d532877314c51b00e787158ef2ea183e3ba8cbd0bc0417904e81ecdd541a0b44

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
Size

7KB
MD5

ea780905612f929a37c2dd655a8ddd04
SHA1

f2f082ac9eb60134e46a5e1e2d8edc3d29863974
SHA256

d532877314c51b00e787158ef2ea183e3ba8cbd0bc0417904e81ecdd541a0b44
SHA512

c348cc5caa85a52e8ee6ec14b7039e2114b34e26e92494460d1fcd38c3d97458413afda18b3930bb7139baf2202d3d51ba8ad0be2bf8748efc5391338d23fac7
SSDEEP

96:JgrLJIPQR9zt91GB6XfQdJi9Ypp91JaJsGjFP3nm6ZuiVbry3VBvmD8Zao:EXR9zNX9YXda95fuCAB4Wao

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4984	nwizAsktao.exe
4044	nwizAsktao.exe
4392	nwizAsktao.exe
4700	nwizAsktao.exe
3284	nwizAsktao.exe
3252	nwizAsktao.exe
4292	nwizAsktao.exe
2260	nwizAsktao.exe
3548	nwizAsktao.exe
1164	nwizAsktao.exe
2432	nwizAsktao.exe
392	nwizAsktao.exe
3544	nwizAsktao.exe
4200	nwizAsktao.exe
3196	nwizAsktao.exe
2300	nwizAsktao.exe
4800	nwizAsktao.exe
4140	nwizAsktao.exe
2512	nwizAsktao.exe
1720	nwizAsktao.exe
548	nwizAsktao.exe
2464	nwizAsktao.exe
2940	nwizAsktao.exe
3824	nwizAsktao.exe
3136	nwizAsktao.exe
4708	nwizAsktao.exe
1852	nwizAsktao.exe
5108	nwizAsktao.exe
2420	nwizAsktao.exe
3396	nwizAsktao.exe
1240	nwizAsktao.exe
1076	nwizAsktao.exe
4612	nwizAsktao.exe
1480	nwizAsktao.exe
1888	nwizAsktao.exe
3328	nwizAsktao.exe
5024	nwizAsktao.exe
4140	nwizAsktao.exe
2512	nwizAsktao.exe
2280	nwizAsktao.exe
548	nwizAsktao.exe
4392	nwizAsktao.exe
2940	nwizAsktao.exe
708	nwizAsktao.exe
3136	nwizAsktao.exe
4708	nwizAsktao.exe
1852	nwizAsktao.exe
3980	nwizAsktao.exe
540	nwizAsktao.exe
1176	nwizAsktao.exe
3568	nwizAsktao.exe
2724	nwizAsktao.exe
4420	nwizAsktao.exe
1056	nwizAsktao.exe
5116	nwizAsktao.exe
4448	nwizAsktao.exe
1888	nwizAsktao.exe
4384	nwizAsktao.exe
2388	nwizAsktao.exe
4192	nwizAsktao.exe
3300	nwizAsktao.exe
4044	nwizAsktao.exe
2460	nwizAsktao.exe
3452	nwizAsktao.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File opened for modification	C:\Windows\SysWOW64\nwizAsktao.exe	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe
File created	C:\Windows\SysWOW64\nwizAsktao.exe	nwizAsktao.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwizAsktao.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4984	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4044	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4392	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
4700	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3284	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
3252	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe
4292	nwizAsktao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4984	4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe	82
PID 4192 wrote to memory of 4984	4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe	82
PID 4192 wrote to memory of 4984	4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe	82
PID 4192 wrote to memory of 4072	4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe	83
PID 4192 wrote to memory of 4072	4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe	83
PID 4192 wrote to memory of 4072	4192	ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe	83
PID 4984 wrote to memory of 4044	4984	nwizAsktao.exe	85
PID 4984 wrote to memory of 4044	4984	nwizAsktao.exe	85
PID 4984 wrote to memory of 4044	4984	nwizAsktao.exe	85
PID 4984 wrote to memory of 2144	4984	nwizAsktao.exe	86
PID 4984 wrote to memory of 2144	4984	nwizAsktao.exe	86
PID 4984 wrote to memory of 2144	4984	nwizAsktao.exe	86
PID 4044 wrote to memory of 4392	4044	nwizAsktao.exe	90
PID 4044 wrote to memory of 4392	4044	nwizAsktao.exe	90
PID 4044 wrote to memory of 4392	4044	nwizAsktao.exe	90
PID 4044 wrote to memory of 5048	4044	nwizAsktao.exe	91
PID 4044 wrote to memory of 5048	4044	nwizAsktao.exe	91
PID 4044 wrote to memory of 5048	4044	nwizAsktao.exe	91
PID 4392 wrote to memory of 4700	4392	nwizAsktao.exe	95
PID 4392 wrote to memory of 4700	4392	nwizAsktao.exe	95
PID 4392 wrote to memory of 4700	4392	nwizAsktao.exe	95
PID 4392 wrote to memory of 3608	4392	nwizAsktao.exe	96
PID 4392 wrote to memory of 3608	4392	nwizAsktao.exe	96
PID 4392 wrote to memory of 3608	4392	nwizAsktao.exe	96
PID 4700 wrote to memory of 3284	4700	nwizAsktao.exe	98
PID 4700 wrote to memory of 3284	4700	nwizAsktao.exe	98
PID 4700 wrote to memory of 3284	4700	nwizAsktao.exe	98
PID 4700 wrote to memory of 3024	4700	nwizAsktao.exe	99
PID 4700 wrote to memory of 3024	4700	nwizAsktao.exe	99
PID 4700 wrote to memory of 3024	4700	nwizAsktao.exe	99
PID 3284 wrote to memory of 3252	3284	nwizAsktao.exe	101
PID 3284 wrote to memory of 3252	3284	nwizAsktao.exe	101
PID 3284 wrote to memory of 3252	3284	nwizAsktao.exe	101
PID 3284 wrote to memory of 2740	3284	nwizAsktao.exe	102
PID 3284 wrote to memory of 2740	3284	nwizAsktao.exe	102
PID 3284 wrote to memory of 2740	3284	nwizAsktao.exe	102
PID 3252 wrote to memory of 4292	3252	nwizAsktao.exe	105
PID 3252 wrote to memory of 4292	3252	nwizAsktao.exe	105
PID 3252 wrote to memory of 4292	3252	nwizAsktao.exe	105
PID 3252 wrote to memory of 4156	3252	nwizAsktao.exe	106
PID 3252 wrote to memory of 4156	3252	nwizAsktao.exe	106
PID 3252 wrote to memory of 4156	3252	nwizAsktao.exe	106
PID 4292 wrote to memory of 2260	4292	nwizAsktao.exe	108
PID 4292 wrote to memory of 2260	4292	nwizAsktao.exe	108
PID 4292 wrote to memory of 2260	4292	nwizAsktao.exe	108
PID 4292 wrote to memory of 5076	4292	nwizAsktao.exe	109
PID 4292 wrote to memory of 5076	4292	nwizAsktao.exe	109
PID 4292 wrote to memory of 5076	4292	nwizAsktao.exe	109
PID 2260 wrote to memory of 3548	2260	nwizAsktao.exe	111
PID 2260 wrote to memory of 3548	2260	nwizAsktao.exe	111
PID 2260 wrote to memory of 3548	2260	nwizAsktao.exe	111
PID 2260 wrote to memory of 2152	2260	nwizAsktao.exe	112
PID 2260 wrote to memory of 2152	2260	nwizAsktao.exe	112
PID 2260 wrote to memory of 2152	2260	nwizAsktao.exe	112
PID 3548 wrote to memory of 1164	3548	nwizAsktao.exe	116
PID 3548 wrote to memory of 1164	3548	nwizAsktao.exe	116
PID 3548 wrote to memory of 1164	3548	nwizAsktao.exe	116
PID 3548 wrote to memory of 4076	3548	nwizAsktao.exe	117
PID 3548 wrote to memory of 4076	3548	nwizAsktao.exe	117
PID 3548 wrote to memory of 4076	3548	nwizAsktao.exe	117
PID 1164 wrote to memory of 2432	1164	nwizAsktao.exe	119
PID 1164 wrote to memory of 2432	1164	nwizAsktao.exe	119
PID 1164 wrote to memory of 2432	1164	nwizAsktao.exe	119
PID 1164 wrote to memory of 3644	1164	nwizAsktao.exe	120

C:\Users\Admin\AppData\Local\Temp\ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\nwizAsktao.exe
  C:\Windows\system32\nwizAsktao.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\nwizAsktao.exe
    C:\Windows\system32\nwizAsktao.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\nwizAsktao.exe
      C:\Windows\system32\nwizAsktao.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        12⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        13⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        16⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        18⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        19⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        21⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        25⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        30⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        33⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        35⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        36⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        39⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        41⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        44⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:708
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        50⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        52⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        53⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        55⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        56⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        57⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        58⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        60⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        63⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        64⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        65⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        66⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        67⤵
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        69⤵
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        71⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        73⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        74⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        75⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        76⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        77⤵
        
        PID:448
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        78⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        79⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        80⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        81⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        83⤵
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        84⤵
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        85⤵
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        86⤵
        
        PID:412
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        87⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        88⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        89⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        90⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        91⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        92⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        93⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        94⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        95⤵
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        96⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        97⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        98⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        99⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        100⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        101⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        102⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        103⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        104⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        105⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        106⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        107⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        108⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        110⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        111⤵
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        112⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        113⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        115⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        117⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        118⤵
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        119⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        120⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        121⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        122⤵
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        123⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        124⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        126⤵
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        127⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        128⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        129⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        130⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        131⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        132⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        135⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        136⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        137⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        138⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        139⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        140⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        141⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        143⤵
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        145⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\nwizAsktao.exe
        
        C:\Windows\system32\nwizAsktao.exe
        146⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        146⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        144⤵
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        143⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        142⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        140⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        139⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        138⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        137⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        136⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        134⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        133⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        130⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        128⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        127⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        125⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        124⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        123⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        122⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        121⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        119⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        118⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        115⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        114⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        113⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        112⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        111⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        110⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        109⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        108⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        106⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        105⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        104⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        103⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        102⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        101⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        100⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        98⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        97⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        95⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        94⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        93⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        92⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        91⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        89⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        86⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        84⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        83⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        82⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        80⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        79⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        78⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        77⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        76⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        74⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        72⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        71⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        70⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        69⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        68⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        67⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        66⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        65⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        64⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        63⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        61⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        60⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        58⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        57⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        56⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        55⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        54⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        53⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        52⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        51⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        50⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        48⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        47⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        46⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        45⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        43⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        40⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        38⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        37⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        36⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        35⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        34⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        33⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        31⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        30⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        29⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        28⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        27⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        26⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        25⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        24⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        23⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        19⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        17⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        16⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        15⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        14⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        13⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        12⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        11⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        8⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        6⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
        5⤵
        
        PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
      4⤵
      PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizAsktao.exe"
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ea780905612f929a37c2dd655a8ddd04_JaffaCakes118.exe"
  2⤵
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nwizAsktao.exe

Filesize
7KB

MD5
ea780905612f929a37c2dd655a8ddd04

SHA1
f2f082ac9eb60134e46a5e1e2d8edc3d29863974

SHA256
d532877314c51b00e787158ef2ea183e3ba8cbd0bc0417904e81ecdd541a0b44

SHA512
c348cc5caa85a52e8ee6ec14b7039e2114b34e26e92494460d1fcd38c3d97458413afda18b3930bb7139baf2202d3d51ba8ad0be2bf8748efc5391338d23fac7

Download Submit