0b54ebb24f8c0d7dfadd75ba25903a02800ae3e29326afec429aeae6a64c61cf

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
Size

104KB
MD5

c63bb200e4bd7823efcb4522194bc8d0
SHA1

423c9a159a61f1e0311c82ca8ffdf2fe4e308c68
SHA256

0b54ebb24f8c0d7dfadd75ba25903a02800ae3e29326afec429aeae6a64c61cf
SHA512

83c1d64e5f96d8af8daabb5e9768fb3f961301badae0d7d54b278c7fba0872c85bf0f60c247b984d17110c24c2d3489845c5ff4481b6775d2d40d04e605c8bf9
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA11:yfjxrhzk2nfsWhP7dvavi6vWEbh8Xv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2144	wgwd.exe
2704	wydhrj.exe
2732	wgkpn.exe
1800	wqn.exe
2940	wgrlew.exe
616	wmjegb.exe
288	wurnc.exe
2220	wjfsatvi.exe
1432	wtmy.exe
2824	wraxtm.exe
1200	wcrmmh.exe
2888	wruie.exe
2732	wudv.exe
2768	wofnqni.exe
1472	wpykaa.exe
968	womihxb.exe
1820	weeur.exe
908	wbqtxi.exe
2220	wmij.exe
2692	whaqti.exe
2460	wvoxqwlac.exe
2240	wcod.exe
2428	wur.exe
2272	wttl.exe
1488	wmu.exe
2308	wkicu.exe
1612	wubrod.exe
920	wwmm.exe
1004	whrmmp.exe
2908	wgsalm.exe
2896	wujm.exe
1848	wonf.exe
1772	wyft.exe
576	wshm.exe
696	waaf.exe
1668	wwyaolb.exe
968	wegkjp.exe
2060	wwjbrt.exe
1724	wlmwj.exe
2672	weaayo.exe
2704	wxqh.exe
3044	wvdggpnwi.exe
2024	wgvuam.exe
2312	wbxnirygu.exe
2084	wqwvjpcm.exe
1256	wfaqad.exe
2980	wxbijh.exe
2812	wjjoud.exe
2648	waxut.exe
2676	wkokmms.exe
2040	wddytxck.exe
2164	wqhffoyp.exe
2820	wfysob.exe
1164	wdnrvycr.exe
1676	woego.exe
2832	wlreus.exe
704	wsxnp.exe
2060	wuwtukas.exe
3012	wjoffy.exe
2316	whbdlvd.exe
1968	wojmga.exe
1764	wivpvgk.exe
568	wte.exe
1520	wqrsoywo.exe

Loads dropped DLL 64 IoCs

pid	Process
2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
2144	wgwd.exe
2144	wgwd.exe
2144	wgwd.exe
2144	wgwd.exe
2704	wydhrj.exe
2704	wydhrj.exe
2704	wydhrj.exe
2704	wydhrj.exe
2732	wgkpn.exe
2732	wgkpn.exe
2732	wgkpn.exe
2732	wgkpn.exe
1800	wqn.exe
1800	wqn.exe
1800	wqn.exe
1800	wqn.exe
2940	wgrlew.exe
2940	wgrlew.exe
2940	wgrlew.exe
2940	wgrlew.exe
616	wmjegb.exe
616	wmjegb.exe
616	wmjegb.exe
616	wmjegb.exe
288	wurnc.exe
288	wurnc.exe
288	wurnc.exe
288	wurnc.exe
2220	wjfsatvi.exe
2220	wjfsatvi.exe
2220	wjfsatvi.exe
2220	wjfsatvi.exe
1432	wtmy.exe
1432	wtmy.exe
1432	wtmy.exe
1432	wtmy.exe
2824	wraxtm.exe
2824	wraxtm.exe
2824	wraxtm.exe
2824	wraxtm.exe
1200	wcrmmh.exe
1200	wcrmmh.exe
1200	wcrmmh.exe
1200	wcrmmh.exe
2888	wruie.exe
2888	wruie.exe
2888	wruie.exe
2888	wruie.exe
2732	wudv.exe
2732	wudv.exe
2732	wudv.exe
2732	wudv.exe
2768	wofnqni.exe
2768	wofnqni.exe
2768	wofnqni.exe
2768	wofnqni.exe
1472	wpykaa.exe
1472	wpykaa.exe
1472	wpykaa.exe
1472	wpykaa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wgasdryg.exe	wlxatlxf.exe
File created	C:\Windows\SysWOW64\wqhffoyp.exe	wddytxck.exe
File created	C:\Windows\SysWOW64\wtxhi.exe	weguxhe.exe
File opened for modification	C:\Windows\SysWOW64\wpmm.exe	wauchd.exe
File created	C:\Windows\SysWOW64\waqrgjjn.exe	wcpehne.exe
File created	C:\Windows\SysWOW64\wubrod.exe	wkicu.exe
File created	C:\Windows\SysWOW64\wshm.exe	wyft.exe
File opened for modification	C:\Windows\SysWOW64\wkokmms.exe	waxut.exe
File created	C:\Windows\SysWOW64\wojmga.exe	whbdlvd.exe
File opened for modification	C:\Windows\SysWOW64\wte.exe	wivpvgk.exe
File created	C:\Windows\SysWOW64\wkicu.exe	wmu.exe
File opened for modification	C:\Windows\SysWOW64\wjplocsi.exe	waxvufi.exe
File created	C:\Windows\SysWOW64\wauchd.exe	wchcb.exe
File created	C:\Windows\SysWOW64\wujm.exe	wgsalm.exe
File created	C:\Windows\SysWOW64\wqrsoywo.exe	wte.exe
File created	C:\Windows\SysWOW64\waiwxo.exe	wjplocsi.exe
File opened for modification	C:\Windows\SysWOW64\wokspcct.exe	waiwxo.exe
File created	C:\Windows\SysWOW64\whrmmp.exe	wwmm.exe
File created	C:\Windows\SysWOW64\whaqti.exe	wmij.exe
File created	C:\Windows\SysWOW64\wlreus.exe	woego.exe
File created	C:\Windows\SysWOW64\wpmm.exe	wauchd.exe
File opened for modification	C:\Windows\SysWOW64\wgsalm.exe	whrmmp.exe
File created	C:\Windows\SysWOW64\waxut.exe	wjjoud.exe
File created	C:\Windows\SysWOW64\wddytxck.exe	wkokmms.exe
File opened for modification	C:\Windows\SysWOW64\wywhor.exe	whsogm.exe
File opened for modification	C:\Windows\SysWOW64\wmu.exe	wttl.exe
File created	C:\Windows\SysWOW64\wkokmms.exe	waxut.exe
File opened for modification	C:\Windows\SysWOW64\wjoffy.exe	wuwtukas.exe
File opened for modification	C:\Windows\SysWOW64\wchcb.exe	wpbxn.exe
File opened for modification	C:\Windows\SysWOW64\wvoxqwlac.exe	whaqti.exe
File opened for modification	C:\Windows\SysWOW64\whbdlvd.exe	wjoffy.exe
File created	C:\Windows\SysWOW64\wcod.exe	wvoxqwlac.exe
File opened for modification	C:\Windows\SysWOW64\wqhffoyp.exe	wddytxck.exe
File opened for modification	C:\Windows\SysWOW64\wjfsatvi.exe	wurnc.exe
File opened for modification	C:\Windows\SysWOW64\wcod.exe	wvoxqwlac.exe
File opened for modification	C:\Windows\SysWOW64\wwmm.exe	wubrod.exe
File opened for modification	C:\Windows\SysWOW64\wddytxck.exe	wkokmms.exe
File opened for modification	C:\Windows\SysWOW64\woego.exe	wdnrvycr.exe
File opened for modification	C:\Windows\SysWOW64\waxvufi.exe	wgktgav.exe
File opened for modification	C:\Windows\SysWOW64\wbqtxi.exe	weeur.exe
File opened for modification	C:\Windows\SysWOW64\wegkjp.exe	wwyaolb.exe
File created	C:\Windows\SysWOW64\wqwvjpcm.exe	wbxnirygu.exe
File created	C:\Windows\SysWOW64\wcggfmfbb.exe	wqycsr.exe
File created	C:\Windows\SysWOW64\wgktgav.exe	wyqaeup.exe
File created	C:\Windows\SysWOW64\wlxswa.exe	wokspcct.exe
File opened for modification	C:\Windows\SysWOW64\wujm.exe	wgsalm.exe
File opened for modification	C:\Windows\SysWOW64\wofnqni.exe	wudv.exe
File created	C:\Windows\SysWOW64\wgsalm.exe	whrmmp.exe
File opened for modification	C:\Windows\SysWOW64\wsxnp.exe	wlreus.exe
File opened for modification	C:\Windows\SysWOW64\wyqaeup.exe	wgasdryg.exe
File created	C:\Windows\SysWOW64\wmu.exe	wttl.exe
File created	C:\Windows\SysWOW64\wwmm.exe	wubrod.exe
File opened for modification	C:\Windows\SysWOW64\wshm.exe	wyft.exe
File opened for modification	C:\Windows\SysWOW64\wbxnirygu.exe	wgvuam.exe
File opened for modification	C:\Windows\SysWOW64\waxut.exe	wjjoud.exe
File opened for modification	C:\Windows\SysWOW64\wraxtm.exe	wtmy.exe
File created	C:\Windows\SysWOW64\wokspcct.exe	waiwxo.exe
File opened for modification	C:\Windows\SysWOW64\wurnc.exe	wmjegb.exe
File opened for modification	C:\Windows\SysWOW64\wmjegb.exe	wgrlew.exe
File opened for modification	C:\Windows\SysWOW64\wwjbrt.exe	wegkjp.exe
File opened for modification	C:\Windows\SysWOW64\wpbxn.exe	wsajoowy.exe
File created	C:\Windows\SysWOW64\wmjegb.exe	wgrlew.exe
File opened for modification	C:\Windows\SysWOW64\wubrod.exe	wkicu.exe
File created	C:\Windows\SysWOW64\wdnrvycr.exe	wfysob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
964	2084	WerFault.exe	163

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2144	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	28
PID 2244 wrote to memory of 2144	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	28
PID 2244 wrote to memory of 2144	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	28
PID 2244 wrote to memory of 2144	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	28
PID 2244 wrote to memory of 2824	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	29
PID 2244 wrote to memory of 2824	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	29
PID 2244 wrote to memory of 2824	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	29
PID 2244 wrote to memory of 2824	2244	c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe	29
PID 2144 wrote to memory of 2704	2144	wgwd.exe	31
PID 2144 wrote to memory of 2704	2144	wgwd.exe	31
PID 2144 wrote to memory of 2704	2144	wgwd.exe	31
PID 2144 wrote to memory of 2704	2144	wgwd.exe	31
PID 2144 wrote to memory of 2916	2144	wgwd.exe	32
PID 2144 wrote to memory of 2916	2144	wgwd.exe	32
PID 2144 wrote to memory of 2916	2144	wgwd.exe	32
PID 2144 wrote to memory of 2916	2144	wgwd.exe	32
PID 2704 wrote to memory of 2732	2704	wydhrj.exe	34
PID 2704 wrote to memory of 2732	2704	wydhrj.exe	34
PID 2704 wrote to memory of 2732	2704	wydhrj.exe	34
PID 2704 wrote to memory of 2732	2704	wydhrj.exe	34
PID 2704 wrote to memory of 1692	2704	wydhrj.exe	35
PID 2704 wrote to memory of 1692	2704	wydhrj.exe	35
PID 2704 wrote to memory of 1692	2704	wydhrj.exe	35
PID 2704 wrote to memory of 1692	2704	wydhrj.exe	35
PID 2732 wrote to memory of 1800	2732	wgkpn.exe	37
PID 2732 wrote to memory of 1800	2732	wgkpn.exe	37
PID 2732 wrote to memory of 1800	2732	wgkpn.exe	37
PID 2732 wrote to memory of 1800	2732	wgkpn.exe	37
PID 2732 wrote to memory of 1924	2732	wgkpn.exe	38
PID 2732 wrote to memory of 1924	2732	wgkpn.exe	38
PID 2732 wrote to memory of 1924	2732	wgkpn.exe	38
PID 2732 wrote to memory of 1924	2732	wgkpn.exe	38
PID 1800 wrote to memory of 2940	1800	wqn.exe	40
PID 1800 wrote to memory of 2940	1800	wqn.exe	40
PID 1800 wrote to memory of 2940	1800	wqn.exe	40
PID 1800 wrote to memory of 2940	1800	wqn.exe	40
PID 1800 wrote to memory of 2620	1800	wqn.exe	41
PID 1800 wrote to memory of 2620	1800	wqn.exe	41
PID 1800 wrote to memory of 2620	1800	wqn.exe	41
PID 1800 wrote to memory of 2620	1800	wqn.exe	41
PID 2940 wrote to memory of 616	2940	wgrlew.exe	43
PID 2940 wrote to memory of 616	2940	wgrlew.exe	43
PID 2940 wrote to memory of 616	2940	wgrlew.exe	43
PID 2940 wrote to memory of 616	2940	wgrlew.exe	43
PID 2940 wrote to memory of 444	2940	wgrlew.exe	44
PID 2940 wrote to memory of 444	2940	wgrlew.exe	44
PID 2940 wrote to memory of 444	2940	wgrlew.exe	44
PID 2940 wrote to memory of 444	2940	wgrlew.exe	44
PID 616 wrote to memory of 288	616	wmjegb.exe	46
PID 616 wrote to memory of 288	616	wmjegb.exe	46
PID 616 wrote to memory of 288	616	wmjegb.exe	46
PID 616 wrote to memory of 288	616	wmjegb.exe	46
PID 616 wrote to memory of 2868	616	wmjegb.exe	47
PID 616 wrote to memory of 2868	616	wmjegb.exe	47
PID 616 wrote to memory of 2868	616	wmjegb.exe	47
PID 616 wrote to memory of 2868	616	wmjegb.exe	47
PID 288 wrote to memory of 2220	288	wurnc.exe	49
PID 288 wrote to memory of 2220	288	wurnc.exe	49
PID 288 wrote to memory of 2220	288	wurnc.exe	49
PID 288 wrote to memory of 2220	288	wurnc.exe	49
PID 288 wrote to memory of 3032	288	wurnc.exe	50
PID 288 wrote to memory of 3032	288	wurnc.exe	50
PID 288 wrote to memory of 3032	288	wurnc.exe	50
PID 288 wrote to memory of 3032	288	wurnc.exe	50

C:\Users\Admin\AppData\Local\Temp\c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\wgwd.exe
  "C:\Windows\system32\wgwd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\wydhrj.exe
    "C:\Windows\system32\wydhrj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\wgkpn.exe
      "C:\Windows\system32\wgkpn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\wqn.exe
        
        "C:\Windows\system32\wqn.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\SysWOW64\wgrlew.exe
        
        "C:\Windows\system32\wgrlew.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\wmjegb.exe
        
        "C:\Windows\system32\wmjegb.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\wurnc.exe
        
        "C:\Windows\system32\wurnc.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\wjfsatvi.exe
        
        "C:\Windows\system32\wjfsatvi.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2220
        
        C:\Windows\SysWOW64\wtmy.exe
        
        "C:\Windows\system32\wtmy.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wraxtm.exe
        
        "C:\Windows\system32\wraxtm.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2824
        
        C:\Windows\SysWOW64\wcrmmh.exe
        
        "C:\Windows\system32\wcrmmh.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1200
        
        C:\Windows\SysWOW64\wruie.exe
        
        "C:\Windows\system32\wruie.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2888
        
        C:\Windows\SysWOW64\wudv.exe
        
        "C:\Windows\system32\wudv.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\wofnqni.exe
        
        "C:\Windows\system32\wofnqni.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2768
        
        C:\Windows\SysWOW64\wpykaa.exe
        
        "C:\Windows\system32\wpykaa.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1472
        
        C:\Windows\SysWOW64\womihxb.exe
        
        "C:\Windows\system32\womihxb.exe"
        17⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\weeur.exe
        
        "C:\Windows\system32\weeur.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wbqtxi.exe
        
        "C:\Windows\system32\wbqtxi.exe"
        19⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\wmij.exe
        
        "C:\Windows\system32\wmij.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\whaqti.exe
        
        "C:\Windows\system32\whaqti.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\wvoxqwlac.exe
        
        "C:\Windows\system32\wvoxqwlac.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\wcod.exe
        
        "C:\Windows\system32\wcod.exe"
        23⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\wur.exe
        
        "C:\Windows\system32\wur.exe"
        24⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\wttl.exe
        
        "C:\Windows\system32\wttl.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wmu.exe
        
        "C:\Windows\system32\wmu.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\wkicu.exe
        
        "C:\Windows\system32\wkicu.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\wubrod.exe
        
        "C:\Windows\system32\wubrod.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\wwmm.exe
        
        "C:\Windows\system32\wwmm.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\whrmmp.exe
        
        "C:\Windows\system32\whrmmp.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\wgsalm.exe
        
        "C:\Windows\system32\wgsalm.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\wujm.exe
        
        "C:\Windows\system32\wujm.exe"
        32⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\wonf.exe
        
        "C:\Windows\system32\wonf.exe"
        33⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\wyft.exe
        
        "C:\Windows\system32\wyft.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\wshm.exe
        
        "C:\Windows\system32\wshm.exe"
        35⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\waaf.exe
        
        "C:\Windows\system32\waaf.exe"
        36⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\wwyaolb.exe
        
        "C:\Windows\system32\wwyaolb.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wegkjp.exe
        
        "C:\Windows\system32\wegkjp.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\wwjbrt.exe
        
        "C:\Windows\system32\wwjbrt.exe"
        39⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\wlmwj.exe
        
        "C:\Windows\system32\wlmwj.exe"
        40⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\weaayo.exe
        
        "C:\Windows\system32\weaayo.exe"
        41⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\wxqh.exe
        
        "C:\Windows\system32\wxqh.exe"
        42⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\wvdggpnwi.exe
        
        "C:\Windows\system32\wvdggpnwi.exe"
        43⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\wgvuam.exe
        
        "C:\Windows\system32\wgvuam.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\wbxnirygu.exe
        
        "C:\Windows\system32\wbxnirygu.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\wqwvjpcm.exe
        
        "C:\Windows\system32\wqwvjpcm.exe"
        46⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\wfaqad.exe
        
        "C:\Windows\system32\wfaqad.exe"
        47⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\wxbijh.exe
        
        "C:\Windows\system32\wxbijh.exe"
        48⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\wjjoud.exe
        
        "C:\Windows\system32\wjjoud.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\waxut.exe
        
        "C:\Windows\system32\waxut.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\wkokmms.exe
        
        "C:\Windows\system32\wkokmms.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\wddytxck.exe
        
        "C:\Windows\system32\wddytxck.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\wqhffoyp.exe
        
        "C:\Windows\system32\wqhffoyp.exe"
        53⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\wfysob.exe
        
        "C:\Windows\system32\wfysob.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\wdnrvycr.exe
        
        "C:\Windows\system32\wdnrvycr.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\woego.exe
        
        "C:\Windows\system32\woego.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\wlreus.exe
        
        "C:\Windows\system32\wlreus.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wsxnp.exe
        
        "C:\Windows\system32\wsxnp.exe"
        58⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\SysWOW64\wuwtukas.exe
        
        "C:\Windows\system32\wuwtukas.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\wjoffy.exe
        
        "C:\Windows\system32\wjoffy.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\whbdlvd.exe
        
        "C:\Windows\system32\whbdlvd.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\wojmga.exe
        
        "C:\Windows\system32\wojmga.exe"
        62⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\wivpvgk.exe
        
        "C:\Windows\system32\wivpvgk.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\wte.exe
        
        "C:\Windows\system32\wte.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\wqrsoywo.exe
        
        "C:\Windows\system32\wqrsoywo.exe"
        65⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\whsogm.exe
        
        "C:\Windows\system32\whsogm.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\wywhor.exe
        
        "C:\Windows\system32\wywhor.exe"
        67⤵
        
        PID:696
        
        C:\Windows\SysWOW64\wekkmxxk.exe
        
        "C:\Windows\system32\wekkmxxk.exe"
        68⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\wxnbueyk.exe
        
        "C:\Windows\system32\wxnbueyk.exe"
        69⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\weguxhe.exe
        
        "C:\Windows\system32\weguxhe.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\wtxhi.exe
        
        "C:\Windows\system32\wtxhi.exe"
        71⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\wsajoowy.exe
        
        "C:\Windows\system32\wsajoowy.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\wpbxn.exe
        
        "C:\Windows\system32\wpbxn.exe"
        73⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wchcb.exe
        
        "C:\Windows\system32\wchcb.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\wauchd.exe
        
        "C:\Windows\system32\wauchd.exe"
        75⤵
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\wpmm.exe
        
        "C:\Windows\system32\wpmm.exe"
        76⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\wmylxmtst.exe
        
        "C:\Windows\system32\wmylxmtst.exe"
        77⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\wob.exe
        
        "C:\Windows\system32\wob.exe"
        78⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\wqycsr.exe
        
        "C:\Windows\system32\wqycsr.exe"
        79⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\wcggfmfbb.exe
        
        "C:\Windows\system32\wcggfmfbb.exe"
        80⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\wysglkuf.exe
        
        "C:\Windows\system32\wysglkuf.exe"
        81⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\wrlmel.exe
        
        "C:\Windows\system32\wrlmel.exe"
        82⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\wtyib.exe
        
        "C:\Windows\system32\wtyib.exe"
        83⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\wncbk.exe
        
        "C:\Windows\system32\wncbk.exe"
        84⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\wldoj.exe
        
        "C:\Windows\system32\wldoj.exe"
        85⤵
        
        PID:568
        
        C:\Windows\SysWOW64\wskxfgmo.exe
        
        "C:\Windows\system32\wskxfgmo.exe"
        86⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\wlxatlxf.exe
        
        "C:\Windows\system32\wlxatlxf.exe"
        87⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wgasdryg.exe
        
        "C:\Windows\system32\wgasdryg.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wyqaeup.exe
        
        "C:\Windows\system32\wyqaeup.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wgktgav.exe
        
        "C:\Windows\system32\wgktgav.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\waxvufi.exe
        
        "C:\Windows\system32\waxvufi.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\wjplocsi.exe
        
        "C:\Windows\system32\wjplocsi.exe"
        92⤵
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\waiwxo.exe
        
        "C:\Windows\system32\waiwxo.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\wokspcct.exe
        
        "C:\Windows\system32\wokspcct.exe"
        94⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wlxswa.exe
        
        "C:\Windows\system32\wlxswa.exe"
        95⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\wcpehne.exe
        
        "C:\Windows\system32\wcpehne.exe"
        96⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\waqrgjjn.exe
        
        "C:\Windows\system32\waqrgjjn.exe"
        97⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpehne.exe"
        97⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxswa.exe"
        96⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokspcct.exe"
        95⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waiwxo.exe"
        94⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjplocsi.exe"
        93⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxvufi.exe"
        92⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgktgav.exe"
        91⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqaeup.exe"
        90⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgasdryg.exe"
        89⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxatlxf.exe"
        88⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wskxfgmo.exe"
        87⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldoj.exe"
        86⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncbk.exe"
        85⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtyib.exe"
        84⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrlmel.exe"
        83⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysglkuf.exe"
        82⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcggfmfbb.exe"
        81⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqycsr.exe"
        80⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wob.exe"
        79⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmylxmtst.exe"
        78⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmm.exe"
        77⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wauchd.exe"
        76⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchcb.exe"
        75⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbxn.exe"
        74⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsajoowy.exe"
        73⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxhi.exe"
        72⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weguxhe.exe"
        71⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnbueyk.exe"
        70⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekkmxxk.exe"
        69⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywhor.exe"
        68⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsogm.exe"
        67⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrsoywo.exe"
        66⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wte.exe"
        65⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivpvgk.exe"
        64⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojmga.exe"
        63⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbdlvd.exe"
        62⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoffy.exe"
        61⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwtukas.exe"
        60⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxnp.exe"
        59⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlreus.exe"
        58⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woego.exe"
        57⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnrvycr.exe"
        56⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfysob.exe"
        55⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhffoyp.exe"
        54⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddytxck.exe"
        53⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkokmms.exe"
        52⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxut.exe"
        51⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjjoud.exe"
        50⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbijh.exe"
        49⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaqad.exe"
        48⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwvjpcm.exe"
        47⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 180
        47⤵
        Program crash
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbxnirygu.exe"
        46⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvuam.exe"
        45⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdggpnwi.exe"
        44⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqh.exe"
        43⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weaayo.exe"
        42⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmwj.exe"
        41⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjbrt.exe"
        40⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegkjp.exe"
        39⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyaolb.exe"
        38⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waaf.exe"
        37⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshm.exe"
        36⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyft.exe"
        35⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonf.exe"
        34⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujm.exe"
        33⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsalm.exe"
        32⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrmmp.exe"
        31⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwmm.exe"
        30⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wubrod.exe"
        29⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkicu.exe"
        28⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmu.exe"
        27⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttl.exe"
        26⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wur.exe"
        25⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcod.exe"
        24⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoxqwlac.exe"
        23⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whaqti.exe"
        22⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmij.exe"
        21⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqtxi.exe"
        20⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weeur.exe"
        19⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womihxb.exe"
        18⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpykaa.exe"
        17⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofnqni.exe"
        16⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudv.exe"
        15⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruie.exe"
        14⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrmmh.exe"
        13⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wraxtm.exe"
        12⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmy.exe"
        11⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfsatvi.exe"
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurnc.exe"
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjegb.exe"
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrlew.exe"
        7⤵
        
        PID:444
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqn.exe"
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkpn.exe"
        5⤵
        
        PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydhrj.exe"
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwd.exe"
    3⤵
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\c63bb200e4bd7823efcb4522194bc8d0_NEIKI.exe"
  2⤵
  - Deletes itself
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OLXC0ZJW.txt

Filesize
98B

MD5
b5cfd5ce74eb140a96c58f36c3ce7da3

SHA1
88f293c28edef91be0d8959d8c5f70b909f1dc50

SHA256
7aa47390224e3069d9b86f74b7b190d1b91caebedb364b9a633d83d907676ca6

SHA512
968a49b0ff5b06575364f61c84a3c101edd0d2c1177f70f9c6e62527a0ec69a9c4a38db7617871ef8c3bfce1c6a4fd63b24114a1503f92dfef2136ad44c58d12

Download Submit
\Windows\SysWOW64\wcrmmh.exe

Filesize
105KB

MD5
322760a556efb52b5b2b21d7439b6663

SHA1
19e23901b0797e994bf3cc8206e0de92fad8e17a

SHA256
8729d813196a9c115a5e73c7d2be48761ab979076e44c788f489c7670effce15

SHA512
b03a4a334fbe869b7372b5d80845825f6b251fa2ca8b1fa906ff10769052a9f17866bf53e8307aa3d510abd7f1713217d02e1ebf30195eb16cf1139e995aebd6

Download Submit
\Windows\SysWOW64\wgkpn.exe

Filesize
104KB

MD5
d777f1ef846673af2699cf6ab0841b84

SHA1
60b9d34023c4d09f8341bb051032bc23551b8c94

SHA256
fdca61afd86e5afb81e2357fef091de9edf541a9db27e4c303db324aa77c1a8d

SHA512
ba47826e89437e81234c7b5809d3dd6cef0c5daecea09f3b95b99934624fb6c9e77be08d7c6a38468bb2d34300f31379ddafeafd5ccc099b942d318c7a1269aa

Download Submit
\Windows\SysWOW64\wgrlew.exe

Filesize
105KB

MD5
e68700afecf699650e5eaf35d6d08ff5

SHA1
220ac5feb26ce2e7820fec3c3c1d0f012fbea13c

SHA256
923f20cc57f70e67119c02b03212748e4385ad1a41b957a6c5465e6b4caeb809

SHA512
4c5497b2fc557c534ebf6a5dd7e5330b76af647e59c47c96d0464700a7e2cbb9b522d26daadfdb527659761a53b208812b107fed8186485c5d17312a3c5c00a4

Download Submit
\Windows\SysWOW64\wgwd.exe

Filesize
104KB

MD5
63c206808805b4f13389c4003c02c598

SHA1
7f65f03f5724dcccf65504699524c559f25505a8

SHA256
74bbfd8a19a8c1b8bc0b3e25cc1a5a96d7e63ce52dd68d0370bbe9d66df22ad4

SHA512
bfe9a1e5d4cfb37a961b57b1937cf3bd87228cc89306a0f473349e4812b77ad9832f0298089ec4b7cbba087d0c6b008f0a1c30c705528a44dd8554931b951f3c

Download Submit
\Windows\SysWOW64\wjfsatvi.exe

Filesize
105KB

MD5
037164175052fc033d2dacc0caf39520

SHA1
cc546f29e2cce6bfa77363afb05ffbfce86dfdca

SHA256
5405d9a4bae5628c99ddd3579f5b80e6469d4c5090a3944c144bd2bb5c511d29

SHA512
5baf2d5d8c5e92b4bfb84272b3c2356ebf38bef78c98098b4d3f02538074b7a0536ff77253fa94207671a136fefddc9739f0406ef88059abe658801afe3aec71

Download Submit
\Windows\SysWOW64\wmjegb.exe

Filesize
105KB

MD5
e3fb7bec24c0af57f9893b6c8b8ce5ab

SHA1
5af9855c6a34df505d2d61e06a752576d67efaee

SHA256
1722657e72dde12afa43a55daa724841122c735a0e13d4a0093d63afa4b9862e

SHA512
b27c744bb9315f2b15ece776e7d3b20fbe929c330490070db649b72707d8ec0feac86e56385617c2b248696919be89e21d6aca3913f0a7431e9716ef4a3dc3d8

Download Submit
\Windows\SysWOW64\wqn.exe

Filesize
104KB

MD5
9c44560b59084ee978bd2ddeccd9da29

SHA1
c9c65b99ded8e3422fe4892286bcaa822e196a65

SHA256
f005dfcb36c45c9b5b8b3c6999afe78abdb5474b476ca8764fff7c9ca7296cf6

SHA512
aae8639889080a2df77922b1992b5bbaa34e311cdde9b572bfcabb6b76603042f583ad29deb76bb7fab6a8e00c0d80757c170415447b49613a3b7c34cb9b8a0e

Download Submit
\Windows\SysWOW64\wraxtm.exe

Filesize
105KB

MD5
435bddf3137279c7b9ba0851fcda503b

SHA1
bbdaf2eb99b7da8232293955f32bd758dbc74c43

SHA256
8d578b4c2b03e81334c984fd71c3f21b288416419a188ad98b5df0e664391ec0

SHA512
ec2832f4a893b7a3e1a9fbe0611d114a5c531478d8f2d5cbe37ffc73e694053994cb4c9189eea9f3ef1cf670e4f7087876a9b558de55a7fba152525d5c3beee5

Download Submit
\Windows\SysWOW64\wtmy.exe

Filesize
105KB

MD5
0c22ea9a9af27f41e1af38e9a4bf69a5

SHA1
0383186bdeae921466366a9dcf1b983f6c2768a5

SHA256
01580bc645fbc064b0a41f0aa675983ea6a931b0cfc0527b8c99a30e6f5fbc4e

SHA512
ff26d1d3d983a01385c570696a19c8afedd89dca5eec8ea805e4e76ce5f0f07a73647884287147f8dd2cd053f8b2d06e4d740af4b05edab92d0a3b9385698c45

Download Submit
\Windows\SysWOW64\wurnc.exe

Filesize
105KB

MD5
b6479cdb829bcbadca6c62e1587f7b2a

SHA1
c0ece167354aa1ebe9ffeab500f02ce7a53a8e2e

SHA256
d2f26f66fe87e5622083df5e22cbf1c3007daceb07c8ff43f87ec639428f1ae2

SHA512
9058427abf805984070cb022d8e5029ebb43c86a2159468d3a0c742f7a76c7400db4b70ef84dbfdcedd038aad9237e527d2fdd7fde53278131a1b668badf442e

Download Submit
\Windows\SysWOW64\wydhrj.exe

Filesize
104KB

MD5
bfec94e0a01668469d7f5a9830335149

SHA1
5f40b184539db163c22127d181eeb69ea09d4c97

SHA256
07402a946298280ad00fada80b7b95de71094dc92da5c1a8cddbc0089ada90bf

SHA512
74c61b382e1e418989f8d65c8d4b66c34e97c6237c38236b401407e99847d566e04e7fc4dc4ac5280aab2471eb017eaa3b3b79ce11617b962e9f26651d93d6a7

Download Submit
memory/288-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/288-175-0x0000000004030000-0x0000000004047000-memory.dmp

Filesize
92KB

Download
memory/288-174-0x0000000003F60000-0x0000000003F77000-memory.dmp

Filesize
92KB

Download
memory/288-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/616-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/616-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/616-146-0x0000000003400000-0x0000000003417000-memory.dmp

Filesize
92KB

Download
memory/616-145-0x0000000003400000-0x0000000003417000-memory.dmp

Filesize
92KB

Download
memory/616-153-0x0000000003400000-0x0000000003417000-memory.dmp

Filesize
92KB

Download
memory/616-152-0x0000000003400000-0x0000000003417000-memory.dmp

Filesize
92KB

Download
memory/908-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/908-350-0x0000000000530000-0x0000000000547000-memory.dmp

Filesize
92KB

Download
memory/968-324-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/968-311-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1200-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1200-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-215-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/1432-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-216-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/1432-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1472-312-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1472-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1472-310-0x0000000003BC0000-0x0000000003BD7000-memory.dmp

Filesize
92KB

Download
memory/1800-107-0x00000000022E0000-0x00000000022F7000-memory.dmp

Filesize
92KB

Download
memory/1800-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-106-0x00000000022E0000-0x00000000022F7000-memory.dmp

Filesize
92KB

Download
memory/1800-108-0x0000000003280000-0x0000000003297000-memory.dmp

Filesize
92KB

Download
memory/1800-109-0x0000000003280000-0x0000000003297000-memory.dmp

Filesize
92KB

Download
memory/1800-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-338-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-325-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-337-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2144-42-0x00000000040B0000-0x00000000040C7000-memory.dmp

Filesize
92KB

Download
memory/2144-40-0x00000000040A0000-0x00000000040B7000-memory.dmp

Filesize
92KB

Download
memory/2144-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2144-41-0x00000000040B0000-0x00000000040C7000-memory.dmp

Filesize
92KB

Download
memory/2220-363-0x0000000004080000-0x0000000004097000-memory.dmp

Filesize
92KB

Download
memory/2220-364-0x0000000004080000-0x0000000004097000-memory.dmp

Filesize
92KB

Download
memory/2220-189-0x0000000003F70000-0x0000000003F87000-memory.dmp

Filesize
92KB

Download
memory/2220-197-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2220-365-0x0000000004080000-0x0000000004097000-memory.dmp

Filesize
92KB

Download
memory/2220-190-0x0000000003F70000-0x0000000003F87000-memory.dmp

Filesize
92KB

Download
memory/2220-366-0x0000000004080000-0x0000000004097000-memory.dmp

Filesize
92KB

Download
memory/2220-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2220-368-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-412-0x0000000003960000-0x0000000003977000-memory.dmp

Filesize
92KB

Download
memory/2240-411-0x0000000003960000-0x0000000003977000-memory.dmp

Filesize
92KB

Download
memory/2240-413-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-410-0x0000000003960000-0x0000000003977000-memory.dmp

Filesize
92KB

Download
memory/2240-409-0x0000000003960000-0x0000000003977000-memory.dmp

Filesize
92KB

Download
memory/2244-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2244-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2244-6-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2244-12-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2244-21-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2244-20-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2428-425-0x0000000003D90000-0x0000000003DA7000-memory.dmp

Filesize
92KB

Download
memory/2460-396-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2460-391-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/2460-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2692-382-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2692-377-0x0000000003590000-0x00000000035A7000-memory.dmp

Filesize
92KB

Download
memory/2692-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-57-0x0000000004110000-0x0000000004127000-memory.dmp

Filesize
92KB

Download
memory/2704-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-58-0x0000000004110000-0x0000000004127000-memory.dmp

Filesize
92KB

Download
memory/2732-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2732-86-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2732-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2732-282-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2732-83-0x0000000003E90000-0x0000000003EA7000-memory.dmp

Filesize
92KB

Download
memory/2732-84-0x0000000003E90000-0x0000000003EA7000-memory.dmp

Filesize
92KB

Download
memory/2732-267-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2732-279-0x0000000002440000-0x0000000002457000-memory.dmp

Filesize
92KB

Download
memory/2732-280-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/2732-85-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2768-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2768-298-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2768-295-0x0000000003540000-0x0000000003557000-memory.dmp

Filesize
92KB

Download
memory/2768-296-0x0000000003540000-0x0000000003557000-memory.dmp

Filesize
92KB

Download
memory/2768-294-0x0000000003540000-0x0000000003557000-memory.dmp

Filesize
92KB

Download
memory/2824-218-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-236-0x00000000031B0000-0x00000000031C7000-memory.dmp

Filesize
92KB

Download
memory/2824-235-0x00000000031B0000-0x00000000031C7000-memory.dmp

Filesize
92KB

Download
memory/2824-237-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-263-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/2888-264-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/2888-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-266-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/2940-119-0x00000000020E0000-0x00000000020F7000-memory.dmp

Filesize
92KB

Download
memory/2940-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2940-131-0x00000000020E0000-0x00000000020F7000-memory.dmp

Filesize
92KB

Download
memory/2940-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download