2a3eaa0fb6a6f951eca6286813ce3e3f28677ce122f9dfca2e9dd76d584e1914

Analysis

max time kernel
129s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe
Size

93KB
MD5

d0ab657acba3d2a1c109378013a75260
SHA1

58008baf760e290e3f4e30550340bf9850fb80c7
SHA256

2a3eaa0fb6a6f951eca6286813ce3e3f28677ce122f9dfca2e9dd76d584e1914
SHA512

fc9e5b7952c96d51647a1245e2c0c4a03d86081e73a1706194abc11e104975a0affdcb6bce799895d2dc2c7068c90530edeb5474fe3b2c9bf28063a58aee398e
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCiY:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC5

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 63 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wubhhjt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wjbrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wspbldj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wblcoff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wgveroyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wonjeo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wjlyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wwkhgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wxhu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wcqa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wnwsbh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wccqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wbpgr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wlnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wxowmpelh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wmbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wcobsiuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	whyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	woecd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	whel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wlah.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wouuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wikmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wmnrub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wbqpfgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wpew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wbqdxod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wkxhqcbyj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wlsdlhhs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wlwnaq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wqphqgmfq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wbmds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wrtdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	whhtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wntixf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wcffn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wakddxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wxwy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wwquef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wxjkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wexuvvwsf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wdisnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wivycl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wlkbjptn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wxiebtkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wilcac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wioq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	waafl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wjlthcjx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wkwnkog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wpkau.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wqtop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wilyxlljs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wsixjnkg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wvgyynys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wxcay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wtnbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wjvray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wriuej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wvuofo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wvffu.exe

