f8bf94a22db072f7b35db50dc58b6b00a8c76934f09f638cde1d583330b5ec92

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
Size

93KB
MD5

7cef84bc078b5eaeaff9185b9a95a1c0
SHA1

3d8d17237bf0eb0db0ef9fd107080d68f63dce69
SHA256

f8bf94a22db072f7b35db50dc58b6b00a8c76934f09f638cde1d583330b5ec92
SHA512

3f8d18ae68b6b0c1616a1a8b4ed7dfe2b3bbacbb70d0d14ddb2ecf07f38dc4ee20a7ce5d5457e39291ec3d6ca35bd9e6b41ecadaecb98c6994b7ccca17c76437
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCiv:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQCm

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wewquyyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	werp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wukef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wvyyyos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbbjegwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wucbcu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wvsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlnrqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wiwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wah.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wllhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	weqe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcksjnae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wegdbonf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wounvq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlufqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlpdl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wvdchcijh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wntkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgbaiuv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmgfisq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxidnb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wiuqnxmb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxgyyum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkkyle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wluhubn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpqnnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqjnbj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wadrihan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpnsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxklq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbditsgql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wisl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	weucdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpbxsvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	weicc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wycdtdh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfukcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwkcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wgjtgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlsdwpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdcxtctu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbmkw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wvjwbeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwqbrn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wogc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wquswhjgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnpmoylv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnfvpruig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmkhly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wungsuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwrkfhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlaiejkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtdmuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkwim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wopoxml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	whmyuet.exe

Executes dropped EXE 64 IoCs

pid	Process
3948	wwqbrn.exe
648	wisl.exe
4888	wtdmuo.exe
3776	wcksjnae.exe
4864	wbbjegwj.exe
4236	wmkhly.exe
2628	wopoxml.exe
3948	weucdt.exe
4076	wxidnb.exe
4380	wucbcu.exe
4024	wgea.exe
4764	wlpdl.exe
3440	wvsc.exe
2068	wogc.exe
4604	wvdchcijh.exe
2276	wkwim.exe
1244	wdut.exe
3468	wntkn.exe
384	wpbxsvg.exe
952	wquswhjgi.exe
2904	wplksyfm.exe
2516	wpnsv.exe
5012	wewquyyn.exe
3080	wegdbonf.exe
2992	wiuqnxmb.exe
1576	wgbaiuv.exe
3116	wlsdwpj.exe
716	wkjur.exe
2264	wqjnbj.exe
224	wlaiejkr.exe
4480	wfukcm.exe
4380	wmeospf.exe
2448	werp.exe
3116	wounvq.exe
2852	wungsuq.exe
3948	wwrkfhe.exe
1368	wlufqt.exe
4412	wespiba.exe
3288	wnpmoylv.exe
932	wadrihan.exe
3424	wlnrqa.exe
4772	wiwg.exe
2940	wxklq.exe
2288	whmyuet.exe
2016	wrqv.exe
4368	wkkyle.exe
2924	wuuys.exe
1548	wxh.exe
1968	wluhubn.exe
632	wispd.exe
3000	wtkdqtx.exe
1128	wbditsgql.exe
3056	wpqnnh.exe
3116	wwq.exe
2876	wmgfisq.exe
1732	wwkcd.exe
3792	wukef.exe
2152	wgjtgy.exe
2844	wvyyyos.exe
4412	woaocst.exe
1608	wdcxtctu.exe
5100	wlcqd.exe
4356	wnfvpruig.exe
4636	weicc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wounvq = "\"C:\\Windows\\SysWOW64\\wounvq.exe\""	wounvq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weicc = "\"C:\\Windows\\SysWOW64\\weicc.exe\""	weicc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wah = "\"C:\\Windows\\SysWOW64\\wah.exe\""	wah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbmkw = "\"C:\\Windows\\SysWOW64\\wbmkw.exe\""	wbmkw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wllhy = "\"C:\\Windows\\SysWOW64\\wllhy.exe\""	wllhy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weucdt = "\"C:\\Windows\\SysWOW64\\weucdt.exe\""	weucdt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgea = "\"C:\\Windows\\SysWOW64\\wgea.exe\""	wgea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvsc = "\"C:\\Windows\\SysWOW64\\wvsc.exe\""	wvsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpbxsvg = "\"C:\\Windows\\SysWOW64\\wpbxsvg.exe\""	wpbxsvg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmeospf = "\"C:\\Windows\\SysWOW64\\wmeospf.exe\""	wmeospf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvyyyos = "\"C:\\Windows\\SysWOW64\\wvyyyos.exe\""	wvyyyos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwqbrn = "\"C:\\Windows\\SysWOW64\\wwqbrn.exe\""	wwqbrn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wegdbonf = "\"C:\\Windows\\SysWOW64\\wegdbonf.exe\""	wegdbonf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkjur = "\"C:\\Windows\\SysWOW64\\wkjur.exe\""	wkjur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwrkfhe = "\"C:\\Windows\\SysWOW64\\wwrkfhe.exe\""	wwrkfhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkkyle = "\"C:\\Windows\\SysWOW64\\wkkyle.exe\""	wkkyle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbditsgql = "\"C:\\Windows\\SysWOW64\\wbditsgql.exe\""	wbditsgql.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wisl = "\"C:\\Windows\\SysWOW64\\wisl.exe\""	wisl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmkhly = "\"C:\\Windows\\SysWOW64\\wmkhly.exe\""	wmkhly.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wquswhjgi = "\"C:\\Windows\\SysWOW64\\wquswhjgi.exe\""	wquswhjgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgbaiuv = "\"C:\\Windows\\SysWOW64\\wgbaiuv.exe\""	wgbaiuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlnrqa = "\"C:\\Windows\\SysWOW64\\wlnrqa.exe\""	wlnrqa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wispd = "\"C:\\Windows\\SysWOW64\\wispd.exe\""	wispd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlpdl = "\"C:\\Windows\\SysWOW64\\wlpdl.exe\""	wlpdl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlcqd = "\"C:\\Windows\\SysWOW64\\wlcqd.exe\""	wlcqd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wycdtdh = "\"C:\\Windows\\SysWOW64\\wycdtdh.exe\""	wycdtdh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkwim = "\"C:\\Windows\\SysWOW64\\wkwim.exe\""	wkwim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wplksyfm = "\"C:\\Windows\\SysWOW64\\wplksyfm.exe\""	wplksyfm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\werp = "\"C:\\Windows\\SysWOW64\\werp.exe\""	werp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woaocst = "\"C:\\Windows\\SysWOW64\\woaocst.exe\""	woaocst.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnfvpruig = "\"C:\\Windows\\SysWOW64\\wnfvpruig.exe\""	wnfvpruig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe\""	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfukcm = "\"C:\\Windows\\SysWOW64\\wfukcm.exe\""	wfukcm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wungsuq = "\"C:\\Windows\\SysWOW64\\wungsuq.exe\""	wungsuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wespiba = "\"C:\\Windows\\SysWOW64\\wespiba.exe\""	wespiba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuqnxmb = "\"C:\\Windows\\SysWOW64\\wiuqnxmb.exe\""	wiuqnxmb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxklq = "\"C:\\Windows\\SysWOW64\\wxklq.exe\""	wxklq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxh = "\"C:\\Windows\\SysWOW64\\wxh.exe\""	wxh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wopoxml = "\"C:\\Windows\\SysWOW64\\wopoxml.exe\""	wopoxml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wucbcu = "\"C:\\Windows\\SysWOW64\\wucbcu.exe\""	wucbcu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wogc = "\"C:\\Windows\\SysWOW64\\wogc.exe\""	wogc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpnsv = "\"C:\\Windows\\SysWOW64\\wpnsv.exe\""	wpnsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlaiejkr = "\"C:\\Windows\\SysWOW64\\wlaiejkr.exe\""	wlaiejkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlufqt = "\"C:\\Windows\\SysWOW64\\wlufqt.exe\""	wlufqt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wukef = "\"C:\\Windows\\SysWOW64\\wukef.exe\""	wukef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjs = "\"C:\\Windows\\SysWOW64\\wjs.exe\""	wjs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqjnbj = "\"C:\\Windows\\SysWOW64\\wqjnbj.exe\""	wqjnbj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whmyuet = "\"C:\\Windows\\SysWOW64\\whmyuet.exe\""	whmyuet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgjtgy = "\"C:\\Windows\\SysWOW64\\wgjtgy.exe\""	wgjtgy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbbjegwj = "\"C:\\Windows\\SysWOW64\\wbbjegwj.exe\""	wbbjegwj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvdchcijh = "\"C:\\Windows\\SysWOW64\\wvdchcijh.exe\""	wvdchcijh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsdwpj = "\"C:\\Windows\\SysWOW64\\wlsdwpj.exe\""	wlsdwpj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wadrihan = "\"C:\\Windows\\SysWOW64\\wadrihan.exe\""	wadrihan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxidnb = "\"C:\\Windows\\SysWOW64\\wxidnb.exe\""	wxidnb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdut = "\"C:\\Windows\\SysWOW64\\wdut.exe\""	wdut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wntkn = "\"C:\\Windows\\SysWOW64\\wntkn.exe\""	wntkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtkdqtx = "\"C:\\Windows\\SysWOW64\\wtkdqtx.exe\""	wtkdqtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmgfisq = "\"C:\\Windows\\SysWOW64\\wmgfisq.exe\""	wmgfisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxgyyum = "\"C:\\Windows\\SysWOW64\\wxgyyum.exe\""	wxgyyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcksjnae = "\"C:\\Windows\\SysWOW64\\wcksjnae.exe\""	wcksjnae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwq = "\"C:\\Windows\\SysWOW64\\wwq.exe\""	wwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdcxtctu = "\"C:\\Windows\\SysWOW64\\wdcxtctu.exe\""	wdcxtctu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwkcd = "\"C:\\Windows\\SysWOW64\\wwkcd.exe\""	wwkcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvjwbeg = "\"C:\\Windows\\SysWOW64\\wvjwbeg.exe\""	wvjwbeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wucbcu.exe	wxidnb.exe
File opened for modification	C:\Windows\SysWOW64\wkwim.exe	wvdchcijh.exe
File created	C:\Windows\SysWOW64\wvyyyos.exe	wgjtgy.exe
File opened for modification	C:\Windows\SysWOW64\wlpdl.exe	wgea.exe
File created	C:\Windows\SysWOW64\wukef.exe	wwkcd.exe
File opened for modification	C:\Windows\SysWOW64\wkjur.exe	wlsdwpj.exe
File created	C:\Windows\SysWOW64\weucdt.exe	wopoxml.exe
File created	C:\Windows\SysWOW64\wdut.exe	wkwim.exe
File created	C:\Windows\SysWOW64\wntkn.exe	wdut.exe
File opened for modification	C:\Windows\SysWOW64\wpbxsvg.exe	wntkn.exe
File opened for modification	C:\Windows\SysWOW64\wegdbonf.exe	wewquyyn.exe
File created	C:\Windows\SysWOW64\wlsdwpj.exe	wgbaiuv.exe
File opened for modification	C:\Windows\SysWOW64\wvdchcijh.exe	wogc.exe
File created	C:\Windows\SysWOW64\wquswhjgi.exe	wpbxsvg.exe
File created	C:\Windows\SysWOW64\wnfvpruig.exe	wlcqd.exe
File opened for modification	C:\Windows\SysWOW64\wxidnb.exe	weucdt.exe
File opened for modification	C:\Windows\SysWOW64\wfukcm.exe	wlaiejkr.exe
File created	C:\Windows\SysWOW64\wounvq.exe	werp.exe
File opened for modification	C:\Windows\SysWOW64\wxklq.exe	wiwg.exe
File opened for modification	C:\Windows\SysWOW64\weqe.exe	wxgyyum.exe
File created	C:\Windows\SysWOW64\wogc.exe	wvsc.exe
File opened for modification	C:\Windows\SysWOW64\wdut.exe	wkwim.exe
File opened for modification	C:\Windows\SysWOW64\wlaiejkr.exe	wqjnbj.exe
File created	C:\Windows\SysWOW64\wungsuq.exe	wounvq.exe
File opened for modification	C:\Windows\SysWOW64\wwq.exe	wpqnnh.exe
File opened for modification	C:\Windows\SysWOW64\wvjwbeg.exe	wllhy.exe
File opened for modification	C:\Windows\SysWOW64\wpnsv.exe	wplksyfm.exe
File created	C:\Windows\SysWOW64\wmeospf.exe	wfukcm.exe
File created	C:\Windows\SysWOW64\wgjtgy.exe	wukef.exe
File opened for modification	C:\Windows\SysWOW64\wdcxtctu.exe	woaocst.exe
File opened for modification	C:\Windows\SysWOW64\wbbjegwj.exe	wcksjnae.exe
File created	C:\Windows\SysWOW64\wiuqnxmb.exe	wegdbonf.exe
File opened for modification	C:\Windows\SysWOW64\wqjnbj.exe	wkjur.exe
File created	C:\Windows\SysWOW64\werp.exe	wmeospf.exe
File opened for modification	C:\Windows\SysWOW64\wuuys.exe	wkkyle.exe
File created	C:\Windows\SysWOW64\wluhubn.exe	wxh.exe
File opened for modification	C:\Windows\SysWOW64\wwrkfhe.exe	wungsuq.exe
File created	C:\Windows\SysWOW64\wycdtdh.exe	wjs.exe
File created	C:\Windows\SysWOW64\wbditsgql.exe	wtkdqtx.exe
File created	C:\Windows\SysWOW64\wwq.exe	wpqnnh.exe
File opened for modification	C:\Windows\SysWOW64\wwkcd.exe	wmgfisq.exe
File created	C:\Windows\SysWOW64\wlcqd.exe	wdcxtctu.exe
File opened for modification	C:\Windows\SysWOW64\wllhy.exe	wah.exe
File created	C:\Windows\SysWOW64\wxbwgxugm.exe	weqe.exe
File opened for modification	C:\Windows\SysWOW64\wtkdqtx.exe	wispd.exe
File opened for modification	C:\Windows\SysWOW64\wvyyyos.exe	wgjtgy.exe
File opened for modification	C:\Windows\SysWOW64\wisl.exe	wwqbrn.exe
File opened for modification	C:\Windows\SysWOW64\wewquyyn.exe	wpnsv.exe
File created	C:\Windows\SysWOW64\wlaiejkr.exe	wqjnbj.exe
File opened for modification	C:\Windows\SysWOW64\wounvq.exe	werp.exe
File created	C:\Windows\SysWOW64\wlufqt.exe	wwrkfhe.exe
File opened for modification	C:\Windows\SysWOW64\wlnrqa.exe	wadrihan.exe
File created	C:\Windows\SysWOW64\wjs.exe	wbmkw.exe
File opened for modification	C:\Windows\SysWOW64\wah.exe	wycdtdh.exe
File created	C:\Windows\SysWOW64\wewquyyn.exe	wpnsv.exe
File opened for modification	C:\Windows\SysWOW64\wrqv.exe	whmyuet.exe
File created	C:\Windows\SysWOW64\wkkyle.exe	wrqv.exe
File opened for modification	C:\Windows\SysWOW64\wispd.exe	wluhubn.exe
File opened for modification	C:\Windows\SysWOW64\weicc.exe	wnfvpruig.exe
File opened for modification	C:\Windows\SysWOW64\wbmkw.exe	weicc.exe
File created	C:\Windows\SysWOW64\wxidnb.exe	weucdt.exe
File opened for modification	C:\Windows\SysWOW64\wadrihan.exe	wnpmoylv.exe
File opened for modification	C:\Windows\SysWOW64\wbditsgql.exe	wtkdqtx.exe
File opened for modification	C:\Windows\SysWOW64\wquswhjgi.exe	wpbxsvg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4736	3080	WerFault.exe	169
1156	716	WerFault.exe	184
5012	716	WerFault.exe	184
1760	932	WerFault.exe	224
4260	932	WerFault.exe	224
2024	1968	WerFault.exe	255
3032	3000	WerFault.exe	263

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 3948	4300	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	90
PID 4300 wrote to memory of 3948	4300	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	90
PID 4300 wrote to memory of 3948	4300	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	90
PID 4300 wrote to memory of 1556	4300	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	92
PID 4300 wrote to memory of 1556	4300	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	92
PID 4300 wrote to memory of 1556	4300	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	92
PID 3948 wrote to memory of 648	3948	wwqbrn.exe	94
PID 3948 wrote to memory of 648	3948	wwqbrn.exe	94
PID 3948 wrote to memory of 648	3948	wwqbrn.exe	94
PID 3948 wrote to memory of 2304	3948	wwqbrn.exe	95
PID 3948 wrote to memory of 2304	3948	wwqbrn.exe	95
PID 3948 wrote to memory of 2304	3948	wwqbrn.exe	95
PID 648 wrote to memory of 4888	648	wisl.exe	97
PID 648 wrote to memory of 4888	648	wisl.exe	97
PID 648 wrote to memory of 4888	648	wisl.exe	97
PID 648 wrote to memory of 3720	648	wisl.exe	98
PID 648 wrote to memory of 3720	648	wisl.exe	98
PID 648 wrote to memory of 3720	648	wisl.exe	98
PID 4888 wrote to memory of 3776	4888	wtdmuo.exe	102
PID 4888 wrote to memory of 3776	4888	wtdmuo.exe	102
PID 4888 wrote to memory of 3776	4888	wtdmuo.exe	102
PID 4888 wrote to memory of 4740	4888	wtdmuo.exe	103
PID 4888 wrote to memory of 4740	4888	wtdmuo.exe	103
PID 4888 wrote to memory of 4740	4888	wtdmuo.exe	103
PID 3776 wrote to memory of 4864	3776	wcksjnae.exe	107
PID 3776 wrote to memory of 4864	3776	wcksjnae.exe	107
PID 3776 wrote to memory of 4864	3776	wcksjnae.exe	107
PID 3776 wrote to memory of 4372	3776	wcksjnae.exe	108
PID 3776 wrote to memory of 4372	3776	wcksjnae.exe	108
PID 3776 wrote to memory of 4372	3776	wcksjnae.exe	108
PID 4864 wrote to memory of 4236	4864	wbbjegwj.exe	110
PID 4864 wrote to memory of 4236	4864	wbbjegwj.exe	110
PID 4864 wrote to memory of 4236	4864	wbbjegwj.exe	110
PID 4864 wrote to memory of 1312	4864	wbbjegwj.exe	111
PID 4864 wrote to memory of 1312	4864	wbbjegwj.exe	111
PID 4864 wrote to memory of 1312	4864	wbbjegwj.exe	111
PID 4236 wrote to memory of 2628	4236	wmkhly.exe	114
PID 4236 wrote to memory of 2628	4236	wmkhly.exe	114
PID 4236 wrote to memory of 2628	4236	wmkhly.exe	114
PID 4236 wrote to memory of 1948	4236	wmkhly.exe	115
PID 4236 wrote to memory of 1948	4236	wmkhly.exe	115
PID 4236 wrote to memory of 1948	4236	wmkhly.exe	115
PID 2628 wrote to memory of 3948	2628	wopoxml.exe	119
PID 2628 wrote to memory of 3948	2628	wopoxml.exe	119
PID 2628 wrote to memory of 3948	2628	wopoxml.exe	119
PID 2628 wrote to memory of 1156	2628	wopoxml.exe	120
PID 2628 wrote to memory of 1156	2628	wopoxml.exe	120
PID 2628 wrote to memory of 1156	2628	wopoxml.exe	120
PID 3948 wrote to memory of 4076	3948	weucdt.exe	122
PID 3948 wrote to memory of 4076	3948	weucdt.exe	122
PID 3948 wrote to memory of 4076	3948	weucdt.exe	122
PID 3948 wrote to memory of 4036	3948	weucdt.exe	123
PID 3948 wrote to memory of 4036	3948	weucdt.exe	123
PID 3948 wrote to memory of 4036	3948	weucdt.exe	123
PID 4076 wrote to memory of 4380	4076	wxidnb.exe	125
PID 4076 wrote to memory of 4380	4076	wxidnb.exe	125
PID 4076 wrote to memory of 4380	4076	wxidnb.exe	125
PID 4076 wrote to memory of 964	4076	wxidnb.exe	126
PID 4076 wrote to memory of 964	4076	wxidnb.exe	126
PID 4076 wrote to memory of 964	4076	wxidnb.exe	126
PID 4380 wrote to memory of 4024	4380	wucbcu.exe	128
PID 4380 wrote to memory of 4024	4380	wucbcu.exe	128
PID 4380 wrote to memory of 4024	4380	wucbcu.exe	128
PID 4380 wrote to memory of 3588	4380	wucbcu.exe	129

C:\Users\Admin\AppData\Local\Temp\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\wwqbrn.exe
  "C:\Windows\system32\wwqbrn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\wisl.exe
    "C:\Windows\system32\wisl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\wtdmuo.exe
      "C:\Windows\system32\wtdmuo.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\SysWOW64\wcksjnae.exe
        
        "C:\Windows\system32\wcksjnae.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\SysWOW64\wbbjegwj.exe
        
        "C:\Windows\system32\wbbjegwj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\wmkhly.exe
        
        "C:\Windows\system32\wmkhly.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\wopoxml.exe
        
        "C:\Windows\system32\wopoxml.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\weucdt.exe
        
        "C:\Windows\system32\weucdt.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\wxidnb.exe
        
        "C:\Windows\system32\wxidnb.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\wucbcu.exe
        
        "C:\Windows\system32\wucbcu.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\wgea.exe
        
        "C:\Windows\system32\wgea.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\wlpdl.exe
        
        "C:\Windows\system32\wlpdl.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4764
        
        C:\Windows\SysWOW64\wvsc.exe
        
        "C:\Windows\system32\wvsc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\wogc.exe
        
        "C:\Windows\system32\wogc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\wvdchcijh.exe
        
        "C:\Windows\system32\wvdchcijh.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\wkwim.exe
        
        "C:\Windows\system32\wkwim.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\wdut.exe
        
        "C:\Windows\system32\wdut.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\wntkn.exe
        
        "C:\Windows\system32\wntkn.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\wpbxsvg.exe
        
        "C:\Windows\system32\wpbxsvg.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\wquswhjgi.exe
        
        "C:\Windows\system32\wquswhjgi.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:952
        
        C:\Windows\SysWOW64\wplksyfm.exe
        
        "C:\Windows\system32\wplksyfm.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wpnsv.exe
        
        "C:\Windows\system32\wpnsv.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wewquyyn.exe
        
        "C:\Windows\system32\wewquyyn.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\wegdbonf.exe
        
        "C:\Windows\system32\wegdbonf.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\wiuqnxmb.exe
        
        "C:\Windows\system32\wiuqnxmb.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2992
        
        C:\Windows\SysWOW64\wgbaiuv.exe
        
        "C:\Windows\system32\wgbaiuv.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\wlsdwpj.exe
        
        "C:\Windows\system32\wlsdwpj.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\wkjur.exe
        
        "C:\Windows\system32\wkjur.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\wqjnbj.exe
        
        "C:\Windows\system32\wqjnbj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\wlaiejkr.exe
        
        "C:\Windows\system32\wlaiejkr.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\wfukcm.exe
        
        "C:\Windows\system32\wfukcm.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\wmeospf.exe
        
        "C:\Windows\system32\wmeospf.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\werp.exe
        
        "C:\Windows\system32\werp.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\wounvq.exe
        
        "C:\Windows\system32\wounvq.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\wungsuq.exe
        
        "C:\Windows\system32\wungsuq.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\wwrkfhe.exe
        
        "C:\Windows\system32\wwrkfhe.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\wlufqt.exe
        
        "C:\Windows\system32\wlufqt.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1368
        
        C:\Windows\SysWOW64\wespiba.exe
        
        "C:\Windows\system32\wespiba.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4412
        
        C:\Windows\SysWOW64\wnpmoylv.exe
        
        "C:\Windows\system32\wnpmoylv.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\wadrihan.exe
        
        "C:\Windows\system32\wadrihan.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\wlnrqa.exe
        
        "C:\Windows\system32\wlnrqa.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3424
        
        C:\Windows\SysWOW64\wiwg.exe
        
        "C:\Windows\system32\wiwg.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\wxklq.exe
        
        "C:\Windows\system32\wxklq.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2940
        
        C:\Windows\SysWOW64\whmyuet.exe
        
        "C:\Windows\system32\whmyuet.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\wrqv.exe
        
        "C:\Windows\system32\wrqv.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\wkkyle.exe
        
        "C:\Windows\system32\wkkyle.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\wuuys.exe
        
        "C:\Windows\system32\wuuys.exe"
        48⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\wxh.exe
        
        "C:\Windows\system32\wxh.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\wluhubn.exe
        
        "C:\Windows\system32\wluhubn.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\wispd.exe
        
        "C:\Windows\system32\wispd.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\wtkdqtx.exe
        
        "C:\Windows\system32\wtkdqtx.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\wbditsgql.exe
        
        "C:\Windows\system32\wbditsgql.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1128
        
        C:\Windows\SysWOW64\wpqnnh.exe
        
        "C:\Windows\system32\wpqnnh.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\wwq.exe
        
        "C:\Windows\system32\wwq.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3116
        
        C:\Windows\SysWOW64\wmgfisq.exe
        
        "C:\Windows\system32\wmgfisq.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\wwkcd.exe
        
        "C:\Windows\system32\wwkcd.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\wukef.exe
        
        "C:\Windows\system32\wukef.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\wgjtgy.exe
        
        "C:\Windows\system32\wgjtgy.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\wvyyyos.exe
        
        "C:\Windows\system32\wvyyyos.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2844
        
        C:\Windows\SysWOW64\woaocst.exe
        
        "C:\Windows\system32\woaocst.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\wdcxtctu.exe
        
        "C:\Windows\system32\wdcxtctu.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\wlcqd.exe
        
        "C:\Windows\system32\wlcqd.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wnfvpruig.exe
        
        "C:\Windows\system32\wnfvpruig.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\weicc.exe
        
        "C:\Windows\system32\weicc.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\wbmkw.exe
        
        "C:\Windows\system32\wbmkw.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wjs.exe
        
        "C:\Windows\system32\wjs.exe"
        67⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\wycdtdh.exe
        
        "C:\Windows\system32\wycdtdh.exe"
        68⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wah.exe
        
        "C:\Windows\system32\wah.exe"
        69⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\wllhy.exe
        
        "C:\Windows\system32\wllhy.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\wvjwbeg.exe
        
        "C:\Windows\system32\wvjwbeg.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1344
        
        C:\Windows\SysWOW64\wxgyyum.exe
        
        "C:\Windows\system32\wxgyyum.exe"
        72⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\weqe.exe
        
        "C:\Windows\system32\weqe.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\wxbwgxugm.exe
        
        "C:\Windows\system32\wxbwgxugm.exe"
        74⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weqe.exe"
        74⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxgyyum.exe"
        73⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjwbeg.exe"
        72⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllhy.exe"
        71⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wah.exe"
        70⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycdtdh.exe"
        69⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjs.exe"
        68⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmkw.exe"
        67⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weicc.exe"
        66⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnfvpruig.exe"
        65⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcqd.exe"
        64⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcxtctu.exe"
        63⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woaocst.exe"
        62⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvyyyos.exe"
        61⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjtgy.exe"
        60⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukef.exe"
        59⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkcd.exe"
        58⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgfisq.exe"
        57⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwq.exe"
        56⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqnnh.exe"
        55⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbditsgql.exe"
        54⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkdqtx.exe"
        53⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1448
        53⤵
        Program crash
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wispd.exe"
        52⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wluhubn.exe"
        51⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1700
        51⤵
        Program crash
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxh.exe"
        50⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuuys.exe"
        49⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkyle.exe"
        48⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqv.exe"
        47⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmyuet.exe"
        46⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxklq.exe"
        45⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwg.exe"
        44⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnrqa.exe"
        43⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadrihan.exe"
        42⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 116
        42⤵
        Program crash
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1536
        42⤵
        Program crash
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpmoylv.exe"
        41⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wespiba.exe"
        40⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlufqt.exe"
        39⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrkfhe.exe"
        38⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wungsuq.exe"
        37⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wounvq.exe"
        36⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werp.exe"
        35⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmeospf.exe"
        34⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfukcm.exe"
        33⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlaiejkr.exe"
        32⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjnbj.exe"
        31⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjur.exe"
        30⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 116
        30⤵
        Program crash
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1536
        30⤵
        Program crash
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsdwpj.exe"
        29⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgbaiuv.exe"
        28⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuqnxmb.exe"
        27⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegdbonf.exe"
        26⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1424
        26⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewquyyn.exe"
        25⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnsv.exe"
        24⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplksyfm.exe"
        23⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquswhjgi.exe"
        22⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbxsvg.exe"
        21⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntkn.exe"
        20⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdut.exe"
        19⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwim.exe"
        18⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdchcijh.exe"
        17⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wogc.exe"
        16⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvsc.exe"
        15⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpdl.exe"
        14⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgea.exe"
        13⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucbcu.exe"
        12⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxidnb.exe"
        11⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weucdt.exe"
        10⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopoxml.exe"
        9⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmkhly.exe"
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbjegwj.exe"
        7⤵
        
        PID:1312
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcksjnae.exe"
        6⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtdmuo.exe"
        5⤵
        
        PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisl.exe"
      4⤵
      PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqbrn.exe"
    3⤵
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe"
  2⤵
  PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3080 -ip 3080
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 716 -ip 716
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 716 -ip 716
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 932 -ip 932
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 932 -ip 932
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1968 -ip 1968
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3000 -ip 3000
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbbjegwj.exe

Filesize
94KB

MD5
7c7299984eb4359afa7ec960d6803170

SHA1
092e690a32e5c4f0589bd097f44a5358399abf49

SHA256
9c00ec2ab6b80c4c6a80717ac54dae4389ee30d95a1ddba72cd9c82230d1fa63

SHA512
a144c13d5927a9cced67a455bb57d92938832c640313bc0b4116a3a40de3b87d20d6079f34752a2a687f11eb183ca3c0f15ce9862a286fe1d4075895725f84db

Download Submit
C:\Windows\SysWOW64\wcksjnae.exe

Filesize
94KB

MD5
bd383f10be5a5033ab50c8607f005999

SHA1
a32b273d20b553e8cf5cf4a275c9432df1c559b3

SHA256
aae8ac9e6e8d566b0c97500fd73816f682282b418346e0ff9e8d780b6e462887

SHA512
ce4a8828261247758069de1cc1f67fdac7b95748f7209b835f560c12c28d58923e5edd64d939c069493e8eb9942e88ad1f5095cb6b2b2f756ea68b45abd59106

Download Submit
C:\Windows\SysWOW64\wdut.exe

Filesize
94KB

MD5
2c2d13577ebfada64536a84f905aed6c

SHA1
4da5a47fd298dad4e04b63bce125d39fe3e2565a

SHA256
665b6994fc54d69dc71fb7056e2d938721dace2c9206afc0204cf3eff5dbbcb3

SHA512
7251530651de0b1f06d82b77b15a4d2ac07a259f0c62e9f0a34a5ffcdfab0a41d40bac73fa482deb1dbfd7c24cd7e9f5c31ee9351f4d55e37d620c2c42a3fa5a

Download Submit
C:\Windows\SysWOW64\wegdbonf.exe

Filesize
94KB

MD5
3dd7dbc2d35aea88bf2fa79dd8c51029

SHA1
95933e0ad72d56810e3b8c9468740971d03a8311

SHA256
4276f97f95ea901a1b4165a23871976608c101b23e3e1ab53f8dc5d85bf0fccb

SHA512
a6fafd38237c5f744bbd7d9ea33ce68516becfb1f8a1b0ce70250e73387a2b7047d07da8840def0144a2ada241f1168cd9c9b9e79e25f3a80eae3552dceb8908

Download Submit
C:\Windows\SysWOW64\weucdt.exe

Filesize
94KB

MD5
1ad1d695d817bcfca16e1c38e89ac4cc

SHA1
a84d982044acaec6909e18e8a796cbffc65075cd

SHA256
b7980c424de8684c716c8f6ca5b743fc893bd708ef65a8a3a0b1c3ceec5e9db3

SHA512
065e555cccc590f5d8be45ac054470b440250cf359d67037077ec9af0727a7d13803453ac603780880255eef27b47c7e84d2d1c5ae0daea48fc0d8252b385a12

Download Submit
C:\Windows\SysWOW64\wewquyyn.exe

Filesize
94KB

MD5
de5ea5689402d30a3f06f0374b5f31b6

SHA1
9aa4dd976d25856d98934b2e886954edd2e81c80

SHA256
016dae4cf44cab37ce400be63472cb7d3e84c80d185a3a08b549119db0af8b61

SHA512
cfac43caa43e245256a5f5773284a41eddb27914f8d27cf48e99fb8cdcffd0dac7c95538b8a10d474043b4b20759a659e09914c0d59408374188172b5d0b1fff

Download Submit
C:\Windows\SysWOW64\wfukcm.exe

Filesize
94KB

MD5
37cd5ec07a98e9964e4dd2e58a3eac92

SHA1
973e04ac3f7874f0f3f9291dd23a9436915b0df6

SHA256
dc17fd765f21efc2b24f81061361f1c36d61431ff6de7cc17147060f07f954ca

SHA512
a36903e224401d3431e87d248e447310cea2c3afbd951a6359e49aa1b5676751f62093fd9f49aebad1926999f80fe71be3c8f42bb6692ac7f8df2c28248906cf

Download Submit
C:\Windows\SysWOW64\wgbaiuv.exe

Filesize
94KB

MD5
f0d086020f28bcca9bee90e94e59c1c1

SHA1
cc4be0f71a6e40c1c53ff0d1f126caeeb811fe11

SHA256
ea5aa4f967fab9f490aae1a03206254c4255b2d00551f158f71a5a2d8e28ca2c

SHA512
7faa462ec693119461ad9300d72a82079c9600dd7fdf8b8027d7031cacaa4df128d5622c48ea8b889257b8ca8fed0300ddf587bd82d878215dd14e1e54b309e1

Download Submit
C:\Windows\SysWOW64\wgea.exe

Filesize
94KB

MD5
73665d98a88e3c15ba54803979295db7

SHA1
1bb0acfc0b6473b24e652c202e76e86b784c3ca8

SHA256
3e0720ab965837c4f068cda815d67906ae3cf5e4d9ebfd08d4856ad6f821e5e6

SHA512
81eb6845a53deac04c3e80ffb052b74e4c669c8f6275e41efba28f327d4e1a0bcd061a11bec592f14fc2ed5579e3aabc098b0ddf4aa456bd1eb25438ada25778

Download Submit
C:\Windows\SysWOW64\wisl.exe

Filesize
93KB

MD5
67e9329fecad366490ec9dfb1306769c

SHA1
2cc489adfb3b9ffc30a40413e7b06d51e0d0f034

SHA256
4ca9b904602c477384569bdad2eaf7c322450e2d3854300c1a666697ea757e8d

SHA512
310b62cea9f53bd026d539c52636a4d5f03ad844a0dd35431e0dac1412dd88e7fb1b49fa92098624e16c47bf173059118c41d1fe2c9722f2623affc0aa5cf0e3

Download Submit
C:\Windows\SysWOW64\wiuqnxmb.exe

Filesize
94KB

MD5
87c9a9c0c91a663a38bcd74d6d2a16d7

SHA1
1e05665eeeae7bf4b0bebd64bea1aec8798ea010

SHA256
95309d6cc022c725730a74dd188be0de55567d386feeff7a31de63d444965922

SHA512
87c2e30397ddef1ebf12f81a2b7d88afc4cca0f334997dd2b3c0522846ee71783d3b138729111615825f53fe88d789e7fb3f2d2fc12a6ae5327aa0135c82b634

Download Submit
C:\Windows\SysWOW64\wkjur.exe

Filesize
94KB

MD5
f6003a90a76554283d1035eeb9300490

SHA1
570b91ccf5f8f3b845290be0c7cd04d6f674f434

SHA256
e95c8cf0ea745ff471c866042000f4c5957bd963798da3b60596fd9ce176a105

SHA512
231d5300dfd346a6e1ce2991277a73deb9563c09abd6c1c6fd2e919f82abcd2506af9f9081d7d0086102480a170756d119ea23df89ff03e03c7f556fcb066451

Download Submit
C:\Windows\SysWOW64\wkwim.exe

Filesize
94KB

MD5
74f7b0322ecb844487e7ec56be5fad21

SHA1
859172bbd6a9473850bf1a94614e02c85969c991

SHA256
c4e4e9dec0e224300c7db40499f9a933e0b76e0d364ec7b1883a702865648729

SHA512
1861e4e783682c319cff58ed531d58de09102df26ee7dc3c7f0f4774148cd604b59b15aa4a661b5b747eab656193ab3db4cef3cee3302705a7dab3e575471a4e

Download Submit
C:\Windows\SysWOW64\wlaiejkr.exe

Filesize
94KB

MD5
840067996d5915bbba266e834fcba19c

SHA1
4b33ede3b36db09c3b3befc32938462d20643740

SHA256
6f8237ad2d86025d377a32534eca598db84516680478ce9b2318ba752036c8cf

SHA512
af5ee1754c51541760acc4f96082cbace1bc7e58906ba1dd2980bb167fbd83bbe2262072fa3f216926d6974e9e810c7fa2180335424253b39c88832ae85088c8

Download Submit
C:\Windows\SysWOW64\wlpdl.exe

Filesize
94KB

MD5
9f67bf9f94ac0a3c9da7d8a230d5342e

SHA1
8a8bcdd670379b819e679c29c3f7b27157234b30

SHA256
0394300802363f59fc645cb677db18fcad23a3b65f79aee6e07017e8023d8b1d

SHA512
b1545e1726d89178feaf882ebfe934730d8797e501560c6b3a643d74d3e5f83aae98b7ebd0faf9df54022cccbecbc3aafe677b88e177919624a09713221d2c92

Download Submit
C:\Windows\SysWOW64\wlsdwpj.exe

Filesize
94KB

MD5
cdfa1b24042dd869b6ba9c68416a879a

SHA1
d812141f12ab6f1ca3178d34e5a4518d348c185a

SHA256
f8e4c7319b527fbbac354928a360c3c1393f0a5b6c8a0f4f2e2783dd6ee4193f

SHA512
4e754f5558f832420e606fafa69588c8788f566eedd5216e914f616f23bf6dc94d4004568307e1341c1ccc8f184382d27e71c8df759219c1481865c7cc7dca4c

Download Submit
C:\Windows\SysWOW64\wmeospf.exe

Filesize
94KB

MD5
fbc3f2fd7bbc41775ff476993519e93a

SHA1
6a40a1ec4386c8bcfbb5b51a2193360a61912e2a

SHA256
372e4b6c0cfddfcc5c4902f95f3a9230bff4b08553272ba5c0bf7f408f19f6a3

SHA512
774fbf94a59ba2f2ace16eef2f5481bc9b7e5441ad52f84e2577ab878a622c9d644e6526af6a697cadcfba60357b2361ee41865ddca83389be2d6689dd203c68

Download Submit
C:\Windows\SysWOW64\wmkhly.exe

Filesize
94KB

MD5
ecceadc367b43e79e5fa3433a78ecade

SHA1
c24886c4c42f7e24a9609fe847b5924cc865fe04

SHA256
fb29934494ad53e5838db0215d03f2b9f8d3c97f2fec0fa8a2dc429d22795f86

SHA512
488ac61e128d509627c76871395cc1d953c20ddd8199bc9ab3a51cf2c71f38ecedaa4f5e67033dda8fce408ddcc7de79ce811a5eeabc8c0c180324c4d48ec053

Download Submit
C:\Windows\SysWOW64\wntkn.exe

Filesize
94KB

MD5
9a4c9819bcde651bdf12ba9f28c094b7

SHA1
879bebb88a25c1c017e4026c77df4664131ca3b9

SHA256
2090f2af577cbc92e23c1fc562c04221969cc9d6e6875e080c985a510bc09982

SHA512
500a3ccfa1dadb38dcb4f319280d3866f9984c881ab772b4d0a76b5507f1b31df2b26f49bb14d269c5155e5377b158d1d7a58c5ea9e3eb72a82ac4ab646bbdc6

Download Submit
C:\Windows\SysWOW64\wogc.exe

Filesize
94KB

MD5
ebc598a7b13f52c889067f94fd17b4e3

SHA1
f425505ef18c1dc97ad49bb01f8e89a0638b84d5

SHA256
4acb983c7e7b26a2cee6b34ba11238692c9a50a2018d3e5368cf1d4faf2760f0

SHA512
b7c0cd39202d2fae0e20d9ec9f6d479f11e5b7e68fcbe5c7e0e4a8b176ce75b06730f3e2ca24848fa11ba26df9c4a9fac8814810282f09920b62d7267830dff3

Download Submit
C:\Windows\SysWOW64\wopoxml.exe

Filesize
94KB

MD5
d8914b86084e3b945f1cd522d533b349

SHA1
70c600612ea296b1f238b3651eead973791fbfc2

SHA256
36ceebf61d14496e89a14b3e29c8bb1c0f45dfcef556d0e2af9ce724c7cc064c

SHA512
26ac3c224f97076d405b322b403da5074566a99bae3f77e312194d0b8f70fd1199df038435f4ed3d65dbf52c6334548a556cc4f4c9c41a2c8f13e3f99fde4366

Download Submit
C:\Windows\SysWOW64\wpbxsvg.exe

Filesize
94KB

MD5
6388b1e5dec714893d3e1dfa8bc9bf39

SHA1
2e874a1643c34cec405db5dfb49a2ba5636e3218

SHA256
83f85efc915b03cf0bb289ea2234470981fb8d3dd1f0e41d30860e0ba0e023be

SHA512
e5c56ca9702bf509b4669aea3c267d79af1349bad6fbaa5332c84f0063ce95e69f1d59d3621a48560ffbe24b4814bc353ea2c390d2fb2be4cfaf78f80da6ce7b

Download Submit
C:\Windows\SysWOW64\wplksyfm.exe

Filesize
94KB

MD5
0dfca78a017d0b8cfdb40e5a040ddf71

SHA1
0010f8c108cb5b645535da571eb8c49c02a70b22

SHA256
729bac47f3afb0b89ec01e5d0f597f1332684821d40885930e6ec5e6b3788d82

SHA512
a891120e1d1ed1d8a759100abdff3d982113e58282955319e273e78c6c882c069b03960a77e8ea476afda6c136e2df9e64104b7508a7a10e3a343b87b2240c31

Download Submit
C:\Windows\SysWOW64\wpnsv.exe

Filesize
94KB

MD5
f4a0c2bcfd02680e392e5996f5df2eed

SHA1
f27175eb9beb2e10f733080e843248a7dadccb4a

SHA256
d6ab4e5ee461c115d76dda2f14c2ba12668c9e7a8a3d13e8de974f3e6555840f

SHA512
71db92f2ce655efae8990702fa70c5d09002785768bf8013834beddc663413b902ef98469384684275aa316fcb1f8e1124f2c986a9fd255a8004faa855168001

Download Submit
C:\Windows\SysWOW64\wqjnbj.exe

Filesize
94KB

MD5
df9a1b69927d141978b39956a6a35e67

SHA1
4135e746b721db72f34fd0d17fbb9b8c31706b74

SHA256
83d3186e436af9becb822a0beb37097f2463aff6fe884ea7fdbfe6c3b7560420

SHA512
999be83605f115e9f50e5211495cae3fb12aa9311b6078221b91d83cf8d666d79623aa846a1ac5454588cfd0973f9878b20d797422abe9ae1f9b64b00f092bb3

Download Submit
C:\Windows\SysWOW64\wquswhjgi.exe

Filesize
94KB

MD5
e628607f34b4f6a4fd714137053046ae

SHA1
1362110edcece973404a4f316668cd2c047c593d

SHA256
46c0cbe8263c36c0ae955231edf3aac5759673e3494270685ee2e292d72d5777

SHA512
793cfae5c06b01555beb3cc511e089ca262cfad8ef52c09ec80df87e0ce39fd54e0de9eb271745eadbe6fd949cef708e5ef86cb2eeb75af40b41ece6c2e4e4d6

Download Submit
C:\Windows\SysWOW64\wtdmuo.exe

Filesize
94KB

MD5
783bbfa4d9e43c4108338d8df86de7e6

SHA1
947495ffc146d94c82a62fc2dea0d0131eaeb826

SHA256
c9fa6e29196c0cef7a37e207b94132982a805928173eb0b319e0014e1d92f7a6

SHA512
2ff2b09908fd5db7839af27a74e262d24176a0a38de5913676f7d344fd2e0e69a870cb64958cf5ef335bf69bfb8e2969b786cdb66626d23c1d9310023d5c16dc

Download Submit
C:\Windows\SysWOW64\wucbcu.exe

Filesize
94KB

MD5
f0d92f4f5472a88b7d6d44c6da2b175f

SHA1
dfd9a36e4218870a0127c9b77bfee073d764ab49

SHA256
f4f978fb201c2dd3c78403ee885303ecc154ae7b6683f1a1893d4bc60bcc4b10

SHA512
f33e95380ea62e2dbe2171cc5c3de476514cecb17fd193f4d8c998d12d60179070fc6e7d00013e23ce2582b2799f540eae89b95f67a24d0fb7d6674b2b05ff61

Download Submit
C:\Windows\SysWOW64\wvdchcijh.exe

Filesize
94KB

MD5
36bf855c954e3823752a1b5f78332a1e

SHA1
ae6d762ccf18e6ba10aff37c32dee4169f7a36df

SHA256
abacdf37f9c66c99189af98f2a26eb23bf71c130a47d6a3cbc391b9451547ee7

SHA512
f0a9d9c3af1749bf6e4892ab944959bca571a2646e1b4345c23c973917508e043b4e7c43106cba3c1c386daf37c7f946d25a36b6658e9f09ce47832115ba01a8

Download Submit
C:\Windows\SysWOW64\wvsc.exe

Filesize
94KB

MD5
60e6f1d26f669a6e52c544c0c1d2c0f3

SHA1
fac77360cb4e15ac4a7233af3592b9321c5b858b

SHA256
db666598fe1c289bf6a2bba49ebb53c3589cfa00e94b7a3b3dfe41f15f68cfec

SHA512
8683dc5a76dd258acffc54be358c1301248dc397cf9bc1312969661d0e1863460129d7a3e369bfaae07769c408c5f4fd02a281bf897a47138ec044c903eaae96

Download Submit
C:\Windows\SysWOW64\wwqbrn.exe

Filesize
93KB

MD5
5a2310624fa5904680cce57b53dbb1d0

SHA1
d18fb28a9cb091a9ae3ead0bace8b3dda387ed29

SHA256
6c6e1f7426c7ef921a8fb747840640cdefb2b66766771a2887882468bb30424e

SHA512
f1fb7030a4dfbbed9da216db82ef74da60f31c1d59adc8cd498cd2024db4934e04e75e179bdbe8d59b3d21f7a9874de455d80ad0f9beca687aff875995972f15

Download Submit
C:\Windows\SysWOW64\wxidnb.exe

Filesize
94KB

MD5
4ae81e7c375c376b710a57be8c0a61cc

SHA1
2a19ab41571acafb69c5326067c2729ee9f85f26

SHA256
739d8d6b4ecb28bd0e4b0966004f680a1ddc8c655aab2d48cb09ab857cb83f33

SHA512
f085891f4ddf9b996fffe1871dee3212eeb7909d3201be6a63a89bca897428b6bb0fd04cbe93a9d29b43b4123b690b52a71ed9f7ea2c214f5d46f9eb5d48b388

Download Submit
memory/224-316-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/384-205-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/384-193-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/632-479-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/648-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/716-296-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/932-399-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/932-390-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/952-204-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/952-215-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1128-495-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1244-183-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1312-623-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-639-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1368-374-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1432-599-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1440-607-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-463-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1576-276-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1608-567-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1732-527-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1968-471-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2016-439-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2068-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2068-152-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2152-543-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2264-306-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2276-631-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2276-172-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2288-431-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2448-342-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-236-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2628-655-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2628-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-551-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-358-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2876-519-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2904-225-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2924-455-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2940-423-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2992-266-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3000-487-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3056-503-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3080-256-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3116-511-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3116-286-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3116-350-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3288-391-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3424-407-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3440-142-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3468-182-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3468-194-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3776-50-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3792-535-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-366-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-90-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3964-615-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4024-121-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4076-100-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4236-70-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4300-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4300-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4356-583-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4368-447-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4380-334-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4380-110-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4412-382-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4412-559-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4480-326-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4604-162-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4636-591-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4764-120-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4764-131-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4764-647-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4772-415-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4864-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4888-40-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5012-246-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5100-575-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads