a4c79a1beccfea3f7a8bbab6303c58d2e07f748e9ccbfc91a3f5dcf193e11d27

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 13:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
Size

91KB
MD5

e09e52178e743d4e232c2b74c1edee40
SHA1

c722b2c03c53f6b923bd668114acd190f60771cb
SHA256

a4c79a1beccfea3f7a8bbab6303c58d2e07f748e9ccbfc91a3f5dcf193e11d27
SHA512

18913d1d450f1bf5d5ca07cb208945a277771809a92853b182569bd7634e1ea3f0e061328bb4a85934dfe55a5e6551164d0d7b16b3a0bd1c6a596cf2aa0b7134
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCj:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQCj

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1404	wcoyj.exe
2572	wpthks.exe
820	wrct.exe
2248	wdfsnb.exe
2684	wdvlo.exe
2068	wbfbbo.exe
1544	wdtps.exe
1944	whto.exe
2576	wreqdd.exe
2492	wbflsgi.exe
2272	wjibcb.exe
1932	wuaptx.exe
680	wkkoyk.exe
2760	wvi.exe
2416	wis.exe
712	wkmubeqku.exe
1440	wbrjm.exe
1608	wvstrlyel.exe
2484	wcbcl.exe
2860	wunebvgy.exe
1836	wqtqeu.exe
692	wlvwtwp.exe
2756	wujvitsjv.exe
644	wkij.exe
928	wniieqa.exe
788	wmryr.exe
1596	wlh.exe
2148	woa.exe
2580	weac.exe
1656	wlsu.exe
2100	whytbxyn.exe
804	wemtvt.exe
2392	wqwvjpcm.exe
1740	wtf.exe
1944	wrny.exe
2508	wxrcjbxj.exe
2600	woqphk.exe
1000	whlsjonq.exe
1836	wckexrm.exe
1700	wbawyk.exe
680	wlmjve.exe
2960	wldbvxkmu.exe
1008	wacp.exe
1772	wawomd.exe
1336	wjoffy.exe
2440	wmoddk.exe
2484	wigyllp.exe
2692	wde.exe
912	wdkclexf.exe
1700	wknfu.exe
1488	wvulh.exe
2136	wunmbyl.exe
2932	wbeypu.exe
2596	wqhuhittt.exe
2040	wsitfsdi.exe
1764	wybmhwjb.exe
2788	woejxkh.exe
304	wfrlo.exe
1140	wymqqx.exe
2896	wgtamcgkw.exe
904	wybaokkr.exe
2528	wcexdg.exe
1856	wctqcydk.exe
1864	wdnmnlfp.exe

Loads dropped DLL 64 IoCs

pid	Process
2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
1404	wcoyj.exe
1404	wcoyj.exe
1404	wcoyj.exe
1404	wcoyj.exe
1404	wcoyj.exe
2572	wpthks.exe
2572	wpthks.exe
2572	wpthks.exe
2572	wpthks.exe
2572	wpthks.exe
820	wrct.exe
820	wrct.exe
820	wrct.exe
820	wrct.exe
820	wrct.exe
2248	wdfsnb.exe
2248	wdfsnb.exe
2248	wdfsnb.exe
2248	wdfsnb.exe
2248	wdfsnb.exe
2684	wdvlo.exe
2684	wdvlo.exe
2684	wdvlo.exe
2684	wdvlo.exe
2684	wdvlo.exe
2068	wbfbbo.exe
2068	wbfbbo.exe
2068	wbfbbo.exe
2068	wbfbbo.exe
2068	wbfbbo.exe
1544	wdtps.exe
1544	wdtps.exe
1544	wdtps.exe
1544	wdtps.exe
1544	wdtps.exe
1944	whto.exe
1944	whto.exe
1944	whto.exe
1944	whto.exe
1944	whto.exe
2576	wreqdd.exe
2576	wreqdd.exe
2576	wreqdd.exe
2576	wreqdd.exe
2576	wreqdd.exe
2492	wbflsgi.exe
2492	wbflsgi.exe
2492	wbflsgi.exe
2492	wbflsgi.exe
2492	wbflsgi.exe
2272	wjibcb.exe
2272	wjibcb.exe
2272	wjibcb.exe
2272	wjibcb.exe
2272	wjibcb.exe
1932	wuaptx.exe
1932	wuaptx.exe
1932	wuaptx.exe
1932	wuaptx.exe
1932	wuaptx.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmfjsibl = "\"C:\\Windows\\SysWOW64\\wmfjsibl.exe\""	wmfjsibl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqtqeu = "\"C:\\Windows\\SysWOW64\\wqtqeu.exe\""	wqtqeu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcbcl = "\"C:\\Windows\\SysWOW64\\wcbcl.exe\""	wcbcl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wawomd = "\"C:\\Windows\\SysWOW64\\wawomd.exe\""	wawomd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvi = "\"C:\\Windows\\SysWOW64\\wvi.exe\""	wvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\weac = "\"C:\\Windows\\SysWOW64\\weac.exe\""	weac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdkclexf = "\"C:\\Windows\\SysWOW64\\wdkclexf.exe\""	wdkclexf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwdveaaxp = "\"C:\\Windows\\SysWOW64\\wwdveaaxp.exe\""	wwdveaaxp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\waid = "\"C:\\Windows\\SysWOW64\\waid.exe\""	waid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfsnb = "\"C:\\Windows\\SysWOW64\\wdfsnb.exe\""	wdfsnb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlvwtwp = "\"C:\\Windows\\SysWOW64\\wlvwtwp.exe\""	wlvwtwp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wymqqx = "\"C:\\Windows\\SysWOW64\\wymqqx.exe\""	wymqqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkmubeqku = "\"C:\\Windows\\SysWOW64\\wkmubeqku.exe\""	wkmubeqku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmryr = "\"C:\\Windows\\SysWOW64\\wmryr.exe\""	wmryr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wldbvxkmu = "\"C:\\Windows\\SysWOW64\\wldbvxkmu.exe\""	wldbvxkmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wde = "\"C:\\Windows\\SysWOW64\\wde.exe\""	wde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlnyg = "\"C:\\Windows\\SysWOW64\\wlnyg.exe\""	wlnyg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbrjm = "\"C:\\Windows\\SysWOW64\\wbrjm.exe\""	wbrjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaptx = "\"C:\\Windows\\SysWOW64\\wuaptx.exe\""	wuaptx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqwvjpcm = "\"C:\\Windows\\SysWOW64\\wqwvjpcm.exe\""	wqwvjpcm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxrcjbxj = "\"C:\\Windows\\SysWOW64\\wxrcjbxj.exe\""	wxrcjbxj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjoffy = "\"C:\\Windows\\SysWOW64\\wjoffy.exe\""	wjoffy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmoddk = "\"C:\\Windows\\SysWOW64\\wmoddk.exe\""	wmoddk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wybmhwjb = "\"C:\\Windows\\SysWOW64\\wybmhwjb.exe\""	wybmhwjb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkggppmh = "\"C:\\Windows\\SysWOW64\\wkggppmh.exe\""	wkggppmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpthks = "\"C:\\Windows\\SysWOW64\\wpthks.exe\""	wpthks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkcste = "\"C:\\Windows\\SysWOW64\\wkcste.exe\""	wkcste.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlsu = "\"C:\\Windows\\SysWOW64\\wlsu.exe\""	wlsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtf = "\"C:\\Windows\\SysWOW64\\wtf.exe\""	wtf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbawyk = "\"C:\\Windows\\SysWOW64\\wbawyk.exe\""	wbawyk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgtamcgkw = "\"C:\\Windows\\SysWOW64\\wgtamcgkw.exe\""	wgtamcgkw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrkcpi = "\"C:\\Windows\\SysWOW64\\wrkcpi.exe\""	wrkcpi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvstrlyel = "\"C:\\Windows\\SysWOW64\\wvstrlyel.exe\""	wvstrlyel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkij = "\"C:\\Windows\\SysWOW64\\wkij.exe\""	wkij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqhuhittt = "\"C:\\Windows\\SysWOW64\\wqhuhittt.exe\""	wqhuhittt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\woejxkh = "\"C:\\Windows\\SysWOW64\\woejxkh.exe\""	woejxkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdnmnlfp = "\"C:\\Windows\\SysWOW64\\wdnmnlfp.exe\""	wdnmnlfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdvlo = "\"C:\\Windows\\SysWOW64\\wdvlo.exe\""	wdvlo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbfbbo = "\"C:\\Windows\\SysWOW64\\wbfbbo.exe\""	wbfbbo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrny = "\"C:\\Windows\\SysWOW64\\wrny.exe\""	wrny.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wunmbyl = "\"C:\\Windows\\SysWOW64\\wunmbyl.exe\""	wunmbyl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wimcu = "\"C:\\Windows\\SysWOW64\\wimcu.exe\""	wimcu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe\""	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wniieqa = "\"C:\\Windows\\SysWOW64\\wniieqa.exe\""	wniieqa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wknfu = "\"C:\\Windows\\SysWOW64\\wknfu.exe\""	wknfu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvulh = "\"C:\\Windows\\SysWOW64\\wvulh.exe\""	wvulh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbeypu = "\"C:\\Windows\\SysWOW64\\wbeypu.exe\""	wbeypu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wybaokkr = "\"C:\\Windows\\SysWOW64\\wybaokkr.exe\""	wybaokkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wepaksvs = "\"C:\\Windows\\SysWOW64\\wepaksvs.exe\""	wepaksvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcoyj = "\"C:\\Windows\\SysWOW64\\wcoyj.exe\""	wcoyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wigyllp = "\"C:\\Windows\\SysWOW64\\wigyllp.exe\""	wigyllp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfrlo = "\"C:\\Windows\\SysWOW64\\wfrlo.exe\""	wfrlo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wctqcydk = "\"C:\\Windows\\SysWOW64\\wctqcydk.exe\""	wctqcydk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpacyn = "\"C:\\Windows\\SysWOW64\\wpacyn.exe\""	wpacyn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wemtvt = "\"C:\\Windows\\SysWOW64\\wemtvt.exe\""	wemtvt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wis = "\"C:\\Windows\\SysWOW64\\wis.exe\""	wis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\woqphk = "\"C:\\Windows\\SysWOW64\\woqphk.exe\""	woqphk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsitfsdi = "\"C:\\Windows\\SysWOW64\\wsitfsdi.exe\""	wsitfsdi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwfpyww = "\"C:\\Windows\\SysWOW64\\wwfpyww.exe\""	wwfpyww.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbsjt = "\"C:\\Windows\\SysWOW64\\wbsjt.exe\""	wbsjt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdtps = "\"C:\\Windows\\SysWOW64\\wdtps.exe\""	wdtps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbflsgi = "\"C:\\Windows\\SysWOW64\\wbflsgi.exe\""	wbflsgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wunebvgy = "\"C:\\Windows\\SysWOW64\\wunebvgy.exe\""	wunebvgy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlh = "\"C:\\Windows\\SysWOW64\\wlh.exe\""	wlh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wegkmyl.exe	wwfpyww.exe
File opened for modification	C:\Windows\SysWOW64\wkmubeqku.exe	wis.exe
File opened for modification	C:\Windows\SysWOW64\wlh.exe	wmryr.exe
File opened for modification	C:\Windows\SysWOW64\woa.exe	wlh.exe
File created	C:\Windows\SysWOW64\wldbvxkmu.exe	wlmjve.exe
File opened for modification	C:\Windows\SysWOW64\wbflsgi.exe	wreqdd.exe
File opened for modification	C:\Windows\SysWOW64\wxrcjbxj.exe	wrny.exe
File opened for modification	C:\Windows\SysWOW64\wunebvgy.exe	wcbcl.exe
File created	C:\Windows\SysWOW64\wlvwtwp.exe	wqtqeu.exe
File opened for modification	C:\Windows\SysWOW64\wpacyn.exe	wepaksvs.exe
File opened for modification	C:\Windows\SysWOW64\wkcste.exe	wqbnedik.exe
File created	C:\Windows\SysWOW64\wbsjt.exe	wegkmyl.exe
File created	C:\Windows\SysWOW64\wis.exe	wvi.exe
File created	C:\Windows\SysWOW64\wmryr.exe	wniieqa.exe
File created	C:\Windows\SysWOW64\wde.exe	wigyllp.exe
File opened for modification	C:\Windows\SysWOW64\wgtamcgkw.exe	wymqqx.exe
File opened for modification	C:\Windows\SysWOW64\wqtqeu.exe	wunebvgy.exe
File opened for modification	C:\Windows\SysWOW64\wkij.exe	wujvitsjv.exe
File opened for modification	C:\Windows\SysWOW64\weac.exe	woa.exe
File created	C:\Windows\SysWOW64\wmoddk.exe	wjoffy.exe
File opened for modification	C:\Windows\SysWOW64\wbsjt.exe	wegkmyl.exe
File created	C:\Windows\SysWOW64\whytbxyn.exe	wlsu.exe
File opened for modification	C:\Windows\SysWOW64\wemtvt.exe	whytbxyn.exe
File opened for modification	C:\Windows\SysWOW64\wrny.exe	wtf.exe
File opened for modification	C:\Windows\SysWOW64\wkggppmh.exe	wdnmnlfp.exe
File opened for modification	C:\Windows\SysWOW64\wdkclexf.exe	wde.exe
File opened for modification	C:\Windows\SysWOW64\wepaksvs.exe	wkggppmh.exe
File opened for modification	C:\Windows\SysWOW64\wimcu.exe	wbsjt.exe
File created	C:\Windows\SysWOW64\wrkcpi.exe	wkcste.exe
File created	C:\Windows\SysWOW64\wcoyj.exe	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wuaptx.exe	wjibcb.exe
File created	C:\Windows\SysWOW64\wkmubeqku.exe	wis.exe
File created	C:\Windows\SysWOW64\wdkclexf.exe	wde.exe
File opened for modification	C:\Windows\SysWOW64\wrkcpi.exe	wkcste.exe
File opened for modification	C:\Windows\SysWOW64\wjibcb.exe	wbflsgi.exe
File opened for modification	C:\Windows\SysWOW64\wcbcl.exe	wvstrlyel.exe
File created	C:\Windows\SysWOW64\wigyllp.exe	wmoddk.exe
File opened for modification	C:\Windows\SysWOW64\wknfu.exe	wdkclexf.exe
File created	C:\Windows\SysWOW64\whlsjonq.exe	woqphk.exe
File opened for modification	C:\Windows\SysWOW64\wldbvxkmu.exe	wlmjve.exe
File created	C:\Windows\SysWOW64\wvulh.exe	wknfu.exe
File created	C:\Windows\SysWOW64\wsitfsdi.exe	wqhuhittt.exe
File created	C:\Windows\SysWOW64\wbfbbo.exe	wdvlo.exe
File created	C:\Windows\SysWOW64\wvstrlyel.exe	wbrjm.exe
File created	C:\Windows\SysWOW64\woa.exe	wlh.exe
File opened for modification	C:\Windows\SysWOW64\woqphk.exe	wxrcjbxj.exe
File opened for modification	C:\Windows\SysWOW64\wcexdg.exe	wybaokkr.exe
File created	C:\Windows\SysWOW64\wepaksvs.exe	wkggppmh.exe
File created	C:\Windows\SysWOW64\wbawyk.exe	wckexrm.exe
File created	C:\Windows\SysWOW64\wjoffy.exe	wawomd.exe
File created	C:\Windows\SysWOW64\wdnmnlfp.exe	wctqcydk.exe
File created	C:\Windows\SysWOW64\wmfjsibl.exe	waid.exe
File opened for modification	C:\Windows\SysWOW64\wdfsnb.exe	wrct.exe
File opened for modification	C:\Windows\SysWOW64\wdvlo.exe	wdfsnb.exe
File opened for modification	C:\Windows\SysWOW64\wniieqa.exe	wkij.exe
File created	C:\Windows\SysWOW64\wlh.exe	wmryr.exe
File opened for modification	C:\Windows\SysWOW64\wckexrm.exe	whlsjonq.exe
File created	C:\Windows\SysWOW64\wkggppmh.exe	wdnmnlfp.exe
File created	C:\Windows\SysWOW64\wpthks.exe	wcoyj.exe
File created	C:\Windows\SysWOW64\wrct.exe	wpthks.exe
File created	C:\Windows\SysWOW64\wkkoyk.exe	wuaptx.exe
File opened for modification	C:\Windows\SysWOW64\wlvwtwp.exe	wqtqeu.exe
File opened for modification	C:\Windows\SysWOW64\waid.exe	wwdveaaxp.exe
File created	C:\Windows\SysWOW64\wdvlo.exe	wdfsnb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1948	712	WerFault.exe	74
2452	1740	WerFault.exe	132
1256	2596	WerFault.exe	194

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1404	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	28
PID 2260 wrote to memory of 1404	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	28
PID 2260 wrote to memory of 1404	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	28
PID 2260 wrote to memory of 1404	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	28
PID 2260 wrote to memory of 2704	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	29
PID 2260 wrote to memory of 2704	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	29
PID 2260 wrote to memory of 2704	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	29
PID 2260 wrote to memory of 2704	2260	e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe	29
PID 1404 wrote to memory of 2572	1404	wcoyj.exe	31
PID 1404 wrote to memory of 2572	1404	wcoyj.exe	31
PID 1404 wrote to memory of 2572	1404	wcoyj.exe	31
PID 1404 wrote to memory of 2572	1404	wcoyj.exe	31
PID 1404 wrote to memory of 2556	1404	wcoyj.exe	32
PID 1404 wrote to memory of 2556	1404	wcoyj.exe	32
PID 1404 wrote to memory of 2556	1404	wcoyj.exe	32
PID 1404 wrote to memory of 2556	1404	wcoyj.exe	32
PID 2572 wrote to memory of 820	2572	wpthks.exe	34
PID 2572 wrote to memory of 820	2572	wpthks.exe	34
PID 2572 wrote to memory of 820	2572	wpthks.exe	34
PID 2572 wrote to memory of 820	2572	wpthks.exe	34
PID 2572 wrote to memory of 1032	2572	wpthks.exe	35
PID 2572 wrote to memory of 1032	2572	wpthks.exe	35
PID 2572 wrote to memory of 1032	2572	wpthks.exe	35
PID 2572 wrote to memory of 1032	2572	wpthks.exe	35
PID 820 wrote to memory of 2248	820	wrct.exe	37
PID 820 wrote to memory of 2248	820	wrct.exe	37
PID 820 wrote to memory of 2248	820	wrct.exe	37
PID 820 wrote to memory of 2248	820	wrct.exe	37
PID 820 wrote to memory of 540	820	wrct.exe	38
PID 820 wrote to memory of 540	820	wrct.exe	38
PID 820 wrote to memory of 540	820	wrct.exe	38
PID 820 wrote to memory of 540	820	wrct.exe	38
PID 2248 wrote to memory of 2684	2248	wdfsnb.exe	40
PID 2248 wrote to memory of 2684	2248	wdfsnb.exe	40
PID 2248 wrote to memory of 2684	2248	wdfsnb.exe	40
PID 2248 wrote to memory of 2684	2248	wdfsnb.exe	40
PID 2248 wrote to memory of 2760	2248	wdfsnb.exe	41
PID 2248 wrote to memory of 2760	2248	wdfsnb.exe	41
PID 2248 wrote to memory of 2760	2248	wdfsnb.exe	41
PID 2248 wrote to memory of 2760	2248	wdfsnb.exe	41
PID 2684 wrote to memory of 2068	2684	wdvlo.exe	43
PID 2684 wrote to memory of 2068	2684	wdvlo.exe	43
PID 2684 wrote to memory of 2068	2684	wdvlo.exe	43
PID 2684 wrote to memory of 2068	2684	wdvlo.exe	43
PID 2684 wrote to memory of 644	2684	wdvlo.exe	44
PID 2684 wrote to memory of 644	2684	wdvlo.exe	44
PID 2684 wrote to memory of 644	2684	wdvlo.exe	44
PID 2684 wrote to memory of 644	2684	wdvlo.exe	44
PID 2068 wrote to memory of 1544	2068	wbfbbo.exe	46
PID 2068 wrote to memory of 1544	2068	wbfbbo.exe	46
PID 2068 wrote to memory of 1544	2068	wbfbbo.exe	46
PID 2068 wrote to memory of 1544	2068	wbfbbo.exe	46
PID 2068 wrote to memory of 2784	2068	wbfbbo.exe	47
PID 2068 wrote to memory of 2784	2068	wbfbbo.exe	47
PID 2068 wrote to memory of 2784	2068	wbfbbo.exe	47
PID 2068 wrote to memory of 2784	2068	wbfbbo.exe	47
PID 1544 wrote to memory of 1944	1544	wdtps.exe	49
PID 1544 wrote to memory of 1944	1544	wdtps.exe	49
PID 1544 wrote to memory of 1944	1544	wdtps.exe	49
PID 1544 wrote to memory of 1944	1544	wdtps.exe	49
PID 1544 wrote to memory of 2104	1544	wdtps.exe	50
PID 1544 wrote to memory of 2104	1544	wdtps.exe	50
PID 1544 wrote to memory of 2104	1544	wdtps.exe	50
PID 1544 wrote to memory of 2104	1544	wdtps.exe	50

C:\Users\Admin\AppData\Local\Temp\e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\wcoyj.exe
  "C:\Windows\system32\wcoyj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\wpthks.exe
    "C:\Windows\system32\wpthks.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\wrct.exe
      "C:\Windows\system32\wrct.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\SysWOW64\wdfsnb.exe
        
        "C:\Windows\system32\wdfsnb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\wdvlo.exe
        
        "C:\Windows\system32\wdvlo.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\wbfbbo.exe
        
        "C:\Windows\system32\wbfbbo.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\wdtps.exe
        
        "C:\Windows\system32\wdtps.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\whto.exe
        
        "C:\Windows\system32\whto.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
        
        C:\Windows\SysWOW64\wreqdd.exe
        
        "C:\Windows\system32\wreqdd.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\wbflsgi.exe
        
        "C:\Windows\system32\wbflsgi.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\wjibcb.exe
        
        "C:\Windows\system32\wjibcb.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wuaptx.exe
        
        "C:\Windows\system32\wuaptx.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\wkkoyk.exe
        
        "C:\Windows\system32\wkkoyk.exe"
        14⤵
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\SysWOW64\wvi.exe
        
        "C:\Windows\system32\wvi.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wis.exe
        
        "C:\Windows\system32\wis.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\wkmubeqku.exe
        
        "C:\Windows\system32\wkmubeqku.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:712
        
        C:\Windows\SysWOW64\wbrjm.exe
        
        "C:\Windows\system32\wbrjm.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\wvstrlyel.exe
        
        "C:\Windows\system32\wvstrlyel.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\wcbcl.exe
        
        "C:\Windows\system32\wcbcl.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\wunebvgy.exe
        
        "C:\Windows\system32\wunebvgy.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wqtqeu.exe
        
        "C:\Windows\system32\wqtqeu.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wlvwtwp.exe
        
        "C:\Windows\system32\wlvwtwp.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:692
        
        C:\Windows\SysWOW64\wujvitsjv.exe
        
        "C:\Windows\system32\wujvitsjv.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\wkij.exe
        
        "C:\Windows\system32\wkij.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\wniieqa.exe
        
        "C:\Windows\system32\wniieqa.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\wmryr.exe
        
        "C:\Windows\system32\wmryr.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\wlh.exe
        
        "C:\Windows\system32\wlh.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\woa.exe
        
        "C:\Windows\system32\woa.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\weac.exe
        
        "C:\Windows\system32\weac.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2580
        
        C:\Windows\SysWOW64\wlsu.exe
        
        "C:\Windows\system32\wlsu.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\whytbxyn.exe
        
        "C:\Windows\system32\whytbxyn.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\wemtvt.exe
        
        "C:\Windows\system32\wemtvt.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:804
        
        C:\Windows\SysWOW64\wqwvjpcm.exe
        
        "C:\Windows\system32\wqwvjpcm.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2392
        
        C:\Windows\SysWOW64\wtf.exe
        
        "C:\Windows\system32\wtf.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\wrny.exe
        
        "C:\Windows\system32\wrny.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wxrcjbxj.exe
        
        "C:\Windows\system32\wxrcjbxj.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\woqphk.exe
        
        "C:\Windows\system32\woqphk.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\whlsjonq.exe
        
        "C:\Windows\system32\whlsjonq.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\wckexrm.exe
        
        "C:\Windows\system32\wckexrm.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wbawyk.exe
        
        "C:\Windows\system32\wbawyk.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\wlmjve.exe
        
        "C:\Windows\system32\wlmjve.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\wldbvxkmu.exe
        
        "C:\Windows\system32\wldbvxkmu.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2960
        
        C:\Windows\SysWOW64\wacp.exe
        
        "C:\Windows\system32\wacp.exe"
        44⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\wawomd.exe
        
        "C:\Windows\system32\wawomd.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\wjoffy.exe
        
        "C:\Windows\system32\wjoffy.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\wmoddk.exe
        
        "C:\Windows\system32\wmoddk.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\wigyllp.exe
        
        "C:\Windows\system32\wigyllp.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\wde.exe
        
        "C:\Windows\system32\wde.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\wdkclexf.exe
        
        "C:\Windows\system32\wdkclexf.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\wknfu.exe
        
        "C:\Windows\system32\wknfu.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wvulh.exe
        
        "C:\Windows\system32\wvulh.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1488
        
        C:\Windows\SysWOW64\wunmbyl.exe
        
        "C:\Windows\system32\wunmbyl.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2136
        
        C:\Windows\SysWOW64\wbeypu.exe
        
        "C:\Windows\system32\wbeypu.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2932
        
        C:\Windows\SysWOW64\wqhuhittt.exe
        
        "C:\Windows\system32\wqhuhittt.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wsitfsdi.exe
        
        "C:\Windows\system32\wsitfsdi.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2040
        
        C:\Windows\SysWOW64\wybmhwjb.exe
        
        "C:\Windows\system32\wybmhwjb.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1764
        
        C:\Windows\SysWOW64\woejxkh.exe
        
        "C:\Windows\system32\woejxkh.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2788
        
        C:\Windows\SysWOW64\wfrlo.exe
        
        "C:\Windows\system32\wfrlo.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:304
        
        C:\Windows\SysWOW64\wymqqx.exe
        
        "C:\Windows\system32\wymqqx.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\wgtamcgkw.exe
        
        "C:\Windows\system32\wgtamcgkw.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2896
        
        C:\Windows\SysWOW64\wybaokkr.exe
        
        "C:\Windows\system32\wybaokkr.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\wcexdg.exe
        
        "C:\Windows\system32\wcexdg.exe"
        63⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\wctqcydk.exe
        
        "C:\Windows\system32\wctqcydk.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\wdnmnlfp.exe
        
        "C:\Windows\system32\wdnmnlfp.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\wkggppmh.exe
        
        "C:\Windows\system32\wkggppmh.exe"
        66⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\wepaksvs.exe
        
        "C:\Windows\system32\wepaksvs.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\wpacyn.exe
        
        "C:\Windows\system32\wpacyn.exe"
        68⤵
        Adds Run key to start application
        
        PID:1796
        
        C:\Windows\SysWOW64\wwdveaaxp.exe
        
        "C:\Windows\system32\wwdveaaxp.exe"
        69⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\waid.exe
        
        "C:\Windows\system32\waid.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\wmfjsibl.exe
        
        "C:\Windows\system32\wmfjsibl.exe"
        71⤵
        Adds Run key to start application
        
        PID:1308
        
        C:\Windows\SysWOW64\wlnyg.exe
        
        "C:\Windows\system32\wlnyg.exe"
        72⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Windows\SysWOW64\wwfpyww.exe
        
        "C:\Windows\system32\wwfpyww.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\wegkmyl.exe
        
        "C:\Windows\system32\wegkmyl.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\wbsjt.exe
        
        "C:\Windows\system32\wbsjt.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\wimcu.exe
        
        "C:\Windows\system32\wimcu.exe"
        76⤵
        Adds Run key to start application
        
        PID:1312
        
        C:\Windows\SysWOW64\wqbnedik.exe
        
        "C:\Windows\system32\wqbnedik.exe"
        77⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\wkcste.exe
        
        "C:\Windows\system32\wkcste.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\wrkcpi.exe
        
        "C:\Windows\system32\wrkcpi.exe"
        79⤵
        Adds Run key to start application
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcste.exe"
        79⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbnedik.exe"
        78⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimcu.exe"
        77⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsjt.exe"
        76⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegkmyl.exe"
        75⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfpyww.exe"
        74⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnyg.exe"
        73⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfjsibl.exe"
        72⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waid.exe"
        71⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdveaaxp.exe"
        70⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpacyn.exe"
        69⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepaksvs.exe"
        68⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkggppmh.exe"
        67⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnmnlfp.exe"
        66⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctqcydk.exe"
        65⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcexdg.exe"
        64⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybaokkr.exe"
        63⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtamcgkw.exe"
        62⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymqqx.exe"
        61⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrlo.exe"
        60⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woejxkh.exe"
        59⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybmhwjb.exe"
        58⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsitfsdi.exe"
        57⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhuhittt.exe"
        56⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 808
        56⤵
        Program crash
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbeypu.exe"
        55⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunmbyl.exe"
        54⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvulh.exe"
        53⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknfu.exe"
        52⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdkclexf.exe"
        51⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wde.exe"
        50⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigyllp.exe"
        49⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoddk.exe"
        48⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoffy.exe"
        47⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wawomd.exe"
        46⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacp.exe"
        45⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldbvxkmu.exe"
        44⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmjve.exe"
        43⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbawyk.exe"
        42⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckexrm.exe"
        41⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlsjonq.exe"
        40⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqphk.exe"
        39⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrcjbxj.exe"
        38⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrny.exe"
        37⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtf.exe"
        36⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 844
        36⤵
        Program crash
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwvjpcm.exe"
        35⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemtvt.exe"
        34⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whytbxyn.exe"
        33⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsu.exe"
        32⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weac.exe"
        31⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woa.exe"
        30⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlh.exe"
        29⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmryr.exe"
        28⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wniieqa.exe"
        27⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkij.exe"
        26⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujvitsjv.exe"
        25⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvwtwp.exe"
        24⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtqeu.exe"
        23⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunebvgy.exe"
        22⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbcl.exe"
        21⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvstrlyel.exe"
        20⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrjm.exe"
        19⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmubeqku.exe"
        18⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 208
        18⤵
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wis.exe"
        17⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvi.exe"
        16⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkkoyk.exe"
        15⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuaptx.exe"
        14⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjibcb.exe"
        13⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbflsgi.exe"
        12⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wreqdd.exe"
        11⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whto.exe"
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdtps.exe"
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfbbo.exe"
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvlo.exe"
        7⤵
        
        PID:644
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfsnb.exe"
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrct.exe"
        5⤵
        
        PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpthks.exe"
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoyj.exe"
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\e09e52178e743d4e232c2b74c1edee40_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PQJKIWB0.txt

Filesize
99B

MD5
f712cd162b4b73d94c2670091ccb9640

SHA1
fd7134d9f0e3e3e81a68f88554ca3a5210074b34

SHA256
022d43a466d917b15c0467b2f50ee52323766af3def63c43b6bea6d265aed895

SHA512
669af8c1594ef43943d0c70f838ec1aeac895f15f8dbffb70305dcc4caf2af1b0d0094eeebe3617e73ac86b9007fda0456ac7c3e050696169d6783355c613509

Download Submit
\Windows\SysWOW64\wbfbbo.exe

Filesize
91KB

MD5
cf174a66a2484109b4e20c99f6af2532

SHA1
79117a67fdb0adfe35f9ff31c32e9f0555ec1cc0

SHA256
86b9b2aed5d0ce1df06afc6b53e17faaf5ea50e5627f620db492b49c21b1ace4

SHA512
f85fe1b7b01294ed4839fe47f5dc6d16779e71d4f876fd7867d9b6dc458677d406bf7e3b4037c6e0feb76a4de0487aba01b643ce96978908e65306cbb90ed59d

Download Submit
\Windows\SysWOW64\wbflsgi.exe

Filesize
91KB

MD5
3545d4f294b3cd16baf954799d4afa60

SHA1
f5e1d460f4cb2eb074bc30f9e88b6c7e24e4407e

SHA256
8573310112d093452e18b27a871b2f607465fb131d6f4ca25e14157b350f2e66

SHA512
750bf994e443d03b5811beacbe1df4ae1c759ce7c6ef1b76db95acde7b5383ac68a0b23ac762968ce2c3fa71dcfc88fae92a6e2b5cb23b46be70b9229a5ebe2d

Download Submit
\Windows\SysWOW64\wcoyj.exe

Filesize
91KB

MD5
483416c87021a80da742ebc576b24920

SHA1
e5dd544432e905aea4c08aff43f8d9d5a650b934

SHA256
fd360aec74a91b389fb4e9c5b87bd72c7093066d433a0324fbb8e0d2c70ce9ac

SHA512
44255cf03782ba1ccdfb5c9a7e8ac6986f5e7fccbf8bc8c009c2a12525428e7cdf5dacbb2fe9ce3740af5f27f486a6ed6102a53ebfb640df1e2c40ea31f573e4

Download Submit
\Windows\SysWOW64\wdfsnb.exe

Filesize
91KB

MD5
238bba9fe3f15da7345e272a1d770121

SHA1
c293690ce4cae840167dd49cb343c5447f6d9538

SHA256
b6a95636cadf7f9b419ab05eaa28f4603d8de5cd2e87603a02b70fb701a23b6e

SHA512
6d880625c52aedfc27a1b244d8559edcebd48c6b024f633335978ad3463c0b64912b6b4184c5133806387b52c59deaf2f4422f1f6dbffba6b2b0fe8a64c4899e

Download Submit
\Windows\SysWOW64\wdtps.exe

Filesize
91KB

MD5
6219cfc10a2f8c543c9b94d5dcf0bb47

SHA1
7f1b9b9df02685b948650dec1c3baba4a238a301

SHA256
b060b71860dc4c0fbefb296b9509d4fe3e07143169797e21c22669f7854f8230

SHA512
5b2d763ae49b33c795f82a4ddac5eb7107af1de4b7ce92448ac86ac7fee3b04660e52a3e9e0c32ed30d3bff89e1fed6991ed4b530dbf8c04b9c1a60e7e6c2106

Download Submit
\Windows\SysWOW64\wdvlo.exe

Filesize
91KB

MD5
3d80fcf68d9856415cbc2fe461642332

SHA1
b5ab830dedaf246e52dea9ef122e376fc1869723

SHA256
a5208898c48b95b2fd6642a40a3dbc1d744a7a3a7cc09f1eda457ae5652c52e0

SHA512
6c88d7632f987b24224bded3b495d9f8bb5a523e51b3a843a4691793ceefc49c1e31d8920a4a25be561df64e44902c90b0ea7ed0aba4e51a19df29cba76bedf0

Download Submit
\Windows\SysWOW64\whto.exe

Filesize
91KB

MD5
248f3e3813300da704c9debc45648dc1

SHA1
48b252fd093758d994daa3dab55ffa4afb210c8f

SHA256
199f49e44f71d34cea3e3bb26b4a93ae5406af96e15d586cdfc6d2d9c271371d

SHA512
3e21b3a5530ee18b13e16fe4115c2deebb8cc440ae969d0f39a8db2e3645b2d66a3e4e08ed65dd3e5835b703226216662a0f968b77395c227bbeb8db7be25a95

Download Submit
\Windows\SysWOW64\wpthks.exe

Filesize
91KB

MD5
525dfe40ecbc6a742fb7380f9cb63f19

SHA1
568c9adda75036ea6679e5e7243b7c1a7c763d84

SHA256
29aa894e86b515dc98009e6a8b80430fa0867ecc5bf50c9fe9c57fab8329480f

SHA512
316de10a16bb6fd1858bdc2e1df6acb937d927ba9bd7b614380bfbcdc8227af746a6c7771b479afee6250b62474a49db4c0d64f304a598054557f3816317a32e

Download Submit
\Windows\SysWOW64\wrct.exe

Filesize
91KB

MD5
edfc32d5e904e97268a6084ac0d521eb

SHA1
f75d59f2869e45b996cd5952a665d712d6a45a95

SHA256
cea94fdf7a1e74427d4ba065cf79877ed56d47a6c7be4de42362ee006576d5ba

SHA512
d57abbdc50437f64486f673f7835c74a9644a42e426879d07de2b89b81eec17e179d5e3b6b5514b1ed4fe0a9783cee7e0b1bbf282be89f233d4c763a91efd72a

Download Submit
\Windows\SysWOW64\wreqdd.exe

Filesize
91KB

MD5
71913cbe795ae4d69dfa6fc991e518c7

SHA1
ec58345fb0226b9f27da35f168e27a555a793c08

SHA256
ed04fa58f5bcdf0fcafeaf56cb0193ea89fbc0799cb1a42c9c4677bd8eaf7c44

SHA512
e8994e6c28a2ba24c541dbafd3df69ebf5b137aa6e8f8fd673c66f302933f4c41100842c1bf1981e7ff7725263bf31778ddee81c0337b70c4f17cf18a30216ed

Download Submit
memory/680-282-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/680-281-0x00000000022A0000-0x00000000022B8000-memory.dmp

Filesize
96KB

Download
memory/712-330-0x0000000003600000-0x0000000003618000-memory.dmp

Filesize
96KB

Download
memory/712-332-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/712-328-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/712-376-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/712-331-0x0000000003600000-0x0000000003618000-memory.dmp

Filesize
96KB

Download
memory/712-374-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/712-390-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/712-329-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/712-391-0x0000000003600000-0x0000000003618000-memory.dmp

Filesize
96KB

Download
memory/820-88-0x00000000034B0000-0x00000000034C8000-memory.dmp

Filesize
96KB

Download
memory/820-85-0x00000000034B0000-0x00000000034C8000-memory.dmp

Filesize
96KB

Download
memory/820-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/820-92-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/820-86-0x00000000034B0000-0x00000000034C8000-memory.dmp

Filesize
96KB

Download
memory/820-87-0x00000000034B0000-0x00000000034C8000-memory.dmp

Filesize
96KB

Download
memory/1404-45-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1404-36-0x0000000002470000-0x0000000002488000-memory.dmp

Filesize
96KB

Download
memory/1404-35-0x0000000002470000-0x0000000002488000-memory.dmp

Filesize
96KB

Download
memory/1404-42-0x0000000003470000-0x0000000003488000-memory.dmp

Filesize
96KB

Download
memory/1440-346-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1440-344-0x0000000002650000-0x0000000002668000-memory.dmp

Filesize
96KB

Download
memory/1544-175-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/1544-184-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-176-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/1544-178-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/1544-182-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/1544-177-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/1544-158-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1608-360-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1608-358-0x0000000003EF0000-0x0000000003F08000-memory.dmp

Filesize
96KB

Download
memory/1608-359-0x0000000003EF0000-0x0000000003F08000-memory.dmp

Filesize
96KB

Download
memory/1608-345-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1932-268-0x0000000003710000-0x0000000003728000-memory.dmp

Filesize
96KB

Download
memory/1932-267-0x0000000003710000-0x0000000003728000-memory.dmp

Filesize
96KB

Download
memory/1932-269-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1944-201-0x0000000003A40000-0x0000000003A58000-memory.dmp

Filesize
96KB

Download
memory/1944-200-0x0000000003A40000-0x0000000003A58000-memory.dmp

Filesize
96KB

Download
memory/1944-205-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1944-202-0x0000000003A40000-0x0000000003A58000-memory.dmp

Filesize
96KB

Download
memory/1944-181-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2068-152-0x0000000003570000-0x0000000003588000-memory.dmp

Filesize
96KB

Download
memory/2068-153-0x0000000003570000-0x0000000003588000-memory.dmp

Filesize
96KB

Download
memory/2068-157-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2068-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2068-154-0x0000000003570000-0x0000000003588000-memory.dmp

Filesize
96KB

Download
memory/2248-112-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2248-91-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2260-113-0x0000000003A60000-0x0000000003A70000-memory.dmp

Filesize
64KB

Download
memory/2260-19-0x0000000003D80000-0x0000000003D98000-memory.dmp

Filesize
96KB

Download
memory/2260-18-0x0000000003D80000-0x0000000003D98000-memory.dmp

Filesize
96KB

Download
memory/2260-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2260-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2260-22-0x0000000003A60000-0x0000000003A70000-memory.dmp

Filesize
64KB

Download
memory/2260-6-0x0000000003D80000-0x0000000003D98000-memory.dmp

Filesize
96KB

Download
memory/2272-254-0x0000000003F90000-0x0000000003FA8000-memory.dmp

Filesize
96KB

Download
memory/2272-255-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2272-253-0x0000000003550000-0x0000000003568000-memory.dmp

Filesize
96KB

Download
memory/2416-299-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2416-314-0x00000000035F0000-0x0000000003608000-memory.dmp

Filesize
96KB

Download
memory/2416-312-0x00000000035F0000-0x0000000003608000-memory.dmp

Filesize
96KB

Download
memory/2416-316-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2416-313-0x00000000035F0000-0x0000000003608000-memory.dmp

Filesize
96KB

Download
memory/2416-315-0x00000000035F0000-0x0000000003608000-memory.dmp

Filesize
96KB

Download
memory/2484-377-0x0000000003890000-0x00000000038A0000-memory.dmp

Filesize
64KB

Download
memory/2484-361-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2484-378-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2484-373-0x0000000003600000-0x0000000003618000-memory.dmp

Filesize
96KB

Download
memory/2492-241-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2492-237-0x00000000033D0000-0x00000000033E8000-memory.dmp

Filesize
96KB

Download
memory/2492-223-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2492-239-0x0000000003EF0000-0x0000000003F08000-memory.dmp

Filesize
96KB

Download
memory/2492-238-0x00000000033D0000-0x00000000033E8000-memory.dmp

Filesize
96KB

Download
memory/2492-240-0x0000000003EF0000-0x0000000003F08000-memory.dmp

Filesize
96KB

Download
memory/2572-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2572-66-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/2572-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2572-65-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/2572-63-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2576-225-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-224-0x0000000004020000-0x0000000004030000-memory.dmp

Filesize
64KB

Download
memory/2576-206-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-222-0x0000000003EE0000-0x0000000003EF8000-memory.dmp

Filesize
96KB

Download
memory/2576-221-0x0000000003ED0000-0x0000000003EE8000-memory.dmp

Filesize
96KB

Download
memory/2576-220-0x0000000003ED0000-0x0000000003EE8000-memory.dmp

Filesize
96KB

Download
memory/2684-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2684-126-0x0000000003B60000-0x0000000003B78000-memory.dmp

Filesize
96KB

Download
memory/2684-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2760-283-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2760-295-0x0000000003ED0000-0x0000000003EE8000-memory.dmp

Filesize
96KB

Download
memory/2760-300-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2760-296-0x0000000003ED0000-0x0000000003EE8000-memory.dmp

Filesize
96KB

Download
memory/2760-297-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

Filesize
96KB

Download
memory/2760-298-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

Filesize
96KB

Download
memory/2860-375-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads