b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
Size

89KB
MD5

c3b6b8f73d1193fda400f7c9d557fe92
SHA1

1d17f4ac02cd999d3a0caa73db0aa6c1c83af1ae
SHA256

b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b
SHA512

5eac84509b5adc34ec6a177da5268c1cc1bff7ec94f9d28539354bcc9552f76556c3891e33ac319f4b21d3b33456568f3635fc9332f4f7d1350ba37340b81a6c
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71PvJdsJG5:1eOLK7hNIMLrCiS4+PwRjY5xhEAXVvx

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnanxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqgmlibo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whybk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbjlrdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wimpdgwrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmnpdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqpuu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wypnyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wupsb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	woqxvae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	widgmsu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wirhevy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wclpoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjhjkin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsmuttp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnqgtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjixhro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnundq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wofkabn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wwptofs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	waxjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wewsvp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wglprk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wlwydhti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvjtuns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wrrxdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	weima.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wais.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wewquyyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgggya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbqdxod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wveb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	weuhxqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wfdjpuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	weygw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wtvvud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whcxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	waqqgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqnuya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wxxytqvl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wgbrihr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wanj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbncxmwsx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wjafirm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wspnn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wkkgn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wqrfxvpdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wguobqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wnwtrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wbcafla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmywwq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wvoeop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wntcky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wmloo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wdokadn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wojxcnwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	welitx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	whjjm.exe

Executes dropped EXE 64 IoCs

pid	Process
4672	wspnn.exe
340	wckkvf.exe
1476	wlwydhti.exe
912	wwrrdqpcf.exe
1184	wodyt.exe
3232	wanj.exe
3732	wnnlkm.exe
1832	welitx.exe
372	wimpdgwrt.exe
712	wfd.exe
1420	wvjtuns.exe
2384	wntcky.exe
3752	wnundq.exe
3316	wmloo.exe
4656	wnqgtx.exe
1256	wnqsl.exe
3828	wjixhro.exe
4168	woyvjao.exe
2604	wgoemid.exe
2476	wgggya.exe
2920	wofkabn.exe
3544	wkkgn.exe
208	wtvvud.exe
4920	wclpoc.exe
3972	wlwewfweq.exe
2304	whcxl.exe
1996	wxxqhp.exe
4572	wqrfxvpdj.exe
4692	wnxo.exe
2920	wmnpdj.exe
2944	wguobqy.exe
3500	wbncxmwsx.exe
2000	wfxunw.exe
712	woopiwv.exe
1192	wvad.exe
1804	wjafirm.exe
2172	wsn.exe
4392	wmimpukr.exe
340	wviqqv.exe
208	wnppnd.exe
1688	wwptofs.exe
3088	wbqdxod.exe
3648	wnanxh.exe
3316	wjhjkin.exe
4136	wqgmlibo.exe
3420	wfg.exe
4356	wrrxdt.exe
1568	wnwtrt.exe
3048	wirhevy.exe
4404	weima.exe
5016	waqqgy.exe
2080	wais.exe
2148	wewquyyn.exe
2624	whjjm.exe
4980	wveb.exe
4568	wvh.exe
224	weuhxqs.exe
2184	wqfsvk.exe
4244	wrwsi.exe
3716	wsmuttp.exe
3756	waxjc.exe
1464	wbcafla.exe
3320	wfdjpuj.exe
1348	wewsvp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wypnyy = "\"C:\\Windows\\SysWOW64\\wypnyy.exe\""	wypnyy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wojxcnwr = "\"C:\\Windows\\SysWOW64\\wojxcnwr.exe\""	wojxcnwr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjixhro = "\"C:\\Windows\\SysWOW64\\wjixhro.exe\""	wjixhro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvad = "\"C:\\Windows\\SysWOW64\\wvad.exe\""	wvad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlwydhti = "\"C:\\Windows\\SysWOW64\\wlwydhti.exe\""	wlwydhti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdokadn = "\"C:\\Windows\\SysWOW64\\wdokadn.exe\""	wdokadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvh = "\"C:\\Windows\\SysWOW64\\wvh.exe\""	wvh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wglprk = "\"C:\\Windows\\SysWOW64\\wglprk.exe\""	wglprk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtvvud = "\"C:\\Windows\\SysWOW64\\wtvvud.exe\""	wtvvud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wguobqy = "\"C:\\Windows\\SysWOW64\\wguobqy.exe\""	wguobqy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqrfxvpdj = "\"C:\\Windows\\SysWOW64\\wqrfxvpdj.exe\""	wqrfxvpdj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wws = "\"C:\\Windows\\SysWOW64\\wws.exe\""	wws.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwrrdqpcf = "\"C:\\Windows\\SysWOW64\\wwrrdqpcf.exe\""	wwrrdqpcf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgoemid = "\"C:\\Windows\\SysWOW64\\wgoemid.exe\""	wgoemid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgx = "\"C:\\Windows\\SysWOW64\\wgx.exe\""	wgx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjhjkin = "\"C:\\Windows\\SysWOW64\\wjhjkin.exe\""	wjhjkin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgrtu = "\"C:\\Windows\\SysWOW64\\wgrtu.exe\""	wgrtu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnqsl = "\"C:\\Windows\\SysWOW64\\wnqsl.exe\""	wnqsl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnanxh = "\"C:\\Windows\\SysWOW64\\wnanxh.exe\""	wnanxh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbvfqefyb = "\"C:\\Windows\\SysWOW64\\wbvfqefyb.exe\""	wbvfqefyb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsjp = "\"C:\\Windows\\SysWOW64\\wsjp.exe\""	wsjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgbrihr = "\"C:\\Windows\\SysWOW64\\wgbrihr.exe\""	wgbrihr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnqgtx = "\"C:\\Windows\\SysWOW64\\wnqgtx.exe\""	wnqgtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtkbvnf = "\"C:\\Windows\\SysWOW64\\wtkbvnf.exe\""	wtkbvnf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxklq = "\"C:\\Windows\\SysWOW64\\wxklq.exe\""	wxklq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsn = "\"C:\\Windows\\SysWOW64\\wsn.exe\""	wsn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrwsi = "\"C:\\Windows\\SysWOW64\\wrwsi.exe\""	wrwsi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woqxvae = "\"C:\\Windows\\SysWOW64\\woqxvae.exe\""	woqxvae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wimpdgwrt = "\"C:\\Windows\\SysWOW64\\wimpdgwrt.exe\""	wimpdgwrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnundq = "\"C:\\Windows\\SysWOW64\\wnundq.exe\""	wnundq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofkabn = "\"C:\\Windows\\SysWOW64\\wofkabn.exe\""	wofkabn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wts = "\"C:\\Windows\\SysWOW64\\wts.exe\""	wts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfd = "\"C:\\Windows\\SysWOW64\\wfd.exe\""	wfd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wntcky = "\"C:\\Windows\\SysWOW64\\wntcky.exe\""	wntcky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woopiwv = "\"C:\\Windows\\SysWOW64\\woopiwv.exe\""	woopiwv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmnpdj = "\"C:\\Windows\\SysWOW64\\wmnpdj.exe\""	wmnpdj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwbnhg = "\"C:\\Windows\\SysWOW64\\wwbnhg.exe\""	wwbnhg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wclpoc = "\"C:\\Windows\\SysWOW64\\wclpoc.exe\""	wclpoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqgmlibo = "\"C:\\Windows\\SysWOW64\\wqgmlibo.exe\""	wqgmlibo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfdjpuj = "\"C:\\Windows\\SysWOW64\\wfdjpuj.exe\""	wfdjpuj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsagxw = "\"C:\\Windows\\SysWOW64\\wsagxw.exe\""	wsagxw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwptofs = "\"C:\\Windows\\SysWOW64\\wwptofs.exe\""	wwptofs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whjjm = "\"C:\\Windows\\SysWOW64\\whjjm.exe\""	whjjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqfsvk = "\"C:\\Windows\\SysWOW64\\wqfsvk.exe\""	wqfsvk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmloo = "\"C:\\Windows\\SysWOW64\\wmloo.exe\""	wmloo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wviqqv = "\"C:\\Windows\\SysWOW64\\wviqqv.exe\""	wviqqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnppnd = "\"C:\\Windows\\SysWOW64\\wnppnd.exe\""	wnppnd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wais = "\"C:\\Windows\\SysWOW64\\wais.exe\""	wais.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckkvf = "\"C:\\Windows\\SysWOW64\\wckkvf.exe\""	wckkvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waqqgy = "\"C:\\Windows\\SysWOW64\\waqqgy.exe\""	waqqgy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbncxmwsx = "\"C:\\Windows\\SysWOW64\\wbncxmwsx.exe\""	wbncxmwsx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmimpukr = "\"C:\\Windows\\SysWOW64\\wmimpukr.exe\""	wmimpukr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsmuttp = "\"C:\\Windows\\SysWOW64\\wsmuttp.exe\""	wsmuttp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wewsvp = "\"C:\\Windows\\SysWOW64\\wewsvp.exe\""	wewsvp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wanj = "\"C:\\Windows\\SysWOW64\\wanj.exe\""	wanj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxxqhp = "\"C:\\Windows\\SysWOW64\\wxxqhp.exe\""	wxxqhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqnuya = "\"C:\\Windows\\SysWOW64\\wqnuya.exe\""	wqnuya.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnwtrt = "\"C:\\Windows\\SysWOW64\\wnwtrt.exe\""	wnwtrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjafirm = "\"C:\\Windows\\SysWOW64\\wjafirm.exe\""	wjafirm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfg = "\"C:\\Windows\\SysWOW64\\wfg.exe\""	wfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wewquyyn = "\"C:\\Windows\\SysWOW64\\wewquyyn.exe\""	wewquyyn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbcafla = "\"C:\\Windows\\SysWOW64\\wbcafla.exe\""	wbcafla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlwewfweq = "\"C:\\Windows\\SysWOW64\\wlwewfweq.exe\""	wlwewfweq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wspnn = "\"C:\\Windows\\SysWOW64\\wspnn.exe\""	wspnn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnppnd.exe	wviqqv.exe
File opened for modification	C:\Windows\SysWOW64\weuhxqs.exe	wvh.exe
File opened for modification	C:\Windows\SysWOW64\wmnpdj.exe	wnxo.exe
File opened for modification	C:\Windows\SysWOW64\wmimpukr.exe	wsn.exe
File opened for modification	C:\Windows\SysWOW64\wkkkxq.exe	wupsb.exe
File created	C:\Windows\SysWOW64\woyvjao.exe	wjixhro.exe
File created	C:\Windows\SysWOW64\wofkabn.exe	wgggya.exe
File opened for modification	C:\Windows\SysWOW64\wsmuttp.exe	wrwsi.exe
File created	C:\Windows\SysWOW64\wwbnhg.exe	wsagxw.exe
File created	C:\Windows\SysWOW64\wgbrihr.exe	wwbnhg.exe
File opened for modification	C:\Windows\SysWOW64\wviqqv.exe	wmimpukr.exe
File opened for modification	C:\Windows\SysWOW64\wwptofs.exe	wnppnd.exe
File opened for modification	C:\Windows\SysWOW64\wnanxh.exe	wbqdxod.exe
File opened for modification	C:\Windows\SysWOW64\wewquyyn.exe	wais.exe
File opened for modification	C:\Windows\SysWOW64\wnqgtx.exe	wmloo.exe
File created	C:\Windows\SysWOW64\wkkgn.exe	wofkabn.exe
File created	C:\Windows\SysWOW64\wsmuttp.exe	wrwsi.exe
File opened for modification	C:\Windows\SysWOW64\woqxvae.exe	wgrtu.exe
File created	C:\Windows\SysWOW64\woopiwv.exe	wfxunw.exe
File created	C:\Windows\SysWOW64\wbqdxod.exe	wwptofs.exe
File created	C:\Windows\SysWOW64\wlwydhti.exe	wckkvf.exe
File created	C:\Windows\SysWOW64\wvoeop.exe	wxxytqvl.exe
File created	C:\Windows\SysWOW64\wqrfxvpdj.exe	wxxqhp.exe
File created	C:\Windows\SysWOW64\wvh.exe	wveb.exe
File opened for modification	C:\Windows\SysWOW64\wvh.exe	wveb.exe
File created	C:\Windows\SysWOW64\wujmoegnx.exe	weygw.exe
File created	C:\Windows\SysWOW64\wviqqv.exe	wmimpukr.exe
File opened for modification	C:\Windows\SysWOW64\wqgmlibo.exe	wjhjkin.exe
File created	C:\Windows\SysWOW64\wglprk.exe	wxklq.exe
File created	C:\Windows\SysWOW64\wgrtu.exe	wgbrihr.exe
File created	C:\Windows\SysWOW64\wsn.exe	wjafirm.exe
File opened for modification	C:\Windows\SysWOW64\wofkabn.exe	wgggya.exe
File created	C:\Windows\SysWOW64\wrwsi.exe	wqfsvk.exe
File created	C:\Windows\SysWOW64\widgmsu.exe	wujmoegnx.exe
File opened for modification	C:\Windows\SysWOW64\wqpjh.exe	wypnyy.exe
File opened for modification	C:\Windows\SysWOW64\welitx.exe	wnnlkm.exe
File created	C:\Windows\SysWOW64\wupsb.exe	wtkbvnf.exe
File created	C:\Windows\SysWOW64\wmywwq.exe	wewsvp.exe
File opened for modification	C:\Windows\SysWOW64\wmloo.exe	wnundq.exe
File created	C:\Windows\SysWOW64\waxjc.exe	wsmuttp.exe
File created	C:\Windows\SysWOW64\wjhjkin.exe	wnanxh.exe
File created	C:\Windows\SysWOW64\wewquyyn.exe	wais.exe
File opened for modification	C:\Windows\SysWOW64\wais.exe	waqqgy.exe
File created	C:\Windows\SysWOW64\wodyt.exe	wwrrdqpcf.exe
File opened for modification	C:\Windows\SysWOW64\wnxo.exe	wqrfxvpdj.exe
File created	C:\Windows\SysWOW64\wguobqy.exe	wmnpdj.exe
File opened for modification	C:\Windows\SysWOW64\wnundq.exe	wntcky.exe
File opened for modification	C:\Windows\SysWOW64\wkkgn.exe	wofkabn.exe
File opened for modification	C:\Windows\SysWOW64\wfxunw.exe	wbncxmwsx.exe
File created	C:\Windows\SysWOW64\whybk.exe	wqpuu.exe
File created	C:\Windows\SysWOW64\wmnpdj.exe	wnxo.exe
File created	C:\Windows\SysWOW64\wvad.exe	woopiwv.exe
File opened for modification	C:\Windows\SysWOW64\wjhjkin.exe	wnanxh.exe
File created	C:\Windows\SysWOW64\wfdjpuj.exe	wbcafla.exe
File opened for modification	C:\Windows\SysWOW64\wmywwq.exe	wewsvp.exe
File created	C:\Windows\SysWOW64\wanj.exe	wodyt.exe
File created	C:\Windows\SysWOW64\wqpjh.exe	wypnyy.exe
File opened for modification	C:\Windows\SysWOW64\wgbrihr.exe	wwbnhg.exe
File created	C:\Windows\SysWOW64\wxxqhp.exe	whcxl.exe
File created	C:\Windows\SysWOW64\wbncxmwsx.exe	wguobqy.exe
File opened for modification	C:\Windows\SysWOW64\widgmsu.exe	wujmoegnx.exe
File created	C:\Windows\SysWOW64\wtkbvnf.exe	wdokadn.exe
File opened for modification	C:\Windows\SysWOW64\wnqsl.exe	wnqgtx.exe
File created	C:\Windows\SysWOW64\wxxytqvl.exe	whybk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4892	372	WerFault.exe	121
4516	712	WerFault.exe	124
632	208	WerFault.exe	170
4512	208	WerFault.exe	170
1040	1804	WerFault.exe	213
4692	2172	WerFault.exe	216
1220	4136	WerFault.exe	245
408	4356	WerFault.exe	253
3344	2148	WerFault.exe	273
1048	2184	WerFault.exe	321
5072	4980	WerFault.exe	347
3824	2372	WerFault.exe	350

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4672	4900	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	86
PID 4900 wrote to memory of 4672	4900	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	86
PID 4900 wrote to memory of 4672	4900	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	86
PID 4900 wrote to memory of 1484	4900	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	88
PID 4900 wrote to memory of 1484	4900	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	88
PID 4900 wrote to memory of 1484	4900	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	88
PID 4672 wrote to memory of 340	4672	wspnn.exe	95
PID 4672 wrote to memory of 340	4672	wspnn.exe	95
PID 4672 wrote to memory of 340	4672	wspnn.exe	95
PID 4672 wrote to memory of 2820	4672	wspnn.exe	96
PID 4672 wrote to memory of 2820	4672	wspnn.exe	96
PID 4672 wrote to memory of 2820	4672	wspnn.exe	96
PID 340 wrote to memory of 1476	340	wckkvf.exe	101
PID 340 wrote to memory of 1476	340	wckkvf.exe	101
PID 340 wrote to memory of 1476	340	wckkvf.exe	101
PID 340 wrote to memory of 1216	340	wckkvf.exe	102
PID 340 wrote to memory of 1216	340	wckkvf.exe	102
PID 340 wrote to memory of 1216	340	wckkvf.exe	102
PID 1476 wrote to memory of 912	1476	wlwydhti.exe	104
PID 1476 wrote to memory of 912	1476	wlwydhti.exe	104
PID 1476 wrote to memory of 912	1476	wlwydhti.exe	104
PID 1476 wrote to memory of 1840	1476	wlwydhti.exe	105
PID 1476 wrote to memory of 1840	1476	wlwydhti.exe	105
PID 1476 wrote to memory of 1840	1476	wlwydhti.exe	105
PID 912 wrote to memory of 1184	912	wwrrdqpcf.exe	109
PID 912 wrote to memory of 1184	912	wwrrdqpcf.exe	109
PID 912 wrote to memory of 1184	912	wwrrdqpcf.exe	109
PID 912 wrote to memory of 4628	912	wwrrdqpcf.exe	110
PID 912 wrote to memory of 4628	912	wwrrdqpcf.exe	110
PID 912 wrote to memory of 4628	912	wwrrdqpcf.exe	110
PID 1184 wrote to memory of 3232	1184	wodyt.exe	112
PID 1184 wrote to memory of 3232	1184	wodyt.exe	112
PID 1184 wrote to memory of 3232	1184	wodyt.exe	112
PID 1184 wrote to memory of 4764	1184	wodyt.exe	113
PID 1184 wrote to memory of 4764	1184	wodyt.exe	113
PID 1184 wrote to memory of 4764	1184	wodyt.exe	113
PID 3232 wrote to memory of 3732	3232	wanj.exe	115
PID 3232 wrote to memory of 3732	3232	wanj.exe	115
PID 3232 wrote to memory of 3732	3232	wanj.exe	115
PID 3232 wrote to memory of 2428	3232	wanj.exe	116
PID 3232 wrote to memory of 2428	3232	wanj.exe	116
PID 3232 wrote to memory of 2428	3232	wanj.exe	116
PID 3732 wrote to memory of 1832	3732	wnnlkm.exe	118
PID 3732 wrote to memory of 1832	3732	wnnlkm.exe	118
PID 3732 wrote to memory of 1832	3732	wnnlkm.exe	118
PID 3732 wrote to memory of 1576	3732	wnnlkm.exe	119
PID 3732 wrote to memory of 1576	3732	wnnlkm.exe	119
PID 3732 wrote to memory of 1576	3732	wnnlkm.exe	119
PID 1832 wrote to memory of 372	1832	welitx.exe	121
PID 1832 wrote to memory of 372	1832	welitx.exe	121
PID 1832 wrote to memory of 372	1832	welitx.exe	121
PID 1832 wrote to memory of 1084	1832	welitx.exe	122
PID 1832 wrote to memory of 1084	1832	welitx.exe	122
PID 1832 wrote to memory of 1084	1832	welitx.exe	122
PID 372 wrote to memory of 712	372	wimpdgwrt.exe	124
PID 372 wrote to memory of 712	372	wimpdgwrt.exe	124
PID 372 wrote to memory of 712	372	wimpdgwrt.exe	124
PID 372 wrote to memory of 5032	372	wimpdgwrt.exe	125
PID 372 wrote to memory of 5032	372	wimpdgwrt.exe	125
PID 372 wrote to memory of 5032	372	wimpdgwrt.exe	125
PID 712 wrote to memory of 1420	712	wfd.exe	130
PID 712 wrote to memory of 1420	712	wfd.exe	130
PID 712 wrote to memory of 1420	712	wfd.exe	130
PID 712 wrote to memory of 1688	712	wfd.exe	131

C:\Users\Admin\AppData\Local\Temp\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
"C:\Users\Admin\AppData\Local\Temp\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\wspnn.exe
  "C:\Windows\system32\wspnn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\wckkvf.exe
    "C:\Windows\system32\wckkvf.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\wlwydhti.exe
      "C:\Windows\system32\wlwydhti.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\wwrrdqpcf.exe
        
        "C:\Windows\system32\wwrrdqpcf.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\SysWOW64\wodyt.exe
        
        "C:\Windows\system32\wodyt.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\wanj.exe
        
        "C:\Windows\system32\wanj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\wnnlkm.exe
        
        "C:\Windows\system32\wnnlkm.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\welitx.exe
        
        "C:\Windows\system32\welitx.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\wimpdgwrt.exe
        
        "C:\Windows\system32\wimpdgwrt.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\wfd.exe
        
        "C:\Windows\system32\wfd.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\wvjtuns.exe
        
        "C:\Windows\system32\wvjtuns.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\wntcky.exe
        
        "C:\Windows\system32\wntcky.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\wnundq.exe
        
        "C:\Windows\system32\wnundq.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\wmloo.exe
        
        "C:\Windows\system32\wmloo.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\wnqgtx.exe
        
        "C:\Windows\system32\wnqgtx.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\wnqsl.exe
        
        "C:\Windows\system32\wnqsl.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1256
        
        C:\Windows\SysWOW64\wjixhro.exe
        
        "C:\Windows\system32\wjixhro.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\woyvjao.exe
        
        "C:\Windows\system32\woyvjao.exe"
        19⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\wgoemid.exe
        
        "C:\Windows\system32\wgoemid.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2604
        
        C:\Windows\SysWOW64\wgggya.exe
        
        "C:\Windows\system32\wgggya.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wofkabn.exe
        
        "C:\Windows\system32\wofkabn.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wkkgn.exe
        
        "C:\Windows\system32\wkkgn.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\wtvvud.exe
        
        "C:\Windows\system32\wtvvud.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:208
        
        C:\Windows\SysWOW64\wclpoc.exe
        
        "C:\Windows\system32\wclpoc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4920
        
        C:\Windows\SysWOW64\wlwewfweq.exe
        
        "C:\Windows\system32\wlwewfweq.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3972
        
        C:\Windows\SysWOW64\whcxl.exe
        
        "C:\Windows\system32\whcxl.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\wxxqhp.exe
        
        "C:\Windows\system32\wxxqhp.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\wqrfxvpdj.exe
        
        "C:\Windows\system32\wqrfxvpdj.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\wnxo.exe
        
        "C:\Windows\system32\wnxo.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\wmnpdj.exe
        
        "C:\Windows\system32\wmnpdj.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wguobqy.exe
        
        "C:\Windows\system32\wguobqy.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\wbncxmwsx.exe
        
        "C:\Windows\system32\wbncxmwsx.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\wfxunw.exe
        
        "C:\Windows\system32\wfxunw.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\woopiwv.exe
        
        "C:\Windows\system32\woopiwv.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\wvad.exe
        
        "C:\Windows\system32\wvad.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1192
        
        C:\Windows\SysWOW64\wjafirm.exe
        
        "C:\Windows\system32\wjafirm.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wsn.exe
        
        "C:\Windows\system32\wsn.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\wmimpukr.exe
        
        "C:\Windows\system32\wmimpukr.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\wviqqv.exe
        
        "C:\Windows\system32\wviqqv.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:340
        
        C:\Windows\SysWOW64\wnppnd.exe
        
        "C:\Windows\system32\wnppnd.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\wwptofs.exe
        
        "C:\Windows\system32\wwptofs.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wbqdxod.exe
        
        "C:\Windows\system32\wbqdxod.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\wnanxh.exe
        
        "C:\Windows\system32\wnanxh.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\wjhjkin.exe
        
        "C:\Windows\system32\wjhjkin.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\wqgmlibo.exe
        
        "C:\Windows\system32\wqgmlibo.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4136
        
        C:\Windows\SysWOW64\wfg.exe
        
        "C:\Windows\system32\wfg.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3420
        
        C:\Windows\SysWOW64\wrrxdt.exe
        
        "C:\Windows\system32\wrrxdt.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\wnwtrt.exe
        
        "C:\Windows\system32\wnwtrt.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1568
        
        C:\Windows\SysWOW64\wirhevy.exe
        
        "C:\Windows\system32\wirhevy.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\weima.exe
        
        "C:\Windows\system32\weima.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\waqqgy.exe
        
        "C:\Windows\system32\waqqgy.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\wais.exe
        
        "C:\Windows\system32\wais.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\wewquyyn.exe
        
        "C:\Windows\system32\wewquyyn.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2148
        
        C:\Windows\SysWOW64\whjjm.exe
        
        "C:\Windows\system32\whjjm.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2624
        
        C:\Windows\SysWOW64\wveb.exe
        
        "C:\Windows\system32\wveb.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\wvh.exe
        
        "C:\Windows\system32\wvh.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\weuhxqs.exe
        
        "C:\Windows\system32\weuhxqs.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\wqfsvk.exe
        
        "C:\Windows\system32\wqfsvk.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\wrwsi.exe
        
        "C:\Windows\system32\wrwsi.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\wsmuttp.exe
        
        "C:\Windows\system32\wsmuttp.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\waxjc.exe
        
        "C:\Windows\system32\waxjc.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\wbcafla.exe
        
        "C:\Windows\system32\wbcafla.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\wfdjpuj.exe
        
        "C:\Windows\system32\wfdjpuj.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3320
        
        C:\Windows\SysWOW64\wewsvp.exe
        
        "C:\Windows\system32\wewsvp.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\wmywwq.exe
        
        "C:\Windows\system32\wmywwq.exe"
        66⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Windows\SysWOW64\wqnuya.exe
        
        "C:\Windows\system32\wqnuya.exe"
        67⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2184
        
        C:\Windows\SysWOW64\weygw.exe
        
        "C:\Windows\system32\weygw.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\wujmoegnx.exe
        
        "C:\Windows\system32\wujmoegnx.exe"
        69⤵
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\widgmsu.exe
        
        "C:\Windows\system32\widgmsu.exe"
        70⤵
        Checks computer location settings
        
        PID:1336
        
        C:\Windows\SysWOW64\wqpuu.exe
        
        "C:\Windows\system32\wqpuu.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\whybk.exe
        
        "C:\Windows\system32\whybk.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\wxxytqvl.exe
        
        "C:\Windows\system32\wxxytqvl.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\wvoeop.exe
        
        "C:\Windows\system32\wvoeop.exe"
        74⤵
        Checks computer location settings
        
        PID:3040
        
        C:\Windows\SysWOW64\wypnyy.exe
        
        "C:\Windows\system32\wypnyy.exe"
        75⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\wqpjh.exe
        
        "C:\Windows\system32\wqpjh.exe"
        76⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\wdokadn.exe
        
        "C:\Windows\system32\wdokadn.exe"
        77⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\wtkbvnf.exe
        
        "C:\Windows\system32\wtkbvnf.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\wupsb.exe
        
        "C:\Windows\system32\wupsb.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wkkkxq.exe
        
        "C:\Windows\system32\wkkkxq.exe"
        80⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\wxklq.exe
        
        "C:\Windows\system32\wxklq.exe"
        81⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\wglprk.exe
        
        "C:\Windows\system32\wglprk.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3320
        
        C:\Windows\SysWOW64\wsjp.exe
        
        "C:\Windows\system32\wsjp.exe"
        83⤵
        Adds Run key to start application
        
        PID:4140
        
        C:\Windows\SysWOW64\wbvfqefyb.exe
        
        "C:\Windows\system32\wbvfqefyb.exe"
        84⤵
        Adds Run key to start application
        
        PID:4772
        
        C:\Windows\SysWOW64\wfkdu.exe
        
        "C:\Windows\system32\wfkdu.exe"
        85⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\wrkdmew.exe
        
        "C:\Windows\system32\wrkdmew.exe"
        86⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\wsagxw.exe
        
        "C:\Windows\system32\wsagxw.exe"
        87⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\wwbnhg.exe
        
        "C:\Windows\system32\wwbnhg.exe"
        88⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\wgbrihr.exe
        
        "C:\Windows\system32\wgbrihr.exe"
        89⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\wgrtu.exe
        
        "C:\Windows\system32\wgrtu.exe"
        90⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\woqxvae.exe
        
        "C:\Windows\system32\woqxvae.exe"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3368
        
        C:\Windows\SysWOW64\wts.exe
        
        "C:\Windows\system32\wts.exe"
        92⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3780
        
        C:\Windows\SysWOW64\wws.exe
        
        "C:\Windows\system32\wws.exe"
        93⤵
        Adds Run key to start application
        
        PID:4692
        
        C:\Windows\SysWOW64\wbjlrdx.exe
        
        "C:\Windows\system32\wbjlrdx.exe"
        94⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\SysWOW64\wgx.exe
        
        "C:\Windows\system32\wgx.exe"
        95⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2328
        
        C:\Windows\SysWOW64\wojxcnwr.exe
        
        "C:\Windows\system32\wojxcnwr.exe"
        96⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:228
        
        C:\Windows\SysWOW64\wskgn.exe
        
        "C:\Windows\system32\wskgn.exe"
        97⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojxcnwr.exe"
        97⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgx.exe"
        96⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjlrdx.exe"
        95⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wws.exe"
        94⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wts.exe"
        93⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqxvae.exe"
        92⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrtu.exe"
        91⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgbrihr.exe"
        90⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbnhg.exe"
        89⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsagxw.exe"
        88⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkdmew.exe"
        87⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkdu.exe"
        86⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvfqefyb.exe"
        85⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjp.exe"
        84⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglprk.exe"
        83⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxklq.exe"
        82⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkkxq.exe"
        81⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wupsb.exe"
        80⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkbvnf.exe"
        79⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdokadn.exe"
        78⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpjh.exe"
        77⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1620
        77⤵
        Program crash
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypnyy.exe"
        76⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1252
        76⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoeop.exe"
        75⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxytqvl.exe"
        74⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whybk.exe"
        73⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpuu.exe"
        72⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widgmsu.exe"
        71⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujmoegnx.exe"
        70⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weygw.exe"
        69⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqnuya.exe"
        68⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1416
        68⤵
        Program crash
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmywwq.exe"
        67⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewsvp.exe"
        66⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdjpuj.exe"
        65⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcafla.exe"
        64⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxjc.exe"
        63⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmuttp.exe"
        62⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwsi.exe"
        61⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfsvk.exe"
        60⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuhxqs.exe"
        59⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvh.exe"
        58⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wveb.exe"
        57⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjjm.exe"
        56⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewquyyn.exe"
        55⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1424
        55⤵
        Program crash
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wais.exe"
        54⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqqgy.exe"
        53⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weima.exe"
        52⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirhevy.exe"
        51⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwtrt.exe"
        50⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrxdt.exe"
        49⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1724
        49⤵
        Program crash
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfg.exe"
        48⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgmlibo.exe"
        47⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1248
        47⤵
        Program crash
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhjkin.exe"
        46⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnanxh.exe"
        45⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqdxod.exe"
        44⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptofs.exe"
        43⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnppnd.exe"
        42⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wviqqv.exe"
        41⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmimpukr.exe"
        40⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsn.exe"
        39⤵
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1592
        39⤵
        Program crash
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjafirm.exe"
        38⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1556
        38⤵
        Program crash
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvad.exe"
        37⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woopiwv.exe"
        36⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxunw.exe"
        35⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbncxmwsx.exe"
        34⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguobqy.exe"
        33⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnpdj.exe"
        32⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxo.exe"
        31⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrfxvpdj.exe"
        30⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxqhp.exe"
        29⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whcxl.exe"
        28⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwewfweq.exe"
        27⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclpoc.exe"
        26⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvvud.exe"
        25⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 116
        25⤵
        Program crash
        
        PID:632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1536
        25⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkgn.exe"
        24⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofkabn.exe"
        23⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgggya.exe"
        22⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgoemid.exe"
        21⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyvjao.exe"
        20⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjixhro.exe"
        19⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqsl.exe"
        18⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqgtx.exe"
        17⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmloo.exe"
        16⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnundq.exe"
        15⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntcky.exe"
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjtuns.exe"
        13⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfd.exe"
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 1164
        12⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimpdgwrt.exe"
        11⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 116
        11⤵
        Program crash
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welitx.exe"
        10⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnnlkm.exe"
        9⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanj.exe"
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodyt.exe"
        7⤵
        
        PID:4764
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrrdqpcf.exe"
        6⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwydhti.exe"
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckkvf.exe"
      4⤵
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspnn.exe"
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe"
  2⤵
  PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 372 -ip 372
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 712 -ip 712
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 208 -ip 208
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 208 -ip 208
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1804 -ip 1804
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2172 -ip 2172
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4136 -ip 4136
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4356 -ip 4356
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2148 -ip 2148
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2184 -ip 2184
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4980 -ip 4980
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2372 -ip 2372
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wanj.exe

Filesize
90KB

MD5
23820f99690fa8b075d895b20101413b

SHA1
60d7baeff8a14f734f9c5c83aa1f538ad6321320

SHA256
c1fc1753936d902c5c784a3eafce61d0fbf30479efeb3704b5be942cb95ecede

SHA512
1a2746bc59f96fadd95f7b47f8275aee6df82ee3b2d4c61f0f2464dc4d32110d58cd6f891441a1682ecc4754898bafbf52c738c51df32a34367308702e9bf744

Download Submit
C:\Windows\SysWOW64\wbncxmwsx.exe

Filesize
90KB

MD5
a83dde127ea3c825d91639d844a0f1c4

SHA1
61af5b769d1d6c1e3e858c476e34a77b445c74b0

SHA256
f7f68f1b146c612234233fcca824327867951807da529a1f4323fc45cbd75a07

SHA512
837dd4cadd8cdfa3285ad8839ae3b1dac7fdcb7e983f9f38722c74fba72a2f713bce811441272f0870700e98fe1e7eeed90ec9bc4a4ebe226399463a1f22acd5

Download Submit
C:\Windows\SysWOW64\wckkvf.exe

Filesize
89KB

MD5
05e5e9260de1e4c400511780e1571f83

SHA1
008c8a8b999beb4f941ba90205e243a11581b2f1

SHA256
208dad34fcc010b7fb20e8607baf67d617695a66c6520c49566513a5e29a4424

SHA512
88c1a277ff85eb39fbbdd864587680250cdbde3178603b921884a85dc7430829a5a3bf497737689704a15c393d322d5fdfef64c5855c4451db8bdc21e0e65ffd

Download Submit
C:\Windows\SysWOW64\wclpoc.exe

Filesize
90KB

MD5
52462e0977f341205df2a694a411b145

SHA1
195eed5eea54bd733f9dda21033352a7f9c705a0

SHA256
b3e71846e37072d78e29692b8bf98bc890660e29098543abde6c752490a616c1

SHA512
edf8d392a8868ce9955128cde4594c083a24a1b5c73d734bd92a92e42ecdaa1d98c045ac5d4d69ad302951973db2187552a0ca38a30257e8cc4b4a07cdd51420

Download Submit
C:\Windows\SysWOW64\welitx.exe

Filesize
90KB

MD5
c0ebef4d7cc3798207b13a1ad3773bc2

SHA1
03430ecfec869f7ca6075a27e4f361d8f3ec74fc

SHA256
9fe02d47cbe1504cf1d53e80c84c420e25cdf5cbc6b1973e7a445de1c495eafa

SHA512
c0a3f355f8a9ad6b5ba173b9b7c211ddff2a6b9bfdd8ee5b45dbb70e813a06b62bfd118ca7452667729270144e35e6bcae09fca7c0755479cb41b79b98802b0f

Download Submit
C:\Windows\SysWOW64\wfd.exe

Filesize
90KB

MD5
fdc44df041c83de9eeb63b9d46a59b78

SHA1
434a9d6f0b80e28e6b4c241b0e55cb5a5cda7c95

SHA256
c19270293f3c1faf41b3b06c918da9d073644801f732f07c779ba0ba6df3f6d0

SHA512
2c646879cdadfaeabc30d9bd5e49e04e2ee88359920dab555d5e6668ed6228d3f639c144915979ba354ba7203b2e1dcc58254102ac38754140e099bbfb576b8c

Download Submit
C:\Windows\SysWOW64\wgggya.exe

Filesize
90KB

MD5
21f27817e567a5382ac3673bbaa54702

SHA1
aa85f6e305af5326c36d7d8fc1c5074a73ed4812

SHA256
2761419eaac99fd7891a27d74e66a05f0e70d23e946bfaf44a149e6297393d74

SHA512
f8a1bec4810661067d3a3c67b8cd9a187d42086e5b05909668ba46d4e3d97d3af4c6a1a619ac7a5d983da133915835b753bcfea16997ced6e2304414f9cb79ec

Download Submit
C:\Windows\SysWOW64\wgoemid.exe

Filesize
90KB

MD5
2730ce42fdd95e78581b628bb1fb1afa

SHA1
bf713d150c4bc828b27d093a3c02a498f14056b2

SHA256
a6bc32cfbef8e1ae533a112323ee402c0ebed870ecd1e873e11d3cd7f3a0cef1

SHA512
5dcd47c04a0230fe1563ad011a0a729cd7f1611c1240595505a9334649577c33ec1b962a7bd14dc876dc77237f80ddd1d62f30a60d7bb6ad5927df3b291a79f0

Download Submit
C:\Windows\SysWOW64\wguobqy.exe

Filesize
90KB

MD5
f06f0db71b240d0273c48e159309d45f

SHA1
4de3ffaf6fa09c6e214c9401386449f104a2842a

SHA256
671c2894359bf63d03016110acfa7344a419465b0f68b464e755f655af90ac5d

SHA512
3e04e756b723dce30b45bd8bd31a909dc025a4c25e53b415f46b5667398abdfc04220dddeafae236643da5c5d29de2ab9dccd53ee11bb53c213a304130a0f14d

Download Submit
C:\Windows\SysWOW64\whcxl.exe

Filesize
90KB

MD5
83298f2bf0a9b8abdf69ce4b0f9f20f5

SHA1
a532ed7b3d3c1a9816d4f1160dec7495bc3ae9f3

SHA256
104bdbe0567dad3a23ac7c1ba6eba6af0a10350ba9a67812665ea26aae86f22b

SHA512
3c72542227f16d76f654ecf48cd9a487230270bfc2012e6ce8446365022bfb7e3a7ef6dbdb15ac6cdf4c0ba4b0cfa7a4268d2cd1971e7c0018a60711b0620f35

Download Submit
C:\Windows\SysWOW64\wimpdgwrt.exe

Filesize
90KB

MD5
fc0fe654ac9a721c25b139e847f46606

SHA1
f8b9a9319b559bc71c7bb8e44afc56c0223716b5

SHA256
77aedd6ca520d4e1778185f7318f04a57bd974cbc1437690ce30a24557e5155c

SHA512
8e1e02c34ebb3ba8584eefceb1140d3e6e3d40c6fb03b2bec70bbcd3ff36908a6bb09b74b1d2bcf000c6881aa97104c2c39a0e60923d4e28e262d4d78082dd05

Download Submit
C:\Windows\SysWOW64\wjixhro.exe

Filesize
90KB

MD5
7a442ee760473f647dea71d0361e126b

SHA1
816d37a9eb1369b9eff45de8d8e366ccbe44f747

SHA256
2248ab12ab159b0207c38675a0166afdded5aa8e73fa38d351e593b959705e40

SHA512
5bf1ba7c1f901e79e976e2b2760573b484da98ae941d546a25843692375166849b310b8e14760cbbd25b45a8e95f0edd558d41cab6d9fe5ae71ee38020bb4474

Download Submit
C:\Windows\SysWOW64\wkkgn.exe

Filesize
90KB

MD5
95025279b708dc6748d5e09bf0313d07

SHA1
343eb6f303f1a09ff906628a299516718e370863

SHA256
ee7e49e9a23b17ff9103d281159216a1870bba50ce558e2b0553150555c0b737

SHA512
c17bb69c017b2ba6ffad26041a2094167edd506382ce54d076bfdbb099945624aa2730d1c28443762b54242c50ce4a4294f49286aa3992aa678a3ab1e74fde31

Download Submit
C:\Windows\SysWOW64\wlwewfweq.exe

Filesize
90KB

MD5
8c7e0c574071450fa4e415fae5ddb50d

SHA1
939ef8242f4ee30309974ed04282a25d521b088e

SHA256
146036d3a7d75fd133f8bc3011ce86b986affa489af00d883185ee77455b899f

SHA512
e086a7366dfbd89afb2a84a6c8bae7166e687b10e5c2f3757315119b23d73de742fe9287b79c9eff65498dff6a39d9a2817289f63f79c2a895737e2566d2e680

Download Submit
C:\Windows\SysWOW64\wlwydhti.exe

Filesize
89KB

MD5
9461864f66a9deafb43b9a9cbf9628a1

SHA1
7d05c9cddb981b4b487bb97caae7ae4c3491de6d

SHA256
72cbd0c2d0892103839250b2854165552a5b6f1e59e4e7ff2155d74017f7876c

SHA512
a467bccdb3d23f930538ce1ecf95fb551bc42748c43d3ded98b2faae67a5db9d0092aa917ff921332ec47962b7ce937e26cee65e82263394fc87af63971a3be8

Download Submit
C:\Windows\SysWOW64\wmloo.exe

Filesize
90KB

MD5
67a704dbd1b894538056637b631fce5c

SHA1
2154e9551486d11fcb12c6f76839df708dfb18f3

SHA256
629a233ced217bab34772f15e57aa7236da05bd378ded90a8384ace5c6dacbc1

SHA512
82c8bb4b64512d601b618004b6bbf63a54ab5dce0828adc8274fdbe22fb8b5f6585e2b97f41fb4f7009563a380a360b7f59e451045fe0213d0789d9f48811fce

Download Submit
C:\Windows\SysWOW64\wmnpdj.exe

Filesize
90KB

MD5
984709b62b828b9d343be76b7d39e645

SHA1
dc2ad59b0da3d6012439a980f4c995b295839689

SHA256
cb4c80049c7f994b55563e521b848d0331ad0aa62fc3fb1dd2879308dcc0b433

SHA512
9e4f51b24ec51dbd9118c255637810343294e8bdec81d49a54958965ef378363b7797ade5cba0dbdb9a55da7cb79ec579805d7880fb338a79dcb0cf6d93c2a6b

Download Submit
C:\Windows\SysWOW64\wnnlkm.exe

Filesize
90KB

MD5
a6c24ca9faa261ada9ef3f9b6d9028f5

SHA1
a0fb98208400c2fccbb486e54c6b511fc49a7f94

SHA256
894bf37cab816c2d745a413d76ed0c7d19abe3d89351804550ffd7e253e04407

SHA512
3799294ddd8f5d626a686e2f7b7e63b4011d53a1dddc38d1b44c129c2f5161218e61c95d6758626a644b59cd91d1f86718623504a045d78119b52db097647290

Download Submit
C:\Windows\SysWOW64\wnqgtx.exe

Filesize
90KB

MD5
7943a863e9b69706a01e8d922b4cb4fb

SHA1
24b158870567f514ddd645da8cf08038b46a017a

SHA256
8fdabdbee424d145cb55572e5c6751eac1c4a102f0e7edd31cbe98deb54508f2

SHA512
239ed17e66ca38cf7f0167ff036c08191434d2c7cb81bf5c284751540d224d6cd8c6869b339bf05b5c8505621d757be00f1f40ac0073cdba348e63bf4140767a

Download Submit
C:\Windows\SysWOW64\wnqsl.exe

Filesize
90KB

MD5
cc846595a30123fc6620185298373716

SHA1
f26006cefb5e4a383566ea252031e52fdbbf8ff3

SHA256
e2dc075be586f6f91beee62d85907fc9dfe3714c6c1c7c16960fd8d76d4dd851

SHA512
4fd404e0a50b4709960a196661ea750cf651c7ee4bcfc6bd323bfe61178c80550fae60bf1ae640ff91417d912eff4bf41eb2d8de80f64acf5e1f3b3421562ff3

Download Submit
C:\Windows\SysWOW64\wntcky.exe

Filesize
90KB

MD5
d079ee0656766b3adf700b802daad6ce

SHA1
f70c2ca5d6a256ad4145fad94d5389d24cd9bffd

SHA256
cb206dfdcc1d7a6091d6da32c06fb529698d02fa306fd3160deda56b8de304e3

SHA512
87dc5ef81115c3c53a0a87729b61c181e094e5ceb29cdc1b9c507842a1ff6e0af5d876987254d09fbcd13dd68957d1e06d76b7dbdd3f3cf27ba6232044f02d41

Download Submit
C:\Windows\SysWOW64\wnundq.exe

Filesize
90KB

MD5
4ca01cf9f934cd12f0020945352ac9a7

SHA1
1a0a17b5b7ba68716d28df67d705862448c143f6

SHA256
15a8ae87d23bccab85a4c514fa7f0e100c458141de07d4e3e3c13a5ab5c87c28

SHA512
2532ddd38b17883312808c33c8d3eb43b7ee5d5ea870f210339c8931ea83d30c1ffe7302aed8892d7b3e0e8d17b77397c35a72227bc383e82cd0bf7462a2218e

Download Submit
C:\Windows\SysWOW64\wnxo.exe

Filesize
90KB

MD5
fd75357e1418022f67e6b0d3998c5b57

SHA1
014cb4c1428e2a8461eaa92ffe0bd2e1c33d7dc2

SHA256
e59c4f8c6633ded7692dc6f7108a3182e7a7594117eb52ddc9f2e25cbe2d902f

SHA512
3a309b7506a5b9b222844aee6e946fcc026fd8e1ac3a22f4ae3c8d38f0b26f1d74c71e91b55ceeae60c6ff8b58e2c8c9c15ebb7e5f6f0540ade1c24762215b2d

Download Submit
C:\Windows\SysWOW64\wodyt.exe

Filesize
89KB

MD5
ab44ad9da19a8460c289f92a73573c8f

SHA1
52b3d4709894adb91d6b72c96cfaa2ccf84cdb2b

SHA256
5720c9aa2a326121319ac51c957d2ade68007051ba4877441ef9373a1d8b32bc

SHA512
7bd01343d339ae6e87726e3c33a5aad18086a9b7e727b2a28c3b89d3fcb4860102d6ca1a59bcb73722798a292ef5ad75d8ae938529b25da8161ee3793d08b817

Download Submit
C:\Windows\SysWOW64\wofkabn.exe

Filesize
90KB

MD5
c102fb02c9502c44bb587493ff716d9c

SHA1
7c7c024cece28455c082032db125b2a34201d981

SHA256
949ce86504e09847b405a9827f358f3a1da13bf6b421c194adab07242486c48c

SHA512
56e7b481790a663a398c1b1f9df40b28f7682a3b6bcd112d4089edaf132da4ce485dbc9aef13a3fb19147c48cf5a31100a00eb967d1c3ed33a001d59c0b8533b

Download Submit
C:\Windows\SysWOW64\woyvjao.exe

Filesize
90KB

MD5
7e1c8512a0cb9206a2d8599d4a7a5892

SHA1
4a7b187d4d7d1b26b309d43994927674349309a3

SHA256
7d927a7148c6132857f870dacd401422220fda85f80b66415bff5708cab759bd

SHA512
f0540d7a2ffa3daf831d878509a7fb9a013b0ca18366883182970b8db22599922a1d3e42df205d0880f4aeb03f8c71f6476de5bd36de4cd6df61557f4640a975

Download Submit
C:\Windows\SysWOW64\wqrfxvpdj.exe

Filesize
90KB

MD5
f89e74d708725af4a56f21e95a5423a4

SHA1
5776d3d77dfa49d5cdf6ecfa2cc6326657e87e02

SHA256
7d018a786acd28b0c24cbd6eb8452c50ba3bcb50713ca2e448fb5f32ea881deb

SHA512
c826eadab602e952f830e669c610be7326468600b7c22cb2e5f72f4bf913e2bb4aa016d1573a5c4f73b812ab20575deef515cae4341e720726fc259c0afce043

Download Submit
C:\Windows\SysWOW64\wspnn.exe

Filesize
89KB

MD5
6382474aa393c44baae486bf8d7adc04

SHA1
a43e973a5b48b69d4fec9b7819fe75ff1317f9f3

SHA256
488ba5a8ae5b7cc9b852704e8aae3a58dbe8609317e31c801ab07da0dbc68db0

SHA512
0839862e9993d5a380ae78fd95fae74911176a4edd89ec21388ae5f9e874bd1748c42693d039dee8078db810e6614e16bed20f14171834315514850f7074c57a

Download Submit
C:\Windows\SysWOW64\wtvvud.exe

Filesize
90KB

MD5
466c72e9afa30f7949cf55f58f7a4869

SHA1
808d9c75c20fd453323b7ff58fd5e916cba8ba9c

SHA256
0a773bf69b9963bd6c970df82bf0a769b25a72dfd11c2120d31bb57d42fe94f5

SHA512
a980e5f9b4f51630daa36f1f68125496e8a047516960e110bb8600840a3d2a440d45e54a253f3dc62267616ef0798ac6bc7269b7dad910a9e4fc1a336f4f4492

Download Submit
C:\Windows\SysWOW64\wvjtuns.exe

Filesize
90KB

MD5
41f6c31aaa7ba0d8aff759ca43672112

SHA1
f5b08dbe8e902e2a9899986f6ca809a06ed1f4df

SHA256
7a2d7fefbea43286b657b3b9b4d745758a2bd5d3bbdaf22d6877a66928a84281

SHA512
45cec9bc0bbb72b8b9fc0b8954224a1af8df5c8cfcb2630f625c949e4fb75538de5cd212bf9a9d7fcc732ce8e9286bfb1b7eccda36ea1835957265b44080b8aa

Download Submit
C:\Windows\SysWOW64\wwrrdqpcf.exe

Filesize
89KB

MD5
b3191dfae75fdbbac6e91002fdec9b35

SHA1
74286673ea2be85e40683e241f381f2c88d1bc98

SHA256
f758f4f67c31edb82cb8c19b8509407bc2d7d9357c6b66f4c915c22cf8c43872

SHA512
16fa20962c9cb4b3fd770bc947b2c7c9e736c92cfa29ec156d175092bc637d70afe66acbb0162caf10561a12bdf29b010371cf1b78a2be1376ebf203938281c6

Download Submit
C:\Windows\SysWOW64\wxxqhp.exe

Filesize
90KB

MD5
943a920625b81aa8f2ad3eb50bd479b7

SHA1
5f7abd70904fc9f65fc01171f1999524a1b6dd9d

SHA256
96023632a8c5cdd789a4ea58d0d167ccf55c3ca3773f93f30ea3a3a3c6806556

SHA512
d7cb47d57e0a9338689f6d85f92f7260febd8d35546a75da47ff0b5e7343d65678b8d9ec38ba7c08daf27da967aba825c5264c8aee182ead07fcdeeb904a0029

Download Submit
memory/208-250-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/208-411-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/208-401-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/224-553-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/340-402-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/340-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/340-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/340-392-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/372-105-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/712-359-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/712-115-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/912-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/912-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1184-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-368-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-358-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1256-178-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1348-611-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1420-125-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1464-594-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1476-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1476-44-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1568-469-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1568-478-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1688-419-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1688-410-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1804-377-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1804-367-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1832-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1832-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1996-281-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1996-293-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2000-350-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-512-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2148-511-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2148-521-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2172-376-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-562-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-628-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2304-270-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2304-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2384-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2476-209-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2476-220-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-210-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-198-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2624-520-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2624-529-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2920-324-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2920-230-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2944-334-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3048-487-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3088-428-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3088-420-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3232-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3316-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3316-157-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3316-436-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3316-445-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3320-603-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3320-595-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3420-461-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3500-342-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3544-240-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3648-437-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3716-578-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3732-85-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3752-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3752-147-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3756-586-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3828-188-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3972-271-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4136-453-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4168-199-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4244-627-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4244-570-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4244-561-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4356-470-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4360-619-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4392-393-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4404-495-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4404-486-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4568-545-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-292-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-304-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4656-168-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4656-158-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4672-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4672-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4692-314-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4692-303-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4900-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4900-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4920-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4980-537-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5016-503-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads