40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe
Size

95KB
MD5

11e6c4227da68d04759f16043b01ed64
SHA1

ef60142534511a60c2261edaac6b144a46ecc26e
SHA256

40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c
SHA512

6a3fd37b1dcec9ecd7426d7d70317e88167ac910a7a2eaba18b3af33c750814a194de6c0b900c5a4184daa2f640368af4dbba5fcd20bb74490a7b975acf3dc8e
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCiOx:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC7

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wyir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	waskhfps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wnncetf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wyesoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wgn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wimrkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wohglupy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wsmkgjge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wiwtgwdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	why.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wvenhur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wktrqe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wddxjjh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wlehatxvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wogdwbi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wnwhs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wbebms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wumwugtfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wvexhg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wffpnnut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wpgss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wxdmrqhii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wbwool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wngcdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wglprk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wibc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	weysk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wxlevv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wasokppfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wacr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wbvgskuan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wuf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wxurcfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wsemls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wraidb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wfxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wiqckg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wbwcgn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wixtdpo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wbwuim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wxbtuu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wckrf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wpqvlpyh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wfkog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wwptsss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wdrojs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wlppeyick.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wghkjr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wnposf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wummwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wtjx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	whqmk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wiwdok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wiqyki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	weipxaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wfbemfwn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wqgloj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wyfef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wiptx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wwwns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wtnsnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wcgpv.exe

Executes dropped EXE 64 IoCs

pid	Process
4528	wcgpv.exe
4000	wlppeyick.exe
1264	wraidb.exe
3776	wghkjr.exe
2208	wfxm.exe
1340	wxdmrqhii.exe
4724	wyir.exe
3692	wiivde.exe
2644	wasokppfd.exe
4160	wffet.exe
3964	wffpnnut.exe
2088	wbwuim.exe
4408	wlrqply.exe
1420	wktrqe.exe
1288	wxbtuu.exe
1492	wpgss.exe
2272	wohglupy.exe
4852	wddxjjh.exe
5008	wdfjbc.exe
3108	wiqyki.exe
752	wbhioq.exe
1060	weipxaj.exe
2456	weysk.exe
4472	wweqg.exe
1432	wjlt.exe
2244	wnmbvau.exe
3436	wsmkgjge.exe
4220	wdfwt.exe
3680	wckrf.exe
640	wpqvlpyh.exe
4876	wiwtgwdj.exe
4000	wacr.exe
3776	wokujwh.exe
4936	wfbemfwn.exe
4068	waskhfps.exe
2284	wnncetf.exe
680	wlehatxvc.exe
5020	wkfsrmef.exe
2644	wfkog.exe
3428	wqgloj.exe
3164	why.exe
3580	wyesoa.exe
5072	wyfef.exe
4020	wbvgskuan.exe
4584	wncj.exe
3468	wiptx.exe
2764	wummwu.exe
3352	wqncx.exe
1160	wfj.exe
3428	wwptsss.exe
2528	wogdwbi.exe
3268	wgn.exe
1784	wuf.exe
1060	wimrkr.exe
3632	wnwhs.exe
4160	wvenhur.exe
3856	wvgyynys.exe
4948	wdrojs.exe
5036	wtjx.exe
3428	wlah.exe
2852	whqmk.exe
3760	wuwpqasw.exe
3084	wnsefil.exe
3740	wiusij.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wacr = "\"C:\\Windows\\SysWOW64\\wacr.exe\""	wacr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wokujwh = "\"C:\\Windows\\SysWOW64\\wokujwh.exe\""	wokujwh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weysk = "\"C:\\Windows\\SysWOW64\\weysk.exe\""	weysk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wweqg = "\"C:\\Windows\\SysWOW64\\wweqg.exe\""	wweqg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjlt = "\"C:\\Windows\\SysWOW64\\wjlt.exe\""	wjlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiptx = "\"C:\\Windows\\SysWOW64\\wiptx.exe\""	wiptx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvgyynys = "\"C:\\Windows\\SysWOW64\\wvgyynys.exe\""	wvgyynys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wayxyext = "\"C:\\Windows\\SysWOW64\\wayxyext.exe\""	wayxyext.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlppeyick = "\"C:\\Windows\\SysWOW64\\wlppeyick.exe\""	wlppeyick.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdfjbc = "\"C:\\Windows\\SysWOW64\\wdfjbc.exe\""	wdfjbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wffet = "\"C:\\Windows\\SysWOW64\\wffet.exe\""	wffet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbvgskuan = "\"C:\\Windows\\SysWOW64\\wbvgskuan.exe\""	wbvgskuan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwptsss = "\"C:\\Windows\\SysWOW64\\wwptsss.exe\""	wwptsss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wngcdu = "\"C:\\Windows\\SysWOW64\\wngcdu.exe\""	wngcdu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrj = "\"C:\\Windows\\SysWOW64\\wrj.exe\""	wrj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyir = "\"C:\\Windows\\SysWOW64\\wyir.exe\""	wyir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wasokppfd = "\"C:\\Windows\\SysWOW64\\wasokppfd.exe\""	wasokppfd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpqvlpyh = "\"C:\\Windows\\SysWOW64\\wpqvlpyh.exe\""	wpqvlpyh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqgloj = "\"C:\\Windows\\SysWOW64\\wqgloj.exe\""	wqgloj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wixtdpo = "\"C:\\Windows\\SysWOW64\\wixtdpo.exe\""	wixtdpo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wraidb = "\"C:\\Windows\\SysWOW64\\wraidb.exe\""	wraidb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wghkjr = "\"C:\\Windows\\SysWOW64\\wghkjr.exe\""	wghkjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wimusjk = "\"C:\\Windows\\SysWOW64\\wimusjk.exe\""	wimusjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlah = "\"C:\\Windows\\SysWOW64\\wlah.exe\""	wlah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwwns = "\"C:\\Windows\\SysWOW64\\wwwns.exe\""	wwwns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbhioq = "\"C:\\Windows\\SysWOW64\\wbhioq.exe\""	wbhioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsmkgjge = "\"C:\\Windows\\SysWOW64\\wsmkgjge.exe\""	wsmkgjge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgn = "\"C:\\Windows\\SysWOW64\\wgn.exe\""	wgn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdrojs = "\"C:\\Windows\\SysWOW64\\wdrojs.exe\""	wdrojs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbwool = "\"C:\\Windows\\SysWOW64\\wbwool.exe\""	wbwool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wffpnnut = "\"C:\\Windows\\SysWOW64\\wffpnnut.exe\""	wffpnnut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxbtuu = "\"C:\\Windows\\SysWOW64\\wxbtuu.exe\""	wxbtuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfkog = "\"C:\\Windows\\SysWOW64\\wfkog.exe\""	wfkog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyfef = "\"C:\\Windows\\SysWOW64\\wyfef.exe\""	wyfef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnwhs = "\"C:\\Windows\\SysWOW64\\wnwhs.exe\""	wnwhs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whqmk = "\"C:\\Windows\\SysWOW64\\whqmk.exe\""	whqmk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlshc = "\"C:\\Windows\\SysWOW64\\wlshc.exe\""	wlshc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wumwugtfg = "\"C:\\Windows\\SysWOW64\\wumwugtfg.exe\""	wumwugtfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpgss = "\"C:\\Windows\\SysWOW64\\wpgss.exe\""	wpgss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfbemfwn = "\"C:\\Windows\\SysWOW64\\wfbemfwn.exe\""	wfbemfwn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wphmyiy = "\"C:\\Windows\\SysWOW64\\wphmyiy.exe\""	wphmyiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wibc = "\"C:\\Windows\\SysWOW64\\wibc.exe\""	wibc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqncx = "\"C:\\Windows\\SysWOW64\\wqncx.exe\""	wqncx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuwpqasw = "\"C:\\Windows\\SysWOW64\\wuwpqasw.exe\""	wuwpqasw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpx = "\"C:\\Windows\\SysWOW64\\wpx.exe\""	wpx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbwcgn = "\"C:\\Windows\\SysWOW64\\wbwcgn.exe\""	wbwcgn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcgpv = "\"C:\\Windows\\SysWOW64\\wcgpv.exe\""	wcgpv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\why = "\"C:\\Windows\\SysWOW64\\why.exe\""	why.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wncj = "\"C:\\Windows\\SysWOW64\\wncj.exe\""	wncj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wimrkr = "\"C:\\Windows\\SysWOW64\\wimrkr.exe\""	wimrkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiusij = "\"C:\\Windows\\SysWOW64\\wiusij.exe\""	wiusij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkecqeu = "\"C:\\Windows\\SysWOW64\\wkecqeu.exe\""	wkecqeu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsemls = "\"C:\\Windows\\SysWOW64\\wsemls.exe\""	wsemls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wktrqe = "\"C:\\Windows\\SysWOW64\\wktrqe.exe\""	wktrqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wddxjjh = "\"C:\\Windows\\SysWOW64\\wddxjjh.exe\""	wddxjjh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvfr = "\"C:\\Windows\\SysWOW64\\wvfr.exe\""	wvfr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnposf = "\"C:\\Windows\\SysWOW64\\wnposf.exe\""	wnposf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlehatxvc = "\"C:\\Windows\\SysWOW64\\wlehatxvc.exe\""	wlehatxvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtnsnw = "\"C:\\Windows\\SysWOW64\\wtnsnw.exe\""	wtnsnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wogdwbi = "\"C:\\Windows\\SysWOW64\\wogdwbi.exe\""	wogdwbi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvenhur = "\"C:\\Windows\\SysWOW64\\wvenhur.exe\""	wvenhur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiwdok = "\"C:\\Windows\\SysWOW64\\wiwdok.exe\""	wiwdok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcfmh = "\"C:\\Windows\\SysWOW64\\wcfmh.exe\""	wcfmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wglprk = "\"C:\\Windows\\SysWOW64\\wglprk.exe\""	wglprk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wlah.exe	wtjx.exe
File opened for modification	C:\Windows\SysWOW64\wcgpv.exe	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe
File opened for modification	C:\Windows\SysWOW64\wnmbvau.exe	wjlt.exe
File created	C:\Windows\SysWOW64\wfj.exe	wqncx.exe
File opened for modification	C:\Windows\SysWOW64\wwptsss.exe	wfj.exe
File created	C:\Windows\SysWOW64\whqmk.exe	wlah.exe
File created	C:\Windows\SysWOW64\wnsefil.exe	wuwpqasw.exe
File created	C:\Windows\SysWOW64\wibc.exe	wrj.exe
File opened for modification	C:\Windows\SysWOW64\wbwuim.exe	wffpnnut.exe
File created	C:\Windows\SysWOW64\wlshc.exe	wxlevv.exe
File opened for modification	C:\Windows\SysWOW64\wdfwt.exe	wsmkgjge.exe
File created	C:\Windows\SysWOW64\wghkjr.exe	wraidb.exe
File created	C:\Windows\SysWOW64\wdfjbc.exe	wddxjjh.exe
File opened for modification	C:\Windows\SysWOW64\wiwtgwdj.exe	wpqvlpyh.exe
File opened for modification	C:\Windows\SysWOW64\wlehatxvc.exe	wnncetf.exe
File opened for modification	C:\Windows\SysWOW64\wogdwbi.exe	wwptsss.exe
File opened for modification	C:\Windows\SysWOW64\wiusij.exe	wnsefil.exe
File created	C:\Windows\SysWOW64\wcgpv.exe	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe
File opened for modification	C:\Windows\SysWOW64\wyfef.exe	wyesoa.exe
File created	C:\Windows\SysWOW64\wvenhur.exe	wnwhs.exe
File opened for modification	C:\Windows\SysWOW64\wumwugtfg.exe	wxurcfa.exe
File created	C:\Windows\SysWOW64\wngcdu.exe	wayxyext.exe
File opened for modification	C:\Windows\SysWOW64\wkfsrmef.exe	wlehatxvc.exe
File opened for modification	C:\Windows\SysWOW64\wuf.exe	wgn.exe
File opened for modification	C:\Windows\SysWOW64\wimusjk.exe	wvfr.exe
File opened for modification	C:\Windows\SysWOW64\wixtdpo.exe	wphmyiy.exe
File created	C:\Windows\SysWOW64\wxnwsv.exe	wgvnpm.exe
File created	C:\Windows\SysWOW64\wraidb.exe	wlppeyick.exe
File created	C:\Windows\SysWOW64\wlrqply.exe	wbwuim.exe
File opened for modification	C:\Windows\SysWOW64\wbhioq.exe	wiqyki.exe
File opened for modification	C:\Windows\SysWOW64\wvenhur.exe	wnwhs.exe
File opened for modification	C:\Windows\SysWOW64\wyir.exe	wxdmrqhii.exe
File opened for modification	C:\Windows\SysWOW64\wbebms.exe	wiwdok.exe
File opened for modification	C:\Windows\SysWOW64\wgn.exe	wogdwbi.exe
File created	C:\Windows\SysWOW64\wddxjjh.exe	wohglupy.exe
File created	C:\Windows\SysWOW64\wckrf.exe	wdfwt.exe
File created	C:\Windows\SysWOW64\wfbemfwn.exe	wokujwh.exe
File opened for modification	C:\Windows\SysWOW64\wqgloj.exe	wfkog.exe
File created	C:\Windows\SysWOW64\wgn.exe	wogdwbi.exe
File created	C:\Windows\SysWOW64\wiwdok.exe	wlshc.exe
File created	C:\Windows\SysWOW64\wpdcrg.exe	wumwugtfg.exe
File opened for modification	C:\Windows\SysWOW64\wlrqply.exe	wbwuim.exe
File created	C:\Windows\SysWOW64\wyir.exe	wxdmrqhii.exe
File created	C:\Windows\SysWOW64\waskhfps.exe	wfbemfwn.exe
File created	C:\Windows\SysWOW64\wfkog.exe	wkfsrmef.exe
File opened for modification	C:\Windows\SysWOW64\wcfmh.exe	wpx.exe
File created	C:\Windows\SysWOW64\wvexhg.exe	wixtdpo.exe
File created	C:\Windows\SysWOW64\wxdmrqhii.exe	wfxm.exe
File opened for modification	C:\Windows\SysWOW64\wfbemfwn.exe	wokujwh.exe
File opened for modification	C:\Windows\SysWOW64\wnncetf.exe	waskhfps.exe
File created	C:\Windows\SysWOW64\why.exe	wqgloj.exe
File opened for modification	C:\Windows\SysWOW64\wbvgskuan.exe	wyfef.exe
File opened for modification	C:\Windows\SysWOW64\wkecqeu.exe	wtnsnw.exe
File opened for modification	C:\Windows\SysWOW64\wvfr.exe	wbebms.exe
File created	C:\Windows\SysWOW64\wumwugtfg.exe	wxurcfa.exe
File created	C:\Windows\SysWOW64\wpqvlpyh.exe	wckrf.exe
File opened for modification	C:\Windows\SysWOW64\wphmyiy.exe	wglprk.exe
File opened for modification	C:\Windows\SysWOW64\wjlt.exe	wweqg.exe
File opened for modification	C:\Windows\SysWOW64\wvgyynys.exe	wvenhur.exe
File opened for modification	C:\Windows\SysWOW64\wlah.exe	wtjx.exe
File opened for modification	C:\Windows\SysWOW64\wglprk.exe	wsemls.exe
File created	C:\Windows\SysWOW64\wiqckg.exe	wibc.exe
File opened for modification	C:\Windows\SysWOW64\wdfjbc.exe	wddxjjh.exe
File created	C:\Windows\SysWOW64\wktrqe.exe	wlrqply.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
1008	4000	WerFault.exe	93
2896	3964	WerFault.exe	126
2640	5008	WerFault.exe	153
3672	3436	WerFault.exe	181
3324	4876	WerFault.exe	195
1380	680	WerFault.exe	215
2044	2644	WerFault.exe	223
4132	2528	WerFault.exe	262
3432	1784	WerFault.exe	270
3988	3632	WerFault.exe	278
4200	2284	WerFault.exe	330
1636	5080	WerFault.exe	341

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4528	3160	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe	85
PID 3160 wrote to memory of 4528	3160	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe	85
PID 3160 wrote to memory of 4528	3160	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe	85
PID 3160 wrote to memory of 4616	3160	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe	87
PID 3160 wrote to memory of 4616	3160	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe	87
PID 3160 wrote to memory of 4616	3160	40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe	87
PID 4528 wrote to memory of 4000	4528	wcgpv.exe	93
PID 4528 wrote to memory of 4000	4528	wcgpv.exe	93
PID 4528 wrote to memory of 4000	4528	wcgpv.exe	93
PID 4528 wrote to memory of 3224	4528	wcgpv.exe	94
PID 4528 wrote to memory of 3224	4528	wcgpv.exe	94
PID 4528 wrote to memory of 3224	4528	wcgpv.exe	94
PID 4000 wrote to memory of 1264	4000	wlppeyick.exe	96
PID 4000 wrote to memory of 1264	4000	wlppeyick.exe	96
PID 4000 wrote to memory of 1264	4000	wlppeyick.exe	96
PID 4000 wrote to memory of 4444	4000	wlppeyick.exe	97
PID 4000 wrote to memory of 4444	4000	wlppeyick.exe	97
PID 4000 wrote to memory of 4444	4000	wlppeyick.exe	97
PID 1264 wrote to memory of 3776	1264	wraidb.exe	103
PID 1264 wrote to memory of 3776	1264	wraidb.exe	103
PID 1264 wrote to memory of 3776	1264	wraidb.exe	103
PID 1264 wrote to memory of 1160	1264	wraidb.exe	104
PID 1264 wrote to memory of 1160	1264	wraidb.exe	104
PID 1264 wrote to memory of 1160	1264	wraidb.exe	104
PID 3776 wrote to memory of 2208	3776	wghkjr.exe	106
PID 3776 wrote to memory of 2208	3776	wghkjr.exe	106
PID 3776 wrote to memory of 2208	3776	wghkjr.exe	106
PID 3776 wrote to memory of 2828	3776	wghkjr.exe	107
PID 3776 wrote to memory of 2828	3776	wghkjr.exe	107
PID 3776 wrote to memory of 2828	3776	wghkjr.exe	107
PID 2208 wrote to memory of 1340	2208	wfxm.exe	110
PID 2208 wrote to memory of 1340	2208	wfxm.exe	110
PID 2208 wrote to memory of 1340	2208	wfxm.exe	110
PID 2208 wrote to memory of 1952	2208	wfxm.exe	111
PID 2208 wrote to memory of 1952	2208	wfxm.exe	111
PID 2208 wrote to memory of 1952	2208	wfxm.exe	111
PID 1340 wrote to memory of 4724	1340	wxdmrqhii.exe	113
PID 1340 wrote to memory of 4724	1340	wxdmrqhii.exe	113
PID 1340 wrote to memory of 4724	1340	wxdmrqhii.exe	113
PID 1340 wrote to memory of 4044	1340	wxdmrqhii.exe	114
PID 1340 wrote to memory of 4044	1340	wxdmrqhii.exe	114
PID 1340 wrote to memory of 4044	1340	wxdmrqhii.exe	114
PID 4724 wrote to memory of 3692	4724	wyir.exe	117
PID 4724 wrote to memory of 3692	4724	wyir.exe	117
PID 4724 wrote to memory of 3692	4724	wyir.exe	117
PID 4724 wrote to memory of 2728	4724	wyir.exe	118
PID 4724 wrote to memory of 2728	4724	wyir.exe	118
PID 4724 wrote to memory of 2728	4724	wyir.exe	118
PID 3692 wrote to memory of 2644	3692	wiivde.exe	120
PID 3692 wrote to memory of 2644	3692	wiivde.exe	120
PID 3692 wrote to memory of 2644	3692	wiivde.exe	120
PID 3692 wrote to memory of 4512	3692	wiivde.exe	121
PID 3692 wrote to memory of 4512	3692	wiivde.exe	121
PID 3692 wrote to memory of 4512	3692	wiivde.exe	121
PID 2644 wrote to memory of 4160	2644	wasokppfd.exe	123
PID 2644 wrote to memory of 4160	2644	wasokppfd.exe	123
PID 2644 wrote to memory of 4160	2644	wasokppfd.exe	123
PID 2644 wrote to memory of 2304	2644	wasokppfd.exe	124
PID 2644 wrote to memory of 2304	2644	wasokppfd.exe	124
PID 2644 wrote to memory of 2304	2644	wasokppfd.exe	124
PID 4160 wrote to memory of 3964	4160	wffet.exe	126
PID 4160 wrote to memory of 3964	4160	wffet.exe	126
PID 4160 wrote to memory of 3964	4160	wffet.exe	126
PID 4160 wrote to memory of 4504	4160	wffet.exe	127

C:\Users\Admin\AppData\Local\Temp\40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe
"C:\Users\Admin\AppData\Local\Temp\40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\wcgpv.exe
  "C:\Windows\system32\wcgpv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\wlppeyick.exe
    "C:\Windows\system32\wlppeyick.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\wraidb.exe
      "C:\Windows\system32\wraidb.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\wghkjr.exe
        
        "C:\Windows\system32\wghkjr.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\SysWOW64\wfxm.exe
        
        "C:\Windows\system32\wfxm.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\wxdmrqhii.exe
        
        "C:\Windows\system32\wxdmrqhii.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\wyir.exe
        
        "C:\Windows\system32\wyir.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\wiivde.exe
        
        "C:\Windows\system32\wiivde.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\wasokppfd.exe
        
        "C:\Windows\system32\wasokppfd.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\wffet.exe
        
        "C:\Windows\system32\wffet.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\wffpnnut.exe
        
        "C:\Windows\system32\wffpnnut.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wbwuim.exe
        
        "C:\Windows\system32\wbwuim.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\wlrqply.exe
        
        "C:\Windows\system32\wlrqply.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\wktrqe.exe
        
        "C:\Windows\system32\wktrqe.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1420
        
        C:\Windows\SysWOW64\wxbtuu.exe
        
        "C:\Windows\system32\wxbtuu.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1288
        
        C:\Windows\SysWOW64\wpgss.exe
        
        "C:\Windows\system32\wpgss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1492
        
        C:\Windows\SysWOW64\wohglupy.exe
        
        "C:\Windows\system32\wohglupy.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wddxjjh.exe
        
        "C:\Windows\system32\wddxjjh.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\wdfjbc.exe
        
        "C:\Windows\system32\wdfjbc.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5008
        
        C:\Windows\SysWOW64\wiqyki.exe
        
        "C:\Windows\system32\wiqyki.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\wbhioq.exe
        
        "C:\Windows\system32\wbhioq.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:752
        
        C:\Windows\SysWOW64\weipxaj.exe
        
        "C:\Windows\system32\weipxaj.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\weysk.exe
        
        "C:\Windows\system32\weysk.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2456
        
        C:\Windows\SysWOW64\wweqg.exe
        
        "C:\Windows\system32\wweqg.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\wjlt.exe
        
        "C:\Windows\system32\wjlt.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wnmbvau.exe
        
        "C:\Windows\system32\wnmbvau.exe"
        27⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\wsmkgjge.exe
        
        "C:\Windows\system32\wsmkgjge.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\wdfwt.exe
        
        "C:\Windows\system32\wdfwt.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\wckrf.exe
        
        "C:\Windows\system32\wckrf.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\wpqvlpyh.exe
        
        "C:\Windows\system32\wpqvlpyh.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\wiwtgwdj.exe
        
        "C:\Windows\system32\wiwtgwdj.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\wacr.exe
        
        "C:\Windows\system32\wacr.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4000
        
        C:\Windows\SysWOW64\wokujwh.exe
        
        "C:\Windows\system32\wokujwh.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\wfbemfwn.exe
        
        "C:\Windows\system32\wfbemfwn.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\waskhfps.exe
        
        "C:\Windows\system32\waskhfps.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\wnncetf.exe
        
        "C:\Windows\system32\wnncetf.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\wlehatxvc.exe
        
        "C:\Windows\system32\wlehatxvc.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\wkfsrmef.exe
        
        "C:\Windows\system32\wkfsrmef.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\wfkog.exe
        
        "C:\Windows\system32\wfkog.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\wqgloj.exe
        
        "C:\Windows\system32\wqgloj.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\why.exe
        
        "C:\Windows\system32\why.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3164
        
        C:\Windows\SysWOW64\wyesoa.exe
        
        "C:\Windows\system32\wyesoa.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\wyfef.exe
        
        "C:\Windows\system32\wyfef.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\wbvgskuan.exe
        
        "C:\Windows\system32\wbvgskuan.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4020
        
        C:\Windows\SysWOW64\wncj.exe
        
        "C:\Windows\system32\wncj.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4584
        
        C:\Windows\SysWOW64\wiptx.exe
        
        "C:\Windows\system32\wiptx.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3468
        
        C:\Windows\SysWOW64\wummwu.exe
        
        "C:\Windows\system32\wummwu.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\wqncx.exe
        
        "C:\Windows\system32\wqncx.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\wfj.exe
        
        "C:\Windows\system32\wfj.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\wwptsss.exe
        
        "C:\Windows\system32\wwptsss.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\wogdwbi.exe
        
        "C:\Windows\system32\wogdwbi.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wgn.exe
        
        "C:\Windows\system32\wgn.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\wuf.exe
        
        "C:\Windows\system32\wuf.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\wimrkr.exe
        
        "C:\Windows\system32\wimrkr.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1060
        
        C:\Windows\SysWOW64\wnwhs.exe
        
        "C:\Windows\system32\wnwhs.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\wvenhur.exe
        
        "C:\Windows\system32\wvenhur.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\wvgyynys.exe
        
        "C:\Windows\system32\wvgyynys.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3856
        
        C:\Windows\SysWOW64\wdrojs.exe
        
        "C:\Windows\system32\wdrojs.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4948
        
        C:\Windows\SysWOW64\wtjx.exe
        
        "C:\Windows\system32\wtjx.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\wlah.exe
        
        "C:\Windows\system32\wlah.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\whqmk.exe
        
        "C:\Windows\system32\whqmk.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2852
        
        C:\Windows\SysWOW64\wuwpqasw.exe
        
        "C:\Windows\system32\wuwpqasw.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\wnsefil.exe
        
        "C:\Windows\system32\wnsefil.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\wiusij.exe
        
        "C:\Windows\system32\wiusij.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3740
        
        C:\Windows\SysWOW64\wwwns.exe
        
        "C:\Windows\system32\wwwns.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4940
        
        C:\Windows\SysWOW64\wtnsnw.exe
        
        "C:\Windows\system32\wtnsnw.exe"
        67⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\wkecqeu.exe
        
        "C:\Windows\system32\wkecqeu.exe"
        68⤵
        Adds Run key to start application
        
        PID:1868
        
        C:\Windows\SysWOW64\wxlevv.exe
        
        "C:\Windows\system32\wxlevv.exe"
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\wlshc.exe
        
        "C:\Windows\system32\wlshc.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\wiwdok.exe
        
        "C:\Windows\system32\wiwdok.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\wbebms.exe
        
        "C:\Windows\system32\wbebms.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\wvfr.exe
        
        "C:\Windows\system32\wvfr.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\wimusjk.exe
        
        "C:\Windows\system32\wimusjk.exe"
        74⤵
        Adds Run key to start application
        
        PID:3216
        
        C:\Windows\SysWOW64\wpx.exe
        
        "C:\Windows\system32\wpx.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\wcfmh.exe
        
        "C:\Windows\system32\wcfmh.exe"
        76⤵
        Adds Run key to start application
        
        PID:2484
        
        C:\Windows\SysWOW64\wxurcfa.exe
        
        "C:\Windows\system32\wxurcfa.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\wumwugtfg.exe
        
        "C:\Windows\system32\wumwugtfg.exe"
        78⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\wpdcrg.exe
        
        "C:\Windows\system32\wpdcrg.exe"
        79⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\wayxyext.exe
        
        "C:\Windows\system32\wayxyext.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\wngcdu.exe
        
        "C:\Windows\system32\wngcdu.exe"
        81⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4132
        
        C:\Windows\SysWOW64\wbwool.exe
        
        "C:\Windows\system32\wbwool.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:636
        
        C:\Windows\SysWOW64\wsemls.exe
        
        "C:\Windows\system32\wsemls.exe"
        83⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\wglprk.exe
        
        "C:\Windows\system32\wglprk.exe"
        84⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\wphmyiy.exe
        
        "C:\Windows\system32\wphmyiy.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\wixtdpo.exe
        
        "C:\Windows\system32\wixtdpo.exe"
        86⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\wvexhg.exe
        
        "C:\Windows\system32\wvexhg.exe"
        87⤵
        Checks computer location settings
        
        PID:768
        
        C:\Windows\SysWOW64\wrj.exe
        
        "C:\Windows\system32\wrj.exe"
        88⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\wibc.exe
        
        "C:\Windows\system32\wibc.exe"
        89⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\wiqckg.exe
        
        "C:\Windows\system32\wiqckg.exe"
        90⤵
        Checks computer location settings
        
        PID:2092
        
        C:\Windows\SysWOW64\wbwcgn.exe
        
        "C:\Windows\system32\wbwcgn.exe"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:888
        
        C:\Windows\SysWOW64\wnposf.exe
        
        "C:\Windows\system32\wnposf.exe"
        92⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4628
        
        C:\Windows\SysWOW64\wgvnpm.exe
        
        "C:\Windows\system32\wgvnpm.exe"
        93⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\wxnwsv.exe
        
        "C:\Windows\system32\wxnwsv.exe"
        94⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvnpm.exe"
        94⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnposf.exe"
        93⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwcgn.exe"
        92⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqckg.exe"
        91⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibc.exe"
        90⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrj.exe"
        89⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvexhg.exe"
        88⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixtdpo.exe"
        87⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphmyiy.exe"
        86⤵
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglprk.exe"
        85⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsemls.exe"
        84⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwool.exe"
        83⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngcdu.exe"
        82⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wayxyext.exe"
        81⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdcrg.exe"
        80⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumwugtfg.exe"
        79⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxurcfa.exe"
        78⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcfmh.exe"
        77⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpx.exe"
        76⤵
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1688
        76⤵
        Program crash
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimusjk.exe"
        75⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfr.exe"
        74⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbebms.exe"
        73⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1588
        73⤵
        Program crash
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwdok.exe"
        72⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlshc.exe"
        71⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlevv.exe"
        70⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkecqeu.exe"
        69⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnsnw.exe"
        68⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwns.exe"
        67⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiusij.exe"
        66⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsefil.exe"
        65⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwpqasw.exe"
        64⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqmk.exe"
        63⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlah.exe"
        62⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjx.exe"
        61⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrojs.exe"
        60⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgyynys.exe"
        59⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvenhur.exe"
        58⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwhs.exe"
        57⤵
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1456
        57⤵
        Program crash
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimrkr.exe"
        56⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuf.exe"
        55⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1364
        55⤵
        Program crash
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgn.exe"
        54⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wogdwbi.exe"
        53⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1280
        53⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptsss.exe"
        52⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfj.exe"
        51⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqncx.exe"
        50⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wummwu.exe"
        49⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiptx.exe"
        48⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncj.exe"
        47⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvgskuan.exe"
        46⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfef.exe"
        45⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyesoa.exe"
        44⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\why.exe"
        43⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgloj.exe"
        42⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkog.exe"
        41⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1244
        41⤵
        Program crash
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfsrmef.exe"
        40⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlehatxvc.exe"
        39⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1700
        39⤵
        Program crash
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnncetf.exe"
        38⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waskhfps.exe"
        37⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbemfwn.exe"
        36⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokujwh.exe"
        35⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacr.exe"
        34⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwtgwdj.exe"
        33⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1516
        33⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqvlpyh.exe"
        32⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckrf.exe"
        31⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfwt.exe"
        30⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmkgjge.exe"
        29⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1668
        29⤵
        Program crash
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmbvau.exe"
        28⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlt.exe"
        27⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wweqg.exe"
        26⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weysk.exe"
        25⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weipxaj.exe"
        24⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhioq.exe"
        23⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqyki.exe"
        22⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfjbc.exe"
        21⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1432
        21⤵
        Program crash
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddxjjh.exe"
        20⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohglupy.exe"
        19⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgss.exe"
        18⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbtuu.exe"
        17⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktrqe.exe"
        16⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrqply.exe"
        15⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwuim.exe"
        14⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffpnnut.exe"
        13⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1692
        13⤵
        Program crash
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffet.exe"
        12⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasokppfd.exe"
        11⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiivde.exe"
        10⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyir.exe"
        9⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdmrqhii.exe"
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxm.exe"
        7⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghkjr.exe"
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wraidb.exe"
        5⤵
        
        PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlppeyick.exe"
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1492
      4⤵
      Program crash
      PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcgpv.exe"
    3⤵
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\40d5a12a932c19be45d7d832f40199e27ba456b1a450481131c7924e1bff6e5c.exe"
  2⤵
  PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4000 -ip 4000
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3964 -ip 3964
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5008 -ip 5008
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3436 -ip 3436
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4876 -ip 4876
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 680 -ip 680
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2644 -ip 2644
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2528 -ip 2528
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1784 -ip 1784
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3632 -ip 3632
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2284 -ip 2284
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5080 -ip 5080
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wacr.exe

Filesize
96KB

MD5
884d1856baaaf05ee54dd3042204a949

SHA1
b883e3cef906cb97d889cde30b68bff6e2ca29d3

SHA256
e55f9623971bd1d38c92e0edde38a5fb0a8bdeda3e41cded755b277ca505c338

SHA512
b39a6ab0bab78bfda65c2c282d568e365a71bab632aac3c8732bdf6df568f02bba01f5a7636a3404a189e58074627f861b1f5bf63f23619bf6fcc9382d0ff236

Download Submit
C:\Windows\SysWOW64\wasokppfd.exe

Filesize
95KB

MD5
12cd1324beef8587d97e4ea92e80be84

SHA1
c406430093c3a3391bfda41c595965a5874daebf

SHA256
239b1dc7386dac50aa234864be1d92ae14652b2cf6e6beb869ee63cc5fef5039

SHA512
a8c129b2615e2e0e6e9694f522dcf2c31d52eb2273d4bfd3e623f717328599c3944a017cab5fa1e1ff2fc61c3c251d9f12144a25bcd50ea5acb23381de7b6a23

Download Submit
C:\Windows\SysWOW64\wbhioq.exe

Filesize
95KB

MD5
e0d3b366ec955cf6fddc7e07498c5931

SHA1
259df66d2f02805cfccaf7f2ecfeb22eeedf5042

SHA256
e886b469c438a696eb1802c0fa1b165b2220db0d5941ecd471a9a44343be09d8

SHA512
5504d5c117cbb16f4a63db831b5562b168d43e6a93f2483576f271c41b4d439bbc4263ccc2b5d3a1686dfe2fa988344b0b4bc8c5291685cabd877fe94169df15

Download Submit
C:\Windows\SysWOW64\wbwuim.exe

Filesize
95KB

MD5
dc0f9aeb15b3d8398d4edf8e915d7b29

SHA1
b9580a2d549a26c4ea729091d9f1d905022011ff

SHA256
6f395d5b8628835b8cbc82cca8992b04c6bdf3ab01b769db8d03b39549a604f1

SHA512
ce3df34c4d732cc35aa5282d80858f5f8ad255ef014ab0cdeee7b1dfff3e9f18998065812251138d2f475acd6c571b3faf5b81a049c91dc0a8a5bbbccef5dc6e

Download Submit
C:\Windows\SysWOW64\wcgpv.exe

Filesize
95KB

MD5
2f91ee5661a53c713395b908dec6b007

SHA1
0f9abbb99c06c29f772d9a51bc5b18f75a33f42e

SHA256
8fee982b21c7a327dc1c910f907db412fdc709669efc2e20aefe9e8a9cfad8f6

SHA512
9e32808b3b6ce0de89ddc77129fa9a83ea818e2ca0b2ab33afa1c22f93902a5008e98fa5aa681890e5bf08e1157c0776bbdc4851b70616aa6ac1fb742485c438

Download Submit
C:\Windows\SysWOW64\wckrf.exe

Filesize
95KB

MD5
01816560fe86f03ec031687a124f724e

SHA1
bdab6a0f888244af0dec6e98b02dddcb2fcf77a4

SHA256
06be1f06e58c42e26102dd39b50d5710074c55ff63320f14e70b00a938ef3c84

SHA512
a4c67ff53fe4b0f7594ff262b5e117e7bb03ff0ffc8d24508cc1fec6fdb852426720ef3586eee555f486b96dcfcd9046476f2ab36b0bbd757ab6649bf7cd03dc

Download Submit
C:\Windows\SysWOW64\wddxjjh.exe

Filesize
95KB

MD5
ee5f7717a251bc636c27a1d9379b7a98

SHA1
31af4933ef4e3999b157f9002eedbb1ab1061175

SHA256
5796569903ccd683c7d50c2bdaba5bbb992f45f3a488100a9030fb56c13f489d

SHA512
8338845d563d280cfb3e88f9e3dabe14f62c4b3971fec75f0f6d40dc3556a6afdb1a76e2df207143537f2559c23ad9920159302e96e315d996cb16a5e9e469e0

Download Submit
C:\Windows\SysWOW64\wdfjbc.exe

Filesize
95KB

MD5
3acad876e32a6cd56eac5bd564c8a281

SHA1
5fb926930b4e98d8598078a7b7a81c85da5fe9b8

SHA256
cd192b688513c7e0d291b0d36e9c504bfc9e6d8c8c49b684d28f522aff849821

SHA512
24037b863d2b06e8292d446ff15831f8a25199caf0b59aa6863bacb841c3b17b16255d0d8b7a4b5afcf302afb73bea7ba190e119fe52e10f9f40e5a705a0e610

Download Submit
C:\Windows\SysWOW64\wdfwt.exe

Filesize
95KB

MD5
d3e2e71b3c5f2b90c4d3d109025e0fa4

SHA1
f8176ea81a548c59285ed75a3196ef7c23dde0b4

SHA256
03feca0b28095e7214fe7a69609283f2567791877ce1a1ceb69941ad6fbc41ce

SHA512
6e1af04ea5d06f1df79cf2fc14e12f624da60d06b657d948cb31a6aa025e628b83ecdf550730d60ed0e2c8bf031123a76bf8065f123c6404d2bcde8a70494daa

Download Submit
C:\Windows\SysWOW64\weipxaj.exe

Filesize
95KB

MD5
10ff5d90c7eb5835434fdb718f2ec98b

SHA1
ae70bebd1d03db0552d93c511ac2ccc1eeec1459

SHA256
2d962f84cbe8d38c689c880e131e2882e8eabdc051c28933d9f3738111948e84

SHA512
81bea3008e1b7b19d5b5e72b5d69107a60f3a9f014547339fe799a708a18f9a320121227ffcbf9e3b40800c8c7d108f7fa9224c4acddb3ed846b2a3664e2bb46

Download Submit
C:\Windows\SysWOW64\weysk.exe

Filesize
95KB

MD5
2c1c4033487aedd65d44aef06900ef80

SHA1
e8ebf94cee6980a84d0fd16bfabc18ec2d8af6d9

SHA256
b612e304aaf435f2bd6e60f35ccf4791f08a987c4e82f3ed9c6a1f797f807ede

SHA512
497a973e37978893b44c7bc7708ef709b91cc8911c29fa7bcf1440ce395912b970d823b67cfd6d1b7ae8d96faa94d49723d3b19e29a4b1cd9c85f5d2aba69dfe

Download Submit
C:\Windows\SysWOW64\wffet.exe

Filesize
95KB

MD5
74b36ff3d6525d682db1cfa175abf9b6

SHA1
b3383f7a34b3751540b1ff3ea7897d418b25433c

SHA256
fb46e299df7720cd361c719e2dbd739ad37a2178158f9f30be17cf61b63ce60f

SHA512
1aa179a640001d7774a46b24453a03a9d3ec909134f21b36990ed472cf8fb2645f40c914b23280b05ceac29d14d20973cb6cd88f9271d393bc8d7ee5c0350110

Download Submit
C:\Windows\SysWOW64\wffpnnut.exe

Filesize
95KB

MD5
5b583acc934893ef312c15f54370d130

SHA1
75ba1f52869313b8de9606ee5aa04ea0d155e958

SHA256
60d9790bcb238190f7b27d089ab0275fa4f73808d2f94358011abb3e7f949966

SHA512
fc5d531b7e2e216d3856c2dc804ae8704a2a11017e86ffb4eb3429adb04ae1a212554c309949bd69823ddabd83a06c62dfcd23a0adb1f207eca4ce3362368810

Download Submit
C:\Windows\SysWOW64\wfxm.exe

Filesize
95KB

MD5
2dfd54fe2ec3f2ab80a9a959194841e5

SHA1
572992421d816e15206e6c566e585a49ddf10570

SHA256
1331ddf5b0ca587a66fda9c1879895f482935cfd3f57c2c96a741edb42ed1525

SHA512
058239002f99e5a8c2eb0c2c12b878d43c9043fef2c9bf0f22c8e20a21c3fef0789b728c1a9a21a0bd7866cb8627426d789bbb336df2b70b26c15a864d32b3d8

Download Submit
C:\Windows\SysWOW64\wghkjr.exe

Filesize
95KB

MD5
ba2497735bdd6be7cf6d08f15f0abeaf

SHA1
1ae5398190b08a2b1127efa7601cb0e981ae6068

SHA256
d15b4416db993cff0ae952b151b1404402a9ba45439f75be6405c0f300ebbccb

SHA512
4b43df2cbc4751197c279ad11e9a1511b5b0b4b5a3300f925164055e4b14269cf521f447c2ebb9f2339e92998f28fe1bc8c08d0e5fb34b4662180c13b42ae140

Download Submit
C:\Windows\SysWOW64\wiivde.exe

Filesize
95KB

MD5
deacd941977a427f36a45f3ed6747a10

SHA1
1f2f6d8bbd9fa148fcba70d7afae8baa8da4bd2c

SHA256
d1946894e52a694c4c1fdc00c8f366c2894eea72cddebbc77cbd8b0eb69ccddb

SHA512
b2dc1f5d7e3707f59d4ec78bc77ce23e5e440ac6a6926e7a8f3ae5f7fd05bbf80655c1597387ac8b84e96b440c0969ab11ef02bf18a12cc3aebb2e2fd7e6b6c3

Download Submit
C:\Windows\SysWOW64\wiqyki.exe

Filesize
95KB

MD5
ccde349ead26f653a3f18de1c7169a31

SHA1
f1d382c042adfd294a4a2eea628d9c6c1ca219a8

SHA256
2a93b6b74d0444253c27dd11dcff9c777b51fe461238695d5042b1cc38a85e6b

SHA512
b7eefff65deffa0927f1fb62a22b0867dae86d9b254251b74c821920836f095e242dc63be63923706aeb0990eab8e73a9fdc6059ac4d29968f5bda240cce835a

Download Submit
C:\Windows\SysWOW64\wiwtgwdj.exe

Filesize
96KB

MD5
384d0f59a30bb26bbc0c47f1ad76ad67

SHA1
754116de854d41d03766c265a9008e45ad7df1bd

SHA256
29715c76e54c76ae0ecb873154c55184f3bf9dfb711028b2fab5498176dd6892

SHA512
87ae8a47b37bdbda8263f3c39c9973b27704a7c676c7e55d4e61010a92ffb9f07303b05ed2abecee8fa3680d6db10dcd7ad7fb1e973ea854f1f1f2c109508764

Download Submit
C:\Windows\SysWOW64\wjlt.exe

Filesize
95KB

MD5
69b30d7ca466eccd80b256e64e5f5c02

SHA1
37f2c6872dce604cf740a38eecbc07bec4ce98a7

SHA256
456d47359a3e5851ff634c121e2f20c61008ab83a08b3b7e87b0f5fdde340b1a

SHA512
01418685a9d4e4321a16328ad6ef293035b92a40a23486d239176a1a3483c98b3be4bf7e4e3a36cf51f92e48b1408472f5f229009cf726902a0125da2018a772

Download Submit
C:\Windows\SysWOW64\wktrqe.exe

Filesize
95KB

MD5
2d8ecbde79fb525471ae74e71c5ac5ce

SHA1
0f0054c83e4f0eb166f968cdf5db33d71bd76278

SHA256
cabbdab8e44617e1d96a0b5871c8e7b332ed25d1d627d715c7def57e120da41d

SHA512
564c04689226e80d047a4424b0dd4432a0c09212365d6f20a295d7ed95a50ac1ee9a037329ca271a2ee11bcf605d2d9f809547bde948a364d1aa97ce0255bf9a

Download Submit
C:\Windows\SysWOW64\wlppeyick.exe

Filesize
95KB

MD5
54f3e1c95e7ed9e3ac1c381ed770cfb1

SHA1
a3c78dbb1e5ff23f7e5963c2265329908896d9d6

SHA256
ac47ac11c7c2942188a2ea71c7b1f70507dc03107aa27076da36e698b30e7656

SHA512
cc5bf91434e1a6396654b44363586d7596ce1474757f383ec454a24be8f481720803a06a479e7a6d815ac194d9defcc3b6acc2f9defe36e4a75b39fbf197ee4e

Download Submit
C:\Windows\SysWOW64\wlrqply.exe

Filesize
95KB

MD5
21b596ae8d0594914b9754c4ebb59dfd

SHA1
0a61ada948c0ee02a1802f13b1a0bb82b5c72f5b

SHA256
f7822d5fbb6d9f7cfc96fdbea54958e17fd415564b8cbeb9fe9a90f6c4cdf45c

SHA512
886b4683b7b1ca2b53bf03a195229833c4b66c6ac7180152b222278ab47079a76412ae002ef6066ec066425effc279fb2d3507825613027ce4afa7c75faa1c4b

Download Submit
C:\Windows\SysWOW64\wnmbvau.exe

Filesize
95KB

MD5
9ef32fa2cfadb2ef7d0b36ed9737b40d

SHA1
2a4c7eb3a267f3f6b4e7db4bde1bee58d0f00753

SHA256
53dfb81367a03ac84a51dfe3efe8935470cf5bc4659b1b0e50a4b378364d9618

SHA512
781fa7dd09f3e1f7addf592c41913cfdecf4126060a9eaac5a265035eb3399e3dc729ecd0d9e666887682ba5d2a9976ebf3375a441018bb2a0277d08375c6fb1

Download Submit
C:\Windows\SysWOW64\wohglupy.exe

Filesize
95KB

MD5
a6e5b34ac8b3da43a6d0ed9467bb6634

SHA1
885527c67c361cca95f647bff6a041213f43a823

SHA256
79e15902f9423a37f972e95aebd14667d8ccd02f9b9d42aa96731d2eb999d835

SHA512
f06877c55a150923490d97fedb4ccdf6d29b728bdda1e8e795f1dcd3a3c82cbec11c59b022d5bfa8900674acfa6d5f07637bcb68a724f040ab8806745f4f8131

Download Submit
C:\Windows\SysWOW64\wpgss.exe

Filesize
95KB

MD5
abb8b28c4c43cffb3661a2481deffcb5

SHA1
eb9086550c46cdd4d469bb7b45602aba500ae5a1

SHA256
c045e48b6adbd6daa928bfe91057afb21fcb6dfaa718da4b4f6b35c02023ab6a

SHA512
35333155b70df32ea7c55ed85e1ae27faad50f7860d943ed18e4ae547357fa485d66955474b3261e603ad5b57bfd504933896dc36929800464162fa5b0155564

Download Submit
C:\Windows\SysWOW64\wpqvlpyh.exe

Filesize
95KB

MD5
090a17e236d23c8e6ab636c2dab41f45

SHA1
880bd631195ae1ab8500881724768bada69e1d96

SHA256
0cdd1c16343e54d98b0e7d74cbc004d1213b5306881b2f9b4f6c63a31596f03a

SHA512
dd8cbea3079263ecf57d5ac0ade4dc1d06e6c536873c53eaa6992b9c982ae065b093f49b209a12b3c62ef12635ef49616af1f39b836ce2ff9632a333393dd06f

Download Submit
C:\Windows\SysWOW64\wraidb.exe

Filesize
95KB

MD5
bbb32f9764afcec1e1d43b4f2026c2f2

SHA1
c1a1a2b2c644a46d77aa280183197c3137393d52

SHA256
3d5a291686f2059ca117c85db7259446aeca94e8ce80115a433d443396e9005c

SHA512
d42326e36e8d041e7446b59bb290e21e1a9398699d1a2d7869379152ba70fb85a6299b3f7e8e39329d83a1ed8151e8ee5b439c4cb4feb02d555757dd88f0ab1a

Download Submit
C:\Windows\SysWOW64\wsmkgjge.exe

Filesize
95KB

MD5
b990d1a4674ef0f4f6b36e4d3e328cdc

SHA1
3c1db9f1db7d483ab8f56034785a6bb6f9618494

SHA256
067dcf824075759628aad90844d7cb6657d623ac0a0b526248f16715bdf42b3a

SHA512
babf219a163c664593d03d7e475d13346792ce466320509bce42c330fd59d4293904874f604203bfbd00b11a4c790088537df618a035926380351c849c0491e7

Download Submit
C:\Windows\SysWOW64\wweqg.exe

Filesize
95KB

MD5
aa65f0a01c6ea5ca72718c676d471021

SHA1
655a1da792db9c771ac69c02318a116f2b4e75fd

SHA256
253773ea6e20e0a3c58cc0e720a551a26747d64ccde23c20a3ab3796209f6a71

SHA512
c06ac9610ecfb3d4af9212efe4ee8d095475d9f31488bf6116bff927d2e18f1e9367be92897b327bd2ce3e4ad0be77c0d60c854a3d9088c5bc0582a347020566

Download Submit
C:\Windows\SysWOW64\wxbtuu.exe

Filesize
95KB

MD5
11b77291690ad3586295b51ec3a32c78

SHA1
4722190eda0297d45f59b0e41f31780ab010aabf

SHA256
f14767e6709a4b2397c45b1cf00e04bd3c459ad3483d42396a9b0277d7b02238

SHA512
bea1cd9b89fb7e8f7be3af145e30530bdc519343452973b1afbd46634066ee0558b1c9a11d2bce128e40025b30dde91c9349121206319fcd3f5962367929004f

Download Submit
C:\Windows\SysWOW64\wxdmrqhii.exe

Filesize
95KB

MD5
ab5c6ca4946036d485239d2bd601bba6

SHA1
6bc83175fdffa019b90892057faf24f8c27b1b3b

SHA256
031d507e8d1efca8ff9e0d82073d1c2f98356231ba14921e5632552567040cca

SHA512
1c6e2c4349caa9a73ef8dbad64984ba2d92696eb3452b61bc4b712080c0f7bb7400e1bd83b89b5317577bbc67a16e58bd668a30bdb19d71ad2e1b577ec66be12

Download Submit
C:\Windows\SysWOW64\wyir.exe

Filesize
95KB

MD5
3168d33da895c97ad0ebc752b9d5072f

SHA1
0f0133618ec067cac72f719b7b24e7cf35f74456

SHA256
0ed629b273fb0b7ce1672e3bda0dc6f47adc35ad635ef2b3ecd47a6aef143337

SHA512
88cb04c499e3414f6f6df349f0c6c14ee7112da4c08dcc204644f1861ed977e96f6ebff40c55aa2f6d57b585749210d3b3ed31853d67cb5521b999a29fb1b4d1

Download Submit
memory/640-325-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/680-389-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/680-379-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/752-229-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1060-240-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1060-534-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1160-492-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1264-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1264-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1288-156-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1288-167-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-73-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1420-157-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1432-271-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1492-177-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1784-525-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2088-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2088-124-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2208-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-270-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2272-188-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2284-370-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2284-380-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2456-250-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2456-239-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-509-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-500-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2644-406-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2644-104-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2764-467-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2764-476-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-595-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3108-219-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3108-209-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3160-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3160-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3164-424-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3164-415-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3268-517-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3352-484-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3428-414-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3428-501-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3428-405-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3428-586-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3436-293-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3436-281-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3468-468-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3580-423-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3580-433-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3632-533-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3632-543-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3680-314-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3680-303-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3692-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3760-594-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3776-353-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3776-53-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3776-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3776-343-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3856-551-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3856-561-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3964-125-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4000-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4000-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4000-344-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4020-451-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4068-371-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4068-361-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4160-542-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4160-103-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4160-552-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4160-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4220-304-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4408-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4408-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4472-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4528-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4584-450-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4584-459-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4724-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4852-187-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4852-199-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4876-324-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4876-335-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4936-362-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4936-352-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4948-560-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4948-569-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5008-198-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5020-397-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5020-388-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5036-570-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5036-578-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5072-432-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5072-441-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads