57940a828c9f5f8223a4f5400100c35d9e511fc1eeff90ef1d2702264138ef02

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 12:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
Size

89KB
MD5

012903b6776cd32b7194a67d2240d240
SHA1

0c1cb394b462f0ceb3e2b1762b2de3bf7263bc63
SHA256

57940a828c9f5f8223a4f5400100c35d9e511fc1eeff90ef1d2702264138ef02
SHA512

cff6e5455b316553cc8d61564d5cd1a098f5f4804b9210309b65eaa448842dfa90d233f2bf7ed09cf6ea4969dd1870ac3d1273070e9c71c1593450fe8d723ab7
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71PvJdsJG1:1eOLK7hNIMLrCiS4+PwRjY5xhEAXVvt

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2740	wjbseca.exe
2676	wni.exe
2684	wkvsviim.exe
1520	waofhu.exe
2064	wqfpq.exe
932	wjssg.exe
1548	wvikwgapf.exe
1924	wlyv.exe
1660	wiyqnvn.exe
2436	wphbia.exe
2612	wooq.exe
2388	whdtk.exe
2316	wygxlj.exe
1132	wstbaptdn.exe
668	wik.exe
1620	wfwkrywf.exe
2904	wdayqv.exe
2392	woy.exe
2720	wmhaowoo.exe
2852	wqeq.exe
1640	woge.exe
2144	wudgojkk.exe
2112	wgjmb.exe
2872	wdvkhb.exe
1820	wbxygx.exe
2908	wujvitsjv.exe
1600	wjb.exe
2392	wdojintw.exe
2648	wbpxikyo.exe
2504	wyrmihee.exe
2784	wvtbh.exe
1684	wxhvetc.exe
324	wasqdivka.exe
344	wtv.exe
836	wpiujomi.exe
1144	wjlyl.exe
1832	wgx.exe
1704	wnr.exe
1588	wks.exe
1396	wqqgoe.exe
628	wfiraqgl.exe
668	wibokchp.exe
952	wcehsij.exe
1812	wvtotm.exe
2600	wtinakp.exe
2488	wmjfjpq.exe
2528	wkweonhp.exe
1312	whysojmfq.exe
1488	wjknmyg.exe
580	whnclvjq.exe
3044	wkondksv.exe
2552	wlbiaym.exe
2724	wkdvawr.exe
2516	whpvgthm.exe
1916	wbhc.exe
2264	wcsxfo.exe
568	wbu.exe
2872	wkxlgfrh.exe
2164	wjaaedvv.exe
2036	wknvcsp.exe
1716	wfeedw.exe
2460	wygvmc.exe
1528	waebqsln.exe
1292	wovmbf.exe

Loads dropped DLL 64 IoCs

pid	Process
2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
2740	wjbseca.exe
2740	wjbseca.exe
2740	wjbseca.exe
2740	wjbseca.exe
2740	wjbseca.exe
2676	wni.exe
2676	wni.exe
2676	wni.exe
2676	wni.exe
2676	wni.exe
2684	wkvsviim.exe
2684	wkvsviim.exe
2684	wkvsviim.exe
2684	wkvsviim.exe
2684	wkvsviim.exe
1520	waofhu.exe
1520	waofhu.exe
1520	waofhu.exe
1520	waofhu.exe
1520	waofhu.exe
2064	wqfpq.exe
2064	wqfpq.exe
2064	wqfpq.exe
2064	wqfpq.exe
2064	wqfpq.exe
932	wjssg.exe
932	wjssg.exe
932	wjssg.exe
932	wjssg.exe
932	wjssg.exe
1548	wvikwgapf.exe
1548	wvikwgapf.exe
1548	wvikwgapf.exe
1548	wvikwgapf.exe
1548	wvikwgapf.exe
1924	wlyv.exe
1924	wlyv.exe
1924	wlyv.exe
1924	wlyv.exe
1924	wlyv.exe
1660	wiyqnvn.exe
1660	wiyqnvn.exe
1660	wiyqnvn.exe
1660	wiyqnvn.exe
1660	wiyqnvn.exe
2436	wphbia.exe
2436	wphbia.exe
2436	wphbia.exe
2436	wphbia.exe
2436	wphbia.exe
2612	wooq.exe
2612	wooq.exe
2612	wooq.exe
2612	wooq.exe
2612	wooq.exe
2388	whdtk.exe
2388	whdtk.exe
2388	whdtk.exe
2388	whdtk.exe
2388	whdtk.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wovmbf = "\"C:\\Windows\\SysWOW64\\wovmbf.exe\""	wovmbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlgpmjsg = "\"C:\\Windows\\SysWOW64\\wlgpmjsg.exe\""	wlgpmjsg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wodln = "\"C:\\Windows\\SysWOW64\\wodln.exe\""	wodln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxmajg = "\"C:\\Windows\\SysWOW64\\wxmajg.exe\""	wxmajg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscnoahg = "\"C:\\Windows\\SysWOW64\\wscnoahg.exe\""	wscnoahg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wik = "\"C:\\Windows\\SysWOW64\\wik.exe\""	wik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmbcvsac = "\"C:\\Windows\\SysWOW64\\wmbcvsac.exe\""	wmbcvsac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkvsviim = "\"C:\\Windows\\SysWOW64\\wkvsviim.exe\""	wkvsviim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjssg = "\"C:\\Windows\\SysWOW64\\wjssg.exe\""	wjssg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdvkhb = "\"C:\\Windows\\SysWOW64\\wdvkhb.exe\""	wdvkhb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvtbh = "\"C:\\Windows\\SysWOW64\\wvtbh.exe\""	wvtbh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtrgocch = "\"C:\\Windows\\SysWOW64\\wtrgocch.exe\""	wtrgocch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfqndfud = "\"C:\\Windows\\SysWOW64\\wfqndfud.exe\""	wfqndfud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlyv = "\"C:\\Windows\\SysWOW64\\wlyv.exe\""	wlyv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\woge = "\"C:\\Windows\\SysWOW64\\woge.exe\""	woge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkweonhp = "\"C:\\Windows\\SysWOW64\\wkweonhp.exe\""	wkweonhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuswmf = "\"C:\\Windows\\SysWOW64\\wuswmf.exe\""	wuswmf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wygvmc = "\"C:\\Windows\\SysWOW64\\wygvmc.exe\""	wygvmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbxygx = "\"C:\\Windows\\SysWOW64\\wbxygx.exe\""	wbxygx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyrmihee = "\"C:\\Windows\\SysWOW64\\wyrmihee.exe\""	wyrmihee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\waligasr = "\"C:\\Windows\\SysWOW64\\waligasr.exe\""	waligasr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfermt = "\"C:\\Windows\\SysWOW64\\wdfermt.exe\""	wdfermt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkxlgfrh = "\"C:\\Windows\\SysWOW64\\wkxlgfrh.exe\""	wkxlgfrh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvikwgapf = "\"C:\\Windows\\SysWOW64\\wvikwgapf.exe\""	wvikwgapf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wstbaptdn = "\"C:\\Windows\\SysWOW64\\wstbaptdn.exe\""	wstbaptdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wibokchp = "\"C:\\Windows\\SysWOW64\\wibokchp.exe\""	wibokchp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmjmhco = "\"C:\\Windows\\SysWOW64\\wmjmhco.exe\""	wmjmhco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wumimp = "\"C:\\Windows\\SysWOW64\\wumimp.exe\""	wumimp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtinakp = "\"C:\\Windows\\SysWOW64\\wtinakp.exe\""	wtinakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\waebqsln = "\"C:\\Windows\\SysWOW64\\waebqsln.exe\""	waebqsln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjlyl = "\"C:\\Windows\\SysWOW64\\wjlyl.exe\""	wjlyl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wllhwrex = "\"C:\\Windows\\SysWOW64\\wllhwrex.exe\""	wllhwrex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkondksv = "\"C:\\Windows\\SysWOW64\\wkondksv.exe\""	wkondksv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbhc = "\"C:\\Windows\\SysWOW64\\wbhc.exe\""	wbhc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqfpq = "\"C:\\Windows\\SysWOW64\\wqfpq.exe\""	wqfpq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wphbia = "\"C:\\Windows\\SysWOW64\\wphbia.exe\""	wphbia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfwkrywf = "\"C:\\Windows\\SysWOW64\\wfwkrywf.exe\""	wfwkrywf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\whnclvjq = "\"C:\\Windows\\SysWOW64\\whnclvjq.exe\""	whnclvjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wegrky = "\"C:\\Windows\\SysWOW64\\wegrky.exe\""	wegrky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdayqv = "\"C:\\Windows\\SysWOW64\\wdayqv.exe\""	wdayqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjknmyg = "\"C:\\Windows\\SysWOW64\\wjknmyg.exe\""	wjknmyg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjaaedvv = "\"C:\\Windows\\SysWOW64\\wjaaedvv.exe\""	wjaaedvv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxgwyr = "\"C:\\Windows\\SysWOW64\\wxgwyr.exe\""	wxgwyr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wudgojkk = "\"C:\\Windows\\SysWOW64\\wudgojkk.exe\""	wudgojkk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbu = "\"C:\\Windows\\SysWOW64\\wbu.exe\""	wbu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxbabyxy = "\"C:\\Windows\\SysWOW64\\wxbabyxy.exe\""	wxbabyxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\whdibt = "\"C:\\Windows\\SysWOW64\\whdibt.exe\""	whdibt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiyqnvn = "\"C:\\Windows\\SysWOW64\\wiyqnvn.exe\""	wiyqnvn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfiraqgl = "\"C:\\Windows\\SysWOW64\\wfiraqgl.exe\""	wfiraqgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wujvitsjv = "\"C:\\Windows\\SysWOW64\\wujvitsjv.exe\""	wujvitsjv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlsous = "\"C:\\Windows\\SysWOW64\\wlsous.exe\""	wlsous.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqjca = "\"C:\\Windows\\SysWOW64\\wqjca.exe\""	wqjca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqqgoe = "\"C:\\Windows\\SysWOW64\\wqqgoe.exe\""	wqqgoe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\whysojmfq = "\"C:\\Windows\\SysWOW64\\whysojmfq.exe\""	whysojmfq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbxbwv = "\"C:\\Windows\\SysWOW64\\wbxbwv.exe\""	wbxbwv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaxpdc = "\"C:\\Windows\\SysWOW64\\wuaxpdc.exe\""	wuaxpdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\whpvgthm = "\"C:\\Windows\\SysWOW64\\whpvgthm.exe\""	whpvgthm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdojintw = "\"C:\\Windows\\SysWOW64\\wdojintw.exe\""	wdojintw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wudpavdpi = "\"C:\\Windows\\SysWOW64\\wudpavdpi.exe\""	wudpavdpi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxijse = "\"C:\\Windows\\SysWOW64\\wxijse.exe\""	wxijse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfeedw = "\"C:\\Windows\\SysWOW64\\wfeedw.exe\""	wfeedw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgjmb = "\"C:\\Windows\\SysWOW64\\wgjmb.exe\""	wgjmb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpiujomi = "\"C:\\Windows\\SysWOW64\\wpiujomi.exe\""	wpiujomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmnvuyrd = "\"C:\\Windows\\SysWOW64\\wmnvuyrd.exe\""	wmnvuyrd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wqqgoe.exe	wks.exe
File created	C:\Windows\SysWOW64\wuswmf.exe	wgqbvrs.exe
File opened for modification	C:\Windows\SysWOW64\waligasr.exe	wijpxtqq.exe
File opened for modification	C:\Windows\SysWOW64\wni.exe	wjbseca.exe
File opened for modification	C:\Windows\SysWOW64\wcsxfo.exe	wbhc.exe
File opened for modification	C:\Windows\SysWOW64\wknvcsp.exe	wjaaedvv.exe
File opened for modification	C:\Windows\SysWOW64\wphbia.exe	wiyqnvn.exe
File created	C:\Windows\SysWOW64\wjaaedvv.exe	wkxlgfrh.exe
File created	C:\Windows\SysWOW64\wodln.exe	wmbcvsac.exe
File opened for modification	C:\Windows\SysWOW64\wuswmf.exe	wgqbvrs.exe
File created	C:\Windows\SysWOW64\weoagyf.exe	wllhwrex.exe
File created	C:\Windows\SysWOW64\wudpavdpi.exe	wxbabyxy.exe
File opened for modification	C:\Windows\SysWOW64\wygpi.exe	wfewbr.exe
File created	C:\Windows\SysWOW64\wfeedw.exe	wknvcsp.exe
File opened for modification	C:\Windows\SysWOW64\wygvmc.exe	wfeedw.exe
File created	C:\Windows\SysWOW64\wwrkovkf.exe	wypuoxfp.exe
File created	C:\Windows\SysWOW64\wxgwyr.exe	wdfermt.exe
File created	C:\Windows\SysWOW64\wiaylqdxp.exe	wxgwyr.exe
File opened for modification	C:\Windows\SysWOW64\wdvkhb.exe	wgjmb.exe
File created	C:\Windows\SysWOW64\wumimp.exe	wscnoahg.exe
File opened for modification	C:\Windows\SysWOW64\wkweonhp.exe	wmjfjpq.exe
File created	C:\Windows\SysWOW64\wjb.exe	wujvitsjv.exe
File opened for modification	C:\Windows\SysWOW64\whnclvjq.exe	wjknmyg.exe
File opened for modification	C:\Windows\SysWOW64\wtrgocch.exe	wygpi.exe
File opened for modification	C:\Windows\SysWOW64\wijrx.exe	wtrgocch.exe
File created	C:\Windows\SysWOW64\wyrmihee.exe	wbpxikyo.exe
File opened for modification	C:\Windows\SysWOW64\wlgpmjsg.exe	wwrkovkf.exe
File opened for modification	C:\Windows\SysWOW64\wik.exe	wstbaptdn.exe
File created	C:\Windows\SysWOW64\wvtotm.exe	wcehsij.exe
File created	C:\Windows\SysWOW64\wjbseca.exe	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\wudgojkk.exe	woge.exe
File opened for modification	C:\Windows\SysWOW64\wiyqnvn.exe	wlyv.exe
File opened for modification	C:\Windows\SysWOW64\wtinakp.exe	wvtotm.exe
File opened for modification	C:\Windows\SysWOW64\wllhwrex.exe	wuswmf.exe
File opened for modification	C:\Windows\SysWOW64\wks.exe	wnr.exe
File created	C:\Windows\SysWOW64\wbxbwv.exe	wlgpmjsg.exe
File created	C:\Windows\SysWOW64\wygpi.exe	wfewbr.exe
File created	C:\Windows\SysWOW64\wujvitsjv.exe	wbxygx.exe
File opened for modification	C:\Windows\SysWOW64\wygxlj.exe	whdtk.exe
File created	C:\Windows\SysWOW64\wmjfjpq.exe	wtinakp.exe
File created	C:\Windows\SysWOW64\wxmajg.exe	wijrx.exe
File opened for modification	C:\Windows\SysWOW64\wooq.exe	wphbia.exe
File opened for modification	C:\Windows\SysWOW64\whysojmfq.exe	wkweonhp.exe
File opened for modification	C:\Windows\SysWOW64\wbhc.exe	whpvgthm.exe
File opened for modification	C:\Windows\SysWOW64\wijpxtqq.exe	wqjca.exe
File opened for modification	C:\Windows\SysWOW64\wgx.exe	wjlyl.exe
File opened for modification	C:\Windows\SysWOW64\wibokchp.exe	wfiraqgl.exe
File opened for modification	C:\Windows\SysWOW64\weoagyf.exe	wllhwrex.exe
File opened for modification	C:\Windows\SysWOW64\whdibt.exe	wfqndfud.exe
File created	C:\Windows\SysWOW64\woy.exe	wdayqv.exe
File created	C:\Windows\SysWOW64\wdvkhb.exe	wgjmb.exe
File opened for modification	C:\Windows\SysWOW64\wvikwgapf.exe	wjssg.exe
File created	C:\Windows\SysWOW64\wygxlj.exe	whdtk.exe
File opened for modification	C:\Windows\SysWOW64\wujvitsjv.exe	wbxygx.exe
File created	C:\Windows\SysWOW64\wfiraqgl.exe	wqqgoe.exe
File opened for modification	C:\Windows\SysWOW64\wfeedw.exe	wknvcsp.exe
File created	C:\Windows\SysWOW64\wfqndfud.exe	wmnvuyrd.exe
File created	C:\Windows\SysWOW64\waofhu.exe	wkvsviim.exe
File opened for modification	C:\Windows\SysWOW64\waofhu.exe	wkvsviim.exe
File created	C:\Windows\SysWOW64\wiyqnvn.exe	wlyv.exe
File opened for modification	C:\Windows\SysWOW64\wmhaowoo.exe	woy.exe
File opened for modification	C:\Windows\SysWOW64\wjbseca.exe	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wxijse.exe	wegrky.exe
File created	C:\Windows\SysWOW64\wygvmc.exe	wfeedw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1196	1820	WerFault.exe	102
2020	2908	WerFault.exe	105
2816	836	WerFault.exe	136
952	3044	WerFault.exe	185
2556	2516	WerFault.exe	195
1980	2164	WerFault.exe	211
1216	2688	WerFault.exe	242
856	2380	WerFault.exe	258
2456	932	WerFault.exe	274

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2740	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2740	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2740	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2740	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2624	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	29
PID 2972 wrote to memory of 2624	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	29
PID 2972 wrote to memory of 2624	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	29
PID 2972 wrote to memory of 2624	2972	012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe	29
PID 2740 wrote to memory of 2676	2740	wjbseca.exe	31
PID 2740 wrote to memory of 2676	2740	wjbseca.exe	31
PID 2740 wrote to memory of 2676	2740	wjbseca.exe	31
PID 2740 wrote to memory of 2676	2740	wjbseca.exe	31
PID 2740 wrote to memory of 2460	2740	wjbseca.exe	32
PID 2740 wrote to memory of 2460	2740	wjbseca.exe	32
PID 2740 wrote to memory of 2460	2740	wjbseca.exe	32
PID 2740 wrote to memory of 2460	2740	wjbseca.exe	32
PID 2676 wrote to memory of 2684	2676	wni.exe	34
PID 2676 wrote to memory of 2684	2676	wni.exe	34
PID 2676 wrote to memory of 2684	2676	wni.exe	34
PID 2676 wrote to memory of 2684	2676	wni.exe	34
PID 2676 wrote to memory of 1288	2676	wni.exe	35
PID 2676 wrote to memory of 1288	2676	wni.exe	35
PID 2676 wrote to memory of 1288	2676	wni.exe	35
PID 2676 wrote to memory of 1288	2676	wni.exe	35
PID 2684 wrote to memory of 1520	2684	wkvsviim.exe	37
PID 2684 wrote to memory of 1520	2684	wkvsviim.exe	37
PID 2684 wrote to memory of 1520	2684	wkvsviim.exe	37
PID 2684 wrote to memory of 1520	2684	wkvsviim.exe	37
PID 2684 wrote to memory of 2688	2684	wkvsviim.exe	38
PID 2684 wrote to memory of 2688	2684	wkvsviim.exe	38
PID 2684 wrote to memory of 2688	2684	wkvsviim.exe	38
PID 2684 wrote to memory of 2688	2684	wkvsviim.exe	38
PID 1520 wrote to memory of 2064	1520	waofhu.exe	40
PID 1520 wrote to memory of 2064	1520	waofhu.exe	40
PID 1520 wrote to memory of 2064	1520	waofhu.exe	40
PID 1520 wrote to memory of 2064	1520	waofhu.exe	40
PID 1520 wrote to memory of 2884	1520	waofhu.exe	41
PID 1520 wrote to memory of 2884	1520	waofhu.exe	41
PID 1520 wrote to memory of 2884	1520	waofhu.exe	41
PID 1520 wrote to memory of 2884	1520	waofhu.exe	41
PID 2064 wrote to memory of 932	2064	wqfpq.exe	43
PID 2064 wrote to memory of 932	2064	wqfpq.exe	43
PID 2064 wrote to memory of 932	2064	wqfpq.exe	43
PID 2064 wrote to memory of 932	2064	wqfpq.exe	43
PID 2064 wrote to memory of 1820	2064	wqfpq.exe	44
PID 2064 wrote to memory of 1820	2064	wqfpq.exe	44
PID 2064 wrote to memory of 1820	2064	wqfpq.exe	44
PID 2064 wrote to memory of 1820	2064	wqfpq.exe	44
PID 932 wrote to memory of 1548	932	wjssg.exe	46
PID 932 wrote to memory of 1548	932	wjssg.exe	46
PID 932 wrote to memory of 1548	932	wjssg.exe	46
PID 932 wrote to memory of 1548	932	wjssg.exe	46
PID 932 wrote to memory of 2240	932	wjssg.exe	47
PID 932 wrote to memory of 2240	932	wjssg.exe	47
PID 932 wrote to memory of 2240	932	wjssg.exe	47
PID 932 wrote to memory of 2240	932	wjssg.exe	47
PID 1548 wrote to memory of 1924	1548	wvikwgapf.exe	49
PID 1548 wrote to memory of 1924	1548	wvikwgapf.exe	49
PID 1548 wrote to memory of 1924	1548	wvikwgapf.exe	49
PID 1548 wrote to memory of 1924	1548	wvikwgapf.exe	49
PID 1548 wrote to memory of 896	1548	wvikwgapf.exe	50
PID 1548 wrote to memory of 896	1548	wvikwgapf.exe	50
PID 1548 wrote to memory of 896	1548	wvikwgapf.exe	50
PID 1548 wrote to memory of 896	1548	wvikwgapf.exe	50

C:\Users\Admin\AppData\Local\Temp\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\wjbseca.exe
  "C:\Windows\system32\wjbseca.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\wni.exe
    "C:\Windows\system32\wni.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\wkvsviim.exe
      "C:\Windows\system32\wkvsviim.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\waofhu.exe
        
        "C:\Windows\system32\waofhu.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\SysWOW64\wqfpq.exe
        
        "C:\Windows\system32\wqfpq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\wjssg.exe
        
        "C:\Windows\system32\wjssg.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\wvikwgapf.exe
        
        "C:\Windows\system32\wvikwgapf.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\wlyv.exe
        
        "C:\Windows\system32\wlyv.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wiyqnvn.exe
        
        "C:\Windows\system32\wiyqnvn.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\wphbia.exe
        
        "C:\Windows\system32\wphbia.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\wooq.exe
        
        "C:\Windows\system32\wooq.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2612
        
        C:\Windows\SysWOW64\whdtk.exe
        
        "C:\Windows\system32\whdtk.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\wygxlj.exe
        
        "C:\Windows\system32\wygxlj.exe"
        14⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\wstbaptdn.exe
        
        "C:\Windows\system32\wstbaptdn.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\wik.exe
        
        "C:\Windows\system32\wik.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:668
        
        C:\Windows\SysWOW64\wfwkrywf.exe
        
        "C:\Windows\system32\wfwkrywf.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1620
        
        C:\Windows\SysWOW64\wdayqv.exe
        
        "C:\Windows\system32\wdayqv.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\woy.exe
        
        "C:\Windows\system32\woy.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\wmhaowoo.exe
        
        "C:\Windows\system32\wmhaowoo.exe"
        20⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\wqeq.exe
        
        "C:\Windows\system32\wqeq.exe"
        21⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\woge.exe
        
        "C:\Windows\system32\woge.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\wudgojkk.exe
        
        "C:\Windows\system32\wudgojkk.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2144
        
        C:\Windows\SysWOW64\wgjmb.exe
        
        "C:\Windows\system32\wgjmb.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\wdvkhb.exe
        
        "C:\Windows\system32\wdvkhb.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2872
        
        C:\Windows\SysWOW64\wbxygx.exe
        
        "C:\Windows\system32\wbxygx.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wujvitsjv.exe
        
        "C:\Windows\system32\wujvitsjv.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\wjb.exe
        
        "C:\Windows\system32\wjb.exe"
        28⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\wdojintw.exe
        
        "C:\Windows\system32\wdojintw.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2392
        
        C:\Windows\SysWOW64\wbpxikyo.exe
        
        "C:\Windows\system32\wbpxikyo.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\wyrmihee.exe
        
        "C:\Windows\system32\wyrmihee.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2504
        
        C:\Windows\SysWOW64\wvtbh.exe
        
        "C:\Windows\system32\wvtbh.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2784
        
        C:\Windows\SysWOW64\wxhvetc.exe
        
        "C:\Windows\system32\wxhvetc.exe"
        33⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\wasqdivka.exe
        
        "C:\Windows\system32\wasqdivka.exe"
        34⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\wtv.exe
        
        "C:\Windows\system32\wtv.exe"
        35⤵
        Executes dropped EXE
        
        PID:344
        
        C:\Windows\SysWOW64\wpiujomi.exe
        
        "C:\Windows\system32\wpiujomi.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:836
        
        C:\Windows\SysWOW64\wjlyl.exe
        
        "C:\Windows\system32\wjlyl.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\wgx.exe
        
        "C:\Windows\system32\wgx.exe"
        38⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\wnr.exe
        
        "C:\Windows\system32\wnr.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\wks.exe
        
        "C:\Windows\system32\wks.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\wqqgoe.exe
        
        "C:\Windows\system32\wqqgoe.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\wfiraqgl.exe
        
        "C:\Windows\system32\wfiraqgl.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\wibokchp.exe
        
        "C:\Windows\system32\wibokchp.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:668
        
        C:\Windows\SysWOW64\wcehsij.exe
        
        "C:\Windows\system32\wcehsij.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\wvtotm.exe
        
        "C:\Windows\system32\wvtotm.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\wtinakp.exe
        
        "C:\Windows\system32\wtinakp.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\wmjfjpq.exe
        
        "C:\Windows\system32\wmjfjpq.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\wkweonhp.exe
        
        "C:\Windows\system32\wkweonhp.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\whysojmfq.exe
        
        "C:\Windows\system32\whysojmfq.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1312
        
        C:\Windows\SysWOW64\wjknmyg.exe
        
        "C:\Windows\system32\wjknmyg.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\whnclvjq.exe
        
        "C:\Windows\system32\whnclvjq.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:580
        
        C:\Windows\SysWOW64\wkondksv.exe
        
        "C:\Windows\system32\wkondksv.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3044
        
        C:\Windows\SysWOW64\wlbiaym.exe
        
        "C:\Windows\system32\wlbiaym.exe"
        53⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\wkdvawr.exe
        
        "C:\Windows\system32\wkdvawr.exe"
        54⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\whpvgthm.exe
        
        "C:\Windows\system32\whpvgthm.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wbhc.exe
        
        "C:\Windows\system32\wbhc.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\wcsxfo.exe
        
        "C:\Windows\system32\wcsxfo.exe"
        57⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\wbu.exe
        
        "C:\Windows\system32\wbu.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:568
        
        C:\Windows\SysWOW64\wkxlgfrh.exe
        
        "C:\Windows\system32\wkxlgfrh.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\wjaaedvv.exe
        
        "C:\Windows\system32\wjaaedvv.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\wknvcsp.exe
        
        "C:\Windows\system32\wknvcsp.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\wfeedw.exe
        
        "C:\Windows\system32\wfeedw.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\wygvmc.exe
        
        "C:\Windows\system32\wygvmc.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\waebqsln.exe
        
        "C:\Windows\system32\waebqsln.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1528
        
        C:\Windows\SysWOW64\wovmbf.exe
        
        "C:\Windows\system32\wovmbf.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1292
        
        C:\Windows\SysWOW64\wmjmhco.exe
        
        "C:\Windows\system32\wmjmhco.exe"
        66⤵
        Adds Run key to start application
        
        PID:1012
        
        C:\Windows\SysWOW64\wxbabyxy.exe
        
        "C:\Windows\system32\wxbabyxy.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\wudpavdpi.exe
        
        "C:\Windows\system32\wudpavdpi.exe"
        68⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Windows\SysWOW64\wwplyk.exe
        
        "C:\Windows\system32\wwplyk.exe"
        69⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\wypuoxfp.exe
        
        "C:\Windows\system32\wypuoxfp.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\wwrkovkf.exe
        
        "C:\Windows\system32\wwrkovkf.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\wlgpmjsg.exe
        
        "C:\Windows\system32\wlgpmjsg.exe"
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\wbxbwv.exe
        
        "C:\Windows\system32\wbxbwv.exe"
        73⤵
        Adds Run key to start application
        
        PID:2884
        
        C:\Windows\SysWOW64\wmbcvsac.exe
        
        "C:\Windows\system32\wmbcvsac.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\wodln.exe
        
        "C:\Windows\system32\wodln.exe"
        75⤵
        Adds Run key to start application
        
        PID:2380
        
        C:\Windows\SysWOW64\wgqbvrs.exe
        
        "C:\Windows\system32\wgqbvrs.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wuswmf.exe
        
        "C:\Windows\system32\wuswmf.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\wllhwrex.exe
        
        "C:\Windows\system32\wllhwrex.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\weoagyf.exe
        
        "C:\Windows\system32\weoagyf.exe"
        79⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\wmnvuyrd.exe
        
        "C:\Windows\system32\wmnvuyrd.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\wfqndfud.exe
        
        "C:\Windows\system32\wfqndfud.exe"
        81⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\whdibt.exe
        
        "C:\Windows\system32\whdibt.exe"
        82⤵
        Adds Run key to start application
        
        PID:404
        
        C:\Windows\SysWOW64\wfewbr.exe
        
        "C:\Windows\system32\wfewbr.exe"
        83⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\wygpi.exe
        
        "C:\Windows\system32\wygpi.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\wtrgocch.exe
        
        "C:\Windows\system32\wtrgocch.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\wijrx.exe
        
        "C:\Windows\system32\wijrx.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\wxmajg.exe
        
        "C:\Windows\system32\wxmajg.exe"
        87⤵
        Adds Run key to start application
        
        PID:2632
        
        C:\Windows\SysWOW64\wuaxpdc.exe
        
        "C:\Windows\system32\wuaxpdc.exe"
        88⤵
        Adds Run key to start application
        
        PID:2984
        
        C:\Windows\SysWOW64\wscnoahg.exe
        
        "C:\Windows\system32\wscnoahg.exe"
        89⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\wumimp.exe
        
        "C:\Windows\system32\wumimp.exe"
        90⤵
        Adds Run key to start application
        
        PID:1772
        
        C:\Windows\SysWOW64\wqpvmmf.exe
        
        "C:\Windows\system32\wqpvmmf.exe"
        91⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\wlsous.exe
        
        "C:\Windows\system32\wlsous.exe"
        92⤵
        Adds Run key to start application
        
        PID:1972
        
        C:\Windows\SysWOW64\wegrky.exe
        
        "C:\Windows\system32\wegrky.exe"
        93⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wxijse.exe
        
        "C:\Windows\system32\wxijse.exe"
        94⤵
        Adds Run key to start application
        
        PID:2472
        
        C:\Windows\SysWOW64\wqjca.exe
        
        "C:\Windows\system32\wqjca.exe"
        95⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\wijpxtqq.exe
        
        "C:\Windows\system32\wijpxtqq.exe"
        96⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\waligasr.exe
        
        "C:\Windows\system32\waligasr.exe"
        97⤵
        Adds Run key to start application
        
        PID:924
        
        C:\Windows\SysWOW64\wdfermt.exe
        
        "C:\Windows\system32\wdfermt.exe"
        98⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\wxgwyr.exe
        
        "C:\Windows\system32\wxgwyr.exe"
        99⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\wiaylqdxp.exe
        
        "C:\Windows\system32\wiaylqdxp.exe"
        100⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxgwyr.exe"
        100⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfermt.exe"
        99⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waligasr.exe"
        98⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijpxtqq.exe"
        97⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjca.exe"
        96⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxijse.exe"
        95⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegrky.exe"
        94⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsous.exe"
        93⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpvmmf.exe"
        92⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumimp.exe"
        91⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscnoahg.exe"
        90⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuaxpdc.exe"
        89⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmajg.exe"
        88⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijrx.exe"
        87⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrgocch.exe"
        86⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygpi.exe"
        85⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfewbr.exe"
        84⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdibt.exe"
        83⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqndfud.exe"
        82⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnvuyrd.exe"
        81⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 892
        81⤵
        Program crash
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoagyf.exe"
        80⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllhwrex.exe"
        79⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuswmf.exe"
        78⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqbvrs.exe"
        77⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodln.exe"
        76⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 876
        76⤵
        Program crash
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmbcvsac.exe"
        75⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbxbwv.exe"
        74⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgpmjsg.exe"
        73⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrkovkf.exe"
        72⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypuoxfp.exe"
        71⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 496
        71⤵
        Program crash
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwplyk.exe"
        70⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudpavdpi.exe"
        69⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbabyxy.exe"
        68⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjmhco.exe"
        67⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovmbf.exe"
        66⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waebqsln.exe"
        65⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygvmc.exe"
        64⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfeedw.exe"
        63⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknvcsp.exe"
        62⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaaedvv.exe"
        61⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 900
        61⤵
        Program crash
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxlgfrh.exe"
        60⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbu.exe"
        59⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsxfo.exe"
        58⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhc.exe"
        57⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpvgthm.exe"
        56⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 872
        56⤵
        Program crash
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkdvawr.exe"
        55⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlbiaym.exe"
        54⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkondksv.exe"
        53⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 892
        53⤵
        Program crash
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnclvjq.exe"
        52⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjknmyg.exe"
        51⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whysojmfq.exe"
        50⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkweonhp.exe"
        49⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmjfjpq.exe"
        48⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtinakp.exe"
        47⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtotm.exe"
        46⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcehsij.exe"
        45⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibokchp.exe"
        44⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfiraqgl.exe"
        43⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqgoe.exe"
        42⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wks.exe"
        41⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnr.exe"
        40⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgx.exe"
        39⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlyl.exe"
        38⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpiujomi.exe"
        37⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 448
        37⤵
        Program crash
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtv.exe"
        36⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasqdivka.exe"
        35⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhvetc.exe"
        34⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtbh.exe"
        33⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyrmihee.exe"
        32⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpxikyo.exe"
        31⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdojintw.exe"
        30⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjb.exe"
        29⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujvitsjv.exe"
        28⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 896
        28⤵
        Program crash
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbxygx.exe"
        27⤵
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 800
        27⤵
        Program crash
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvkhb.exe"
        26⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjmb.exe"
        25⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudgojkk.exe"
        24⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woge.exe"
        23⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqeq.exe"
        22⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhaowoo.exe"
        21⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woy.exe"
        20⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdayqv.exe"
        19⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwkrywf.exe"
        18⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wik.exe"
        17⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstbaptdn.exe"
        16⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygxlj.exe"
        15⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whdtk.exe"
        14⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wooq.exe"
        13⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphbia.exe"
        12⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyqnvn.exe"
        11⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyv.exe"
        10⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvikwgapf.exe"
        9⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjssg.exe"
        8⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqfpq.exe"
        7⤵
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waofhu.exe"
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvsviim.exe"
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wni.exe"
      4⤵
      PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbseca.exe"
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\012903b6776cd32b7194a67d2240d240_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DYZW2H1V.txt

Filesize
98B

MD5
6076ae075c914c07b7f0e7be8e779579

SHA1
9f175f77d744840803931007e66046d16690d48b

SHA256
6211118e7a19f7d16e15bf61a9a0328104ab50239c7b681bfec32fb3c4da2653

SHA512
ef22c54b28c2ce6a3557d908499d6fa0cd44a4a770ec407f1abb17180169f50200e77cf69d431426881ae38c9c76c058c05efec7644c6c60578b2634e306a843

Download Submit
\Windows\SysWOW64\waofhu.exe

Filesize
89KB

MD5
aa9912b93bdc1225081ed7e0a6eab241

SHA1
081c3f4b552601ceb48af5222389f978facb6b92

SHA256
8630d6057ac3f89980d29ba2e37dfe9cfd0737c2706b90980f65b88c03349b7d

SHA512
cc99c5231bd5dc088c5ee1e55267873bd3c752e5702d7d77ebcda5e144a93919a33e8184c1965ee10d1f6ac6d3c2922fea2d8904fe6ca7d443eb1c6288aed219

Download Submit
\Windows\SysWOW64\wiyqnvn.exe

Filesize
89KB

MD5
56f5c76ecf7338129ae4ebd96bac6407

SHA1
0818a3a6f1557ee300d33bc1af27ec2d4470c832

SHA256
1b657d245b6f1db0f16ead8c1c1a4bd962b72a24b117c1157e38586c50d4590b

SHA512
75dd32ecd546b15840491551d72b1089214def82f28f8db4931990efd49d4f7a0f1346083cd9ded3488758c1692ae2aaf6d8f2c08f92c49709cb2fc71d6f5cde

Download Submit
\Windows\SysWOW64\wjbseca.exe

Filesize
89KB

MD5
8c92a3c1b1ef81b74cef404dfc045f8b

SHA1
8cf8fec0934214c1bd17aff8150fda3dd6c7e1cb

SHA256
8f934c910506874e090c686c2174dcdb11683d342e529cf6d1909b71ecd47271

SHA512
d7119da4104d6cb9ed7e01c02eedf78f4db4d279d9ef7daf8c3fd0d53874f3fd56d8d12a0fefde735d8afe6e85d23ffb6127a7df0c5d56fd4a8ff9e43017c71d

Download Submit
\Windows\SysWOW64\wjssg.exe

Filesize
89KB

MD5
c98e2898b62bafcbc9316316c2c81543

SHA1
ab7a8d6597c357dd158fad606721ea4b8dbf96ff

SHA256
40e80f155f476722ed48131716767eeb0367b415c7f7beaadcc3a042e42c663f

SHA512
8dde15beee0126e7d92c77520570760d3307df317cd97b900524d7060e60d071bb8a65c12bb9bd6ee17acc598191d66f332ada4c93c462ba6a9303107d23f6f3

Download Submit
\Windows\SysWOW64\wkvsviim.exe

Filesize
89KB

MD5
fc02c907f302508ba3b0e9fda4d53f99

SHA1
9e9d0819d5a74d7a9ef6841002955b0cc6664a39

SHA256
c19520f8db28a7353714159da1f7cd818afa9f22adae139ed4b0d7a748faf07b

SHA512
6325783d165b113198c170cfc573d82a3c20bd04773ed9d04e4e6bba05b89864871cbc2a1a29396bec3c2a2f6cb85cdbcfcc4442084ae5a73131d7a7dc930a1c

Download Submit
\Windows\SysWOW64\wlyv.exe

Filesize
89KB

MD5
428922513264c05306b17528e33d5792

SHA1
552acabc3c2b418aa75f89a82f2cb7b85d6baa9c

SHA256
cb59b822231e2141582decc4c69dd987a684adf7077eadb729b0d81b11317488

SHA512
c84eee5ae2ab6d792d4ab5806f9637480630c4392390076015aac8512bd3c53105a30ea1b600e7130109371e9e4afd41c47bfba5100683479e6ce5d913055fd9

Download Submit
\Windows\SysWOW64\wni.exe

Filesize
89KB

MD5
8f930705ae528b77c3519c17443e0dbe

SHA1
185a04931a20dcf35e38268ad692585e22983156

SHA256
6ae4bf81930b90844d79c74e510d979279c0a818aa57917ff0f2972293993263

SHA512
df51d148a68e5759c4f123bb20b59bc3701c2ef6531cffac628119a36b8e396f58e19a549a092e04ca024ab566f72d4af26ece3ea8ac722ed5c213eea16ab93b

Download Submit
\Windows\SysWOW64\wphbia.exe

Filesize
89KB

MD5
26e5fda432d209f9cb2434e85a5cccb4

SHA1
3e3e714796483edf346f6b2dc35726b53240e957

SHA256
5c54c3c2a08db65ba2537d65bb3e3adee4ae5fcdf620c5dbd1e2ec21592a0389

SHA512
8655795a5e933b484571d89b35bbb3e8d34bd1050a261856e8ebaac0c098adca51a8973d54e6f3c414a0c838116faa1324d8016e5d7dd03d50d88bb802670559

Download Submit
\Windows\SysWOW64\wqfpq.exe

Filesize
89KB

MD5
3c5a932d4f6bf9e126479011a7f6c5ae

SHA1
e72ec99526a95f72cb2e8fec14e9172272d6cea7

SHA256
3842e109066b1ccb0d0456e4f5288fc22d286649fed5cacb60bae02e381aaac0

SHA512
9006c87d1e369dacef7bfa1e0185aedfe6c8c77fcea153b13a9350f0cb4cb0c53914d598d4c22054abe1257398a877a9c53c310b2288d5ff7528fad8c38e2d24

Download Submit
\Windows\SysWOW64\wvikwgapf.exe

Filesize
89KB

MD5
433ff0094fe0ccca058c5bfab409a2df

SHA1
23a1093d54ce7cd0f7690d9c29a587c112340a08

SHA256
e57f0dad573ae559543222aba20bc78644f2faf856701a3dbcb65a66aa80666b

SHA512
287b83cefeb0d7c8ece6ce9cdf003697a0d3b767bf42e7a3b17c7663bb9eeaeb13a0b7fbf36ad9d31be393783d4a327c2b96167801778e4d68596d23e8974cdb

Download Submit
memory/668-314-0x0000000003710000-0x0000000003728000-memory.dmp

Filesize
96KB

Download
memory/668-316-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-302-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-315-0x0000000003720000-0x0000000003738000-memory.dmp

Filesize
96KB

Download
memory/932-162-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/932-158-0x00000000034A0000-0x00000000034B8000-memory.dmp

Filesize
96KB

Download
memory/932-146-0x00000000034A0000-0x00000000034B8000-memory.dmp

Filesize
96KB

Download
memory/932-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/932-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1132-289-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1132-301-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-114-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download
memory/1520-120-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-112-0x0000000003550000-0x0000000003568000-memory.dmp

Filesize
96KB

Download
memory/1520-113-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download
memory/1520-118-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/1520-109-0x0000000003550000-0x0000000003568000-memory.dmp

Filesize
96KB

Download
memory/1548-171-0x0000000003BC0000-0x0000000003BD8000-memory.dmp

Filesize
96KB

Download
memory/1548-161-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-185-0x0000000003BD0000-0x0000000003BE8000-memory.dmp

Filesize
96KB

Download
memory/1548-189-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-184-0x0000000003BC0000-0x0000000003BD8000-memory.dmp

Filesize
96KB

Download
memory/1548-188-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/1548-186-0x0000000003BD0000-0x0000000003BE8000-memory.dmp

Filesize
96KB

Download
memory/1620-331-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/1620-327-0x0000000003E60000-0x0000000003E78000-memory.dmp

Filesize
96KB

Download
memory/1620-333-0x0000000003E70000-0x0000000003E80000-memory.dmp

Filesize
64KB

Download
memory/1620-334-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1620-326-0x0000000003E60000-0x0000000003E78000-memory.dmp

Filesize
96KB

Download
memory/1620-317-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1660-229-0x00000000035E0000-0x00000000035F8000-memory.dmp

Filesize
96KB

Download
memory/1660-230-0x00000000035E0000-0x00000000035F8000-memory.dmp

Filesize
96KB

Download
memory/1660-225-0x00000000035E0000-0x00000000035F8000-memory.dmp

Filesize
96KB

Download
memory/1660-212-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1660-231-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-207-0x00000000039A0000-0x00000000039B8000-memory.dmp

Filesize
96KB

Download
memory/1924-187-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-215-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-213-0x00000000039B0000-0x00000000039C0000-memory.dmp

Filesize
64KB

Download
memory/1924-208-0x0000000003EF0000-0x0000000003F08000-memory.dmp

Filesize
96KB

Download
memory/1924-209-0x0000000003EF0000-0x0000000003F08000-memory.dmp

Filesize
96KB

Download
memory/1924-206-0x00000000039A0000-0x00000000039B8000-memory.dmp

Filesize
96KB

Download
memory/2064-117-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2064-139-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2316-288-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2316-274-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2388-275-0x0000000003A60000-0x0000000003A70000-memory.dmp

Filesize
64KB

Download
memory/2388-276-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2388-273-0x0000000003E80000-0x0000000003E98000-memory.dmp

Filesize
96KB

Download
memory/2388-272-0x0000000003E80000-0x0000000003E98000-memory.dmp

Filesize
96KB

Download
memory/2392-365-0x00000000037E0000-0x00000000037F8000-memory.dmp

Filesize
96KB

Download
memory/2392-364-0x00000000037E0000-0x00000000037F8000-memory.dmp

Filesize
96KB

Download
memory/2392-366-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2392-351-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2392-363-0x00000000037D0000-0x00000000037E8000-memory.dmp

Filesize
96KB

Download
memory/2436-232-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2436-244-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2612-258-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

Filesize
96KB

Download
memory/2612-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2612-259-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

Filesize
96KB

Download
memory/2612-245-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2676-48-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2676-72-0x0000000003960000-0x0000000003970000-memory.dmp

Filesize
64KB

Download
memory/2676-73-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2676-65-0x0000000003950000-0x0000000003968000-memory.dmp

Filesize
96KB

Download
memory/2676-66-0x0000000003950000-0x0000000003968000-memory.dmp

Filesize
96KB

Download
memory/2676-67-0x0000000004290000-0x00000000042A8000-memory.dmp

Filesize
96KB

Download
memory/2676-68-0x0000000004290000-0x00000000042A8000-memory.dmp

Filesize
96KB

Download
memory/2684-71-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2684-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2684-90-0x0000000004150000-0x0000000004168000-memory.dmp

Filesize
96KB

Download
memory/2720-367-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2720-379-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2720-380-0x0000000003570000-0x0000000003588000-memory.dmp

Filesize
96KB

Download
memory/2740-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2740-44-0x0000000003310000-0x0000000003328000-memory.dmp

Filesize
96KB

Download
memory/2740-45-0x0000000003320000-0x0000000003338000-memory.dmp

Filesize
96KB

Download
memory/2740-31-0x0000000003310000-0x0000000003328000-memory.dmp

Filesize
96KB

Download
memory/2740-46-0x0000000003320000-0x0000000003338000-memory.dmp

Filesize
96KB

Download
memory/2740-47-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-381-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-393-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

Filesize
96KB

Download
memory/2852-394-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

Filesize
96KB

Download
memory/2904-332-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2904-350-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2904-347-0x00000000023A0000-0x00000000023B8000-memory.dmp

Filesize
96KB

Download
memory/2904-348-0x00000000023A0000-0x00000000023B8000-memory.dmp

Filesize
96KB

Download
memory/2904-349-0x00000000023A0000-0x00000000023B8000-memory.dmp

Filesize
96KB

Download
memory/2904-346-0x00000000023A0000-0x00000000023B8000-memory.dmp

Filesize
96KB

Download
memory/2972-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2972-12-0x0000000003F00000-0x0000000003F18000-memory.dmp

Filesize
96KB

Download
memory/2972-19-0x0000000003F00000-0x0000000003F18000-memory.dmp

Filesize
96KB

Download
memory/2972-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2972-23-0x0000000003920000-0x0000000003930000-memory.dmp

Filesize
64KB

Download
memory/2972-11-0x0000000003F00000-0x0000000003F18000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads