"
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3116

C:\Windows\SysWOW64\wjeiu.exe
"C:\Windows\system32\wjeiu.exe"
25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:332

C:\Windows\SysWOW64\wurrg.exe
"C:\Windows\system32\wurrg.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4640

C:\Windows\SysWOW64\wtkampe.exe
"C:\Windows\system32\wtkampe.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:5028

C:\Windows\SysWOW64\wmwbuvpp.exe
"C:\Windows\system32\wmwbuvpp.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4332

C:\Windows\SysWOW64\wvou.exe
"C:\Windows\system32\wvou.exe"
29⤵
- Executes dropped EXE
PID:540

C:\Windows\SysWOW64\wkfsrmef.exe
"C:\Windows\system32\wkfsrmef.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4652

C:\Windows\SysWOW64\wwgtle.exe
"C:\Windows\system32\wwgtle.exe"
31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4352

C:\Windows\SysWOW64\wdc.exe
"C:\Windows\system32\wdc.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\wuiepsj.exe
"C:\Windows\system32\wuiepsj.exe"
33⤵
- Checks computer location settings
- Executes dropped EXE
PID:3612

C:\Windows\SysWOW64\wjhegkbts.exe
"C:\Windows\system32\wjhegkbts.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\wuhfye.exe
"C:\Windows\system32\wuhfye.exe"
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3204

C:\Windows\SysWOW64\wnfp.exe
"C:\Windows\system32\wnfp.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\wxmwdim.exe
"C:\Windows\system32\wxmwdim.exe"
37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2004

C:\Windows\SysWOW64\wiptx.exe
"C:\Windows\system32\wiptx.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2304

C:\Windows\SysWOW64\wigvjwd.exe
"C:\Windows\system32\wigvjwd.exe"
39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4544

C:\Windows\SysWOW64\wwtalcon.exe
"C:\Windows\system32\wwtalcon.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\wbxrnqdq.exe
"C:\Windows\system32\wbxrnqdq.exe"
41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4468

C:\Windows\SysWOW64\wwdmc.exe
"C:\Windows\system32\wwdmc.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4512

C:\Windows\SysWOW64\wecj.exe
"C:\Windows\system32\wecj.exe"
43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2992

C:\Windows\SysWOW64\wqbktg.exe
"C:\Windows\system32\wqbktg.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
PID:4560

C:\Windows\SysWOW64\wmuyr.exe
"C:\Windows\system32\wmuyr.exe"
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852

C:\Windows\SysWOW64\wmkadsl.exe
"C:\Windows\system32\wmkadsl.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
PID:1160

C:\Windows\SysWOW64\wrskaafaf.exe
"C:\Windows\system32\wrskaafaf.exe"
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3368

C:\Windows\SysWOW64\wcoghx.exe
"C:\Windows\system32\wcoghx.exe"
48⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\wtchqed.exe
"C:\Windows\system32\wtchqed.exe"
49⤵
- Checks computer location settings
- Executes dropped EXE
PID:2856

C:\Windows\SysWOW64\wefgl.exe
"C:\Windows\system32\wefgl.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3032

C:\Windows\SysWOW64\wgdhlpbq.exe
"C:\Windows\system32\wgdhlpbq.exe"
51⤵
- Checks computer location settings
- Executes dropped EXE
PID:4204

C:\Windows\SysWOW64\wqabbfuw.exe
"C:\Windows\system32\wqabbfuw.exe"
52⤵
- Executes dropped EXE
PID:1280

C:\Windows\SysWOW64\wqxfbta.exe
"C:\Windows\system32\wqxfbta.exe"
53⤵
- Checks computer location settings
- Executes dropped EXE
PID:468

C:\Windows\SysWOW64\wcptoqjeo.exe
"C:\Windows\system32\wcptoqjeo.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2184

C:\Windows\SysWOW64\wshcqxxuw.exe
"C:\Windows\system32\wshcqxxuw.exe"
55⤵
- Checks computer location settings
- Executes dropped EXE
PID:4028

C:\Windows\SysWOW64\wbnxnxte.exe
"C:\Windows\system32\wbnxnxte.exe"
56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020

C:\Windows\SysWOW64\wncqqldk.exe
"C:\Windows\system32\wncqqldk.exe"
57⤵
- Executes dropped EXE
PID:3176

C:\Windows\SysWOW64\worsbe.exe
"C:\Windows\system32\worsbe.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\wtycxjr.exe
"C:\Windows\system32\wtycxjr.exe"
59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1676

C:\Windows\SysWOW64\wvkwqa.exe
"C:\Windows\system32\wvkwqa.exe"
60⤵
- Checks computer location settings
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\wvhbpoqhn.exe
"C:\Windows\system32\wvhbpoqhn.exe"
61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2108

C:\Windows\SysWOW64\wsuwpm.exe
"C:\Windows\system32\wsuwpm.exe"
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948

C:\Windows\SysWOW64\wwufywr.exe
"C:\Windows\system32\wwufywr.exe"
63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4516

C:\Windows\SysWOW64\wlxami.exe
"C:\Windows\system32\wlxami.exe"
64⤵
- Checks computer location settings
- Executes dropped EXE
PID:3020

C:\Windows\SysWOW64\wymefx.exe
"C:\Windows\system32\wymefx.exe"
65⤵
- Checks computer location settings
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\wbkhdlcnf.exe
"C:\Windows\system32\wbkhdlcnf.exe"
66⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3236

C:\Windows\SysWOW64\wgfhs.exe
"C:\Windows\system32\wgfhs.exe"
67⤵
- Checks computer location settings
PID:4060

C:\Windows\SysWOW64\wxsidy.exe
"C:\Windows\system32\wxsidy.exe"
68⤵
- Drops file in System32 directory
PID:4204

C:\Windows\SysWOW64\wvgf.exe
"C:\Windows\system32\wvgf.exe"
69⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3416

C:\Windows\SysWOW64\wlqm.exe
"C:\Windows\system32\wlqm.exe"
70⤵
- Checks computer location settings
PID:1052

C:\Windows\SysWOW64\wmrxmya.exe
"C:\Windows\system32\wmrxmya.exe"
71⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1768

C:\Windows\SysWOW64\wkevnvqjr.exe
"C:\Windows\system32\wkevnvqjr.exe"
72⤵
- Checks computer location settings
PID:312

C:\Windows\SysWOW64\wcqvxb.exe
"C:\Windows\system32\wcqvxb.exe"
73⤵
- Checks computer location settings
PID:756

C:\Windows\SysWOW64\wuhgbj.exe
"C:\Windows\system32\wuhgbj.exe"
74⤵
PID:4256

C:\Windows\SysWOW64\wuuys.exe
"C:\Windows\system32\wuuys.exe"
75⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2856

C:\Windows\SysWOW64\wshwtvb.exe
"C:\Windows\system32\wshwtvb.exe"
76⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5028

C:\Windows\SysWOW64\wltwebn.exe
"C:\Windows\system32\wltwebn.exe"
77⤵
- Checks computer location settings
PID:4780

C:\Windows\SysWOW64\wlrbcqs.exe
"C:\Windows\system32\wlrbcqs.exe"
78⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3908

C:\Windows\SysWOW64\wefbmve.exe
"C:\Windows\system32\wefbmve.exe"
79⤵
- Checks computer location settings
PID:4684

C:\Windows\SysWOW64\wxrb.exe
"C:\Windows\system32\wxrb.exe"
80⤵
- Checks computer location settings
PID:848

C:\Windows\SysWOW64\wlyfcq.exe
"C:\Windows\system32\wlyfcq.exe"
81⤵
- Checks computer location settings
PID:2792

C:\Windows\SysWOW64\whmccnhy.exe
"C:\Windows\system32\whmccnhy.exe"
82⤵
- Drops file in System32 directory
PID:3952

C:\Windows\SysWOW64\wrriqm.exe
"C:\Windows\system32\wrriqm.exe"
83⤵
- Checks computer location settings
- Drops file in System32 directory
PID:8

C:\Windows\SysWOW64\wltmb.exe
"C:\Windows\system32\wltmb.exe"
84⤵
PID:184

C:\Windows\SysWOW64\wuqjhm.exe
"C:\Windows\system32\wuqjhm.exe"
85⤵
PID:2992

C:\Windows\SysWOW64\wyfgkv.exe
"C:\Windows\system32\wyfgkv.exe"
86⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqjhm.exe"
86⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltmb.exe"
85⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrriqm.exe"
84⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmccnhy.exe"
83⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyfcq.exe"
82⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrb.exe"
81⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefbmve.exe"
80⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrbcqs.exe"
79⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltwebn.exe"
78⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshwtvb.exe"
77⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuuys.exe"
76⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhgbj.exe"
75⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqvxb.exe"
74⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1660
74⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkevnvqjr.exe"
73⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrxmya.exe"
72⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqm.exe"
71⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgf.exe"
70⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsidy.exe"
69⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfhs.exe"
68⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkhdlcnf.exe"
67⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymefx.exe"
66⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxami.exe"
65⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwufywr.exe"
64⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsuwpm.exe"
63⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhbpoqhn.exe"
62⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 8
62⤵
- Program crash
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkwqa.exe"
61⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtycxjr.exe"
60⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worsbe.exe"
59⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncqqldk.exe"
58⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnxnxte.exe"
57⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshcqxxuw.exe"
56⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcptoqjeo.exe"
55⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxfbta.exe"
54⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqabbfuw.exe"
53⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdhlpbq.exe"
52⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefgl.exe"
51⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtchqed.exe"
50⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoghx.exe"
49⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrskaafaf.exe"
48⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkadsl.exe"
47⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuyr.exe"
46⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbktg.exe"
45⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1684
45⤵
- Program crash
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecj.exe"
44⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdmc.exe"
43⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbxrnqdq.exe"
42⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1640
42⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtalcon.exe"
41⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigvjwd.exe"
40⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1668
40⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiptx.exe"
39⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmwdim.exe"
38⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfp.exe"
37⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhfye.exe"
36⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhegkbts.exe"
35⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiepsj.exe"
34⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdc.exe"
33⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwgtle.exe"
32⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfsrmef.exe"
31⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvou.exe"
30⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwbuvpp.exe"
29⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkampe.exe"
28⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurrg.exe"
27⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjeiu.exe"
26⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihew.exe"
25⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyaxjrul.exe"
24⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxct.exe"
23⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgckm.exe"
22⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjymx.exe"
21⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvwcr.exe"
20⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuyquuj.exe"
19⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslwcfoo.exe"
18⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjeqpg.exe"
17⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewfqa.exe"
16⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccck.exe"
15⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfctkicp.exe"
14⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmptrne.exe"
13⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waj.exe"
12⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqclyahkr.exe"
11⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfo.exe"
10⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapt.exe"
9⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpq.exe"
8⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whiihiax.exe"
7⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvincy.exe"
6⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrjthfds.exe"
5⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflhnpe.exe"
4⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmqmwld.exe"
3⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\6d528c0a2dbd434030f15feddb918120_NeikiAnalytics.exe"
2⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4544 -ip 4544
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4468 -ip 4468
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4560 -ip 4560
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2108 -ip 2108
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 756 -ip 756
1⤵
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\waj.exe

Filesize
93KB

MD5
8ac1cd81828881f517620d61a4f6ca55

SHA1
df2307c78098c2d8d8f955db09127b5a0bceacfd

SHA256
47c719f799386d159dfe1a5fe3be6be3ede489a181b2dd8aad77aea89c2d3cd1

SHA512
3d5274e80c98035485ee1e43e0f281225ce34872cdd9b111bcf94591e1692f0c483e1d769995c6b1099b3424eb9ae9cd0ec119dea1b7b422f95d95dd534dd2ca

Download Submit
C:\Windows\SysWOW64\wapt.exe

Filesize
93KB

MD5
15382935d3ebd5f3004cf43a695f173f

SHA1
4dc513014ebd4460e0ebeafe092fde2ffbdf54f0

SHA256
41a3ce71d4e3695f42019e3f8c44b60472a2b2e1df6fb451b0cf5890b7516870

SHA512
5ad11b5729fc00410aa3df6585a82673b576f0ad5e9a431521b2f32b15838e8ad7e00006bd00734d852752c9adcb8c143af7912d6c8eacdb5bc57481e44313eb

Download Submit
C:\Windows\SysWOW64\wccck.exe

Filesize
93KB

MD5
72fecafa5ffb9f2c8837801db0132e3e

SHA1
d0c07e540ac969e5adaf422ade893315853349e0

SHA256
f907c21b2627784b2bfbee1ee814c28a63b3442f2ebdb5c43d58a4e107244945

SHA512
2dac276e5eab30b3fad390c39f8282f8851ae9d2876b440bea55dc7d0119826a688f31b56f7f22a637901d1707b7ffa20a2ef0642356a40ed57cb6968a9070c4

Download Submit
C:\Windows\SysWOW64\wdc.exe

Filesize
94KB

MD5
cfd04ba5147a9aa97debd6593b4be990

SHA1
ad46cd113cf23b2a01f9d1fba9038345ed9f6bfb

SHA256
ba00a782891b8faa2d1a9c066db81813fbe2fdc6b33243b60496995dd1c95683

SHA512
51eac1f1103d8b809df7be1724a91c237f55f5fcc3eb3c43114f3b499028a7a2cb5692dd1fbb00e403669ab8ae119002c9420ea9ef0fe748d5fc0fa076afc18c

Download Submit
C:\Windows\SysWOW64\wdvincy.exe

Filesize
93KB

MD5
b6e23b0173bd97f9d52e14125ea63d99

SHA1
b23cedfe43b6ed42bb18394a38741db293dadf40

SHA256
7e41d527f2bcb6ffe4258021326168eaee3df781421f7738ace3f0a31c5c2655

SHA512
dcb3b515ada5dbfd87e9cc777fe8dc0e413a5221eb4bf7f16b94eedb692c52a13f1e1c031a45281aab3921f6cfb959791435eac10ed69067e67dfcb4f900a6ce

Download Submit
C:\Windows\SysWOW64\wewfqa.exe

Filesize
93KB

MD5
6eb528f671f956d957d55a60448b80e9

SHA1
8250cd2a43335ac8726fefac79cc4e905ba97f5e

SHA256
15cd27cb9e70980902e147992201a81f761de2557851aaf682ed1a2f8ee0c5e0

SHA512
f207047291897bec861e41b7bcffc41377306c0d7ca06e0da4b64fa7d4a8b9f098a21fd8f1c4d84eac524885dcf9919c8b4dc4ff3cfc2b37207095271066e137

Download Submit
C:\Windows\SysWOW64\wflhnpe.exe

Filesize
93KB

MD5
90e865184c17fa9091b8c4f61f3e556a

SHA1
291a510d554ada3380662cc47951683677e5e69c

SHA256
fac656edecfeb414b3e751c84c6efdcbd8672335419cf007bc0c36736dadece9

SHA512
c423f4813070b96536bf36d071fe7292e849c3f488233b8dd6f22f5727207da162b350ef33d5150d3c518f0be6ff02770788da0dcb7d1021da75737d00db634f

Download Submit
C:\Windows\SysWOW64\wgfo.exe

Filesize
93KB

MD5
7a4f3435a809f06cb8064a63cbf3bde7

SHA1
4d5b683222f78a36348a44d75378907347f5990d

SHA256
90bff16d818c607108d3876745effd84b5db8d1c66b85631d0514319f30567a4

SHA512
8cca4ccd6f2c992f4d965fe062049daef8c66fbfa5c0c8a75737852be67734e88c5819ea1fb313399ae71d3543c7e608502207cfe7920b7957ada7625b962c8b

Download Submit
C:\Windows\SysWOW64\whiihiax.exe

Filesize
93KB

MD5
a5fe4b85a8d4dc5dace7b221831ebae0

SHA1
c38d09b6bf4065704cc8a518449bb9844edee17a

SHA256
27db148ede80dd4c9ab37e9d93b55c53038b78d8625e81d91d17cd8b22aa0f40

SHA512
025312940b87c8553e39f825b835e57802cf7008a2924d5df92d52ee1c6a7ed52a5415752f5c3670da955855fc89bb1e7b281fc10347f729059dfb5431c323c0

Download Submit
C:\Windows\SysWOW64\wihew.exe

Filesize
94KB

MD5
7a40e448479e7e91c4a2874d229fa7c4

SHA1
3e851687cea88a15f1593a0c96fc79c4c4789794

SHA256
284e1cbe3170dca45d53ea3625fb3a92a0e234d092d13220f5fc97b0f8ed0e69

SHA512
dac35f4bdd16cedc96a69be766d07ca119f64d407604c9d8fa5f76cf6107e7fe969ce2081fa050ddae3aedd9792fa4c50f04045315abeff5a4e9102bb5c0b8a5

Download Submit
C:\Windows\SysWOW64\wjeiu.exe

Filesize
94KB

MD5
e13a688d58c535ce29dbb996734ca997

SHA1
de70cc843c02f3108858970d8a8ab78ed8df4c9a

SHA256
7b8726be77c2a0c34a8200c94e0bcfede06f34359fd1744d496307a71f5356e2

SHA512
1de8feab5dfdb04bcaa9380571ee99fc7af653d5c8ad0bb24aa49b755c1dacfa7ffc55e2592de74086898e618b0ec229deb433a31d5574c9d38c6846189f2d04

Download Submit
C:\Windows\SysWOW64\wjeqpg.exe

Filesize
93KB

MD5
a0888d9947c0e28ab60890632ea7b2b4

SHA1
23741f008d8e6cf7a41a850deb93d4eab0506388

SHA256
31d25184637d5d6e94391e3bc9ea68e1930cd05722ce65ee403748705ef6fc2d

SHA512
d584477bed2dbecb7a4400a94a51b00a8d359d97b7f7539fe5dbe9263276532c66fef9a41d7f8e4aee73b63f088682b9ef54fcf5b0def106c65c8e2e5a7cd01d

Download Submit
C:\Windows\SysWOW64\wkfsrmef.exe

Filesize
94KB

MD5
f79ed32bac8b66d0b3754bcf031a86ef

SHA1
7df5acbbff4635362878658853717dcb73e76cda

SHA256
275eaa321fff86a0ce547d264bb8658f3d058767fad397b11c7bfcf61ab85ab5

SHA512
e024293c9439d64392dd0c4cb0fffd339987a1f288e45fb5fed7a2fbe339a2a7a4484866bbb79f2f67aecc8563d2f58834b8040c9eb06b7f12b3fce62d572244

Download Submit
C:\Windows\SysWOW64\wkjymx.exe

Filesize
93KB

MD5
7b2d49b324a0c1bbf0a58215f076d908

SHA1
8a2774775e1e79341aab0e01b287f2a3c3e88d97

SHA256
902f6444f530a82b5f3643c5943b13f40bca182c389fb55cdf88e8ef35001cb6

SHA512
28135a100f4fe2aca9265023e697c323194b097e9b292c907799a73a9e79bc5d9385b3dba0947fe17094c4b3b80d92bd5ce8d224c04ccf390f6692a1d31ceebb

Download Submit
C:\Windows\SysWOW64\wlgckm.exe

Filesize
93KB

MD5
78234fdf5d99d69bfdc31089a323f36b

SHA1
fd10b6523e6bf5634aa14d5d5e925f92578abce4

SHA256
6b6fceebc1467ebe66b8a28e87e67baee4b2adab7a76e3ea897788c7d5a30e22

SHA512
d6b19f437c5d9a83fa09d8c17dcf25dddc137897bf82bdfd77494e296dc13f4a367966663fdfd7b0abb7d8540319983f09d6d654ccf12f1c0709b3a9f293d96b

Download Submit
C:\Windows\SysWOW64\wmptrne.exe

Filesize
93KB

MD5
f9cb04ae04bd23d41c7192062af3f95e

SHA1
a2677524119d3463996af46aa5a1d8ec20ee3ac7

SHA256
fec38457f7ab26b0ffeff08a9eac816391936ca4fe61633c9526c763271671b9

SHA512
324cd582807e554c714dba7a1d328a10a36b2afc807a2d78f5cd829d2b20f0264bfb0602ffeb34a77bb774cf2a4919262b69f711cf8a2bf497fd4e61bda7c467

Download Submit
C:\Windows\SysWOW64\wmwbuvpp.exe

Filesize
94KB

MD5
7e851a47d89b26ccba7d92fa6bedc015

SHA1
2945c24052116b7de0be221925958425addac7f9

SHA256
0cbb83acf4d194bb405b804d426bc53e57a49250f5a385e0d44a7773c63c0f3a

SHA512
0ddae84555cd7518c9c4a168128ca7f7ca919b1a1d29982f7ed656675ecc5140881ea050bf2ad070623ba0a59d1a3e73388475885733ccb2aae99d56608dec9b

Download Submit
C:\Windows\SysWOW64\wpq.exe

Filesize
93KB

MD5
bb508f1d517b4ca217785fddc9714b1f

SHA1
f782b8ed074a91ebc369f74c823e497163f80a3b

SHA256
9ec2dfde39e142de05e8df72810aa3d0001c40cfc26a5fc60e4d64f883bd10c7

SHA512
dedebcfe0ed524990665f4a5b2b2746d83edd5cbeb6f5db14e72671e691d1e0e3bf820b19469a8db7de6978639dccd088397288ea159ff5427ad80c1e70f0dfd

Download Submit
C:\Windows\SysWOW64\wpvwcr.exe

Filesize
93KB

MD5
60ec2eed2330302fa797124737111481

SHA1
070aa4a4ca99051d6fa8fdc9783e1b974d85c95a

SHA256
e765c6b3a9dd43d4508a5bcd8abcea210b538bbcf95c46c9a492b4b59fbdc889

SHA512
c044c1763c576186c83605ee531e4601fa96f9fdf615d1df083fefdca80e9231d1967223029b2a467fdaa205f5f129830ed83b46c7f02bcbc082be6445be626a

Download Submit
C:\Windows\SysWOW64\wqclyahkr.exe

Filesize
93KB

MD5
29f6748d7b96e7f1f2b9182ba8f2b595

SHA1
7922546369f14a8393880573fe53f7d34a5a2d57

SHA256
eb1b9d29cb208ffaac765542c81a0493a217e47a3294edc5ffcbba6353bf053c

SHA512
6c5dea95546fd624e04bbd4f0d11d83d3acc71465ce0ed16f635fe939f48fbc039708df098feeb376bf3578503fdb9d5862b97dd91b8909ab76229e6fae70e10

Download Submit
C:\Windows\SysWOW64\wslwcfoo.exe

Filesize
93KB

MD5
37c1b959db3a1623de726212f9f224b2

SHA1
7d29c29443bab41cd7e5c5567664a47c631ad720

SHA256
8740b52599aee65ad2210e8f3f082309fc9aa1bc0a64931c880d36516d7b6565

SHA512
288fab7518be6618260b73393a6f09d6e4dff908d6870f1a98975c4325b278d52cbb4f1b9444eea1e9bc6d3b148d25ad1482fabbce94e2cef17d8ca16b38db13

Download Submit
C:\Windows\SysWOW64\wsrjthfds.exe

Filesize
93KB

MD5
a4d2b07135ab2f3defea0d04adc95542

SHA1
05131ceb781346137a24edded873f70a8ae00d7b

SHA256
798958ddfe08943b79f1930bdcba15434ab9a62ff7d38161015075759c506a26

SHA512
8b8446eebe6a30272fbaa4c61c78992a6b97b86865a134eeff3b8d617671507e88fbae0fa00a6ed7ed512cb705407aa1d0dbf247552e0c154a7d221d7fa754b4

Download Submit
C:\Windows\SysWOW64\wtkampe.exe

Filesize
94KB

MD5
c5384ef4ab291d4eed6ab20aa94c016c

SHA1
005e601b259386f60ad857cb021ec551e5e446a8

SHA256
284bbdfe161ac89544daa81ca2ff715a961bb2c2ae32750c2de59359c598cd43

SHA512
18259b1606a0316a5ee12e026daafa5af9a9c694f8324f4a7e16a47b18f41c0038b9cfa64259b011351b4826986abbf4d5b485245173ac4e880f00de5ccde172

Download Submit
C:\Windows\SysWOW64\wtmqmwld.exe

Filesize
93KB

MD5
863e9b4c7ff360628f8c6acb3158382f

SHA1
c4db9ed9896ff23f102ac666728b7679f8e97749

SHA256
c4b95682e279a7a0fae5e52c12f16ce7e6d155d35a93f8c251dd17ea5156b6ea

SHA512
32db0168ab95d12695f33842f7654d6e01ed6e56120a615b64144df28516010eff3b522650f7a7e39c331e93513f8579f5b2667b8e372a094b93bde75630b857

Download Submit
C:\Windows\SysWOW64\wuiepsj.exe

Filesize
94KB

MD5
021891614d60b882a655f455ae2a3ca4

SHA1
466790c72f35a6054a91eb28ad46497c3e894782

SHA256
73bd57c826bbc5d483773db8a63619fe867356a1281f25ed2b146db935311a02

SHA512
71b85a94090d470c0eae02cd60bfaa9d40da72c405fa9233fa8660f586628a116b8e036362fdbec250b8e089d96bd06d645326f1016598e32980574cb664fe2a

Download Submit
C:\Windows\SysWOW64\wurrg.exe

Filesize
94KB

MD5
bd2cd10d8c2835fec306dc80dd423572

SHA1
df2a77272b0e084604f22d732a0bbcd27f035b6a

SHA256
2fe11b28dba8675f01955d2c0a31f88124f0710db8209b3402efc62a765e0f7a

SHA512
f1afce6c9dbf0138d80bd24e7924cd6a6e97f5b7bd85787d405f4a7d3af7805b044dac2e35f8cc1b4bb3642d3c63d60f70ef99af16abe0cebc98c24cc65790e9

Download Submit
C:\Windows\SysWOW64\wuyquuj.exe

Filesize
93KB

MD5
1bb36e434bffdd920f50eb5539907fcb

SHA1
5569b93b1f1774f26d43ca5ef5d10413fe1213a0

SHA256
152b412d9bdcf51e848214ae6bd316bdbb3536f3a5fd8c46cf8dc8458006512f

SHA512
62b2a67eedfed8e1d057ca7fdeaa0d9a58bc7e38bdd7c0dd6ac44a5b9fad9cbc1d4a69ba6fcada15196cc386a32bd4c57bf3f2dd54c0eb2a8375ec95c4f99987

Download Submit
C:\Windows\SysWOW64\wvou.exe

Filesize
94KB

MD5
dd9d9a558b3afe1c48ab9a6ee45bdb7c

SHA1
2807a3772411e636c378003e9da6a8ba3556c5c0

SHA256
e0356c346b3cc046d58e56ef1fb60da3f02e5338711173fc592164169981b9c4

SHA512
54986101d1e89bd2158fd60c2fc40bcb9eb9f79ceaf4035ab003f5a2ea4ababfce9fac1adaa61de0701d508f21d53accf667821157c7d2cf992a67846b1f9037

Download Submit
C:\Windows\SysWOW64\wwfctkicp.exe

Filesize
93KB

MD5
287d17661a4750208675c7c2c81eaf8a

SHA1
264295a5324db0f9d55a175750184fcfdc84851e

SHA256
0d0175480f6967aed853205ab290e0da3c17600679fbb0f6548c75c14e097344

SHA512
b9c725b29fe3e9c1b6a05071ee99db5298800255174f90ff3fde6b107478b168900a10092d3d09792b52a92108cc42c7b9c5d7de2f0392a70e8cc0786eab49b2

Download Submit
C:\Windows\SysWOW64\wwgtle.exe

Filesize
94KB

MD5
7cf3fd20735cc6e965be1157d4e65911

SHA1
718a8c034ba512e1376c56da897f36ebcbb5789e

SHA256
0152dd85b4d88d95d41a24e2c8bc0a2a4869be5bac488c0de026ff1ad7ec1c1a

SHA512
761772ece0d5bc5776e15eea4fe84da1423e1ee0c1f73ed3462a45dd7aa358691aa63fe1c93d47e83d39598bbec89f6c9573fba6006f4c1d65308f8e0002e0f9

Download Submit
C:\Windows\SysWOW64\wxct.exe

Filesize
93KB

MD5
13f128080427e06d779d8c51a7bf38d6

SHA1
1824ed862faa8c4adfbddf3b59a1356c2aecc0ba

SHA256
12f23365e8be73540a7d63a63f3eb604c652d7e2d6b874f7dc449c40c20793c0

SHA512
7cbb256906ea88228391594b1f278e7c985dfab77b868b5ca5c3988d4108c32c79f1437cf2b707c6062cff0a7a3e2f1dba876861df3529e684d35d80d13d94ca

Download Submit
C:\Windows\SysWOW64\wyaxjrul.exe

Filesize
93KB

MD5
f832d1c257873d2a8c7c607ae348e5fe

SHA1
755a45c5a9a753fd3209859f6f17d32b36130868

SHA256
4bd8aed26cf78bfaf55ef5a69db434d826ea446e005f542c55b5f49fd56bf11a

SHA512
558db563b21c19c1ef09a9cf857ed445098d62fbfbc72a6cba408dc3c5e9b6eb7e7ebec7be3f7e1e8ca4879c18f55c5b099950e8b17771b57839c777ab84ace4

Download Submit
memory/332-261-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/468-512-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/540-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/540-293-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/672-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/776-219-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/776-230-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/792-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/792-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1052-654-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1052-644-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1160-454-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1280-504-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1412-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1640-612-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1676-563-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1768-653-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1840-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1848-571-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1972-470-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2004-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-335-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-343-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-579-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2184-521-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2304-378-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2304-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2336-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2372-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2412-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2544-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2544-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2652-360-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2652-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2852-446-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2852-437-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2856-479-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2968-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2972-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-529-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-538-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-603-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3032-478-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3032-488-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3116-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-547-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3204-361-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-611-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-620-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3268-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3268-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3368-462-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3368-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-645-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3468-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3468-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3536-175-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3536-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3612-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3784-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3948-587-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4028-520-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4028-530-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4060-628-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4204-496-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4204-487-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4204-636-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4332-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4332-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4332-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4352-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4468-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4468-401-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4468-412-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4512-421-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4512-411-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4516-595-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4544-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4544-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4560-438-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4640-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4652-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4652-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4652-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4728-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4844-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5028-282-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5028-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5060-555-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5060-546-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download