Executes dropped EXE 63 IoCs

pid	Process
5036	wcqa.exe
4536	wcffn.exe
2396	wnwsbh.exe
2508	wgveroyq.exe
4448	wxiebtkd.exe
4520	wtnbp.exe
3980	wbpgr.exe
4692	wlsdlhhs.exe
4948	wilcac.exe
1164	wxowmpelh.exe
4196	waafl.exe
4816	wonjeo.exe
3588	wmbg.exe
5024	wakddxd.exe
4464	wxwy.exe
2404	wioq.exe
1800	wjlthcjx.exe
4112	wlwnaq.exe
1588	wpew.exe
3248	wjvray.exe
3216	wccqv.exe
4652	wexuvvwsf.exe
2432	wqphqgmfq.exe
3720	wwkhgl.exe
1936	wdisnr.exe
2368	woecd.exe
1592	whel.exe
2584	wbmds.exe
2424	wrtdr.exe
5064	wikmt.exe
4816	whhtl.exe
836	wilyxlljs.exe
4220	wriuej.exe
3032	wcobsiuq.exe
1160	wmnrub.exe
4980	wjlyb.exe
4100	wntixf.exe
3336	wivycl.exe
2752	wbqdxod.exe
1792	wxcay.exe
2968	wubhhjt.exe
3052	wlnh.exe
4536	wvuofo.exe
4200	wkxhqcbyj.exe
4744	wlkbjptn.exe
4732	wbqpfgu.exe
2216	wsixjnkg.exe
1004	wouuj.exe
3864	wvgyynys.exe
548	wjbrx.exe
4324	wxhu.exe
4720	wlah.exe
4836	wwquef.exe
836	wspbldj.exe
2404	whyy.exe
3708	wkwnkog.exe
3696	wpkau.exe
2392	wne.exe
5048	wblcoff.exe
1500	wvffu.exe
4524	wxjkh.exe
3592	wqtop.exe
1312	wdokadn.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxiebtkd = "\"C:\\Windows\\SysWOW64\\wxiebtkd.exe\""	wxiebtkd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wouuj = "\"C:\\Windows\\SysWOW64\\wouuj.exe\""	wouuj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblcoff = "\"C:\\Windows\\SysWOW64\\wblcoff.exe\""	wblcoff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbpgr = "\"C:\\Windows\\SysWOW64\\wbpgr.exe\""	wbpgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsixjnkg = "\"C:\\Windows\\SysWOW64\\wsixjnkg.exe\""	wsixjnkg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxhu = "\"C:\\Windows\\SysWOW64\\wxhu.exe\""	wxhu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjbrx = "\"C:\\Windows\\SysWOW64\\wjbrx.exe\""	wjbrx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxjkh = "\"C:\\Windows\\SysWOW64\\wxjkh.exe\""	wxjkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxowmpelh = "\"C:\\Windows\\SysWOW64\\wxowmpelh.exe\""	wxowmpelh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxwy = "\"C:\\Windows\\SysWOW64\\wxwy.exe\""	wxwy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wntixf = "\"C:\\Windows\\SysWOW64\\wntixf.exe\""	wntixf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilcac = "\"C:\\Windows\\SysWOW64\\wilcac.exe\""	wilcac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvffu = "\"C:\\Windows\\SysWOW64\\wvffu.exe\""	wvffu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbqpfgu = "\"C:\\Windows\\SysWOW64\\wbqpfgu.exe\""	wbqpfgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlah = "\"C:\\Windows\\SysWOW64\\wlah.exe\""	wlah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkwnkog = "\"C:\\Windows\\SysWOW64\\wkwnkog.exe\""	wkwnkog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnwsbh = "\"C:\\Windows\\SysWOW64\\wnwsbh.exe\""	wnwsbh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wakddxd = "\"C:\\Windows\\SysWOW64\\wakddxd.exe\""	wakddxd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcobsiuq = "\"C:\\Windows\\SysWOW64\\wcobsiuq.exe\""	wcobsiuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whuduirg = "\"C:\\Windows\\SysWOW64\\whuduirg.exe\""	whuduirg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whhtl = "\"C:\\Windows\\SysWOW64\\whhtl.exe\""	whhtl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilyxlljs = "\"C:\\Windows\\SysWOW64\\wilyxlljs.exe\""	wilyxlljs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkxhqcbyj = "\"C:\\Windows\\SysWOW64\\wkxhqcbyj.exe\""	wkxhqcbyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wspbldj = "\"C:\\Windows\\SysWOW64\\wspbldj.exe\""	wspbldj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdokadn = "\"C:\\Windows\\SysWOW64\\wdokadn.exe\""	wdokadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wioq = "\"C:\\Windows\\SysWOW64\\wioq.exe\""	wioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwkhgl = "\"C:\\Windows\\SysWOW64\\wwkhgl.exe\""	wwkhgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whel = "\"C:\\Windows\\SysWOW64\\whel.exe\""	whel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woecd = "\"C:\\Windows\\SysWOW64\\woecd.exe\""	woecd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmnrub = "\"C:\\Windows\\SysWOW64\\wmnrub.exe\""	wmnrub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxcay = "\"C:\\Windows\\SysWOW64\\wxcay.exe\""	wxcay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvuofo = "\"C:\\Windows\\SysWOW64\\wvuofo.exe\""	wvuofo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpkau = "\"C:\\Windows\\SysWOW64\\wpkau.exe\""	wpkau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0ab657acba3d2a1c109378013a75260_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe\""	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcffn = "\"C:\\Windows\\SysWOW64\\wcffn.exe\""	wcffn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wonjeo = "\"C:\\Windows\\SysWOW64\\wonjeo.exe\""	wonjeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvgyynys = "\"C:\\Windows\\SysWOW64\\wvgyynys.exe\""	wvgyynys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwquef = "\"C:\\Windows\\SysWOW64\\wwquef.exe\""	wwquef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wne = "\"C:\\Windows\\SysWOW64\\wne.exe\""	wne.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgveroyq = "\"C:\\Windows\\SysWOW64\\wgveroyq.exe\""	wgveroyq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrtdr = "\"C:\\Windows\\SysWOW64\\wrtdr.exe\""	wrtdr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wubhhjt = "\"C:\\Windows\\SysWOW64\\wubhhjt.exe\""	wubhhjt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whyy = "\"C:\\Windows\\SysWOW64\\whyy.exe\""	whyy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqtop = "\"C:\\Windows\\SysWOW64\\wqtop.exe\""	wqtop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtnbp = "\"C:\\Windows\\SysWOW64\\wtnbp.exe\""	wtnbp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlnh = "\"C:\\Windows\\SysWOW64\\wlnh.exe\""	wlnh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlkbjptn = "\"C:\\Windows\\SysWOW64\\wlkbjptn.exe\""	wlkbjptn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmbg = "\"C:\\Windows\\SysWOW64\\wmbg.exe\""	wmbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbmds = "\"C:\\Windows\\SysWOW64\\wbmds.exe\""	wbmds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wivycl = "\"C:\\Windows\\SysWOW64\\wivycl.exe\""	wivycl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waafl = "\"C:\\Windows\\SysWOW64\\waafl.exe\""	waafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wccqv = "\"C:\\Windows\\SysWOW64\\wccqv.exe\""	wccqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wexuvvwsf = "\"C:\\Windows\\SysWOW64\\wexuvvwsf.exe\""	wexuvvwsf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsdlhhs = "\"C:\\Windows\\SysWOW64\\wlsdlhhs.exe\""	wlsdlhhs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wikmt = "\"C:\\Windows\\SysWOW64\\wikmt.exe\""	wikmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wriuej = "\"C:\\Windows\\SysWOW64\\wriuej.exe\""	wriuej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjlyb = "\"C:\\Windows\\SysWOW64\\wjlyb.exe\""	wjlyb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcqa = "\"C:\\Windows\\SysWOW64\\wcqa.exe\""	wcqa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlwnaq = "\"C:\\Windows\\SysWOW64\\wlwnaq.exe\""	wlwnaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdisnr = "\"C:\\Windows\\SysWOW64\\wdisnr.exe\""	wdisnr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqphqgmfq = "\"C:\\Windows\\SysWOW64\\wqphqgmfq.exe\""	wqphqgmfq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbqdxod = "\"C:\\Windows\\SysWOW64\\wbqdxod.exe\""	wbqdxod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjlthcjx = "\"C:\\Windows\\SysWOW64\\wjlthcjx.exe\""	wjlthcjx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpew = "\"C:\\Windows\\SysWOW64\\wpew.exe\""	wpew.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbpgr.exe	whuduirg.exe
File created	C:\Windows\SysWOW64\wxowmpelh.exe	wilcac.exe
File created	C:\Windows\SysWOW64\wkxhqcbyj.exe	wvuofo.exe
File created	C:\Windows\SysWOW64\wcffn.exe	wcqa.exe
File created	C:\Windows\SysWOW64\wdisnr.exe	wwkhgl.exe
File created	C:\Windows\SysWOW64\wwquef.exe	wlah.exe
File opened for modification	C:\Windows\SysWOW64\wkwnkog.exe	whyy.exe
File created	C:\Windows\SysWOW64\wnwsbh.exe	wcffn.exe
File opened for modification	C:\Windows\SysWOW64\wakddxd.exe	wmbg.exe
File opened for modification	C:\Windows\SysWOW64\wqphqgmfq.exe	wexuvvwsf.exe
File opened for modification	C:\Windows\SysWOW64\wbqdxod.exe	wivycl.exe
File opened for modification	C:\Windows\SysWOW64\wvuofo.exe	wlnh.exe
File created	C:\Windows\SysWOW64\wdokadn.exe	wqtop.exe
File opened for modification	C:\Windows\SysWOW64\wcqa.exe	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\wxiebtkd.exe	wgveroyq.exe
File created	C:\Windows\SysWOW64\wqphqgmfq.exe	wexuvvwsf.exe
File opened for modification	C:\Windows\SysWOW64\wgveroyq.exe	wnwsbh.exe
File opened for modification	C:\Windows\SysWOW64\wlkbjptn.exe	wkxhqcbyj.exe
File opened for modification	C:\Windows\SysWOW64\wpkau.exe	wkwnkog.exe
File opened for modification	C:\Windows\SysWOW64\wlwnaq.exe	wjlthcjx.exe
File created	C:\Windows\SysWOW64\wccqv.exe	wjvray.exe
File created	C:\Windows\SysWOW64\wwkhgl.exe	wqphqgmfq.exe
File opened for modification	C:\Windows\SysWOW64\wkxhqcbyj.exe	wvuofo.exe
File created	C:\Windows\SysWOW64\wlkbjptn.exe	wkxhqcbyj.exe
File opened for modification	C:\Windows\SysWOW64\wbqpfgu.exe	wlkbjptn.exe
File created	C:\Windows\SysWOW64\wxhu.exe	wjbrx.exe
File opened for modification	C:\Windows\SysWOW64\waafl.exe	wxowmpelh.exe
File opened for modification	C:\Windows\SysWOW64\wjvray.exe	wpew.exe
File opened for modification	C:\Windows\SysWOW64\whel.exe	woecd.exe
File created	C:\Windows\SysWOW64\wbpgr.exe	whuduirg.exe
File opened for modification	C:\Windows\SysWOW64\whhtl.exe	wikmt.exe
File opened for modification	C:\Windows\SysWOW64\wcobsiuq.exe	wriuej.exe
File created	C:\Windows\SysWOW64\wvgyynys.exe	wouuj.exe
File opened for modification	C:\Windows\SysWOW64\wxjkh.exe	wvffu.exe
File created	C:\Windows\SysWOW64\wgveroyq.exe	wnwsbh.exe
File opened for modification	C:\Windows\SysWOW64\wccqv.exe	wjvray.exe
File created	C:\Windows\SysWOW64\wmnrub.exe	wcobsiuq.exe
File opened for modification	C:\Windows\SysWOW64\wvgyynys.exe	wouuj.exe
File opened for modification	C:\Windows\SysWOW64\wne.exe	wpkau.exe
File created	C:\Windows\SysWOW64\wpew.exe	wlwnaq.exe
File opened for modification	C:\Windows\SysWOW64\wrtdr.exe	wbmds.exe
File created	C:\Windows\SysWOW64\wioq.exe	wxwy.exe
File created	C:\Windows\SysWOW64\wsixjnkg.exe	wbqpfgu.exe
File opened for modification	C:\Windows\SysWOW64\wouuj.exe	wsixjnkg.exe
File created	C:\Windows\SysWOW64\wpkau.exe	wkwnkog.exe
File opened for modification	C:\Windows\SysWOW64\wxcay.exe	wbqdxod.exe
File opened for modification	C:\Windows\SysWOW64\wxhu.exe	wjbrx.exe
File created	C:\Windows\SysWOW64\wblcoff.exe	wne.exe
File opened for modification	C:\Windows\SysWOW64\wqtop.exe	wxjkh.exe
File opened for modification	C:\Windows\SysWOW64\wntixf.exe	wjlyb.exe
File created	C:\Windows\SysWOW64\wonjeo.exe	waafl.exe
File created	C:\Windows\SysWOW64\woecd.exe	wdisnr.exe
File created	C:\Windows\SysWOW64\wlnh.exe	wubhhjt.exe
File opened for modification	C:\Windows\SysWOW64\whyy.exe	wspbldj.exe
File opened for modification	C:\Windows\SysWOW64\wcffn.exe	wcqa.exe
File created	C:\Windows\SysWOW64\wjlthcjx.exe	wioq.exe
File created	C:\Windows\SysWOW64\whel.exe	woecd.exe
File created	C:\Windows\SysWOW64\wrtdr.exe	wbmds.exe
File opened for modification	C:\Windows\SysWOW64\wmnrub.exe	wcobsiuq.exe
File opened for modification	C:\Windows\SysWOW64\wlnh.exe	wubhhjt.exe
File opened for modification	C:\Windows\SysWOW64\wjbrx.exe	wvgyynys.exe
File opened for modification	C:\Windows\SysWOW64\wwquef.exe	wlah.exe
File created	C:\Windows\SysWOW64\wlsdlhhs.exe	wbpgr.exe
File opened for modification	C:\Windows\SysWOW64\wioq.exe	wxwy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4864	2396	WerFault.exe	96
4196	2508	WerFault.exe	99
3040	4448	WerFault.exe	106
4912	1664	WerFault.exe	118
1968	3588	WerFault.exe	141
4152	4652	WerFault.exe	171
3024	4816	WerFault.exe	200
2172	4744	WerFault.exe	244
4328	5048	WerFault.exe	288

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 5036	652	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe	85
PID 652 wrote to memory of 5036	652	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe	85
PID 652 wrote to memory of 5036	652	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe	85
PID 652 wrote to memory of 4596	652	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe	87
PID 652 wrote to memory of 4596	652	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe	87
PID 652 wrote to memory of 4596	652	d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe	87
PID 5036 wrote to memory of 4536	5036	wcqa.exe	91
PID 5036 wrote to memory of 4536	5036	wcqa.exe	91
PID 5036 wrote to memory of 4536	5036	wcqa.exe	91
PID 5036 wrote to memory of 1464	5036	wcqa.exe	92
PID 5036 wrote to memory of 1464	5036	wcqa.exe	92
PID 5036 wrote to memory of 1464	5036	wcqa.exe	92
PID 4536 wrote to memory of 2396	4536	wcffn.exe	96
PID 4536 wrote to memory of 2396	4536	wcffn.exe	96
PID 4536 wrote to memory of 2396	4536	wcffn.exe	96
PID 4536 wrote to memory of 3052	4536	wcffn.exe	97
PID 4536 wrote to memory of 3052	4536	wcffn.exe	97
PID 4536 wrote to memory of 3052	4536	wcffn.exe	97
PID 2396 wrote to memory of 2508	2396	wnwsbh.exe	99
PID 2396 wrote to memory of 2508	2396	wnwsbh.exe	99
PID 2396 wrote to memory of 2508	2396	wnwsbh.exe	99
PID 2396 wrote to memory of 1612	2396	wnwsbh.exe	100
PID 2396 wrote to memory of 1612	2396	wnwsbh.exe	100
PID 2396 wrote to memory of 1612	2396	wnwsbh.exe	100
PID 2508 wrote to memory of 4448	2508	wgveroyq.exe	106
PID 2508 wrote to memory of 4448	2508	wgveroyq.exe	106
PID 2508 wrote to memory of 4448	2508	wgveroyq.exe	106
PID 2508 wrote to memory of 4064	2508	wgveroyq.exe	107
PID 2508 wrote to memory of 4064	2508	wgveroyq.exe	107
PID 2508 wrote to memory of 4064	2508	wgveroyq.exe	107
PID 4448 wrote to memory of 4520	4448	wxiebtkd.exe	111
PID 4448 wrote to memory of 4520	4448	wxiebtkd.exe	111
PID 4448 wrote to memory of 4520	4448	wxiebtkd.exe	111
PID 4448 wrote to memory of 1384	4448	wxiebtkd.exe	112
PID 4448 wrote to memory of 1384	4448	wxiebtkd.exe	112
PID 4448 wrote to memory of 1384	4448	wxiebtkd.exe	112
PID 1664 wrote to memory of 3980	1664	whuduirg.exe	121
PID 1664 wrote to memory of 3980	1664	whuduirg.exe	121
PID 1664 wrote to memory of 3980	1664	whuduirg.exe	121
PID 1664 wrote to memory of 3732	1664	whuduirg.exe	122
PID 1664 wrote to memory of 3732	1664	whuduirg.exe	122
PID 1664 wrote to memory of 3732	1664	whuduirg.exe	122
PID 3980 wrote to memory of 4692	3980	wbpgr.exe	126
PID 3980 wrote to memory of 4692	3980	wbpgr.exe	126
PID 3980 wrote to memory of 4692	3980	wbpgr.exe	126
PID 3980 wrote to memory of 4464	3980	wbpgr.exe	127
PID 3980 wrote to memory of 4464	3980	wbpgr.exe	127
PID 3980 wrote to memory of 4464	3980	wbpgr.exe	127
PID 4692 wrote to memory of 4948	4692	wlsdlhhs.exe	129
PID 4692 wrote to memory of 4948	4692	wlsdlhhs.exe	129
PID 4692 wrote to memory of 4948	4692	wlsdlhhs.exe	129
PID 4692 wrote to memory of 3720	4692	wlsdlhhs.exe	130
PID 4692 wrote to memory of 3720	4692	wlsdlhhs.exe	130
PID 4692 wrote to memory of 3720	4692	wlsdlhhs.exe	130
PID 4948 wrote to memory of 1164	4948	wilcac.exe	132
PID 4948 wrote to memory of 1164	4948	wilcac.exe	132
PID 4948 wrote to memory of 1164	4948	wilcac.exe	132
PID 4948 wrote to memory of 5108	4948	wilcac.exe	133
PID 4948 wrote to memory of 5108	4948	wilcac.exe	133
PID 4948 wrote to memory of 5108	4948	wilcac.exe	133
PID 1164 wrote to memory of 4196	1164	wxowmpelh.exe	135
PID 1164 wrote to memory of 4196	1164	wxowmpelh.exe	135
PID 1164 wrote to memory of 4196	1164	wxowmpelh.exe	135
PID 1164 wrote to memory of 3524	1164	wxowmpelh.exe	136

C:\Users\Admin\AppData\Local\Temp\d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SysWOW64\wcqa.exe
  "C:\Windows\system32\wcqa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\wcffn.exe
    "C:\Windows\system32\wcffn.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\wnwsbh.exe
      "C:\Windows\system32\wnwsbh.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\wgveroyq.exe
        
        "C:\Windows\system32\wgveroyq.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\wxiebtkd.exe
        
        "C:\Windows\system32\wxiebtkd.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\wtnbp.exe
        
        "C:\Windows\system32\wtnbp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4520
        
        C:\Windows\SysWOW64\whuduirg.exe
        
        "C:\Windows\system32\whuduirg.exe"
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\wbpgr.exe
        
        "C:\Windows\system32\wbpgr.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\wlsdlhhs.exe
        
        "C:\Windows\system32\wlsdlhhs.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\wilcac.exe
        
        "C:\Windows\system32\wilcac.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\wxowmpelh.exe
        
        "C:\Windows\system32\wxowmpelh.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\waafl.exe
        
        "C:\Windows\system32\waafl.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\wonjeo.exe
        
        "C:\Windows\system32\wonjeo.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4816
        
        C:\Windows\SysWOW64\wmbg.exe
        
        "C:\Windows\system32\wmbg.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\wakddxd.exe
        
        "C:\Windows\system32\wakddxd.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5024
        
        C:\Windows\SysWOW64\wxwy.exe
        
        "C:\Windows\system32\wxwy.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\wioq.exe
        
        "C:\Windows\system32\wioq.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\wjlthcjx.exe
        
        "C:\Windows\system32\wjlthcjx.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\wlwnaq.exe
        
        "C:\Windows\system32\wlwnaq.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\wpew.exe
        
        "C:\Windows\system32\wpew.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\wjvray.exe
        
        "C:\Windows\system32\wjvray.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\wccqv.exe
        
        "C:\Windows\system32\wccqv.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3216
        
        C:\Windows\SysWOW64\wexuvvwsf.exe
        
        "C:\Windows\system32\wexuvvwsf.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\wqphqgmfq.exe
        
        "C:\Windows\system32\wqphqgmfq.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\wwkhgl.exe
        
        "C:\Windows\system32\wwkhgl.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\wdisnr.exe
        
        "C:\Windows\system32\wdisnr.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\woecd.exe
        
        "C:\Windows\system32\woecd.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\whel.exe
        
        "C:\Windows\system32\whel.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1592
        
        C:\Windows\SysWOW64\wbmds.exe
        
        "C:\Windows\system32\wbmds.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\wrtdr.exe
        
        "C:\Windows\system32\wrtdr.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2424
        
        C:\Windows\SysWOW64\wikmt.exe
        
        "C:\Windows\system32\wikmt.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\whhtl.exe
        
        "C:\Windows\system32\whhtl.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4816
        
        C:\Windows\SysWOW64\wilyxlljs.exe
        
        "C:\Windows\system32\wilyxlljs.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:836
        
        C:\Windows\SysWOW64\wriuej.exe
        
        "C:\Windows\system32\wriuej.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\wcobsiuq.exe
        
        "C:\Windows\system32\wcobsiuq.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\wmnrub.exe
        
        "C:\Windows\system32\wmnrub.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1160
        
        C:\Windows\SysWOW64\wjlyb.exe
        
        "C:\Windows\system32\wjlyb.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\wntixf.exe
        
        "C:\Windows\system32\wntixf.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4100
        
        C:\Windows\SysWOW64\wivycl.exe
        
        "C:\Windows\system32\wivycl.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\wbqdxod.exe
        
        "C:\Windows\system32\wbqdxod.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\wxcay.exe
        
        "C:\Windows\system32\wxcay.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1792
        
        C:\Windows\SysWOW64\wubhhjt.exe
        
        "C:\Windows\system32\wubhhjt.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wlnh.exe
        
        "C:\Windows\system32\wlnh.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\wvuofo.exe
        
        "C:\Windows\system32\wvuofo.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\wkxhqcbyj.exe
        
        "C:\Windows\system32\wkxhqcbyj.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\wlkbjptn.exe
        
        "C:\Windows\system32\wlkbjptn.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\wbqpfgu.exe
        
        "C:\Windows\system32\wbqpfgu.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\wsixjnkg.exe
        
        "C:\Windows\system32\wsixjnkg.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\wouuj.exe
        
        "C:\Windows\system32\wouuj.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\wvgyynys.exe
        
        "C:\Windows\system32\wvgyynys.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\wjbrx.exe
        
        "C:\Windows\system32\wjbrx.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\wxhu.exe
        
        "C:\Windows\system32\wxhu.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4324
        
        C:\Windows\SysWOW64\wlah.exe
        
        "C:\Windows\system32\wlah.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\wwquef.exe
        
        "C:\Windows\system32\wwquef.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4836
        
        C:\Windows\SysWOW64\wspbldj.exe
        
        "C:\Windows\system32\wspbldj.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\whyy.exe
        
        "C:\Windows\system32\whyy.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\wkwnkog.exe
        
        "C:\Windows\system32\wkwnkog.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\wpkau.exe
        
        "C:\Windows\system32\wpkau.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\wne.exe
        
        "C:\Windows\system32\wne.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\wblcoff.exe
        
        "C:\Windows\system32\wblcoff.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5048
        
        C:\Windows\SysWOW64\wvffu.exe
        
        "C:\Windows\system32\wvffu.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\wxjkh.exe
        
        "C:\Windows\system32\wxjkh.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\wqtop.exe
        
        "C:\Windows\system32\wqtop.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\wdokadn.exe
        
        "C:\Windows\system32\wdokadn.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtop.exe"
        65⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjkh.exe"
        64⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvffu.exe"
        63⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblcoff.exe"
        62⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1372
        62⤵
        Program crash
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wne.exe"
        61⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpkau.exe"
        60⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwnkog.exe"
        59⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whyy.exe"
        58⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspbldj.exe"
        57⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwquef.exe"
        56⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlah.exe"
        55⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhu.exe"
        54⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbrx.exe"
        53⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgyynys.exe"
        52⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wouuj.exe"
        51⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsixjnkg.exe"
        50⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqpfgu.exe"
        49⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkbjptn.exe"
        48⤵
        
        PID:436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1684
        48⤵
        Program crash
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxhqcbyj.exe"
        47⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuofo.exe"
        46⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnh.exe"
        45⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubhhjt.exe"
        44⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcay.exe"
        43⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqdxod.exe"
        42⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivycl.exe"
        41⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntixf.exe"
        40⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlyb.exe"
        39⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnrub.exe"
        38⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcobsiuq.exe"
        37⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriuej.exe"
        36⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wilyxlljs.exe"
        35⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhtl.exe"
        34⤵
        
        PID:736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 748
        34⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikmt.exe"
        33⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtdr.exe"
        32⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmds.exe"
        31⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whel.exe"
        30⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woecd.exe"
        29⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdisnr.exe"
        28⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkhgl.exe"
        27⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqphqgmfq.exe"
        26⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexuvvwsf.exe"
        25⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1280
        25⤵
        Program crash
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccqv.exe"
        24⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvray.exe"
        23⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpew.exe"
        22⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwnaq.exe"
        21⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlthcjx.exe"
        20⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioq.exe"
        19⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwy.exe"
        18⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakddxd.exe"
        17⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbg.exe"
        16⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1328
        16⤵
        Program crash
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonjeo.exe"
        15⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waafl.exe"
        14⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxowmpelh.exe"
        13⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wilcac.exe"
        12⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsdlhhs.exe"
        11⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpgr.exe"
        10⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whuduirg.exe"
        9⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1560
        9⤵
        Program crash
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnbp.exe"
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxiebtkd.exe"
        7⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1448
        7⤵
        Program crash
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgveroyq.exe"
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1476
        6⤵
        Program crash
        
        PID:4196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwsbh.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1344
        5⤵
        Program crash
        
        PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcffn.exe"
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqa.exe"
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d0ab657acba3d2a1c109378013a75260_NeikiAnalytics.exe"
  2⤵
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2396 -ip 2396
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2508 -ip 2508
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4448 -ip 4448
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1664 -ip 1664
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3588 -ip 3588
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4652 -ip 4652
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4816 -ip 4816
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4744 -ip 4744
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5048 -ip 5048
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waafl.exe

Filesize
94KB

MD5
1e00f61b701340fbdd5adeafbc2a0af5

SHA1
d6b41fc1ff6239c6a86a3ff30a8eddcad84989e8

SHA256
91af5b1c2fed0265bc771dcd30f8c32e00b04bd3842ff2189cc1005a9826f36c

SHA512
79917bdb6227adb999faf26f4529c875b22dc4ff6fb56e99deb1a26a584da7391846d9c88fce0603783ab73d97fcf4a3d48053f97bb1b73b76659d3dfb6c1fb8

Download Submit
C:\Windows\SysWOW64\wakddxd.exe

Filesize
94KB

MD5
e83b2aec91749d5ea711b0ce98c4cfa2

SHA1
10f7fa8a3124901a3450805f41db53d868a4a89f

SHA256
de592946b30c8d44ebc75fa7c14325b3b69de1133292715e20b78a15f0304b75

SHA512
a21ac545b6aa5b2a41d7ce41ba78d20a53dcadc874177a421b031b53fc708193836d3998097ee29dd82f0fd0fa353a05d751bbe86108de2fd73bb1f489de120d

Download Submit
C:\Windows\SysWOW64\wbmds.exe

Filesize
94KB

MD5
9f831fd0cbeb0cd29927b4adf8b17c0b

SHA1
f4235bb7c9d9f82be7fb6258806ac2be156f4dc5

SHA256
76913132ea5b81f965b2a039a5b8e617345bfadf8cf4fc0990ee96c7b78932ba

SHA512
920ecca241253fe40d1f3aa3690cdcfd00018a15da9bc323029ce73345af46d0f56a28a592ce4c5c315dc10ac8e0c914e9bccf81b960a531be5c23e65f57d6a0

Download Submit
C:\Windows\SysWOW64\wbpgr.exe

Filesize
94KB

MD5
933598d053aa27364f27c5304a3ca0cf

SHA1
379956013a580a86f7424c1c36e607f7f84ffa0e

SHA256
7ec8cabefd81e6bc47675eac52f12e6a992de69fe1276f274565ad69a1a1d671

SHA512
ee0c2cc512766eb8c63654a0fda37287193025cd1b4d9b8d8ccb3afb34d44d07fb7d51fda55f688974076eb4200d63e25620a22fcdffe60f92e9628536639e7a

Download Submit
C:\Windows\SysWOW64\wccqv.exe

Filesize
94KB

MD5
f58bf4095de3f453bfe30fa814c63e7c

SHA1
3e1d417d78270db756182ccdef30f1f752dd9aa5

SHA256
76d1b474f21175c5373aff6b7e96aa394de892e75002f7731c6fdbcf64a55afc

SHA512
e44c652f34b969eb5edee697d701a5dbc2f9e878b618172508765f172ff7b352b850176f0deafd901fa8461ded3b56d976beb38d53ec13cd893a1281eb1cbe83

Download Submit
C:\Windows\SysWOW64\wcffn.exe

Filesize
93KB

MD5
4a661f4bc70b66c21876f823c8dc154f

SHA1
8015d2a697d045cc022caea2fd1ab5c8f3bd2408

SHA256
c4acd0442bceff59a1c348720ac574c28c3ae2d970ef3eecce930c14f5ccae45

SHA512
61dbbc21b4ef5edddb2fff6961044a8a99fce02ebc2d4db7efb1e868e2640475b9b672fe9a092d0e43d9578ae1d261de044d725a19433e8b198f713aa2683a62

Download Submit
C:\Windows\SysWOW64\wcqa.exe

Filesize
93KB

MD5
62e7447353793d53203b4858d6308472

SHA1
5560b25b0a650bd510e08bd067514acd01fde341

SHA256
43cc983431c4f4d70088db99bf7501a16cf07814e82914cd22d0321c1e69b7d8

SHA512
a9772ef4b06819264c3ee837b2ea8242b50c6fb6a9d59958f612c70ad62ec7b16f7c0260dde4e283b998b0159715bd2a5d3c42a2e1813806b1b095b1d040314e

Download Submit
C:\Windows\SysWOW64\wdisnr.exe

Filesize
94KB

MD5
522ef6e4fcddc35c933e77e674537bf1

SHA1
c48cb5b14a3abce598618abeeb71e429b6acb390

SHA256
62a43aef3ee2c9d6fe3b00c0913a77a2d87f27917c3e4f6923b229fb2e24839b

SHA512
c703eb410d914f7ab1a4067619bf933ef5294610fd26ddb15227d0ffe1af3fec0c7b0cf91c286477ffed7f8a9e82a96f803c6b0ac3f7d10bca970e09390dd01d

Download Submit
C:\Windows\SysWOW64\wexuvvwsf.exe

Filesize
94KB

MD5
de0c7dfbe9c9717aad1a1d23f73e4bf4

SHA1
fd041223b8e6b917d62d92afb7f7996595b90ac2

SHA256
793aee8b5892d367b403e8a8305de0223048fe503a3c97fbcd49d13038895f22

SHA512
d322cad82c7bf607fc808be69b0d74734ec1ad57730d083d42b2e7d4c450ea420307413e3c7fc35bfd411e90ff8a4ca60149a169eecc9686a874cbcc5e0dcbb0

Download Submit
C:\Windows\SysWOW64\wgveroyq.exe

Filesize
94KB

MD5
f1772370cced63ad2b260a7d77b6ec83

SHA1
93ae0aea8ce1cbbca0b48aa006f2129e3b131b6d

SHA256
2e6c8bc3005a1408f27444367afff964672b56d8f6604c281ce7ca61df6f982b

SHA512
91a00bf56134145538b01150d5aa8d1ba5a8a6eb3fa25d10237a62b7ac5e891a062784bd8f8ee25ac763e4110d2a801031c6d336689687e53dcfc00db0223765

Download Submit
C:\Windows\SysWOW64\whel.exe

Filesize
94KB

MD5
fdd20eca537c2143a0ac734c7a720fb7

SHA1
90680b1dce724fc30b53a53cb0b6f6c9531d2676

SHA256
3c5b71ac567fd5289b5a935c464bf4f12998959a957aaf6374526286d3821f9e

SHA512
d4e52aedfde1fef07b7f1b96fa5caa7179b2e5461158486ab8ff37f4fbc10e97fa6330df5a1ffd5ac743231405a5431c3926cf83c16996e14d260077222f29fe

Download Submit
C:\Windows\SysWOW64\whhtl.exe

Filesize
94KB

MD5
7ae16748901744ef5eac0fdb4c1212c7

SHA1
2bc757434887b2d5f1fa9f963091fa0ac1158397

SHA256
20a9bf7ff88b0ca4a6ff252d664a0a8741fc1f9bf5d22a328d4b1b51b794368c

SHA512
b195edf98273642c190278ed280f71205def04f7bafa2f753d2a447607f79724fe2191a3fb8f49427bfcca8bf71a3f8578e921cdc9287d34aa59129252c24978

Download Submit
C:\Windows\SysWOW64\wikmt.exe

Filesize
94KB

MD5
64665ff6d119653dc20b512c051217ba

SHA1
fc66b98e439f5acb1f59d1993755a7bc1741637c

SHA256
cd4fc278c48f01d0254c9b3b01cb9b358549b0cb7c5bb289a92ada07b816b649

SHA512
81fac4195ac81c4be3ba176cf371ca53275c39a5a9b2b29df6d43a77996f8805c4646e7334e4a5e5ab47d6bc6abedec6aa10516b7ab3e46e39a70a3d285b4a38

Download Submit
C:\Windows\SysWOW64\wilcac.exe

Filesize
94KB

MD5
b46f19992443df4932008b0f7ab0029b

SHA1
a82ef41bf3d14f943f66c79d23fbec83f8b1bf9b

SHA256
fbf27f057117ed487e09c46f55619394cf6412236bd8394b96e9d5092da6e879

SHA512
5735513760af180bc2aa6da632f95650a621b6151ab3069bf798ce10d37b801a6aa558d7fcb0492e57482f2295abdfaa4f9db6bf759d92323895229efda72848

Download Submit
C:\Windows\SysWOW64\wilyxlljs.exe

Filesize
94KB

MD5
acca003967b547d095ab8f05644d61d1

SHA1
19cc5e58f197c24ea286904da07a98cd6eca156e

SHA256
ad181c678c7bf58aacd57946eec870915b440a958dc958c28f0f7be0eb79ca18

SHA512
4f472402b407ef795c635837e8fd2210eabc987aa2fbf7880efbe975ae987c77a8c8175769f2a07e6347e51fc55ba1394f2b664db0927d28aea3c48524314668

Download Submit
C:\Windows\SysWOW64\wioq.exe

Filesize
94KB

MD5
05f34163d3f15f8e117f2ab0ab4b0a64

SHA1
241c38fc58d91082c63050c397e0d12af698430f

SHA256
ff321c2ed18c649e6476fe5fb9f5903496564cc98b3a8f79a8b0dda3d10fe48d

SHA512
f5f56fd52fba16fa8f418690fbbb62becbbbf2c1b00e293c6532e87caca72f888251c4216e20abc30937e1e6755871d1e29408d4727c47724e16e773871cb7b9

Download Submit
C:\Windows\SysWOW64\wjlthcjx.exe

Filesize
94KB

MD5
ba0961de90a13c45fc820b8bdd9a1d83

SHA1
30104cddaab72174107964f7c3166d07037af6b0

SHA256
e8875aae1956ff08212373b2a86d7832fd48e5396a9026c1fda9cea6da906934

SHA512
0d50fa5cd4990ade30f87a6ff467d903f44ecd8cfe588e8bbab27ac46e4e7776df1f54e7e2b09c7ff83c97edfae38308070454ee1fccbd49a729256cf5f52d95

Download Submit
C:\Windows\SysWOW64\wjvray.exe

Filesize
94KB

MD5
819d5a203c0ea4c5925b1210e8df8eab

SHA1
d940acb7904de18d96a3a0b9986479f85a5d6a3f

SHA256
cdd1e3c38ff2c37da9c66c72ecbc081583e9d048f4277d2c269fe30e9135f59f

SHA512
0f0d20a6b95bd001c119b4962737bf6d71f375fe8e9360197883bf9d108c10812ca339c155c691e67bb64fda918c959ec1e35544fe31cecd8538ee8ff7e6484e

Download Submit
C:\Windows\SysWOW64\wlsdlhhs.exe

Filesize
94KB

MD5
684bc29159a1551ed6f29f6df94c1bd0

SHA1
31bebe34d2fe663dddf791d1fa38ca476687ab30

SHA256
aa940c7090db511138486ec982ba6d1b1ef7b562bf4c3e2e24cef44e731da93c

SHA512
6c9ebeb909dc7e77021cc6ab6c54373d3d4c8a26dbd2e996b346913f8dae14ab2258d95060e91a6e67d8c572a6178a9d59be7f87a32679b3d21c219fcfb68f9d

Download Submit
C:\Windows\SysWOW64\wlwnaq.exe

Filesize
94KB

MD5
9997faab091b7dd7227f28e7c33ddc28

SHA1
d1aeaeac2723b9b0a69c98af56884105ddc9bdc7

SHA256
ba91a5ded7bb1a41d605b4244eb35a831703f33a2dbde07c173e55d1921e308c

SHA512
4ced4dc4ef596917c24659570a71f10134792616801211cfabf499a356667fea21e0bfe0f60cdd5082b9f35d79ab3026ffe36fc716f683998876a9f2b632cdfb

Download Submit
C:\Windows\SysWOW64\wmbg.exe

Filesize
94KB

MD5
6cad7e84e741ce2b0cd62bd9b82725bb

SHA1
c551c4edcdd15d1d622e7252b81ea3db772a27b3

SHA256
b055d487d7410702a6e77a7b47208637303503f182c9ebca73d3ad4332398bdd

SHA512
0f9d37c6e194915e7d1daaf97c1a6dbc42537a7e651b6504b2036721b2b924313b5b3e204a17a52ad173292bcae2bebf99af73f50a1c282d759d91a250f703b1

Download Submit
C:\Windows\SysWOW64\wnwsbh.exe

Filesize
93KB

MD5
bc2a969ecd14cd4568afdd1dc3d06a4a

SHA1
3bcb5e40639d185e234fe740b708655dd56722fc

SHA256
edd0bb5a76a3787b905bb0ed69be875f256bbed17a0be126614664335f66e625

SHA512
d626c9013170bd73c97cbf7e291b4c1ade79476004dba6b8ba5f99f4b199625b5b43e9f34de2478b647d2bb4f646092d0da4d86807a7fef4f81bac92099678db

Download Submit
C:\Windows\SysWOW64\woecd.exe

Filesize
94KB

MD5
16fc8e682ce2189f50e31eda96b65de3

SHA1
5a00fd6e1a9125dd695f1a9c73156efc9db612f8

SHA256
e7f2789892b0fa24d98957cd7266dd23c6c8952044376bc13dbbcccbcc75fe9a

SHA512
b9b6a7f6fb6565cbe0b108737fd7d9e8368e20813e5226594e4a344222ebbae2d12c52795b00706320147bd0b3a7ac9209ebc3a8fa1666e65747703443c9e8aa

Download Submit
C:\Windows\SysWOW64\wonjeo.exe

Filesize
94KB

MD5
770113d3d0b34ed3650d45a5952cb5bc

SHA1
b30f1ac8735bd68c873f81cddbe23ba1560d8e9f

SHA256
1f8b488aac7ef0fa929db05c8ec28c885d62a6dac33c5ddf1fe3272e9797f3d4

SHA512
b6d0290bf8410ac6017bdcfc820cc86b3a29c2cdbbf1e195fdaa98bd24db4b8724c1ef4eae2373e6a1700243a83e801830e40cc3e9b301ffd7d609f3b4970b68

Download Submit
C:\Windows\SysWOW64\wpew.exe

Filesize
94KB

MD5
7c4853dd645b305a08894e83c8ca8791

SHA1
51d06109871f217c25b29cf54c8144c9bc7f5c40

SHA256
10db4328f4ff43421522437a394de8bbdf20cc203eb3cde9e63a5127e5afb67c

SHA512
6d59593b4799094524aafffd82761ffaa7d9b6588c7e0b4656230353468eff6cfa89cb2cd15a67832bfaad29f2ac30632fa4660d3652064560579d457ca3e512

Download Submit
C:\Windows\SysWOW64\wqphqgmfq.exe

Filesize
94KB

MD5
61b9fe7f2a4bab3ce46403ffe001fb2e

SHA1
3add0b5ed13374b8049341d1be781822e4e976f1

SHA256
bc9591973c3fb9871ada1ce0288df494cb3bc281a507c5a3a7b48aafeb87a7ae

SHA512
e1cfac5dc220c02cf6580137190fe9c66502d64d71f3617f470d10cf96cf3f4af3e3a0c8fdce4dceb79f303b694baa6b9b023ce3314981a8f7200d9ec562117b

Download Submit
C:\Windows\SysWOW64\wrtdr.exe

Filesize
94KB

MD5
615637d83c225d56adf3f791220f5b49

SHA1
8503523295a32bd2d8218d49fd45177c76e6a857

SHA256
cf772a3d10ed2b44a544ceaec5dcaf96d844b5271494c1e7724c2be875650d5c

SHA512
9eabd6b3fbe5774a8d345db7cbcff66c73325087e6cf32d7fe9c420981a5e0162a643457d7d7af299ec2b9c3825a6bebcb92ceecfcff4ac8daa9de6cf7245aba

Download Submit
C:\Windows\SysWOW64\wtnbp.exe

Filesize
94KB

MD5
39950f2ed611fdeec32f485bbe6361f1

SHA1
2597c6454ad7fbd45901560c7e88af49742c28b4

SHA256
5ae354967954c960d3f240eca71def7e2898cd50a5265891fcd08a6ec33a33c8

SHA512
f3b4fcbef82642b97a75f6eceb6b26bc66187e60b435115fc33273d5134a0576cf6479c3d56cc6c28be774f0fddb7359fecf4683248c6aacb380c35c8f9416b8

Download Submit
C:\Windows\SysWOW64\wwkhgl.exe

Filesize
94KB

MD5
d3c159d207c774484ea2ce7175126ef9

SHA1
dfa3f910605c4eceeb8594b404daa10755cbe614

SHA256
3ea238873455e106380a8d84f0962a91f341ba170a20b35e5430ab0c5dad38d4

SHA512
b3ed409c85914afe6ee03a9f86aac0cc2efcbd5640f1111fb686bdd1f791666dbd93f71c98833ec37f3be7813b886b1f20756251621a1d965ae465a0edaa0bea

Download Submit
C:\Windows\SysWOW64\wxiebtkd.exe

Filesize
94KB

MD5
3510c8b6998f128991d87887f3e82cfb

SHA1
e3bf7d1bad7cae57737a3f757f842175264aa433

SHA256
668bc817b64a895372456e88d66c97b71a25ae4289b5c1a5a68dceef7fbf0f99

SHA512
e2c60ba49ae3bfc8e1f122d50a493d019f27cd28a509320af08eef08d7edf85375451d9a245d8dee6317a36e8c0cd6cd111a9b4819f95cc9fa86fc54aac4f7df

Download Submit
C:\Windows\SysWOW64\wxowmpelh.exe

Filesize
94KB

MD5
c4db42011a18ebb5c4b0ded0a251ce60

SHA1
6af8bd99a9d97e43f28102f34fd16e60a8110c08

SHA256
fed4bc6b8b84ab37e7c7d1f2d0ac2246c9e5eb5ed2b74be0b0fb8ad8ab959836

SHA512
9a5ab80541292981d112441225dbe9ad2c7c30d6146fa49b4cc0e031552e134ef1607f7c0ccfc9aac8d6d9d59af159350c453579f6ba0f976377fd877325283d

Download Submit
C:\Windows\SysWOW64\wxwy.exe

Filesize
94KB

MD5
7754e31b163304a0e8764844d5670bb9

SHA1
3a0532754bf529405095514c85e871fe9083fa15

SHA256
aa8f3d9f97e594695167781436222f389003572a4f113c692df898422a90c7b4

SHA512
67b74ab9a89e77a5710072d4900cb5fef7c864e4d5c65e6675296b41f343f9cdd09317e6cb4925acd7fdd57c6705cfd2cc77ac13999efcb28c01186e175c04ef

Download Submit
memory/548-492-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/652-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/652-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-341-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-527-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-518-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1004-468-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1004-476-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1160-366-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1164-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1312-595-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1500-578-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1588-209-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1592-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1592-293-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1664-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1664-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1792-409-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1792-400-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1800-176-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1800-188-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1936-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1936-272-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2216-467-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2216-458-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2368-283-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2368-271-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2392-561-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2396-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2396-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2404-526-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2404-535-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2404-165-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2404-177-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2424-313-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2432-239-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2432-250-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2508-52-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2584-303-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2752-401-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2752-391-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2968-418-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3032-357-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3052-426-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3052-417-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3216-229-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3248-219-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3248-208-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3336-392-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3588-145-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3592-596-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3592-586-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3696-552-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3708-536-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3708-544-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3720-261-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3864-484-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3980-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4100-383-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4100-374-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4112-198-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4112-187-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4196-124-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4200-442-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4220-349-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4324-500-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4448-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4464-166-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4520-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4524-577-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4524-587-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4536-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4536-434-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4652-240-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4692-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4720-508-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4732-459-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4744-450-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4816-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4816-333-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4836-517-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4836-509-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4948-104-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4980-365-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4980-375-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5024-155-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5024-144-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5036-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5036-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5048-560-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5048-569-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5064-323-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads