082a6c5f125ae9b2aaf817be3c134f2857a2929bf0c8d5ee2355b52da01ff20a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe
Size

83KB
MD5

2cd7d9337473e5c75a67551177748780
SHA1

7a4e3f40fd4a5ff8a23f2a01c577dd380b4de4bf
SHA256

082a6c5f125ae9b2aaf817be3c134f2857a2929bf0c8d5ee2355b52da01ff20a
SHA512

9b88b99e4bcbc6e196b3d1577fd40970a99b81eb63f847a114f16ffa98599a16d0438c10e785de7fa8ebcacb9fb6ffca793d093f05b19450cc46c363a2fff714
SSDEEP

1536:azUQz74LIvK/+Czax4IHVdmRvW1BDVwrVXwP:qUQz74TmFnmRvW1gXwP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlqngm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wiqriu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wgdm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wioudk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wobmvoy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlpwef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wmcpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfkebk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wmu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrnklpn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wjmy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wcjnghnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wiek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wypie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	warf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wqgomoqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wiyxqwef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wenjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrfwfay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wwvxhaja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whayqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvffu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wgyqsgbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wikadc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wqrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wekmsexs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvtsodeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrxgfoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlrdbtk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlurj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wnupmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wekupt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wyhvmf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wvgxhvdm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wiaw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wjkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wnoqac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wyeuee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wwssy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wjsjw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wkfdprd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wgglswd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wrcjci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wwdvbiai.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	whissrys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	woixw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wbl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wryljxq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wfoohaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlcgoi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wbgne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlbmjulfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wlijmdsy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe

Executes dropped EXE 64 IoCs

pid	Process
372	wryljxq.exe
776	wqwdqo.exe
2808	wlyrs.exe
3500	wqkhc.exe
2328	wwssy.exe
1004	wfoohaa.exe
4668	wll.exe
3064	wqgomoqo.exe
4828	wiyxqwef.exe
4852	wekupt.exe
436	wnsb.exe
2684	wxowmpelh.exe
3312	woggoy.exe
3484	wenjv.exe
4380	wekmsexs.exe
3068	wgvglsq.exe
4556	wrotxj.exe
2024	wcjnghnr.exe
2560	wyhvmf.exe
2840	wvtsodeh.exe
1032	wfcydc.exe
3116	wbl.exe
1452	wjsjw.exe
4584	wkfdprd.exe
4812	wlcgoi.exe
4680	wrxgfoo.exe
3776	wnld.exe
2440	wbrglcg.exe
3956	wbgne.exe
1044	wmu.exe
2328	wrfwfay.exe
1280	wrnklpn.exe
2392	wwyauvk.exe
4396	wlqngm.exe
916	wiek.exe
1056	wmmufr.exe
4120	wrjttx.exe
1980	wgdm.exe
3500	wlbmjulfc.exe
3784	wxi.exe
4072	wioudk.exe
4592	wwvxhaja.exe
752	wvsc.exe
720	woybdwr.exe
852	wobmvoy.exe
3144	wgglswd.exe
4476	wqch.exe
3244	wnbnhtp.exe
2404	wrw.exe
1668	wfp.exe
4252	wklcax.exe
3732	wvgxhvdm.exe
1408	wypie.exe
4592	wemhtj.exe
1824	wshy.exe
4584	wgvelnch.exe
3616	wlrdbtk.exe
2992	wrbox.exe
3752	wfgq.exe
1896	wrcjci.exe
1944	wbjo.exe
4808	wlpwef.exe
4644	wmcpw.exe
1236	wiaw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wqrh.exe	wya.exe
File opened for modification	C:\Windows\SysWOW64\wrfwfay.exe	wmu.exe
File opened for modification	C:\Windows\SysWOW64\wioudk.exe	wxi.exe
File opened for modification	C:\Windows\SysWOW64\wvgxhvdm.exe	wklcax.exe
File created	C:\Windows\SysWOW64\wlrdbtk.exe	wgvelnch.exe
File created	C:\Windows\SysWOW64\wwyauvk.exe	wrnklpn.exe
File created	C:\Windows\SysWOW64\wlqngm.exe	wwyauvk.exe
File opened for modification	C:\Windows\SysWOW64\wmcpw.exe	wlpwef.exe
File opened for modification	C:\Windows\SysWOW64\wiqriu.exe	wkeuh.exe
File created	C:\Windows\SysWOW64\wlyrs.exe	wqwdqo.exe
File created	C:\Windows\SysWOW64\wjsjw.exe	wbl.exe
File opened for modification	C:\Windows\SysWOW64\wlcgoi.exe	wkfdprd.exe
File opened for modification	C:\Windows\SysWOW64\wrnklpn.exe	wrfwfay.exe
File opened for modification	C:\Windows\SysWOW64\wikadc.exe	wvrnrmv.exe
File opened for modification	C:\Windows\SysWOW64\wjmy.exe	wnoqac.exe
File created	C:\Windows\SysWOW64\wll.exe	wfoohaa.exe
File created	C:\Windows\SysWOW64\wrotxj.exe	wgvglsq.exe
File created	C:\Windows\SysWOW64\wbl.exe	wfcydc.exe
File created	C:\Windows\SysWOW64\wmcpw.exe	wlpwef.exe
File opened for modification	C:\Windows\SysWOW64\woggoy.exe	wxowmpelh.exe
File opened for modification	C:\Windows\SysWOW64\wkfdprd.exe	wjsjw.exe
File opened for modification	C:\Windows\SysWOW64\wmu.exe	wbgne.exe
File created	C:\Windows\SysWOW64\wmmufr.exe	wiek.exe
File created	C:\Windows\SysWOW64\wqwdqo.exe	wryljxq.exe
File opened for modification	C:\Windows\SysWOW64\wqgomoqo.exe	wll.exe
File created	C:\Windows\SysWOW64\wnsb.exe	wekupt.exe
File opened for modification	C:\Windows\SysWOW64\wnsb.exe	wekupt.exe
File opened for modification	C:\Windows\SysWOW64\wsiehppdr.exe	wjkh.exe
File created	C:\Windows\SysWOW64\woixw.exe	wjmy.exe
File created	C:\Windows\SysWOW64\woybdwr.exe	wvsc.exe
File created	C:\Windows\SysWOW64\wfp.exe	wrw.exe
File opened for modification	C:\Windows\SysWOW64\wrcjci.exe	wfgq.exe
File created	C:\Windows\SysWOW64\wgd.exe	warf.exe
File created	C:\Windows\SysWOW64\wya.exe	wwdvbiai.exe
File opened for modification	C:\Windows\SysWOW64\wryljxq.exe	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\wfcydc.exe	wvtsodeh.exe
File created	C:\Windows\SysWOW64\wfgq.exe	wrbox.exe
File created	C:\Windows\SysWOW64\wsiehppdr.exe	wjkh.exe
File opened for modification	C:\Windows\SysWOW64\wbjo.exe	wrcjci.exe
File created	C:\Windows\SysWOW64\wnupmj.exe	wikadc.exe
File opened for modification	C:\Windows\SysWOW64\wqwdqo.exe	wryljxq.exe
File created	C:\Windows\SysWOW64\wqkhc.exe	wlyrs.exe
File created	C:\Windows\SysWOW64\wwssy.exe	wqkhc.exe
File opened for modification	C:\Windows\SysWOW64\wbgne.exe	wbrglcg.exe
File opened for modification	C:\Windows\SysWOW64\wyhvmf.exe	wcjnghnr.exe
File created	C:\Windows\SysWOW64\wanfkdfmv.exe	wqrh.exe
File opened for modification	C:\Windows\SysWOW64\wkeuh.exe	whissrys.exe
File created	C:\Windows\SysWOW64\wnoqac.exe	wiqriu.exe
File opened for modification	C:\Windows\SysWOW64\wlijmdsy.exe	whayqv.exe
File created	C:\Windows\SysWOW64\wvffu.exe	wlijmdsy.exe
File created	C:\Windows\SysWOW64\wjkh.exe	wvffu.exe
File opened for modification	C:\Windows\SysWOW64\wfkebk.exe	wanfkdfmv.exe
File opened for modification	C:\Windows\SysWOW64\wmmufr.exe	wiek.exe
File opened for modification	C:\Windows\SysWOW64\wgdm.exe	wrjttx.exe
File opened for modification	C:\Windows\SysWOW64\wwvxhaja.exe	wioudk.exe
File opened for modification	C:\Windows\SysWOW64\wrbox.exe	wlrdbtk.exe
File created	C:\Windows\SysWOW64\wemhtj.exe	wypie.exe
File created	C:\Windows\SysWOW64\wyeuee.exe	woixw.exe
File opened for modification	C:\Windows\SysWOW64\wqkhc.exe	wlyrs.exe
File created	C:\Windows\SysWOW64\wiyxqwef.exe	wqgomoqo.exe
File created	C:\Windows\SysWOW64\wioudk.exe	wxi.exe
File created	C:\Windows\SysWOW64\wbjo.exe	wrcjci.exe
File created	C:\Windows\SysWOW64\wvrnrmv.exe	wlurj.exe
File created	C:\Windows\SysWOW64\wqrh.exe	wya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1908	776	WerFault.exe	89
3732	1004	WerFault.exe	109
1476	4828	WerFault.exe	122
1872	4556	WerFault.exe	148
2236	3144	WerFault.exe	238
4120	2992	WerFault.exe	276
2964	4940	WerFault.exe	326
3300	2852	WerFault.exe	329
1792	4856	WerFault.exe	357

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 372	4376	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe	85
PID 4376 wrote to memory of 372	4376	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe	85
PID 4376 wrote to memory of 372	4376	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe	85
PID 4376 wrote to memory of 4444	4376	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe	87
PID 4376 wrote to memory of 4444	4376	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe	87
PID 4376 wrote to memory of 4444	4376	2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe	87
PID 372 wrote to memory of 776	372	wryljxq.exe	89
PID 372 wrote to memory of 776	372	wryljxq.exe	89
PID 372 wrote to memory of 776	372	wryljxq.exe	89
PID 372 wrote to memory of 2748	372	wryljxq.exe	90
PID 372 wrote to memory of 2748	372	wryljxq.exe	90
PID 372 wrote to memory of 2748	372	wryljxq.exe	90
PID 776 wrote to memory of 2808	776	wqwdqo.exe	96
PID 776 wrote to memory of 2808	776	wqwdqo.exe	96
PID 776 wrote to memory of 2808	776	wqwdqo.exe	96
PID 776 wrote to memory of 4332	776	wqwdqo.exe	97
PID 776 wrote to memory of 4332	776	wqwdqo.exe	97
PID 776 wrote to memory of 4332	776	wqwdqo.exe	97
PID 2808 wrote to memory of 3500	2808	wlyrs.exe	102
PID 2808 wrote to memory of 3500	2808	wlyrs.exe	102
PID 2808 wrote to memory of 3500	2808	wlyrs.exe	102
PID 2808 wrote to memory of 1816	2808	wlyrs.exe	103
PID 2808 wrote to memory of 1816	2808	wlyrs.exe	103
PID 2808 wrote to memory of 1816	2808	wlyrs.exe	103
PID 3500 wrote to memory of 2328	3500	wqkhc.exe	106
PID 3500 wrote to memory of 2328	3500	wqkhc.exe	106
PID 3500 wrote to memory of 2328	3500	wqkhc.exe	106
PID 3500 wrote to memory of 3032	3500	wqkhc.exe	107
PID 3500 wrote to memory of 3032	3500	wqkhc.exe	107
PID 3500 wrote to memory of 3032	3500	wqkhc.exe	107
PID 2328 wrote to memory of 1004	2328	wwssy.exe	109
PID 2328 wrote to memory of 1004	2328	wwssy.exe	109
PID 2328 wrote to memory of 1004	2328	wwssy.exe	109
PID 2328 wrote to memory of 1668	2328	wwssy.exe	110
PID 2328 wrote to memory of 1668	2328	wwssy.exe	110
PID 2328 wrote to memory of 1668	2328	wwssy.exe	110
PID 1004 wrote to memory of 4668	1004	wfoohaa.exe	114
PID 1004 wrote to memory of 4668	1004	wfoohaa.exe	114
PID 1004 wrote to memory of 4668	1004	wfoohaa.exe	114
PID 1004 wrote to memory of 1408	1004	wfoohaa.exe	115
PID 1004 wrote to memory of 1408	1004	wfoohaa.exe	115
PID 1004 wrote to memory of 1408	1004	wfoohaa.exe	115
PID 4668 wrote to memory of 3064	4668	wll.exe	119
PID 4668 wrote to memory of 3064	4668	wll.exe	119
PID 4668 wrote to memory of 3064	4668	wll.exe	119
PID 4668 wrote to memory of 2052	4668	wll.exe	120
PID 4668 wrote to memory of 2052	4668	wll.exe	120
PID 4668 wrote to memory of 2052	4668	wll.exe	120
PID 3064 wrote to memory of 4828	3064	wqgomoqo.exe	122
PID 3064 wrote to memory of 4828	3064	wqgomoqo.exe	122
PID 3064 wrote to memory of 4828	3064	wqgomoqo.exe	122
PID 3064 wrote to memory of 2268	3064	wqgomoqo.exe	123
PID 3064 wrote to memory of 2268	3064	wqgomoqo.exe	123
PID 3064 wrote to memory of 2268	3064	wqgomoqo.exe	123
PID 4828 wrote to memory of 4852	4828	wiyxqwef.exe	125
PID 4828 wrote to memory of 4852	4828	wiyxqwef.exe	125
PID 4828 wrote to memory of 4852	4828	wiyxqwef.exe	125
PID 4828 wrote to memory of 764	4828	wiyxqwef.exe	126
PID 4828 wrote to memory of 764	4828	wiyxqwef.exe	126
PID 4828 wrote to memory of 764	4828	wiyxqwef.exe	126
PID 4852 wrote to memory of 436	4852	wekupt.exe	130
PID 4852 wrote to memory of 436	4852	wekupt.exe	130
PID 4852 wrote to memory of 436	4852	wekupt.exe	130
PID 4852 wrote to memory of 1028	4852	wekupt.exe	131

C:\Users\Admin\AppData\Local\Temp\2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\wryljxq.exe
  "C:\Windows\system32\wryljxq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\wqwdqo.exe
    "C:\Windows\system32\wqwdqo.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\wlyrs.exe
      "C:\Windows\system32\wlyrs.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\wqkhc.exe
        
        "C:\Windows\system32\wqkhc.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\SysWOW64\wwssy.exe
        
        "C:\Windows\system32\wwssy.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\wfoohaa.exe
        
        "C:\Windows\system32\wfoohaa.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\wll.exe
        
        "C:\Windows\system32\wll.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\wqgomoqo.exe
        
        "C:\Windows\system32\wqgomoqo.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\wiyxqwef.exe
        
        "C:\Windows\system32\wiyxqwef.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\wekupt.exe
        
        "C:\Windows\system32\wekupt.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\wnsb.exe
        
        "C:\Windows\system32\wnsb.exe"
        12⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\wxowmpelh.exe
        
        "C:\Windows\system32\wxowmpelh.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\woggoy.exe
        
        "C:\Windows\system32\woggoy.exe"
        14⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\wenjv.exe
        
        "C:\Windows\system32\wenjv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\wekmsexs.exe
        
        "C:\Windows\system32\wekmsexs.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\wgvglsq.exe
        
        "C:\Windows\system32\wgvglsq.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wrotxj.exe
        
        "C:\Windows\system32\wrotxj.exe"
        18⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\wcjnghnr.exe
        
        "C:\Windows\system32\wcjnghnr.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\wyhvmf.exe
        
        "C:\Windows\system32\wyhvmf.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\wvtsodeh.exe
        
        "C:\Windows\system32\wvtsodeh.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\wfcydc.exe
        
        "C:\Windows\system32\wfcydc.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\wbl.exe
        
        "C:\Windows\system32\wbl.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\wjsjw.exe
        
        "C:\Windows\system32\wjsjw.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\wkfdprd.exe
        
        "C:\Windows\system32\wkfdprd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\wlcgoi.exe
        
        "C:\Windows\system32\wlcgoi.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\wrxgfoo.exe
        
        "C:\Windows\system32\wrxgfoo.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\wnld.exe
        
        "C:\Windows\system32\wnld.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\wbrglcg.exe
        
        "C:\Windows\system32\wbrglcg.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\wbgne.exe
        
        "C:\Windows\system32\wbgne.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\wmu.exe
        
        "C:\Windows\system32\wmu.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\wrfwfay.exe
        
        "C:\Windows\system32\wrfwfay.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\wrnklpn.exe
        
        "C:\Windows\system32\wrnklpn.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\wwyauvk.exe
        
        "C:\Windows\system32\wwyauvk.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\wlqngm.exe
        
        "C:\Windows\system32\wlqngm.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\wiek.exe
        
        "C:\Windows\system32\wiek.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\wmmufr.exe
        
        "C:\Windows\system32\wmmufr.exe"
        37⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\wrjttx.exe
        
        "C:\Windows\system32\wrjttx.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\wgdm.exe
        
        "C:\Windows\system32\wgdm.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\wlbmjulfc.exe
        
        "C:\Windows\system32\wlbmjulfc.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\wxi.exe
        
        "C:\Windows\system32\wxi.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\wioudk.exe
        
        "C:\Windows\system32\wioudk.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\wwvxhaja.exe
        
        "C:\Windows\system32\wwvxhaja.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\wvsc.exe
        
        "C:\Windows\system32\wvsc.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\woybdwr.exe
        
        "C:\Windows\system32\woybdwr.exe"
        45⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\wobmvoy.exe
        
        "C:\Windows\system32\wobmvoy.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\wgglswd.exe
        
        "C:\Windows\system32\wgglswd.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\wqch.exe
        
        "C:\Windows\system32\wqch.exe"
        48⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\wnbnhtp.exe
        
        "C:\Windows\system32\wnbnhtp.exe"
        49⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\wrw.exe
        
        "C:\Windows\system32\wrw.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\wfp.exe
        
        "C:\Windows\system32\wfp.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\wklcax.exe
        
        "C:\Windows\system32\wklcax.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\wvgxhvdm.exe
        
        "C:\Windows\system32\wvgxhvdm.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\wypie.exe
        
        "C:\Windows\system32\wypie.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\wemhtj.exe
        
        "C:\Windows\system32\wemhtj.exe"
        55⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\wshy.exe
        
        "C:\Windows\system32\wshy.exe"
        56⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\wgvelnch.exe
        
        "C:\Windows\system32\wgvelnch.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\wlrdbtk.exe
        
        "C:\Windows\system32\wlrdbtk.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\wrbox.exe
        
        "C:\Windows\system32\wrbox.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\wfgq.exe
        
        "C:\Windows\system32\wfgq.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\wrcjci.exe
        
        "C:\Windows\system32\wrcjci.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\wbjo.exe
        
        "C:\Windows\system32\wbjo.exe"
        62⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\wlpwef.exe
        
        "C:\Windows\system32\wlpwef.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\wmcpw.exe
        
        "C:\Windows\system32\wmcpw.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\wiaw.exe
        
        "C:\Windows\system32\wiaw.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\warf.exe
        
        "C:\Windows\system32\warf.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\wgd.exe
        
        "C:\Windows\system32\wgd.exe"
        67⤵
        Checks computer location settings
        
        PID:3132
        
        C:\Windows\SysWOW64\whayqv.exe
        
        "C:\Windows\system32\whayqv.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\wlijmdsy.exe
        
        "C:\Windows\system32\wlijmdsy.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\wvffu.exe
        
        "C:\Windows\system32\wvffu.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\wjkh.exe
        
        "C:\Windows\system32\wjkh.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\wsiehppdr.exe
        
        "C:\Windows\system32\wsiehppdr.exe"
        72⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\wgyqsgbe.exe
        
        "C:\Windows\system32\wgyqsgbe.exe"
        73⤵
        Checks computer location settings
        
        PID:1108
        
        C:\Windows\SysWOW64\wlurj.exe
        
        "C:\Windows\system32\wlurj.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\wvrnrmv.exe
        
        "C:\Windows\system32\wvrnrmv.exe"
        75⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\wikadc.exe
        
        "C:\Windows\system32\wikadc.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\wnupmj.exe
        
        "C:\Windows\system32\wnupmj.exe"
        77⤵
        Checks computer location settings
        
        PID:2488
        
        C:\Windows\SysWOW64\wwdvbiai.exe
        
        "C:\Windows\system32\wwdvbiai.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\wya.exe
        
        "C:\Windows\system32\wya.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\wqrh.exe
        
        "C:\Windows\system32\wqrh.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\wanfkdfmv.exe
        
        "C:\Windows\system32\wanfkdfmv.exe"
        81⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wfkebk.exe
        
        "C:\Windows\system32\wfkebk.exe"
        82⤵
        Checks computer location settings
        
        PID:812
        
        C:\Windows\SysWOW64\wrqhf.exe
        
        "C:\Windows\system32\wrqhf.exe"
        83⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\whissrys.exe
        
        "C:\Windows\system32\whissrys.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\wkeuh.exe
        
        "C:\Windows\system32\wkeuh.exe"
        85⤵
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\wiqriu.exe
        
        "C:\Windows\system32\wiqriu.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\wnoqac.exe
        
        "C:\Windows\system32\wnoqac.exe"
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\wjmy.exe
        
        "C:\Windows\system32\wjmy.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\woixw.exe
        
        "C:\Windows\system32\woixw.exe"
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\wyeuee.exe
        
        "C:\Windows\system32\wyeuee.exe"
        90⤵
        Checks computer location settings
        
        PID:1520
        
        C:\Windows\SysWOW64\wnlwj.exe
        
        "C:\Windows\system32\wnlwj.exe"
        91⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyeuee.exe"
        91⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woixw.exe"
        90⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmy.exe"
        89⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoqac.exe"
        88⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqriu.exe"
        87⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkeuh.exe"
        86⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whissrys.exe"
        85⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 116
        85⤵
        Program crash
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqhf.exe"
        84⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkebk.exe"
        83⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanfkdfmv.exe"
        82⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrh.exe"
        81⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wya.exe"
        80⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdvbiai.exe"
        79⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnupmj.exe"
        78⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikadc.exe"
        77⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1460
        77⤵
        Program crash
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrnrmv.exe"
        76⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 116
        76⤵
        Program crash
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlurj.exe"
        75⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyqsgbe.exe"
        74⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiehppdr.exe"
        73⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkh.exe"
        72⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvffu.exe"
        71⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlijmdsy.exe"
        70⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whayqv.exe"
        69⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgd.exe"
        68⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warf.exe"
        67⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiaw.exe"
        66⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmcpw.exe"
        65⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpwef.exe"
        64⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjo.exe"
        63⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcjci.exe"
        62⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgq.exe"
        61⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbox.exe"
        60⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1340
        60⤵
        Program crash
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrdbtk.exe"
        59⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvelnch.exe"
        58⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshy.exe"
        57⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemhtj.exe"
        56⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypie.exe"
        55⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgxhvdm.exe"
        54⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklcax.exe"
        53⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfp.exe"
        52⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrw.exe"
        51⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbnhtp.exe"
        50⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqch.exe"
        49⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgglswd.exe"
        48⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1448
        48⤵
        Program crash
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobmvoy.exe"
        47⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woybdwr.exe"
        46⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvsc.exe"
        45⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvxhaja.exe"
        44⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioudk.exe"
        43⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxi.exe"
        42⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbmjulfc.exe"
        41⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdm.exe"
        40⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjttx.exe"
        39⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmufr.exe"
        38⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiek.exe"
        37⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqngm.exe"
        36⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyauvk.exe"
        35⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrnklpn.exe"
        34⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrfwfay.exe"
        33⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmu.exe"
        32⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgne.exe"
        31⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrglcg.exe"
        30⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnld.exe"
        29⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxgfoo.exe"
        28⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcgoi.exe"
        27⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfdprd.exe"
        26⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjsjw.exe"
        25⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbl.exe"
        24⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfcydc.exe"
        23⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtsodeh.exe"
        22⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyhvmf.exe"
        21⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjnghnr.exe"
        20⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrotxj.exe"
        19⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1624
        19⤵
        Program crash
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvglsq.exe"
        18⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekmsexs.exe"
        17⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenjv.exe"
        16⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woggoy.exe"
        15⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxowmpelh.exe"
        14⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsb.exe"
        13⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekupt.exe"
        12⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyxqwef.exe"
        11⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 116
        11⤵
        Program crash
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgomoqo.exe"
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wll.exe"
        9⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfoohaa.exe"
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 116
        8⤵
        Program crash
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwssy.exe"
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkhc.exe"
        6⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyrs.exe"
        5⤵
        
        PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwdqo.exe"
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1692
      4⤵
      Program crash
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryljxq.exe"
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2cd7d9337473e5c75a67551177748780_NeikiAnalytics.exe"
  2⤵
  PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1004 -ip 1004
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4828 -ip 4828
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4556 -ip 4556
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3144 -ip 3144
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2992 -ip 2992
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4940 -ip 4940
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2852 -ip 2852
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4856 -ip 4856
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbgne.exe

Filesize
83KB

MD5
e505922ca120f65ad27769da070e294b

SHA1
f38283dfb1d5cc7dbe95241c80e8622d06a086df

SHA256
88cf5c837b47a7ebae34fbe70dcdad1fb678ab099360fcb210f707db2c8df0f4

SHA512
e69d9032b7e57196081f9b7d6599408263865176d80ac5b10c26de227771cba47f34547bd6abad134e3cd4477ba232a613ffcd803530b67bc0279c5c68c42bfc

Download Submit
C:\Windows\SysWOW64\wbl.exe

Filesize
83KB

MD5
2706770777aac7195b3711e9826d7734

SHA1
72f7b549eda6fea967d02509ece294a3f1326dc6

SHA256
be0472d935a4a2f77869b4b58aae47fedec99c255b91a18bb9b4a8a8dcc6d1f6

SHA512
8d8d282184a4d81f2294e72826b049d543e898e177c76d98ab0b0f30935dfff11b5f6400141d3fa69dd651a89ce74bca6d1bb1eebb2090c1ae67439dab28c27a

Download Submit
C:\Windows\SysWOW64\wbrglcg.exe

Filesize
83KB

MD5
f635be4933e14c2d6f897e717063a9e4

SHA1
d88fe236ffb443c25772932f1742c87ff8ebe79d

SHA256
e724cfd7cc789bd16d7028379af6d9fcbadd0edb24a66604a423c36c8ae49029

SHA512
4fd265216b5d51f5d9c33bd1ca1f2d1ed9f2f82756720e9425c350646a8e3b7eaabc2049ea76e1520d4867c120c11803f620691497f77b4d21607be7eb3dc078

Download Submit
C:\Windows\SysWOW64\wcjnghnr.exe

Filesize
83KB

MD5
cceb69febbf7c2c5500c02f9035ec8f5

SHA1
59ed2e609738177bb840996f68369575dd9d9409

SHA256
447b3d8fba89f2ad8d75cf33c177a594cea8c044db0d18bc7abb330fa4447e97

SHA512
aa555e9c04675e7a08c817f8b8b553c8c116e3c10c4ba4fe3d517e623739c5c3aa335e6a9e398680ac976408cec56709700861dfe622a002774cfbe4777dae72

Download Submit
C:\Windows\SysWOW64\wekmsexs.exe

Filesize
83KB

MD5
a5ea0029e66cf8ad6af50aa049bc8130

SHA1
f526ad86822f2b3992237991a0b33b9ec6b5c767

SHA256
487e516f4734607ddb62a81af63a976525f0c1a1c9867a33b8679ab4e4d6e591

SHA512
b0138816d312b34b694b57817b3c7ae1b7db8b4213e1392ae5c27d73bd780f4c5f9ed6f97b7189fc9294945d14e5448966c47498dcc8fccaf90de5be67ef271d

Download Submit
C:\Windows\SysWOW64\wekupt.exe

Filesize
83KB

MD5
61d69e1193456f2e72182d6831493333

SHA1
352eb135e0b52757b2ef703bae515bdf5e007997

SHA256
a901b2eeacb45a3ca41827090a4b0e8d9e87748a2ee8f8d8fe04ea0ce6e30328

SHA512
37fb91240a135000d5c499ce09fdf520a666939030f87f6122c268854f4f7b440305ed57e7aa000cd075d38d2239fdabfecf7040220bbc46795fd8d5b240c8ef

Download Submit
C:\Windows\SysWOW64\wenjv.exe

Filesize
83KB

MD5
95e4fbb2a4fac984e8c9a3221b03bf65

SHA1
dc469f26dca8e097808748ad7d88758e82404ff0

SHA256
5388ff41a8c2d74f1321fc5cbd6472f67012b2cdcfa5fb776f9e532f0f84cae5

SHA512
fdb1da02a91baee6cb7ce412a4c8f1102281b562b981ec1998889b6304dbbd8bfaeb4a308a70c49f421d65bb47fd95feaeb8c678be45a96d83aaa8ede5809c76

Download Submit
C:\Windows\SysWOW64\wfcydc.exe

Filesize
83KB

MD5
ea94e73788d53ab1c8602e3241482d59

SHA1
1e3f2eb8a8404f7de64b175ecc43890838382e11

SHA256
195d09de36e9075187e884a3f31f2f9ba9066521bc63be7634cba64088b36f7e

SHA512
41467632b89db40386eeda22eaae8c98a427bf34bb9219f35d98e9707ad6e742f671b6cc32981db5bec6fd921362ed294c87e4c5393d6b9e164cc30461b195eb

Download Submit
C:\Windows\SysWOW64\wfoohaa.exe

Filesize
83KB

MD5
93cf068353af9968b08a3485cd52ea67

SHA1
2bd4f91efc1e629e922b934afd6eda5bfe0d46eb

SHA256
0f494551097ac195455bf5c743e1043251c5a639548cf2d2728747b808c66ddb

SHA512
495a4742fcf06afffc95fea2b878c61a8fa0ea2991a216de0870d65985aaceaae261760a31382ff96e9ef61ffb631d2dcf99ae4263750736346a17d0e9be7434

Download Submit
C:\Windows\SysWOW64\wgvglsq.exe

Filesize
83KB

MD5
37a985636fdb44424d43c4dd614dc5c1

SHA1
08175e633fcf40519d401f9d0b0b87c574f7eccb

SHA256
e809bf57e8ed460d9d1319e97ccc26eef0a605291bc1f54116bd4c01def1b36e

SHA512
5ce66b2300892000ce1cdbcb4c142c234143207debb9994018bed317922f044752f18866783b6eec5f868acd8d3a129d64715905ef7bdddadbe97b0ee051d5d4

Download Submit
C:\Windows\SysWOW64\wiyxqwef.exe

Filesize
83KB

MD5
85ea0d6b971b701a8d2a2d46f2db1fcd

SHA1
885bded54f134afdaba83c94d3707b2ea958c103

SHA256
699943f1abf56e8eccfd22d9319cdbf732dc649c2ca661a24b166b1909f2d764

SHA512
6a898c9e73cf11110b80e8d692522dfbca96d09d4a9d0044cba38fab421feeaee7e1f0a9add805e6f04af2385a413209f2e3c3e46ee977585dbcd7fd46d88f79

Download Submit
C:\Windows\SysWOW64\wjsjw.exe

Filesize
83KB

MD5
a688c4730c65b23b1690bf8401fef564

SHA1
7723bd733fee5f25db17b034fd609a573b78a9e9

SHA256
c582b85eae33f51f7009cbe6ef8997db1db78a3e286daa7efa86c39e59966120

SHA512
a61dc9ada704b71c3bc81ab4903eccc1e2b460b2488851cde832fac52b1a7a7536a579e76cfb9281a4a222aa86efedb76b8ab59605ed0e84fe7684c77dd681e8

Download Submit
C:\Windows\SysWOW64\wkfdprd.exe

Filesize
83KB

MD5
30f87ddeacda16fd55d4307a5f705238

SHA1
d1fec98b2b782da6571c75c0e6c1309f82591042

SHA256
d561841df80c8e10fc3c689eff281457d789c0dcdb720fa8f16174bb99d3381a

SHA512
b20ac2cb081c356cf176a1123d8f93993338f570cf3bea1e21f16f705b7c263ae024257884c36892bf73f2e0893bff4837356d2d23000c0328c357b9e81c133a

Download Submit
C:\Windows\SysWOW64\wlcgoi.exe

Filesize
83KB

MD5
f93c547b21066675b8e569fe90f934fe

SHA1
0b04b03be650f9e002c7b278890904040ef2b4be

SHA256
8959fd07540da7a669e693e25f198e1eedf6bb62022d6a7a08ada4e734fd31ee

SHA512
1eb42a444e73b2de638ef8733c3dd6e59920809ec34f5f0347cda5ecffa3d5763b1e77fdf1bc35a0038ce217c518b158b87a1517b30f49225774d291a7b4433b

Download Submit
C:\Windows\SysWOW64\wll.exe

Filesize
83KB

MD5
af5bd9b05e3bfdfb109d57de6b5858b9

SHA1
3c473574384e45107113b1b0abb9a11a8ae5d057

SHA256
0feb8ead30d3d638d288594d804b92eac4ee24676500d80140e3368c63a6b5c8

SHA512
8c87d83e297a427cc8cceee6876ac6f4271eb0fcd8248d7541fbcff9a1f9d90f0f7570f24a629efbc36f023b4ddb31eea1ee30dfcd75e89127dff9ab6f9d2cc6

Download Submit
C:\Windows\SysWOW64\wlyrs.exe

Filesize
83KB

MD5
4a18bfabc459f31ea7dd943c386fc35e

SHA1
49c09b502228e844c5a65132cda53d39b8936b04

SHA256
3d93e10c53b041edfcdaded27e0f04784bf43984ff5d232a8b1e484a35173ae4

SHA512
22769aef24c5994336f2e5bdb26da0e3973b59b4cf08c9019b85f4ce349ce41109f9946a4d00bec7a0b15525c7b108e03e57f2dd3d14719e89da2f8c723a37f6

Download Submit
C:\Windows\SysWOW64\wmu.exe

Filesize
83KB

MD5
b61388563c8587e9a2c8719b9380b8a7

SHA1
342b5416b49558e8407b7eccbbca1b0f2fbfbb9d

SHA256
640b489992dedca60dddb48d6e9485f021d35ed05c243d29114de18ddf5f3961

SHA512
5c42ab7b341e9b0f5f0c25d8536a9274bad0e2314b9142905accb01e01e51beb0c77105738ff62be27b32fd6177e75fe5e1efbb29cdd6558c9e1d9abffc20231

Download Submit
C:\Windows\SysWOW64\wnld.exe

Filesize
83KB

MD5
48bd48c8441c81a3e5d33c7713ad5b80

SHA1
2aae277a819fbf29a8703e526a7c235b216d85c7

SHA256
76fbf076a0c3c8ce74dea9406b391fa64903c734adadb9297d91bf406681f9e5

SHA512
ba564df98d96faaf5327d88de228d4e502cde2f729d344d65e33cdef0b4eb26bae4b5dfd72f8d1f8c4cb825d02706f2d85abde86853726ac43f27623c36ce509

Download Submit
C:\Windows\SysWOW64\wnsb.exe

Filesize
83KB

MD5
68ac5fe1ef662c99f94e1b4d5ca71b38

SHA1
565c4d9b53c4ca18b5e98cdf68c419a1114e5515

SHA256
d0f830caf1cc1533e9ac48c41273c55908c39012e91a38cf0e9fdaf3e65ed42d

SHA512
340e08765351233fcaf4eafc12e88610c65808749e7b80d2a9eb9c089296bbdf9ab09820b7b612d76152e838284e5c463ab55067c47fc0b060c22b8aac9bfa8f

Download Submit
C:\Windows\SysWOW64\woggoy.exe

Filesize
83KB

MD5
ff3ef4df2bed6e0a786e12780c21c83e

SHA1
3064e3f72aef23e0b4042619eb81b4ba9230fbfd

SHA256
942cf2f83e03da73cf0d6656f95fec7318d7b449bba2794e3fd2a658b05039d0

SHA512
309e28efdbfd6d681c2ec18bcb92a926e1f8973ffd91ef2dcae4d42e9e13889e33c9c2c3804e932e70aebdebbfb4a1d59092470c4da4fe6ddac55d4cf1d9cb63

Download Submit
C:\Windows\SysWOW64\wqgomoqo.exe

Filesize
83KB

MD5
4909e2533a61b1bc38c57e9f118feadd

SHA1
2e33d2102d78957d50352630df24222aff79c042

SHA256
83df29a07259adef6ba2148afefea725dc42db7485e05b9339db848f40a29a9a

SHA512
b840165e4eb51fca21a2c94194dea93f96443b005289845f61e2f33d50d933eccf7b18b97391f454485fdde8647bc0a2befb5b2eb596ddc4639ecb24e122f985

Download Submit
C:\Windows\SysWOW64\wqkhc.exe

Filesize
83KB

MD5
fd7d151b545d34993b18c0d4bdcfaffd

SHA1
421bd2ee0a7c2b6ae64c01c753cf797cc7e6896e

SHA256
2d19a69737adf8dcf6ec1848ec1bd0bd27965217f68bea31590d0b5e2c2b730d

SHA512
028464196aac9758e0dc7e535192162cf42d61210a4e341caceb7311be921c555539870c5db44342a0fad325849af83bf8be401ccc75d107c8538d0cbf2a7f42

Download Submit
C:\Windows\SysWOW64\wqwdqo.exe

Filesize
83KB

MD5
ae62b52e463222b9f16a28c599e08aa2

SHA1
50fd96176f69ff2653406ef88d55a0d1c35e9ea5

SHA256
98d15bc0fa4180d0e9ee48a5f4b6e2d8ed667d71c71e6b180f0c3c5021935326

SHA512
8d9bf5053d7dcf679e033c10cfab89658f6b7737d1a1a85c3008ddd75775adc93334827138f8c55aa09293afc71d2c42f0df0c1f57013989cbe649ea148759bb

Download Submit
C:\Windows\SysWOW64\wrfwfay.exe

Filesize
83KB

MD5
936485e6bcde0dc8b9e531452191e1f4

SHA1
e6934c7c3c2ba877dcc71cb9234c1eee2e3848e6

SHA256
4278bb8c3b476516d444b5a9b39c44a94149eedf738e58f05e06b1c3bbd7e589

SHA512
ea134693db568d1e8efac97dec14eeb1c2ebfc490d8680496050ccf6ec52fdc8e11ccbdfb8dc3af7eccdfa5d98c867d1b37a6ddc57385f58c93ca29485fa3421

Download Submit
C:\Windows\SysWOW64\wrnklpn.exe

Filesize
84KB

MD5
696c6a24d02c6e566915cc8697268d24

SHA1
5830464a67d0853622cb892dacdda0839161d15f

SHA256
acb10b18dced3d490084176bb4da0362b87fc316aefb5c870a29db0cc7605fc7

SHA512
6bd09be4371e3e0877a425cc6a4f7414044f3d1decd25a39004bca9691653ccfd65fa10d4ce08aff6dda6eeb1e0d2dbbef170c345b733a45d32c2ed2980fc005

Download Submit
C:\Windows\SysWOW64\wrotxj.exe

Filesize
83KB

MD5
1025e71d7473c24c718c207d8725c360

SHA1
b11bd988495a4a3f816d9cb026fbc6a8f3b96e1c

SHA256
cc090fdfa7007a5397324b2f5223c4dc5a57d611060675cad952add5da1b52b3

SHA512
5de137cbd2dd6f77ce18c180529e35a5f95e281a931806f69847ffacb2a35df98d39d320d28f2e6180d16cdecd8296e42c8b334cdd1b3389b912dc5aba972af4

Download Submit
C:\Windows\SysWOW64\wrxgfoo.exe

Filesize
83KB

MD5
2738320a32a03cf4403a2991d2029894

SHA1
848ab92d8003d43536548745deab2b0e9d00f4ec

SHA256
37bb225500274228a32e5399d699cc5b78523acd524bfe6776f069e77b1e6e9a

SHA512
dad1a489e5674876751fb57dbe494e70b3445f7eaa75ecf20f151f928ae7e1010fe53fb42c19b7d49d978f89d4ed7ee568ac38922f58e4cf4277d626573e6940

Download Submit
C:\Windows\SysWOW64\wryljxq.exe

Filesize
83KB

MD5
24f3ae5dcc2855cb84a43aeef1656e65

SHA1
05e388c8fd4752ab098559bc321087e9c5072ac3

SHA256
ce1508af35a37ef1be88ce138afcd229d17f4b28df3546564ca8b2820bcdb4da

SHA512
973fdabb51c08143abbafa3cec3818a864b479c9cd8863924a83817c61cd7450d245ba6709e043d42c9229af7bad1d488681e554cfeaa3e39983731c4d4b6ea5

Download Submit
C:\Windows\SysWOW64\wvtsodeh.exe

Filesize
83KB

MD5
d06f4a7c0a9e8aadafe243092eb2e84e

SHA1
72c6bfac373fe0c5be1b9c9d4294473c0069f33a

SHA256
343eb8b5e108820ead15fbfd8235d90d448eaf9d1412d18b953f0989062b1fbe

SHA512
5d22129e1e1fa7f7f4a376af1a7310dda002ef12ea1fbe1058816c08e083d3570b93dbfa04e838de36e94f9395f4e7ea35cd40bba70ce0f008276d91ed3f766b

Download Submit
C:\Windows\SysWOW64\wwssy.exe

Filesize
83KB

MD5
c691fe700e686f86361d90924e358e22

SHA1
ba85cd9dc6f3fd7b896434bf07bfdb70e4b0a6db

SHA256
4586cb0574837200171f6d59698369a42ed8723f8164c94d780feabe2633b907

SHA512
ef7e8f1adc25ea866cbadb9e94f5dc21d96f9df9ef841971908f1e00d260e7d5dba710af546d446e1126552df7d5bc712c987c7ac1c47aabaa860cef65455fae

Download Submit
C:\Windows\SysWOW64\wxowmpelh.exe

Filesize
83KB

MD5
082c234c9647488ac7678856c356e655

SHA1
4a0226ca65cff4d5435435e5a763ecc572af0ba5

SHA256
0ea00c890621f502f06f902960e3a95412e9b715b1bc9174d3ae0e85712dc91a

SHA512
7cbf242f1879584ec8d214105d72463b049a4a55acf0af307c0d6848a6992f05b30371a485d22a0be9638a271daaef3d8ee69670dfbc1c73b91a348e5e14161d

Download Submit
C:\Windows\SysWOW64\wyhvmf.exe

Filesize
83KB

MD5
f1864b739f9416d67bf1b716ddce39cb

SHA1
e50cb480a334dfcd79fdbf4c6b548c3d47a0f94c

SHA256
79926ab7ad7b8641f2f8e4861d4c8de85776e142164ba7c0c8627cf8501e891f

SHA512
84001f8b1aaf6228109c5d7615ab9586c475f779dceff7ded20c508982e027af5ed37431785019ff0510159a7877e9ff63dc5f71f3371334bbe08806562c353a

Download Submit
memory/372-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/436-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/436-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/720-441-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/752-424-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/752-433-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/776-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/776-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/852-449-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/916-366-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1004-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1032-231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1044-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1056-374-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1056-365-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1236-611-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1280-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1408-517-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1452-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-482-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-491-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-535-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-526-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1896-578-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1944-577-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1944-587-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-392-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-382-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2024-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2328-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2328-332-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2328-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2392-349-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-483-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2440-302-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2684-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2684-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2840-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2840-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-561-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-552-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3064-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-169-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3116-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3144-458-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3244-474-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3312-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3312-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3500-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3500-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3500-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3500-400-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3616-553-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3616-543-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3732-508-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3732-499-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3752-569-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3776-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3776-292-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3784-408-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3956-312-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4072-416-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4120-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4148-612-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4148-620-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4252-500-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4380-170-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-357-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4396-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4432-628-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4476-466-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4476-457-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4556-190-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4584-544-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4584-534-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4584-261-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4592-425-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4592-525-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4592-516-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4644-603-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4668-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4680-282-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4808-586-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4808-595-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download