0829074be18b904ef9966ba1741cb0e28b96088fb9a4cb3ec54f21ccb1b2309a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
Size

88KB
MD5

a52962dddaa4a37208926df9873d6720
SHA1

fad0c0e585684f88976899c673ea6fba30c5002e
SHA256

0829074be18b904ef9966ba1741cb0e28b96088fb9a4cb3ec54f21ccb1b2309a
SHA512

42d7bd017024d8aa63deabcc42c9fd3e9eded2d8e01842018ec6478b8503cff28f8b93bcbc3b2e358f3a54767c8df5340e1bfc4010b48bb4ea213aeec3ef6c59
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qC2:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC2

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2364	wknk.exe
2772	wlqupb.exe
2868	wqwvjm.exe
1904	wofigl.exe
1440	wekchbkdq.exe
1612	wudkbrvhf.exe
1336	wxnspilfq.exe
2844	wfvyun.exe
2900	wvdxi.exe
2516	wmwh.exe
2500	wgyvuc.exe
1736	wsiy.exe
1072	wibglpb.exe
2424	wxs.exe
540	wtuuv.exe
1340	wpxjv.exe
2340	wkpoh.exe
2296	wwjb.exe
2800	wqbf.exe
2592	wulpj.exe
2904	wlpilyrwr.exe
564	wrwopf.exe
2456	whqxkw.exe
1496	wlbgyknkr.exe
2964	wyvmv.exe
1588	wxww.exe
2992	wkfyj.exe
2584	wkvq.exe
2616	wiknal.exe
2488	whiqp.exe
2972	wxbx.exe
888	wbkh.exe
1692	wqeq.exe
1100	wlhfknxfq.exe
1848	wsfbk.exe
1640	wjxkd.exe
2084	wudgojkk.exe
2164	wlk.exe
2676	wcqr.exe
2476	wpf.exe
2488	waabnqkye.exe
1752	wqg.exe
1856	wlclo.exe
676	wys.exe
1740	wpure.exe
2408	wnheqho.exe
2792	weanlw.exe
2204	wqpkyfpx.exe
2608	wcxmud.exe
2576	wkooqtv.exe
2200	wslk.exe
1520	whodrrbk.exe
2840	www.exe
1580	wjpojfkpn.exe
1908	wducbnj.exe
1572	wunlueu.exe
2624	wwejo.exe
1148	wgagcs.exe
1972	wfdsltim.exe
1752	wrncjk.exe
320	wiuavaeh.exe
3036	wxnhrqpl.exe
2436	wnsbsime.exe
1484	wwplyk.exe

Loads dropped DLL 64 IoCs

pid	Process
1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
2364	wknk.exe
2364	wknk.exe
2364	wknk.exe
2364	wknk.exe
2364	wknk.exe
2772	wlqupb.exe
2772	wlqupb.exe
2772	wlqupb.exe
2772	wlqupb.exe
2772	wlqupb.exe
2868	wqwvjm.exe
2868	wqwvjm.exe
2868	wqwvjm.exe
2868	wqwvjm.exe
2868	wqwvjm.exe
1904	wofigl.exe
1904	wofigl.exe
1904	wofigl.exe
1904	wofigl.exe
1904	wofigl.exe
1440	wekchbkdq.exe
1440	wekchbkdq.exe
1440	wekchbkdq.exe
1440	wekchbkdq.exe
1440	wekchbkdq.exe
1612	wudkbrvhf.exe
1612	wudkbrvhf.exe
1612	wudkbrvhf.exe
1612	wudkbrvhf.exe
1612	wudkbrvhf.exe
1336	wxnspilfq.exe
1336	wxnspilfq.exe
1336	wxnspilfq.exe
1336	wxnspilfq.exe
1336	wxnspilfq.exe
2844	wfvyun.exe
2844	wfvyun.exe
2844	wfvyun.exe
2844	wfvyun.exe
2844	wfvyun.exe
2900	wvdxi.exe
2900	wvdxi.exe
2900	wvdxi.exe
2900	wvdxi.exe
2900	wvdxi.exe
2516	wmwh.exe
2516	wmwh.exe
2516	wmwh.exe
2516	wmwh.exe
2516	wmwh.exe
2500	wgyvuc.exe
2500	wgyvuc.exe
2500	wgyvuc.exe
2500	wgyvuc.exe
2500	wgyvuc.exe
1736	wsiy.exe
1736	wsiy.exe
1736	wsiy.exe
1736	wsiy.exe
1736	wsiy.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wekchbkdq = "\"C:\\Windows\\SysWOW64\\wekchbkdq.exe\""	wekchbkdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqg = "\"C:\\Windows\\SysWOW64\\wqg.exe\""	wqg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvdtu = "\"C:\\Windows\\SysWOW64\\wvdtu.exe\""	wvdtu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wholw = "\"C:\\Windows\\SysWOW64\\wholw.exe\""	wholw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjpojfkpn = "\"C:\\Windows\\SysWOW64\\wjpojfkpn.exe\""	wjpojfkpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlpilyrwr = "\"C:\\Windows\\SysWOW64\\wlpilyrwr.exe\""	wlpilyrwr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\whodrrbk = "\"C:\\Windows\\SysWOW64\\whodrrbk.exe\""	whodrrbk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtlkwrla = "\"C:\\Windows\\SysWOW64\\wtlkwrla.exe\""	wtlkwrla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wudkbrvhf = "\"C:\\Windows\\SysWOW64\\wudkbrvhf.exe\""	wudkbrvhf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkfyj = "\"C:\\Windows\\SysWOW64\\wkfyj.exe\""	wkfyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlclo = "\"C:\\Windows\\SysWOW64\\wlclo.exe\""	wlclo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwejo = "\"C:\\Windows\\SysWOW64\\wwejo.exe\""	wwejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgagcs = "\"C:\\Windows\\SysWOW64\\wgagcs.exe\""	wgagcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\whqxkw = "\"C:\\Windows\\SysWOW64\\whqxkw.exe\""	whqxkw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wknk = "\"C:\\Windows\\SysWOW64\\wknk.exe\""	wknk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgasdryg = "\"C:\\Windows\\SysWOW64\\wgasdryg.exe\""	wgasdryg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxnhrqpl = "\"C:\\Windows\\SysWOW64\\wxnhrqpl.exe\""	wxnhrqpl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wagowi = "\"C:\\Windows\\SysWOW64\\wagowi.exe\""	wagowi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlrgpx = "\"C:\\Windows\\SysWOW64\\wlrgpx.exe\""	wlrgpx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlnykv = "\"C:\\Windows\\SysWOW64\\wlnykv.exe\""	wlnykv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxnspilfq = "\"C:\\Windows\\SysWOW64\\wxnspilfq.exe\""	wxnspilfq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxbx = "\"C:\\Windows\\SysWOW64\\wxbx.exe\""	wxbx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrrjsn = "\"C:\\Windows\\SysWOW64\\wrrjsn.exe\""	wrrjsn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfvyun = "\"C:\\Windows\\SysWOW64\\wfvyun.exe\""	wfvyun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxs = "\"C:\\Windows\\SysWOW64\\wxs.exe\""	wxs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnsbsime = "\"C:\\Windows\\SysWOW64\\wnsbsime.exe\""	wnsbsime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wofigl = "\"C:\\Windows\\SysWOW64\\wofigl.exe\""	wofigl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkvq = "\"C:\\Windows\\SysWOW64\\wkvq.exe\""	wkvq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvued = "\"C:\\Windows\\SysWOW64\\wvued.exe\""	wvued.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwh = "\"C:\\Windows\\SysWOW64\\wmwh.exe\""	wmwh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgyvuc = "\"C:\\Windows\\SysWOW64\\wgyvuc.exe\""	wgyvuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wys = "\"C:\\Windows\\SysWOW64\\wys.exe\""	wys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wagvyo = "\"C:\\Windows\\SysWOW64\\wagvyo.exe\""	wagvyo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyjxqx = "\"C:\\Windows\\SysWOW64\\wyjxqx.exe\""	wyjxqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqwvjm = "\"C:\\Windows\\SysWOW64\\wqwvjm.exe\""	wqwvjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmyvjjd = "\"C:\\Windows\\SysWOW64\\wmyvjjd.exe\""	wmyvjjd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdrtgq = "\"C:\\Windows\\SysWOW64\\wdrtgq.exe\""	wdrtgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwjb = "\"C:\\Windows\\SysWOW64\\wwjb.exe\""	wwjb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlbgyknkr = "\"C:\\Windows\\SysWOW64\\wlbgyknkr.exe\""	wlbgyknkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiknal = "\"C:\\Windows\\SysWOW64\\wiknal.exe\""	wiknal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwplyk = "\"C:\\Windows\\SysWOW64\\wwplyk.exe\""	wwplyk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbdtif = "\"C:\\Windows\\SysWOW64\\wbdtif.exe\""	wbdtif.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcqr = "\"C:\\Windows\\SysWOW64\\wcqr.exe\""	wcqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wducbnj = "\"C:\\Windows\\SysWOW64\\wducbnj.exe\""	wducbnj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpxjv = "\"C:\\Windows\\SysWOW64\\wpxjv.exe\""	wpxjv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wquvbmvf = "\"C:\\Windows\\SysWOW64\\wquvbmvf.exe\""	wquvbmvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmkbdpke = "\"C:\\Windows\\SysWOW64\\wmkbdpke.exe\""	wmkbdpke.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbbynm = "\"C:\\Windows\\SysWOW64\\wbbynm.exe\""	wbbynm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjxkd = "\"C:\\Windows\\SysWOW64\\wjxkd.exe\""	wjxkd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlk = "\"C:\\Windows\\SysWOW64\\wlk.exe\""	wlk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpf = "\"C:\\Windows\\SysWOW64\\wpf.exe\""	wpf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wunlueu = "\"C:\\Windows\\SysWOW64\\wunlueu.exe\""	wunlueu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrncjk = "\"C:\\Windows\\SysWOW64\\wrncjk.exe\""	wrncjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wibglpb = "\"C:\\Windows\\SysWOW64\\wibglpb.exe\""	wibglpb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrwopf = "\"C:\\Windows\\SysWOW64\\wrwopf.exe\""	wrwopf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\whiqp = "\"C:\\Windows\\SysWOW64\\whiqp.exe\""	whiqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqeq = "\"C:\\Windows\\SysWOW64\\wqeq.exe\""	wqeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiuavaeh = "\"C:\\Windows\\SysWOW64\\wiuavaeh.exe\""	wiuavaeh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpure = "\"C:\\Windows\\SysWOW64\\wpure.exe\""	wpure.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\watdv = "\"C:\\Windows\\SysWOW64\\watdv.exe\""	watdv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\whqrxgmi = "\"C:\\Windows\\SysWOW64\\whqrxgmi.exe\""	whqrxgmi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wccfihkfw = "\"C:\\Windows\\SysWOW64\\wccfihkfw.exe\""	wccfihkfw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjbtb = "\"C:\\Windows\\SysWOW64\\wjbtb.exe\""	wjbtb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wanhsopub = "\"C:\\Windows\\SysWOW64\\wanhsopub.exe\""	wanhsopub.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmwh.exe	wvdxi.exe
File opened for modification	C:\Windows\SysWOW64\wrwopf.exe	wlpilyrwr.exe
File opened for modification	C:\Windows\SysWOW64\wrncjk.exe	wfdsltim.exe
File opened for modification	C:\Windows\SysWOW64\wagvyo.exe	wquvbmvf.exe
File opened for modification	C:\Windows\SysWOW64\wudkbrvhf.exe	wekchbkdq.exe
File created	C:\Windows\SysWOW64\wmkbdpke.exe	wagowi.exe
File opened for modification	C:\Windows\SysWOW64\wbkh.exe	wxbx.exe
File opened for modification	C:\Windows\SysWOW64\wnheqho.exe	wpure.exe
File created	C:\Windows\SysWOW64\wcxmud.exe	wqpkyfpx.exe
File opened for modification	C:\Windows\SysWOW64\wgagcs.exe	wwejo.exe
File opened for modification	C:\Windows\SysWOW64\wpxjv.exe	wtuuv.exe
File opened for modification	C:\Windows\SysWOW64\wlcfsl.exe	watdv.exe
File opened for modification	C:\Windows\SysWOW64\wslk.exe	wkooqtv.exe
File opened for modification	C:\Windows\SysWOW64\wlpilyrwr.exe	wulpj.exe
File opened for modification	C:\Windows\SysWOW64\wctqcydk.exe	wtlkwrla.exe
File created	C:\Windows\SysWOW64\wgyvuc.exe	wmwh.exe
File created	C:\Windows\SysWOW64\wsiy.exe	wgyvuc.exe
File created	C:\Windows\SysWOW64\wlbgyknkr.exe	whqxkw.exe
File created	C:\Windows\SysWOW64\wjbtb.exe	wlnykv.exe
File created	C:\Windows\SysWOW64\wgasdryg.exe	waneehd.exe
File created	C:\Windows\SysWOW64\wudkbrvhf.exe	wekchbkdq.exe
File created	C:\Windows\SysWOW64\wjxkd.exe	wsfbk.exe
File opened for modification	C:\Windows\SysWOW64\wducbnj.exe	wjpojfkpn.exe
File opened for modification	C:\Windows\SysWOW64\wholw.exe	wbdtif.exe
File opened for modification	C:\Windows\SysWOW64\wgasdryg.exe	waneehd.exe
File opened for modification	C:\Windows\SysWOW64\wsfbk.exe	wlhfknxfq.exe
File opened for modification	C:\Windows\SysWOW64\wjxkd.exe	wsfbk.exe
File created	C:\Windows\SysWOW64\wpf.exe	wcqr.exe
File created	C:\Windows\SysWOW64\wrgxj.exe	wccfihkfw.exe
File created	C:\Windows\SysWOW64\wtlkwrla.exe	wlcfsl.exe
File opened for modification	C:\Windows\SysWOW64\wtlkwrla.exe	wlcfsl.exe
File created	C:\Windows\SysWOW64\wunlueu.exe	wducbnj.exe
File opened for modification	C:\Windows\SysWOW64\wxww.exe	wyvmv.exe
File created	C:\Windows\SysWOW64\wnheqho.exe	wpure.exe
File created	C:\Windows\SysWOW64\wagvyo.exe	wquvbmvf.exe
File opened for modification	C:\Windows\SysWOW64\wvdxi.exe	wfvyun.exe
File opened for modification	C:\Windows\SysWOW64\wkooqtv.exe	wcxmud.exe
File opened for modification	C:\Windows\SysWOW64\whodrrbk.exe	wslk.exe
File opened for modification	C:\Windows\SysWOW64\wxnhrqpl.exe	wiuavaeh.exe
File opened for modification	C:\Windows\SysWOW64\wtuuv.exe	wxs.exe
File created	C:\Windows\SysWOW64\whiqp.exe	wiknal.exe
File opened for modification	C:\Windows\SysWOW64\wekchbkdq.exe	wofigl.exe
File created	C:\Windows\SysWOW64\wulpj.exe	wqbf.exe
File created	C:\Windows\SysWOW64\www.exe	whodrrbk.exe
File opened for modification	C:\Windows\SysWOW64\wxnspilfq.exe	wudkbrvhf.exe
File opened for modification	C:\Windows\SysWOW64\whqxkw.exe	wrwopf.exe
File opened for modification	C:\Windows\SysWOW64\wpure.exe	wys.exe
File opened for modification	C:\Windows\SysWOW64\www.exe	whodrrbk.exe
File created	C:\Windows\SysWOW64\wkxsj.exe	wbbynm.exe
File opened for modification	C:\Windows\SysWOW64\wdrtgq.exe	wgasdryg.exe
File opened for modification	C:\Windows\SysWOW64\whiqp.exe	wiknal.exe
File opened for modification	C:\Windows\SysWOW64\wvdtu.exe	wdafdmun.exe
File opened for modification	C:\Windows\SysWOW64\wjbtb.exe	wlnykv.exe
File opened for modification	C:\Windows\SysWOW64\wgtdhfp.exe	whqrxgmi.exe
File created	C:\Windows\SysWOW64\wpure.exe	wys.exe
File created	C:\Windows\SysWOW64\wfdsltim.exe	wgagcs.exe
File created	C:\Windows\SysWOW64\wlnykv.exe	wholw.exe
File opened for modification	C:\Windows\SysWOW64\waabnqkye.exe	wpf.exe
File opened for modification	C:\Windows\SysWOW64\wgyvuc.exe	wmwh.exe
File created	C:\Windows\SysWOW64\wlk.exe	wudgojkk.exe
File created	C:\Windows\SysWOW64\wlclo.exe	wqg.exe
File opened for modification	C:\Windows\SysWOW64\weanlw.exe	wnheqho.exe
File opened for modification	C:\Windows\SysWOW64\wcxmud.exe	wqpkyfpx.exe
File created	C:\Windows\SysWOW64\wxww.exe	wyvmv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1676	2904	WerFault.exe	88
2408	2512	WerFault.exe	229
2200	2080	WerFault.exe	246
1476	2132	WerFault.exe	322

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2364	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	28
PID 1304 wrote to memory of 2364	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	28
PID 1304 wrote to memory of 2364	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	28
PID 1304 wrote to memory of 2364	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	28
PID 1304 wrote to memory of 2712	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	29
PID 1304 wrote to memory of 2712	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	29
PID 1304 wrote to memory of 2712	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	29
PID 1304 wrote to memory of 2712	1304	a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe	29
PID 2364 wrote to memory of 2772	2364	wknk.exe	31
PID 2364 wrote to memory of 2772	2364	wknk.exe	31
PID 2364 wrote to memory of 2772	2364	wknk.exe	31
PID 2364 wrote to memory of 2772	2364	wknk.exe	31
PID 2364 wrote to memory of 2496	2364	wknk.exe	32
PID 2364 wrote to memory of 2496	2364	wknk.exe	32
PID 2364 wrote to memory of 2496	2364	wknk.exe	32
PID 2364 wrote to memory of 2496	2364	wknk.exe	32
PID 2772 wrote to memory of 2868	2772	wlqupb.exe	34
PID 2772 wrote to memory of 2868	2772	wlqupb.exe	34
PID 2772 wrote to memory of 2868	2772	wlqupb.exe	34
PID 2772 wrote to memory of 2868	2772	wlqupb.exe	34
PID 2772 wrote to memory of 2248	2772	wlqupb.exe	35
PID 2772 wrote to memory of 2248	2772	wlqupb.exe	35
PID 2772 wrote to memory of 2248	2772	wlqupb.exe	35
PID 2772 wrote to memory of 2248	2772	wlqupb.exe	35
PID 2868 wrote to memory of 1904	2868	wqwvjm.exe	37
PID 2868 wrote to memory of 1904	2868	wqwvjm.exe	37
PID 2868 wrote to memory of 1904	2868	wqwvjm.exe	37
PID 2868 wrote to memory of 1904	2868	wqwvjm.exe	37
PID 2868 wrote to memory of 2456	2868	wqwvjm.exe	38
PID 2868 wrote to memory of 2456	2868	wqwvjm.exe	38
PID 2868 wrote to memory of 2456	2868	wqwvjm.exe	38
PID 2868 wrote to memory of 2456	2868	wqwvjm.exe	38
PID 1904 wrote to memory of 1440	1904	wofigl.exe	40
PID 1904 wrote to memory of 1440	1904	wofigl.exe	40
PID 1904 wrote to memory of 1440	1904	wofigl.exe	40
PID 1904 wrote to memory of 1440	1904	wofigl.exe	40
PID 1904 wrote to memory of 1952	1904	wofigl.exe	41
PID 1904 wrote to memory of 1952	1904	wofigl.exe	41
PID 1904 wrote to memory of 1952	1904	wofigl.exe	41
PID 1904 wrote to memory of 1952	1904	wofigl.exe	41
PID 1440 wrote to memory of 1612	1440	wekchbkdq.exe	43
PID 1440 wrote to memory of 1612	1440	wekchbkdq.exe	43
PID 1440 wrote to memory of 1612	1440	wekchbkdq.exe	43
PID 1440 wrote to memory of 1612	1440	wekchbkdq.exe	43
PID 1440 wrote to memory of 612	1440	wekchbkdq.exe	44
PID 1440 wrote to memory of 612	1440	wekchbkdq.exe	44
PID 1440 wrote to memory of 612	1440	wekchbkdq.exe	44
PID 1440 wrote to memory of 612	1440	wekchbkdq.exe	44
PID 1612 wrote to memory of 1336	1612	wudkbrvhf.exe	46
PID 1612 wrote to memory of 1336	1612	wudkbrvhf.exe	46
PID 1612 wrote to memory of 1336	1612	wudkbrvhf.exe	46
PID 1612 wrote to memory of 1336	1612	wudkbrvhf.exe	46
PID 1612 wrote to memory of 2432	1612	wudkbrvhf.exe	47
PID 1612 wrote to memory of 2432	1612	wudkbrvhf.exe	47
PID 1612 wrote to memory of 2432	1612	wudkbrvhf.exe	47
PID 1612 wrote to memory of 2432	1612	wudkbrvhf.exe	47
PID 1336 wrote to memory of 2844	1336	wxnspilfq.exe	49
PID 1336 wrote to memory of 2844	1336	wxnspilfq.exe	49
PID 1336 wrote to memory of 2844	1336	wxnspilfq.exe	49
PID 1336 wrote to memory of 2844	1336	wxnspilfq.exe	49
PID 1336 wrote to memory of 2388	1336	wxnspilfq.exe	50
PID 1336 wrote to memory of 2388	1336	wxnspilfq.exe	50
PID 1336 wrote to memory of 2388	1336	wxnspilfq.exe	50
PID 1336 wrote to memory of 2388	1336	wxnspilfq.exe	50

C:\Users\Admin\AppData\Local\Temp\a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\wknk.exe
  "C:\Windows\system32\wknk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\wlqupb.exe
    "C:\Windows\system32\wlqupb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\wqwvjm.exe
      "C:\Windows\system32\wqwvjm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\wofigl.exe
        
        "C:\Windows\system32\wofigl.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\SysWOW64\wekchbkdq.exe
        
        "C:\Windows\system32\wekchbkdq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\wudkbrvhf.exe
        
        "C:\Windows\system32\wudkbrvhf.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\wxnspilfq.exe
        
        "C:\Windows\system32\wxnspilfq.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\wfvyun.exe
        
        "C:\Windows\system32\wfvyun.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\wvdxi.exe
        
        "C:\Windows\system32\wvdxi.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\wmwh.exe
        
        "C:\Windows\system32\wmwh.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wgyvuc.exe
        
        "C:\Windows\system32\wgyvuc.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\wsiy.exe
        
        "C:\Windows\system32\wsiy.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\wibglpb.exe
        
        "C:\Windows\system32\wibglpb.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1072
        
        C:\Windows\SysWOW64\wxs.exe
        
        "C:\Windows\system32\wxs.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\wtuuv.exe
        
        "C:\Windows\system32\wtuuv.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\wpxjv.exe
        
        "C:\Windows\system32\wpxjv.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1340
        
        C:\Windows\SysWOW64\wkpoh.exe
        
        "C:\Windows\system32\wkpoh.exe"
        18⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\wwjb.exe
        
        "C:\Windows\system32\wwjb.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\SysWOW64\wqbf.exe
        
        "C:\Windows\system32\wqbf.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\wulpj.exe
        
        "C:\Windows\system32\wulpj.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\wlpilyrwr.exe
        
        "C:\Windows\system32\wlpilyrwr.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wrwopf.exe
        
        "C:\Windows\system32\wrwopf.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\whqxkw.exe
        
        "C:\Windows\system32\whqxkw.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\wlbgyknkr.exe
        
        "C:\Windows\system32\wlbgyknkr.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1496
        
        C:\Windows\SysWOW64\wyvmv.exe
        
        "C:\Windows\system32\wyvmv.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\wxww.exe
        
        "C:\Windows\system32\wxww.exe"
        27⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\wkfyj.exe
        
        "C:\Windows\system32\wkfyj.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2992
        
        C:\Windows\SysWOW64\wkvq.exe
        
        "C:\Windows\system32\wkvq.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2584
        
        C:\Windows\SysWOW64\wiknal.exe
        
        "C:\Windows\system32\wiknal.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\whiqp.exe
        
        "C:\Windows\system32\whiqp.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2488
        
        C:\Windows\SysWOW64\wxbx.exe
        
        "C:\Windows\system32\wxbx.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\wbkh.exe
        
        "C:\Windows\system32\wbkh.exe"
        33⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\wqeq.exe
        
        "C:\Windows\system32\wqeq.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1692
        
        C:\Windows\SysWOW64\wlhfknxfq.exe
        
        "C:\Windows\system32\wlhfknxfq.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\wsfbk.exe
        
        "C:\Windows\system32\wsfbk.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\wjxkd.exe
        
        "C:\Windows\system32\wjxkd.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1640
        
        C:\Windows\SysWOW64\wudgojkk.exe
        
        "C:\Windows\system32\wudgojkk.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\wlk.exe
        
        "C:\Windows\system32\wlk.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2164
        
        C:\Windows\SysWOW64\wcqr.exe
        
        "C:\Windows\system32\wcqr.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\wpf.exe
        
        "C:\Windows\system32\wpf.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\waabnqkye.exe
        
        "C:\Windows\system32\waabnqkye.exe"
        42⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\wqg.exe
        
        "C:\Windows\system32\wqg.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\wlclo.exe
        
        "C:\Windows\system32\wlclo.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1856
        
        C:\Windows\SysWOW64\wys.exe
        
        "C:\Windows\system32\wys.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\wpure.exe
        
        "C:\Windows\system32\wpure.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\wnheqho.exe
        
        "C:\Windows\system32\wnheqho.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\weanlw.exe
        
        "C:\Windows\system32\weanlw.exe"
        48⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\wqpkyfpx.exe
        
        "C:\Windows\system32\wqpkyfpx.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\wcxmud.exe
        
        "C:\Windows\system32\wcxmud.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\wkooqtv.exe
        
        "C:\Windows\system32\wkooqtv.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\wslk.exe
        
        "C:\Windows\system32\wslk.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\whodrrbk.exe
        
        "C:\Windows\system32\whodrrbk.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\www.exe
        
        "C:\Windows\system32\www.exe"
        54⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\wjpojfkpn.exe
        
        "C:\Windows\system32\wjpojfkpn.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\wducbnj.exe
        
        "C:\Windows\system32\wducbnj.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\wunlueu.exe
        
        "C:\Windows\system32\wunlueu.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1572
        
        C:\Windows\SysWOW64\wwejo.exe
        
        "C:\Windows\system32\wwejo.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\wgagcs.exe
        
        "C:\Windows\system32\wgagcs.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\wfdsltim.exe
        
        "C:\Windows\system32\wfdsltim.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\wrncjk.exe
        
        "C:\Windows\system32\wrncjk.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1752
        
        C:\Windows\SysWOW64\wiuavaeh.exe
        
        "C:\Windows\system32\wiuavaeh.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\wxnhrqpl.exe
        
        "C:\Windows\system32\wxnhrqpl.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3036
        
        C:\Windows\SysWOW64\wnsbsime.exe
        
        "C:\Windows\system32\wnsbsime.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2436
        
        C:\Windows\SysWOW64\wwplyk.exe
        
        "C:\Windows\system32\wwplyk.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1484
        
        C:\Windows\SysWOW64\wexpeqpu.exe
        
        "C:\Windows\system32\wexpeqpu.exe"
        66⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\wlrgpx.exe
        
        "C:\Windows\system32\wlrgpx.exe"
        67⤵
        Adds Run key to start application
        
        PID:1448
        
        C:\Windows\SysWOW64\wdafdmun.exe
        
        "C:\Windows\system32\wdafdmun.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wvdtu.exe
        
        "C:\Windows\system32\wvdtu.exe"
        69⤵
        Adds Run key to start application
        
        PID:2288
        
        C:\Windows\SysWOW64\wrrjsn.exe
        
        "C:\Windows\system32\wrrjsn.exe"
        70⤵
        Adds Run key to start application
        
        PID:1376
        
        C:\Windows\SysWOW64\wquvbmvf.exe
        
        "C:\Windows\system32\wquvbmvf.exe"
        71⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\wagvyo.exe
        
        "C:\Windows\system32\wagvyo.exe"
        72⤵
        Adds Run key to start application
        
        PID:776
        
        C:\Windows\SysWOW64\wmyvjjd.exe
        
        "C:\Windows\system32\wmyvjjd.exe"
        73⤵
        Adds Run key to start application
        
        PID:884
        
        C:\Windows\SysWOW64\wccfihkfw.exe
        
        "C:\Windows\system32\wccfihkfw.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\wrgxj.exe
        
        "C:\Windows\system32\wrgxj.exe"
        75⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\wbdtif.exe
        
        "C:\Windows\system32\wbdtif.exe"
        76⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\wholw.exe
        
        "C:\Windows\system32\wholw.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\wlnykv.exe
        
        "C:\Windows\system32\wlnykv.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\wjbtb.exe
        
        "C:\Windows\system32\wjbtb.exe"
        79⤵
        Adds Run key to start application
        
        PID:2428
        
        C:\Windows\SysWOW64\watdv.exe
        
        "C:\Windows\system32\watdv.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\wlcfsl.exe
        
        "C:\Windows\system32\wlcfsl.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\wtlkwrla.exe
        
        "C:\Windows\system32\wtlkwrla.exe"
        82⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\wctqcydk.exe
        
        "C:\Windows\system32\wctqcydk.exe"
        83⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\wqmawopp.exe
        
        "C:\Windows\system32\wqmawopp.exe"
        84⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\whqrxgmi.exe
        
        "C:\Windows\system32\whqrxgmi.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wgtdhfp.exe
        
        "C:\Windows\system32\wgtdhfp.exe"
        86⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\wbbynm.exe
        
        "C:\Windows\system32\wbbynm.exe"
        87⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wkxsj.exe
        
        "C:\Windows\system32\wkxsj.exe"
        88⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\wvued.exe
        
        "C:\Windows\system32\wvued.exe"
        89⤵
        Adds Run key to start application
        
        PID:2580
        
        C:\Windows\SysWOW64\wuxpmxep.exe
        
        "C:\Windows\system32\wuxpmxep.exe"
        90⤵
        
        PID:700
        
        C:\Windows\SysWOW64\waneehd.exe
        
        "C:\Windows\system32\waneehd.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\wgasdryg.exe
        
        "C:\Windows\system32\wgasdryg.exe"
        92⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\wdrtgq.exe
        
        "C:\Windows\system32\wdrtgq.exe"
        93⤵
        Adds Run key to start application
        
        PID:1244
        
        C:\Windows\SysWOW64\wyjxqx.exe
        
        "C:\Windows\system32\wyjxqx.exe"
        94⤵
        Adds Run key to start application
        
        PID:2596
        
        C:\Windows\SysWOW64\wanhsopub.exe
        
        "C:\Windows\system32\wanhsopub.exe"
        95⤵
        Adds Run key to start application
        
        PID:2132
        
        C:\Windows\SysWOW64\wagowi.exe
        
        "C:\Windows\system32\wagowi.exe"
        96⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\wmkbdpke.exe
        
        "C:\Windows\system32\wmkbdpke.exe"
        97⤵
        Adds Run key to start application
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagowi.exe"
        97⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanhsopub.exe"
        96⤵
        
        PID:268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 880
        96⤵
        Program crash
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjxqx.exe"
        95⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrtgq.exe"
        94⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgasdryg.exe"
        93⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waneehd.exe"
        92⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxpmxep.exe"
        91⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvued.exe"
        90⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxsj.exe"
        89⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbbynm.exe"
        88⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtdhfp.exe"
        87⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqrxgmi.exe"
        86⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqmawopp.exe"
        85⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctqcydk.exe"
        84⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlkwrla.exe"
        83⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcfsl.exe"
        82⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\watdv.exe"
        81⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbtb.exe"
        80⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnykv.exe"
        79⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wholw.exe"
        78⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdtif.exe"
        77⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgxj.exe"
        76⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccfihkfw.exe"
        75⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyvjjd.exe"
        74⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagvyo.exe"
        73⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wquvbmvf.exe"
        72⤵
        
        PID:984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 156
        72⤵
        Program crash
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrjsn.exe"
        71⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdtu.exe"
        70⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdafdmun.exe"
        69⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrgpx.exe"
        68⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexpeqpu.exe"
        67⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 892
        67⤵
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwplyk.exe"
        66⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsbsime.exe"
        65⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnhrqpl.exe"
        64⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuavaeh.exe"
        63⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrncjk.exe"
        62⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdsltim.exe"
        61⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgagcs.exe"
        60⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwejo.exe"
        59⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunlueu.exe"
        58⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wducbnj.exe"
        57⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpojfkpn.exe"
        56⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\www.exe"
        55⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whodrrbk.exe"
        54⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslk.exe"
        53⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkooqtv.exe"
        52⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxmud.exe"
        51⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpkyfpx.exe"
        50⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weanlw.exe"
        49⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnheqho.exe"
        48⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpure.exe"
        47⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wys.exe"
        46⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlclo.exe"
        45⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqg.exe"
        44⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waabnqkye.exe"
        43⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpf.exe"
        42⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqr.exe"
        41⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlk.exe"
        40⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudgojkk.exe"
        39⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxkd.exe"
        38⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsfbk.exe"
        37⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhfknxfq.exe"
        36⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqeq.exe"
        35⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkh.exe"
        34⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbx.exe"
        33⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whiqp.exe"
        32⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiknal.exe"
        31⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvq.exe"
        30⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfyj.exe"
        29⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxww.exe"
        28⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvmv.exe"
        27⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbgyknkr.exe"
        26⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqxkw.exe"
        25⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwopf.exe"
        24⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpilyrwr.exe"
        23⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 180
        23⤵
        Program crash
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulpj.exe"
        22⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbf.exe"
        21⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjb.exe"
        20⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpoh.exe"
        19⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxjv.exe"
        18⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtuuv.exe"
        17⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxs.exe"
        16⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibglpb.exe"
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiy.exe"
        14⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyvuc.exe"
        13⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwh.exe"
        12⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdxi.exe"
        11⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvyun.exe"
        10⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnspilfq.exe"
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudkbrvhf.exe"
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekchbkdq.exe"
        7⤵
        
        PID:612
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofigl.exe"
        6⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwvjm.exe"
        5⤵
        
        PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqupb.exe"
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknk.exe"
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\a52962dddaa4a37208926df9873d6720_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAW2SX5D.txt

Filesize
98B

MD5
f7ab96a6605f3373ab0e75e257eef29c

SHA1
7fb6bb42e461f0b5252073a1dffad1974512f410

SHA256
d84a9f77945d6edef854363fc2f2fdc461125f12f6fea64ba8e2c2e3f51f73c7

SHA512
2e64213ad1053dc544ee4335d540ddc527d3fe91beb47c6211c7e952aadc967dbdc623d4c7f20ece8e8502bbeaf3a01474a0335fc33d3737b7f8c0b6119df3e3

Download Submit
\Windows\SysWOW64\wekchbkdq.exe

Filesize
88KB

MD5
f598eecff2d06d5236e79111a8807089

SHA1
228aa426cce2f8aee35f01ee2c2927ed32f2bbdf

SHA256
f00e9052da25ffae46908f025b659929bee9c5edf1e2583fce953a58d757986f

SHA512
30e088801d35eb72471ad3babf7a3d6ecde757bcb7af05a7f818c7da9c986d0713812a28b5595f415789abef4ff877f99497f018035e349ce938d361422cd253

Download Submit
\Windows\SysWOW64\wfvyun.exe

Filesize
88KB

MD5
751b8dc8d754410c8e4a915a959ec39c

SHA1
b64f9964242a103b224d671904e3e939c0ec46a8

SHA256
3922f063dc3624ed025ea44adc44bcd47b6cd8236704a6d8158c7862efb387fd

SHA512
2eee9f2bf0827cfe5bc7177cb74e9b85d3a4d58529acec81af973613d464c7eb7794e00d93610541db60ffda599bb5bc439a093a38551ce17e724a546ed38b83

Download Submit
\Windows\SysWOW64\wknk.exe

Filesize
88KB

MD5
914d2b2250593ebc4993d305e75fdddd

SHA1
b8a28eeb0a58775c17c76014abc5c4d6cd599a52

SHA256
c3f4a448a942c51ac44b1a041057da8f13e6b7fa2764fb62bd3c5daf2c92a6f1

SHA512
1f2d40c09f4440c391f75c73d1aca90c583ca5bf064f418fb6da45db2964ed2ed7df8e70a2a5cbc3a0235bf8bc9180f4d3bb2b2f849add657fe95661cb6dfb1a

Download Submit
\Windows\SysWOW64\wlqupb.exe

Filesize
88KB

MD5
e073686326c3d5b0de29b3dc4a14c1c0

SHA1
7f678183419bd2679d90f99743baa91097ad45e2

SHA256
6f60750717a7dd35bb31d29b88d1a0a3001333dc9fa285cae33a4f3ec3f41ed0

SHA512
566caa658a52851c24ef629e3193805f3c9d0fc53f8d5da711f8b640c04ed45d4864a98730587b87602e0b58b9de5fe47795e08d74f0d1e2b81b3fbc53240f69

Download Submit
\Windows\SysWOW64\wmwh.exe

Filesize
88KB

MD5
410e5dea8847c62f0618bed741808fc0

SHA1
4d2590ab306354e78d99a745812a0d0746be6e60

SHA256
e3bde16f993c1913e982367693a9d1c5dcc7d0623b19c6925b704c0e404f5d9f

SHA512
9d07a0062bb0310be51174eccb2f2687df81887aa6178404baf16d5c3f327c6a512077d4022356b38b7b5a3692035c1e097dd32498f8ac6730ce5e6112ee5a8d

Download Submit
\Windows\SysWOW64\wofigl.exe

Filesize
88KB

MD5
1a8f798d719c4d4215ecb00b35ca3421

SHA1
8c301a2259b6051ddc9d46affa979c96f72e2983

SHA256
456fdb0709c158903fe30ec312de67cb0989d5a1a8c8f4561e4763c4c3fa457f

SHA512
457307d71771e758e95681e5c4aa86efd4c674432d932d0f7ff63f1a72ee4bbf16b0d489bf24cf8a53bc26f0278a1799a5032f3dd71a974ea29267dceee02984

Download Submit
\Windows\SysWOW64\wqwvjm.exe

Filesize
88KB

MD5
c8e66a2b6e9b86d1f24904afa3782ac5

SHA1
03cac214b99e2fbe3109e5873151b6f0a5d9a095

SHA256
0569dc548e0a606bc8afe26716908f5655bb2a8efe5ee6931cd52d0ceda79dd6

SHA512
166a38c59c1e1ac25ff3e9e58f269332d3103a6d9f91555a5150a1a8446018db34f9a218d427004ca6b1621b31f394c5ccd494071c768746a78a486f8fcffcf7

Download Submit
\Windows\SysWOW64\wudkbrvhf.exe

Filesize
88KB

MD5
3cfbc09844b02a41052d90461e99a577

SHA1
46884547a7798e5dc49a19a21ce526fafbbfd355

SHA256
0ea52d9a59e1cabe8c120f8ae212ebaf5023bf32b66b5d40c8ed32c5d95f4cc1

SHA512
dfc99c502efe6585a3937f1bb8dad7703515af9535d3dfbc99c40978bfcadb46a05e5ddc2be034db1e10f13f44aaa5f48a2a39117fd867f92e290705f576279a

Download Submit
\Windows\SysWOW64\wvdxi.exe

Filesize
88KB

MD5
7e7487d47b8184037c97d1faa736e00d

SHA1
231f902cc132c58700c30adc85ebf181e580fde4

SHA256
ce40d86742d1a2f4231daba5a6c234bebc4aaca2f89a08e09ca6124623afc0d5

SHA512
3d953a5bea99849abebaf06c1ce074dcb2d4823528472edf26ef70c9edf3ae584196bbb0c08da1fa8affe7371ebe299617344d863a72c8bee08820c6cccc099a

Download Submit
\Windows\SysWOW64\wxnspilfq.exe

Filesize
88KB

MD5
82e360f9aa70f927c673f74077b5a288

SHA1
eee0b2ea18bc224d81ca6234592d12c62f4b86f8

SHA256
50d0a54d38bff8e2ab3daa3c0df056862009b8576c5e90d45852e8a2c1e10192

SHA512
674ff43684f5b227c4022bf14e380b3edb86574d19159ab108932f78a7c65fade05337064bf9de9c5dffe6107a95e2d2020886f17b52176b81e8cec1b1c7f52e

Download Submit
memory/540-316-0x00000000039F0000-0x0000000003A08000-memory.dmp

Filesize
96KB

Download
memory/540-302-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/540-317-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1072-287-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1072-286-0x0000000003DA0000-0x0000000003DB8000-memory.dmp

Filesize
96KB

Download
memory/1304-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1304-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1304-23-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/1304-19-0x0000000003B00000-0x0000000003B18000-memory.dmp

Filesize
96KB

Download
memory/1304-20-0x0000000003B00000-0x0000000003B18000-memory.dmp

Filesize
96KB

Download
memory/1304-12-0x0000000003B00000-0x0000000003B18000-memory.dmp

Filesize
96KB

Download
memory/1336-189-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1336-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1336-187-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/1336-183-0x0000000003270000-0x0000000003288000-memory.dmp

Filesize
96KB

Download
memory/1336-182-0x0000000003270000-0x0000000003288000-memory.dmp

Filesize
96KB

Download
memory/1340-329-0x0000000003420000-0x0000000003438000-memory.dmp

Filesize
96KB

Download
memory/1340-331-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1440-112-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1440-139-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1440-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1440-122-0x0000000002350000-0x0000000002368000-memory.dmp

Filesize
96KB

Download
memory/1440-134-0x00000000032B0000-0x00000000032C8000-memory.dmp

Filesize
96KB

Download
memory/1440-135-0x00000000032B0000-0x00000000032C8000-memory.dmp

Filesize
96KB

Download
memory/1440-133-0x0000000002350000-0x0000000002368000-memory.dmp

Filesize
96KB

Download
memory/1612-164-0x0000000003FB0000-0x0000000003FC0000-memory.dmp

Filesize
64KB

Download
memory/1612-158-0x0000000003FA0000-0x0000000003FB8000-memory.dmp

Filesize
96KB

Download
memory/1612-166-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1612-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1612-157-0x0000000003F60000-0x0000000003F78000-memory.dmp

Filesize
96KB

Download
memory/1612-160-0x0000000004170000-0x0000000004188000-memory.dmp

Filesize
96KB

Download
memory/1612-159-0x0000000004170000-0x0000000004188000-memory.dmp

Filesize
96KB

Download
memory/1736-273-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/1736-261-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1736-274-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1904-115-0x00000000040B0000-0x00000000040C0000-memory.dmp

Filesize
64KB

Download
memory/1904-116-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1904-109-0x00000000040A0000-0x00000000040B8000-memory.dmp

Filesize
96KB

Download
memory/1904-110-0x00000000040B0000-0x00000000040C8000-memory.dmp

Filesize
96KB

Download
memory/1904-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2296-362-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2296-346-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2296-358-0x0000000003730000-0x0000000003748000-memory.dmp

Filesize
96KB

Download
memory/2296-361-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/2296-359-0x0000000003730000-0x0000000003748000-memory.dmp

Filesize
96KB

Download
memory/2340-330-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2340-343-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/2340-344-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/2340-345-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2364-42-0x0000000002470000-0x0000000002488000-memory.dmp

Filesize
96KB

Download
memory/2364-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2364-43-0x0000000003D60000-0x0000000003D78000-memory.dmp

Filesize
96KB

Download
memory/2364-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2424-303-0x0000000003630000-0x0000000003640000-memory.dmp

Filesize
64KB

Download
memory/2424-304-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2424-301-0x0000000003630000-0x0000000003648000-memory.dmp

Filesize
96KB

Download
memory/2424-288-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2500-244-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2500-259-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/2500-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2500-258-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/2516-241-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2516-229-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-246-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-245-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/2516-243-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2516-242-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2592-393-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/2592-390-0x0000000003950000-0x0000000003968000-memory.dmp

Filesize
96KB

Download
memory/2592-391-0x0000000003950000-0x0000000003968000-memory.dmp

Filesize
96KB

Download
memory/2592-386-0x0000000002430000-0x0000000002448000-memory.dmp

Filesize
96KB

Download
memory/2592-377-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-60-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/2772-67-0x0000000004130000-0x0000000004148000-memory.dmp

Filesize
96KB

Download
memory/2772-47-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-69-0x0000000003F70000-0x0000000003F80000-memory.dmp

Filesize
64KB

Download
memory/2772-71-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2800-374-0x0000000004010000-0x0000000004028000-memory.dmp

Filesize
96KB

Download
memory/2800-375-0x0000000004020000-0x0000000004038000-memory.dmp

Filesize
96KB

Download
memory/2800-376-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2800-360-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-212-0x0000000003E70000-0x0000000003E80000-memory.dmp

Filesize
64KB

Download
memory/2844-213-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-186-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-206-0x0000000003E70000-0x0000000003E88000-memory.dmp

Filesize
96KB

Download
memory/2844-207-0x0000000003E70000-0x0000000003E88000-memory.dmp

Filesize
96KB

Download
memory/2844-205-0x0000000003E60000-0x0000000003E78000-memory.dmp

Filesize
96KB

Download
memory/2868-88-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download
memory/2868-87-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download
memory/2868-91-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2868-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2900-226-0x0000000002220000-0x0000000002238000-memory.dmp

Filesize
96KB

Download
memory/2900-228-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2900-209-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2900-227-0x0000000003540000-0x0000000003558000-memory.dmp

Filesize
96KB

Download
memory/2904-392-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads