615336c214d0a92d455d9aeb62f813cbc036e8a9771c43c141dccbc7830729e2

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
Size

447KB
MD5

ecb9b33a23f053225b6447f148d44870
SHA1

c52164612b896fe8906d6224833574b77328fc2e
SHA256

615336c214d0a92d455d9aeb62f813cbc036e8a9771c43c141dccbc7830729e2
SHA512

64bf569fe20376ae83e36c2a58b75010c6eded79a2b5e8a2d367b8a8b175e6a0e1013a30bec2760bc7af25ea5ff65f3948f41af4eea4500f373ee62d4672cdf7
SSDEEP

12288:QT6SZhP46SCTbSwgS1IaPRJbDh4i0vm4OsKN5sTuGZb:QThhP46SCTbSwgS1IaPRJbDh4i0vm4Om

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x000b000000014fe1-5.dat	family_berbew
behavioral1/files/0x0008000000015c23-37.dat	family_berbew
behavioral1/files/0x0008000000015c0d-46.dat	family_berbew
behavioral1/files/0x000c000000014fe1-65.dat	family_berbew
behavioral1/files/0x0009000000015c23-84.dat	family_berbew
behavioral1/memory/2172-97-0x0000000003850000-0x000000000386A000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c2f-107.dat	family_berbew
behavioral1/memory/2284-121-0x0000000003C70000-0x0000000003C8A000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c3c-129.dat	family_berbew
behavioral1/memory/2712-142-0x0000000003AE0000-0x0000000003AFA000-memory.dmp	family_berbew
behavioral1/files/0x000a000000015c23-151.dat	family_berbew
behavioral1/files/0x0008000000015c2f-173.dat	family_berbew
behavioral1/memory/1676-186-0x0000000003820000-0x000000000383A000-memory.dmp	family_berbew
behavioral1/memory/1676-185-0x0000000003810000-0x000000000382A000-memory.dmp	family_berbew
behavioral1/files/0x000b000000015c23-205.dat	family_berbew
behavioral1/memory/2220-219-0x0000000003C70000-0x0000000003C8A000-memory.dmp	family_berbew
behavioral1/files/0x0009000000015c2f-228.dat	family_berbew
behavioral1/memory/2776-249-0x0000000003B20000-0x0000000003B3A000-memory.dmp	family_berbew
behavioral1/memory/2776-253-0x0000000003B30000-0x0000000003B4A000-memory.dmp	family_berbew

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2844	wwnk.exe
2692	wanj.exe
1092	wylbm.exe
2172	wei.exe
2284	wvgppmq.exe
2712	wrwiiq.exe
1564	wtjqyj.exe
1676	wfrgde.exe
2236	wxx.exe
2456	whttbm.exe
2776	wlr.exe
1476	wifrmx.exe
944	wame.exe
2848	wmss.exe
920	wvvlli.exe
1508	wrivkj.exe
1976	wakpkovh.exe
2940	wjuni.exe
2660	wcjrxw.exe
2548	waddkueth.exe
1320	wgsl.exe
2004	wdatp.exe
2748	wqikrx.exe
1160	whtcqf.exe
1972	wtvog.exe
1768	wqjbg.exe
1608	wuhnum.exe
2572	wrm.exe
1556	wjm.exe
776	wefonf.exe
1616	wmntslt.exe
1928	wlwhqi.exe
2384	wphqex.exe
2748	wfhclm.exe
1700	wnpirri.exe
1972	wqxqeiy.exe
2472	wuwpmv.exe
2680	wcrhxdh.exe
2560	wfbpmsx.exe
1540	weascp.exe
860	wteldh.exe
808	wsdps.exe
2648	wbkuxk.exe
1160	wvvlepx.exe
2060	wvtotm.exe
1768	wxojpdy.exe
3028	woxhcs.exe
2312	woagto.exe
1556	wespn.exe
2388	wvhpnr.exe
1960	wdpvsy.exe
800	wcaiqwhim.exe
3020	wnsvsvox.exe
1572	wvumsa.exe
2128	wikrcvhss.exe
2604	wmtaplwpd.exe
892	wsopdsb.exe
1432	wxeddgy.exe
2280	wgnhimsh.exe
2276	wjlh.exe
1188	wivumx.exe
1816	wyvguld.exe
1964	wthwa.exe
2132	wpussw.exe

Loads dropped DLL 64 IoCs

pid	Process
1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
2844	wwnk.exe
2844	wwnk.exe
2844	wwnk.exe
2844	wwnk.exe
2692	wanj.exe
2692	wanj.exe
2692	wanj.exe
2692	wanj.exe
1092	wylbm.exe
1092	wylbm.exe
1092	wylbm.exe
1092	wylbm.exe
2172	wei.exe
2172	wei.exe
2172	wei.exe
2172	wei.exe
2284	wvgppmq.exe
2284	wvgppmq.exe
2284	wvgppmq.exe
2284	wvgppmq.exe
2712	wrwiiq.exe
2712	wrwiiq.exe
2712	wrwiiq.exe
2712	wrwiiq.exe
1564	wtjqyj.exe
1564	wtjqyj.exe
1564	wtjqyj.exe
1564	wtjqyj.exe
1676	wfrgde.exe
1676	wfrgde.exe
1676	wfrgde.exe
1676	wfrgde.exe
2220	wpftax.exe
2220	wpftax.exe
2220	wpftax.exe
2220	wpftax.exe
2456	whttbm.exe
2456	whttbm.exe
2456	whttbm.exe
2456	whttbm.exe
2776	wlr.exe
2776	wlr.exe
2776	wlr.exe
2776	wlr.exe
1476	wifrmx.exe
1476	wifrmx.exe
1476	wifrmx.exe
1476	wifrmx.exe
944	wame.exe
944	wame.exe
944	wame.exe
944	wame.exe
2848	wmss.exe
2848	wmss.exe
2848	wmss.exe
2848	wmss.exe
920	wvvlli.exe
920	wvvlli.exe
920	wvvlli.exe
920	wvvlli.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wfgfdw.exe	wohuvjvyq.exe
File opened for modification	C:\Windows\SysWOW64\wpopluwe.exe	wumimp.exe
File created	C:\Windows\SysWOW64\wakpkovh.exe	wrivkj.exe
File created	C:\Windows\SysWOW64\wxojpdy.exe	wvtotm.exe
File created	C:\Windows\SysWOW64\wtxptpb.exe	wcwgnb.exe
File opened for modification	C:\Windows\SysWOW64\weaskkw.exe	wjverb.exe
File created	C:\Windows\SysWOW64\wlr.exe	whttbm.exe
File created	C:\Windows\SysWOW64\wbkuxk.exe	wsdps.exe
File opened for modification	C:\Windows\SysWOW64\wrsgngntv.exe	wfkeqip.exe
File opened for modification	C:\Windows\SysWOW64\wrlvxp.exe	wmvkw.exe
File opened for modification	C:\Windows\SysWOW64\wyvguld.exe	wivumx.exe
File created	C:\Windows\SysWOW64\wmplid.exe	wfgfdw.exe
File created	C:\Windows\SysWOW64\wfqxdey.exe	wnqnuqg.exe
File opened for modification	C:\Windows\SysWOW64\wei.exe	wylbm.exe
File opened for modification	C:\Windows\SysWOW64\wmss.exe	wame.exe
File opened for modification	C:\Windows\SysWOW64\wuwpmv.exe	wqxqeiy.exe
File created	C:\Windows\SysWOW64\wfbpmsx.exe	wcrhxdh.exe
File opened for modification	C:\Windows\SysWOW64\wtoxbuqwy.exe	webxa.exe
File opened for modification	C:\Windows\SysWOW64\wkcxcjqnd.exe	wlslfn.exe
File created	C:\Windows\SysWOW64\wpiviw.exe	wdokfwlm.exe
File opened for modification	C:\Windows\SysWOW64\wwnk.exe	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wqxfqf.exe	wwwaqypt.exe
File created	C:\Windows\SysWOW64\woysoou.exe	wlpjaa.exe
File opened for modification	C:\Windows\SysWOW64\wirvxb.exe	wrrjsn.exe
File opened for modification	C:\Windows\SysWOW64\wumimp.exe	wigfq.exe
File created	C:\Windows\SysWOW64\wvgppmq.exe	wei.exe
File created	C:\Windows\SysWOW64\wsdps.exe	wteldh.exe
File opened for modification	C:\Windows\SysWOW64\wsfpfw.exe	wfldbxnt.exe
File created	C:\Windows\SysWOW64\wrrjsn.exe	wvhslfi.exe
File created	C:\Windows\SysWOW64\wou.exe	wkklnp.exe
File created	C:\Windows\SysWOW64\weerfpbjk.exe	wmeixcgue.exe
File created	C:\Windows\SysWOW64\wkwtmwsq.exe	wmnipahko.exe
File opened for modification	C:\Windows\SysWOW64\wivumx.exe	wjlh.exe
File created	C:\Windows\SysWOW64\wsqykuo.exe	wqxfqf.exe
File opened for modification	C:\Windows\SysWOW64\wfldbxnt.exe	wkbmuq.exe
File created	C:\Windows\SysWOW64\wwhqv.exe	wtxhi.exe
File created	C:\Windows\SysWOW64\wumimp.exe	wigfq.exe
File opened for modification	C:\Windows\SysWOW64\wohy.exe	wwweug.exe
File opened for modification	C:\Windows\SysWOW64\wbkuxk.exe	wsdps.exe
File created	C:\Windows\SysWOW64\wdusosava.exe	wsfpfw.exe
File created	C:\Windows\SysWOW64\wmioqhs.exe	wrjhq.exe
File opened for modification	C:\Windows\SysWOW64\wllqud.exe	wtxptpb.exe
File opened for modification	C:\Windows\SysWOW64\wyenr.exe	wmwlupsn.exe
File opened for modification	C:\Windows\SysWOW64\wqxqeiy.exe	wnpirri.exe
File created	C:\Windows\SysWOW64\wirbgp.exe	wiimjre.exe
File created	C:\Windows\SysWOW64\wvhslfi.exe	wwhqv.exe
File opened for modification	C:\Windows\SysWOW64\wknhwwp.exe	wohy.exe
File opened for modification	C:\Windows\SysWOW64\wqxfqf.exe	wwwaqypt.exe
File opened for modification	C:\Windows\SysWOW64\wiq.exe	wahbhd.exe
File created	C:\Windows\SysWOW64\wrjhq.exe	wloqgtr.exe
File created	C:\Windows\SysWOW64\wacasf.exe	wmioqhs.exe
File created	C:\Windows\SysWOW64\wei.exe	wylbm.exe
File created	C:\Windows\SysWOW64\wnpirri.exe	wfhclm.exe
File opened for modification	C:\Windows\SysWOW64\wcrhxdh.exe	wuwpmv.exe
File created	C:\Windows\SysWOW64\weascp.exe	wfbpmsx.exe
File created	C:\Windows\SysWOW64\webxa.exe	wepkcj.exe
File created	C:\Windows\SysWOW64\wyno.exe	wrlvxp.exe
File opened for modification	C:\Windows\SysWOW64\wiyus.exe	wknhwwp.exe
File created	C:\Windows\SysWOW64\wmntslt.exe	wefonf.exe
File opened for modification	C:\Windows\SysWOW64\wwhxsuod.exe	woysoou.exe
File created	C:\Windows\SysWOW64\wckttqa.exe	wprhrrrt.exe
File opened for modification	C:\Windows\SysWOW64\wckfagluh.exe	wglxbbnp.exe
File opened for modification	C:\Windows\SysWOW64\wdusosava.exe	wsfpfw.exe
File created	C:\Windows\SysWOW64\wndqvnn.exe	weaskkw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	2572	WerFault.exe	237

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2844	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	28
PID 1056 wrote to memory of 2844	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	28
PID 1056 wrote to memory of 2844	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	28
PID 1056 wrote to memory of 2844	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	28
PID 1056 wrote to memory of 2540	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	29
PID 1056 wrote to memory of 2540	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	29
PID 1056 wrote to memory of 2540	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	29
PID 1056 wrote to memory of 2540	1056	ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe	29
PID 2844 wrote to memory of 2692	2844	wwnk.exe	31
PID 2844 wrote to memory of 2692	2844	wwnk.exe	31
PID 2844 wrote to memory of 2692	2844	wwnk.exe	31
PID 2844 wrote to memory of 2692	2844	wwnk.exe	31
PID 2844 wrote to memory of 2444	2844	wwnk.exe	32
PID 2844 wrote to memory of 2444	2844	wwnk.exe	32
PID 2844 wrote to memory of 2444	2844	wwnk.exe	32
PID 2844 wrote to memory of 2444	2844	wwnk.exe	32
PID 2692 wrote to memory of 1092	2692	wanj.exe	34
PID 2692 wrote to memory of 1092	2692	wanj.exe	34
PID 2692 wrote to memory of 1092	2692	wanj.exe	34
PID 2692 wrote to memory of 1092	2692	wanj.exe	34
PID 2692 wrote to memory of 1432	2692	wanj.exe	35
PID 2692 wrote to memory of 1432	2692	wanj.exe	35
PID 2692 wrote to memory of 1432	2692	wanj.exe	35
PID 2692 wrote to memory of 1432	2692	wanj.exe	35
PID 1092 wrote to memory of 2172	1092	wylbm.exe	37
PID 1092 wrote to memory of 2172	1092	wylbm.exe	37
PID 1092 wrote to memory of 2172	1092	wylbm.exe	37
PID 1092 wrote to memory of 2172	1092	wylbm.exe	37
PID 1092 wrote to memory of 1832	1092	wylbm.exe	38
PID 1092 wrote to memory of 1832	1092	wylbm.exe	38
PID 1092 wrote to memory of 1832	1092	wylbm.exe	38
PID 1092 wrote to memory of 1832	1092	wylbm.exe	38
PID 2172 wrote to memory of 2284	2172	wei.exe	40
PID 2172 wrote to memory of 2284	2172	wei.exe	40
PID 2172 wrote to memory of 2284	2172	wei.exe	40
PID 2172 wrote to memory of 2284	2172	wei.exe	40
PID 2172 wrote to memory of 1596	2172	wei.exe	41
PID 2172 wrote to memory of 1596	2172	wei.exe	41
PID 2172 wrote to memory of 1596	2172	wei.exe	41
PID 2172 wrote to memory of 1596	2172	wei.exe	41
PID 2284 wrote to memory of 2712	2284	wvgppmq.exe	43
PID 2284 wrote to memory of 2712	2284	wvgppmq.exe	43
PID 2284 wrote to memory of 2712	2284	wvgppmq.exe	43
PID 2284 wrote to memory of 2712	2284	wvgppmq.exe	43
PID 2284 wrote to memory of 632	2284	wvgppmq.exe	44
PID 2284 wrote to memory of 632	2284	wvgppmq.exe	44
PID 2284 wrote to memory of 632	2284	wvgppmq.exe	44
PID 2284 wrote to memory of 632	2284	wvgppmq.exe	44
PID 2712 wrote to memory of 1564	2712	wrwiiq.exe	46
PID 2712 wrote to memory of 1564	2712	wrwiiq.exe	46
PID 2712 wrote to memory of 1564	2712	wrwiiq.exe	46
PID 2712 wrote to memory of 1564	2712	wrwiiq.exe	46
PID 2712 wrote to memory of 2832	2712	wrwiiq.exe	47
PID 2712 wrote to memory of 2832	2712	wrwiiq.exe	47
PID 2712 wrote to memory of 2832	2712	wrwiiq.exe	47
PID 2712 wrote to memory of 2832	2712	wrwiiq.exe	47
PID 1564 wrote to memory of 1676	1564	wtjqyj.exe	49
PID 1564 wrote to memory of 1676	1564	wtjqyj.exe	49
PID 1564 wrote to memory of 1676	1564	wtjqyj.exe	49
PID 1564 wrote to memory of 1676	1564	wtjqyj.exe	49
PID 1564 wrote to memory of 3028	1564	wtjqyj.exe	50
PID 1564 wrote to memory of 3028	1564	wtjqyj.exe	50
PID 1564 wrote to memory of 3028	1564	wtjqyj.exe	50
PID 1564 wrote to memory of 3028	1564	wtjqyj.exe	50

C:\Users\Admin\AppData\Local\Temp\ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\wwnk.exe
  "C:\Windows\system32\wwnk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\wanj.exe
    "C:\Windows\system32\wanj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\wylbm.exe
      "C:\Windows\system32\wylbm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\SysWOW64\wei.exe
        
        "C:\Windows\system32\wei.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\wvgppmq.exe
        
        "C:\Windows\system32\wvgppmq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\wrwiiq.exe
        
        "C:\Windows\system32\wrwiiq.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\wtjqyj.exe
        
        "C:\Windows\system32\wtjqyj.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\wfrgde.exe
        
        "C:\Windows\system32\wfrgde.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\Windows\SysWOW64\wxx.exe
        
        "C:\Windows\system32\wxx.exe"
        10⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\wpftax.exe
        
        "C:\Windows\system32\wpftax.exe"
        11⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Windows\SysWOW64\whttbm.exe
        
        "C:\Windows\system32\whttbm.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\wlr.exe
        
        "C:\Windows\system32\wlr.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2776
        
        C:\Windows\SysWOW64\wifrmx.exe
        
        "C:\Windows\system32\wifrmx.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1476
        
        C:\Windows\SysWOW64\wame.exe
        
        "C:\Windows\system32\wame.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\wmss.exe
        
        "C:\Windows\system32\wmss.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2848
        
        C:\Windows\SysWOW64\wvvlli.exe
        
        "C:\Windows\system32\wvvlli.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:920
        
        C:\Windows\SysWOW64\wrivkj.exe
        
        "C:\Windows\system32\wrivkj.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\wakpkovh.exe
        
        "C:\Windows\system32\wakpkovh.exe"
        19⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\wjuni.exe
        
        "C:\Windows\system32\wjuni.exe"
        20⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\wcjrxw.exe
        
        "C:\Windows\system32\wcjrxw.exe"
        21⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\waddkueth.exe
        
        "C:\Windows\system32\waddkueth.exe"
        22⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\wgsl.exe
        
        "C:\Windows\system32\wgsl.exe"
        23⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\wdatp.exe
        
        "C:\Windows\system32\wdatp.exe"
        24⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\wqikrx.exe
        
        "C:\Windows\system32\wqikrx.exe"
        25⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\whtcqf.exe
        
        "C:\Windows\system32\whtcqf.exe"
        26⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\wtvog.exe
        
        "C:\Windows\system32\wtvog.exe"
        27⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\wqjbg.exe
        
        "C:\Windows\system32\wqjbg.exe"
        28⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\wuhnum.exe
        
        "C:\Windows\system32\wuhnum.exe"
        29⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\wrm.exe
        
        "C:\Windows\system32\wrm.exe"
        30⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\wjm.exe
        
        "C:\Windows\system32\wjm.exe"
        31⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\wefonf.exe
        
        "C:\Windows\system32\wefonf.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\wmntslt.exe
        
        "C:\Windows\system32\wmntslt.exe"
        33⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\wlwhqi.exe
        
        "C:\Windows\system32\wlwhqi.exe"
        34⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\wphqex.exe
        
        "C:\Windows\system32\wphqex.exe"
        35⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\wfhclm.exe
        
        "C:\Windows\system32\wfhclm.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\wnpirri.exe
        
        "C:\Windows\system32\wnpirri.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\wqxqeiy.exe
        
        "C:\Windows\system32\wqxqeiy.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\wuwpmv.exe
        
        "C:\Windows\system32\wuwpmv.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wcrhxdh.exe
        
        "C:\Windows\system32\wcrhxdh.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\wfbpmsx.exe
        
        "C:\Windows\system32\wfbpmsx.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\weascp.exe
        
        "C:\Windows\system32\weascp.exe"
        42⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\wteldh.exe
        
        "C:\Windows\system32\wteldh.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\wsdps.exe
        
        "C:\Windows\system32\wsdps.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\wbkuxk.exe
        
        "C:\Windows\system32\wbkuxk.exe"
        45⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\wvvlepx.exe
        
        "C:\Windows\system32\wvvlepx.exe"
        46⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\wvtotm.exe
        
        "C:\Windows\system32\wvtotm.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\wxojpdy.exe
        
        "C:\Windows\system32\wxojpdy.exe"
        48⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\woxhcs.exe
        
        "C:\Windows\system32\woxhcs.exe"
        49⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\woagto.exe
        
        "C:\Windows\system32\woagto.exe"
        50⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\wespn.exe
        
        "C:\Windows\system32\wespn.exe"
        51⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\wvhpnr.exe
        
        "C:\Windows\system32\wvhpnr.exe"
        52⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\wdpvsy.exe
        
        "C:\Windows\system32\wdpvsy.exe"
        53⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\wcaiqwhim.exe
        
        "C:\Windows\system32\wcaiqwhim.exe"
        54⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\wnsvsvox.exe
        
        "C:\Windows\system32\wnsvsvox.exe"
        55⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\wvumsa.exe
        
        "C:\Windows\system32\wvumsa.exe"
        56⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\wikrcvhss.exe
        
        "C:\Windows\system32\wikrcvhss.exe"
        57⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\wmtaplwpd.exe
        
        "C:\Windows\system32\wmtaplwpd.exe"
        58⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\wsopdsb.exe
        
        "C:\Windows\system32\wsopdsb.exe"
        59⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\wxeddgy.exe
        
        "C:\Windows\system32\wxeddgy.exe"
        60⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\wgnhimsh.exe
        
        "C:\Windows\system32\wgnhimsh.exe"
        61⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\wjlh.exe
        
        "C:\Windows\system32\wjlh.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\wivumx.exe
        
        "C:\Windows\system32\wivumx.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\wyvguld.exe
        
        "C:\Windows\system32\wyvguld.exe"
        64⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\wthwa.exe
        
        "C:\Windows\system32\wthwa.exe"
        65⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\wpussw.exe
        
        "C:\Windows\system32\wpussw.exe"
        66⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\wbnfu.exe
        
        "C:\Windows\system32\wbnfu.exe"
        67⤵
        
        PID:584
        
        C:\Windows\SysWOW64\wivlb.exe
        
        "C:\Windows\system32\wivlb.exe"
        68⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\wwwaqypt.exe
        
        "C:\Windows\system32\wwwaqypt.exe"
        69⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\wqxfqf.exe
        
        "C:\Windows\system32\wqxfqf.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\wsqykuo.exe
        
        "C:\Windows\system32\wsqykuo.exe"
        71⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wvbjxke.exe
        
        "C:\Windows\system32\wvbjxke.exe"
        72⤵
        
        PID:952
        
        C:\Windows\SysWOW64\wekpdqxq.exe
        
        "C:\Windows\system32\wekpdqxq.exe"
        73⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\witxsgnn.exe
        
        "C:\Windows\system32\witxsgnn.exe"
        74⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\wisbhc.exe
        
        "C:\Windows\system32\wisbhc.exe"
        75⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\wkbmuq.exe
        
        "C:\Windows\system32\wkbmuq.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\wfldbxnt.exe
        
        "C:\Windows\system32\wfldbxnt.exe"
        77⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\wsfpfw.exe
        
        "C:\Windows\system32\wsfpfw.exe"
        78⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\wdusosava.exe
        
        "C:\Windows\system32\wdusosava.exe"
        79⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\wlpjaa.exe
        
        "C:\Windows\system32\wlpjaa.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\woysoou.exe
        
        "C:\Windows\system32\woysoou.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\wwhxsuod.exe
        
        "C:\Windows\system32\wwhxsuod.exe"
        82⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\wiimjre.exe
        
        "C:\Windows\system32\wiimjre.exe"
        83⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\wirbgp.exe
        
        "C:\Windows\system32\wirbgp.exe"
        84⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\wahbhd.exe
        
        "C:\Windows\system32\wahbhd.exe"
        85⤵
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\wiq.exe
        
        "C:\Windows\system32\wiq.exe"
        86⤵
        
        PID:240
        
        C:\Windows\SysWOW64\wfkeqip.exe
        
        "C:\Windows\system32\wfkeqip.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\wrsgngntv.exe
        
        "C:\Windows\system32\wrsgngntv.exe"
        88⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\wudpavdpi.exe
        
        "C:\Windows\system32\wudpavdpi.exe"
        89⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\wcwgnb.exe
        
        "C:\Windows\system32\wcwgnb.exe"
        90⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\wtxptpb.exe
        
        "C:\Windows\system32\wtxptpb.exe"
        91⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\wllqud.exe
        
        "C:\Windows\system32\wllqud.exe"
        92⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\wjverb.exe
        
        "C:\Windows\system32\wjverb.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\weaskkw.exe
        
        "C:\Windows\system32\weaskkw.exe"
        94⤵
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\wndqvnn.exe
        
        "C:\Windows\system32\wndqvnn.exe"
        95⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\wtxhi.exe
        
        "C:\Windows\system32\wtxhi.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\wwhqv.exe
        
        "C:\Windows\system32\wwhqv.exe"
        97⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\wvhslfi.exe
        
        "C:\Windows\system32\wvhslfi.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\wrrjsn.exe
        
        "C:\Windows\system32\wrrjsn.exe"
        99⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\wirvxb.exe
        
        "C:\Windows\system32\wirvxb.exe"
        100⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\wugyivqip.exe
        
        "C:\Windows\system32\wugyivqip.exe"
        101⤵
        
        PID:624
        
        C:\Windows\SysWOW64\wcantd.exe
        
        "C:\Windows\system32\wcantd.exe"
        102⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\wgjyisl.exe
        
        "C:\Windows\system32\wgjyisl.exe"
        103⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\wmsgnbe.exe
        
        "C:\Windows\system32\wmsgnbe.exe"
        104⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\wmshew.exe
        
        "C:\Windows\system32\wmshew.exe"
        105⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\wukwpdk.exe
        
        "C:\Windows\system32\wukwpdk.exe"
        106⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\wtjbgc.exe
        
        "C:\Windows\system32\wtjbgc.exe"
        107⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\wkklnp.exe
        
        "C:\Windows\system32\wkklnp.exe"
        108⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\wou.exe
        
        "C:\Windows\system32\wou.exe"
        109⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\wmeixcgue.exe
        
        "C:\Windows\system32\wmeixcgue.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\weerfpbjk.exe
        
        "C:\Windows\system32\weerfpbjk.exe"
        111⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\wpxejoja.exe
        
        "C:\Windows\system32\wpxejoja.exe"
        112⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\whwpqddmo.exe
        
        "C:\Windows\system32\whwpqddmo.exe"
        113⤵
        
        PID:940
        
        C:\Windows\SysWOW64\wohuvjvyq.exe
        
        "C:\Windows\system32\wohuvjvyq.exe"
        114⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\wfgfdw.exe
        
        "C:\Windows\system32\wfgfdw.exe"
        115⤵
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\wmplid.exe
        
        "C:\Windows\system32\wmplid.exe"
        116⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\wprhrrrt.exe
        
        "C:\Windows\system32\wprhrrrt.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wckttqa.exe
        
        "C:\Windows\system32\wckttqa.exe"
        118⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\wloqgtr.exe
        
        "C:\Windows\system32\wloqgtr.exe"
        119⤵
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\wrjhq.exe
        
        "C:\Windows\system32\wrjhq.exe"
        120⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\wmioqhs.exe
        
        "C:\Windows\system32\wmioqhs.exe"
        121⤵
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\wacasf.exe
        
        "C:\Windows\system32\wacasf.exe"
        122⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\widsrln.exe
        
        "C:\Windows\system32\widsrln.exe"
        123⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\wpcorpvr.exe
        
        "C:\Windows\system32\wpcorpvr.exe"
        124⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\wmwlupsn.exe
        
        "C:\Windows\system32\wmwlupsn.exe"
        125⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\wyenr.exe
        
        "C:\Windows\system32\wyenr.exe"
        126⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\wigfq.exe
        
        "C:\Windows\system32\wigfq.exe"
        127⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\wumimp.exe
        
        "C:\Windows\system32\wumimp.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\wpopluwe.exe
        
        "C:\Windows\system32\wpopluwe.exe"
        129⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\wahbou.exe
        
        "C:\Windows\system32\wahbou.exe"
        130⤵
        
        PID:892
        
        C:\Windows\SysWOW64\wepkcj.exe
        
        "C:\Windows\system32\wepkcj.exe"
        131⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\webxa.exe
        
        "C:\Windows\system32\webxa.exe"
        132⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\wtoxbuqwy.exe
        
        "C:\Windows\system32\wtoxbuqwy.exe"
        133⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\wgjketxm.exe
        
        "C:\Windows\system32\wgjketxm.exe"
        134⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\wxjulhs.exe
        
        "C:\Windows\system32\wxjulhs.exe"
        135⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\wiciog.exe
        
        "C:\Windows\system32\wiciog.exe"
        136⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\wvsmxcgbm.exe
        
        "C:\Windows\system32\wvsmxcgbm.exe"
        137⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\wglxbbnp.exe
        
        "C:\Windows\system32\wglxbbnp.exe"
        138⤵
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\wckfagluh.exe
        
        "C:\Windows\system32\wckfagluh.exe"
        139⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\wlslfn.exe
        
        "C:\Windows\system32\wlslfn.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\wkcxcjqnd.exe
        
        "C:\Windows\system32\wkcxcjqnd.exe"
        141⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\wmnipahko.exe
        
        "C:\Windows\system32\wmnipahko.exe"
        142⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\wkwtmwsq.exe
        
        "C:\Windows\system32\wkwtmwsq.exe"
        143⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\woxskhdf.exe
        
        "C:\Windows\system32\woxskhdf.exe"
        144⤵
        
        PID:980
        
        C:\Windows\SysWOW64\wqgve.exe
        
        "C:\Windows\system32\wqgve.exe"
        145⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\wwweug.exe
        
        "C:\Windows\system32\wwweug.exe"
        146⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\wohy.exe
        
        "C:\Windows\system32\wohy.exe"
        147⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\wknhwwp.exe
        
        "C:\Windows\system32\wknhwwp.exe"
        148⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\wiyus.exe
        
        "C:\Windows\system32\wiyus.exe"
        149⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\wjeywple.exe
        
        "C:\Windows\system32\wjeywple.exe"
        150⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\wmvkw.exe
        
        "C:\Windows\system32\wmvkw.exe"
        151⤵
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\wrlvxp.exe
        
        "C:\Windows\system32\wrlvxp.exe"
        152⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\wyno.exe
        
        "C:\Windows\system32\wyno.exe"
        153⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\wystaodd.exe
        
        "C:\Windows\system32\wystaodd.exe"
        154⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\whtlau.exe
        
        "C:\Windows\system32\whtlau.exe"
        155⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\wdokfwlm.exe
        
        "C:\Windows\system32\wdokfwlm.exe"
        156⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\wpiviw.exe
        
        "C:\Windows\system32\wpiviw.exe"
        157⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\wktm.exe
        
        "C:\Windows\system32\wktm.exe"
        158⤵
        
        PID:604
        
        C:\Windows\SysWOW64\wnqnuqg.exe
        
        "C:\Windows\system32\wnqnuqg.exe"
        159⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\wfqxdey.exe
        
        "C:\Windows\system32\wfqxdey.exe"
        160⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqnuqg.exe"
        160⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktm.exe"
        159⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpiviw.exe"
        158⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdokfwlm.exe"
        157⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whtlau.exe"
        156⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wystaodd.exe"
        155⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyno.exe"
        154⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrlvxp.exe"
        153⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvkw.exe"
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjeywple.exe"
        151⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiyus.exe"
        150⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wknhwwp.exe"
        149⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohy.exe"
        148⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwweug.exe"
        147⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgve.exe"
        146⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxskhdf.exe"
        145⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwtmwsq.exe"
        144⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnipahko.exe"
        143⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcxcjqnd.exe"
        142⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlslfn.exe"
        141⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckfagluh.exe"
        140⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglxbbnp.exe"
        139⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvsmxcgbm.exe"
        138⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiciog.exe"
        137⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjulhs.exe"
        136⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjketxm.exe"
        135⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtoxbuqwy.exe"
        134⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\webxa.exe"
        133⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepkcj.exe"
        132⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahbou.exe"
        131⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpopluwe.exe"
        130⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumimp.exe"
        129⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigfq.exe"
        128⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyenr.exe"
        127⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwlupsn.exe"
        126⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcorpvr.exe"
        125⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widsrln.exe"
        124⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacasf.exe"
        123⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmioqhs.exe"
        122⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjhq.exe"
        121⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloqgtr.exe"
        120⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckttqa.exe"
        119⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprhrrrt.exe"
        118⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmplid.exe"
        117⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgfdw.exe"
        116⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohuvjvyq.exe"
        115⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwpqddmo.exe"
        114⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxejoja.exe"
        113⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weerfpbjk.exe"
        112⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmeixcgue.exe"
        111⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wou.exe"
        110⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkklnp.exe"
        109⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjbgc.exe"
        108⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukwpdk.exe"
        107⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmshew.exe"
        106⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsgnbe.exe"
        105⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjyisl.exe"
        104⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcantd.exe"
        103⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugyivqip.exe"
        102⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirvxb.exe"
        101⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrjsn.exe"
        100⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhslfi.exe"
        99⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhqv.exe"
        98⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxhi.exe"
        97⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wndqvnn.exe"
        96⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weaskkw.exe"
        95⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjverb.exe"
        94⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllqud.exe"
        93⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxptpb.exe"
        92⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwgnb.exe"
        91⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudpavdpi.exe"
        90⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsgngntv.exe"
        89⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfkeqip.exe"
        88⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiq.exe"
        87⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahbhd.exe"
        86⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirbgp.exe"
        85⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiimjre.exe"
        84⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhxsuod.exe"
        83⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woysoou.exe"
        82⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlpjaa.exe"
        81⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdusosava.exe"
        80⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsfpfw.exe"
        79⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfldbxnt.exe"
        78⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbmuq.exe"
        77⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisbhc.exe"
        76⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\witxsgnn.exe"
        75⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekpdqxq.exe"
        74⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbjxke.exe"
        73⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqykuo.exe"
        72⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 776
        72⤵
        Program crash
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxfqf.exe"
        71⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwaqypt.exe"
        70⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivlb.exe"
        69⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnfu.exe"
        68⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpussw.exe"
        67⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wthwa.exe"
        66⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvguld.exe"
        65⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivumx.exe"
        64⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlh.exe"
        63⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnhimsh.exe"
        62⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeddgy.exe"
        61⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsopdsb.exe"
        60⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtaplwpd.exe"
        59⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikrcvhss.exe"
        58⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvumsa.exe"
        57⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsvsvox.exe"
        56⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcaiqwhim.exe"
        55⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpvsy.exe"
        54⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhpnr.exe"
        53⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wespn.exe"
        52⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woagto.exe"
        51⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxhcs.exe"
        50⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxojpdy.exe"
        49⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtotm.exe"
        48⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvlepx.exe"
        47⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkuxk.exe"
        46⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdps.exe"
        45⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wteldh.exe"
        44⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weascp.exe"
        43⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbpmsx.exe"
        42⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcrhxdh.exe"
        41⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuwpmv.exe"
        40⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxqeiy.exe"
        39⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnpirri.exe"
        38⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhclm.exe"
        37⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphqex.exe"
        36⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwhqi.exe"
        35⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmntslt.exe"
        34⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefonf.exe"
        33⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjm.exe"
        32⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrm.exe"
        31⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhnum.exe"
        30⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjbg.exe"
        29⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvog.exe"
        28⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whtcqf.exe"
        27⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqikrx.exe"
        26⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdatp.exe"
        25⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsl.exe"
        24⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waddkueth.exe"
        23⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjrxw.exe"
        22⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjuni.exe"
        21⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakpkovh.exe"
        20⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrivkj.exe"
        19⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvlli.exe"
        18⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmss.exe"
        17⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wame.exe"
        16⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifrmx.exe"
        15⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlr.exe"
        14⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whttbm.exe"
        13⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpftax.exe"
        12⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxx.exe"
        11⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrgde.exe"
        10⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjqyj.exe"
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwiiq.exe"
        8⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgppmq.exe"
        7⤵
        
        PID:632
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wei.exe"
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylbm.exe"
        5⤵
        
        PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanj.exe"
      4⤵
      PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnk.exe"
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\ecb9b33a23f053225b6447f148d44870_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8L7U47GQ.txt

Filesize
98B

MD5
0c91d207908aaa7f24b018f900e41016

SHA1
048a9fbd626d36ee324bb363cb25fa4bbc3fd345

SHA256
2bfeb06d44e6ec22adbacc79ea437220874bf6e0e14c1307d62c643c88f2ae16

SHA512
c454d9b3f62fe5a316f4ec90631081eb3f954725fe98229fcbe52ccf43cf3f1e37159d042afaa61cf8f070e0bc6db5eae46a4ff3403483329e94ef3a164a5c85

Download Submit
\Windows\SysWOW64\wanj.exe

Filesize
447KB

MD5
ad293a8370877ce890248e1b28a15907

SHA1
2f3cc114213c79085de4aa064b109b5c5ddf2b0a

SHA256
e6395316b2b9c37483ea935708ab09642d924d7b9eeb8e173bbec1925ff03828

SHA512
bf75601cf644c46c8ab5932082a80cd5f93735710933f4660a35a4eaada8a261efee8947c2c223252449396f0406ca5e829c380f1c3d0a5d364199faa6650e34

Download Submit
\Windows\SysWOW64\wei.exe

Filesize
447KB

MD5
c447b10089562983a7edcd8c7a0c4358

SHA1
95063421e586afbd75cc357a356822c541a4c3b7

SHA256
a7306f46ef71154c914147c6f392ae4bbf9f4c4cffe454f278f021761a1dcba7

SHA512
12051e8f97e28df95409bd9730fafa2246b07c60372188e738478382ae931dd673e01d9b14fe707381c03207e821cbdc7ab555845f4226e9e9d7c409d32a27a3

Download Submit
\Windows\SysWOW64\wfrgde.exe

Filesize
447KB

MD5
a20f914328746bd44a7c958155b3290b

SHA1
bdea11f5a246c99f8316e6d4ed32d47de6b80486

SHA256
cb9a4c55818baad42c6cb9e51fbede1f19f3d8c527158c55cda037e38ea3843b

SHA512
2e82be789e90579742292c2f443efc62b0e9701df9e17f3edcc7da1e6daa3b5623bd4cd3ff73dd7fba9dac7905b4cb9f7b7dbdc7e95df5e8ea120e558aad9dbc

Download Submit
\Windows\SysWOW64\whttbm.exe

Filesize
447KB

MD5
ca0962952c9e609af6919cdfb2deaf6f

SHA1
3269c69a03042de61fab47429f18cd739fef1427

SHA256
0e13df0d33a37938c7b6942e5f95f8c51726551b90fd10bd9ce359fb0073b758

SHA512
c6d2a328e563ae13e59edbfa2a4f8d09bbdc0c28f9e2c319dffda99a0cdafdef6544a69839e66bc23601984c8bff226457cb86ac1af29f2813a99681d321a491

Download Submit
\Windows\SysWOW64\wlr.exe

Filesize
447KB

MD5
2f467b7a8e6982a083843bebe41b3724

SHA1
35427e9ba9f48cd6042aa3723c6a0cc7211041c2

SHA256
3025d98a09d140913861e9c0c578f5986425bb468488d09fb36475149247147f

SHA512
f9336bee1161e3f01516f2cdb955a30f9e4737024aabdedcb8f614d052428e8193673afbe98aa7e620dfb4a1f4bcfb5e208087032e91241f7c0ed657d4581097

Download Submit
\Windows\SysWOW64\wrwiiq.exe

Filesize
447KB

MD5
b5e837879137cfe05b2dec4a49563ddd

SHA1
66b22dc8067a491bac6f203d9bb084dc3414e16b

SHA256
a436f3e7a78a4b9f6eec8e6d4aceb9bdfa9c2a3950a64d5691625cda2f246cb9

SHA512
af6237d5398868ebf6dfde3fcb4a57c29b5ca14cdacd795e7d6827a254bf399fe22aee7656e5f16d7af5d7e5383b195860eedef09b47dd8c888e5f689730d292

Download Submit
\Windows\SysWOW64\wtjqyj.exe

Filesize
447KB

MD5
784a874247bb3edd5a1754860529dc25

SHA1
07b1524db5d2f1aac0ccf074fda7065f4257988f

SHA256
b8afc3acb90145dae1ec14f2db31096ce45e5eff9ffa787d70f859cabdf29a46

SHA512
8ffc38d82138f1888d8eb2b3697dad68e1a36297e3ae3181a52f52ca7e9b46f23479e14243931f65c56a2ab0710f5923174a7bda30eb3c55caf8960346ab9c5b

Download Submit
\Windows\SysWOW64\wvgppmq.exe

Filesize
447KB

MD5
7f3c8d13e1bef9999ac864244120c37c

SHA1
dbe0442fc22154a621f1f245d39ce2c1baa6bc4f

SHA256
c6f289dff1c3b7d6be6e67421f5bba6174647fa6ee9cdaf04fcc963bfa810acc

SHA512
1146f7dbaaace99548d1b0ba83241630abc88221bc11a748f34a27d279e7d9dacb5ad2d394c295cad8ed7304619653f9f7d1381f21db0bc391906968563cd979

Download Submit
\Windows\SysWOW64\wwnk.exe

Filesize
447KB

MD5
8a6885c7bec3db59263d91562cb7ed40

SHA1
8130d45b67264f3cdc732cb08188b7850ec09609

SHA256
158c8036328c32179bc4ef06c2f65f89546e8869c3bb141ce1a71819e8864540

SHA512
8d81b94c6fcc0b819fa319de9a84c52c2411607f64802ac21f7cce7910a5bedf2a6394def0bd2a7de667c4e4a9a54a5aeab7e0832081321a688862be880b4a98

Download Submit
\Windows\SysWOW64\wxx.exe

Filesize
447KB

MD5
f5ac00d4c9083ac2ecf63da8e8652cfe

SHA1
719fab641557492104543f56cd08884ad480e4ec

SHA256
3526ce9228fd88a5575ca1b374859b04a38403e839fb6468c4ea6570f48a45a4

SHA512
3b3c7541d2b72d5c2facde3a68b6c505128d7df5a2e7ff8f92809875995d2b52ebbea480f095c890e3bc9c3b307b7ed2ae6ec71bb8e4bec06c8f3148206bc7ce

Download Submit
\Windows\SysWOW64\wylbm.exe

Filesize
447KB

MD5
79504fac78e15c839570a6c776d6de6d

SHA1
5e907d31520c475fb5b1aa38ea7838f2c0b15263

SHA256
8e4d31d7c3c3d39e6091ac9f3e5511b3e9110fb9aaf27cd083c6c4bee7c7ddb0

SHA512
0110fc6b359889716898d4ebae26051748b123df9ac49c415a11d89f1ddc2fb0212990987b9bf186f707b277308ab0d4f2bb3f62c8f729aecc91d61ae28bdae2

Download Submit
memory/920-315-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/920-314-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/944-278-0x0000000003C60000-0x0000000003C7A000-memory.dmp

Filesize
104KB

Download
memory/944-285-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/944-280-0x0000000003C60000-0x0000000003C7A000-memory.dmp

Filesize
104KB

Download
memory/944-284-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/944-287-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1056-18-0x0000000003B30000-0x0000000003B4A000-memory.dmp

Filesize
104KB

Download
memory/1056-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1056-6-0x0000000003B30000-0x0000000003B4A000-memory.dmp

Filesize
104KB

Download
memory/1056-19-0x0000000003B30000-0x0000000003B4A000-memory.dmp

Filesize
104KB

Download
memory/1056-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1092-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1092-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1320-407-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1320-406-0x0000000002D70000-0x0000000002D8A000-memory.dmp

Filesize
104KB

Download
memory/1320-405-0x0000000002D70000-0x0000000002D8A000-memory.dmp

Filesize
104KB

Download
memory/1320-404-0x0000000002D60000-0x0000000002D7A000-memory.dmp

Filesize
104KB

Download
memory/1476-267-0x0000000003170000-0x000000000318A000-memory.dmp

Filesize
104KB

Download
memory/1476-270-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1476-254-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1476-269-0x0000000003180000-0x000000000319A000-memory.dmp

Filesize
104KB

Download
memory/1476-268-0x0000000003180000-0x000000000319A000-memory.dmp

Filesize
104KB

Download
memory/1508-323-0x0000000003D70000-0x0000000003D8A000-memory.dmp

Filesize
104KB

Download
memory/1508-331-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1508-329-0x0000000003E70000-0x0000000003E8A000-memory.dmp

Filesize
104KB

Download
memory/1508-322-0x0000000003D70000-0x0000000003D8A000-memory.dmp

Filesize
104KB

Download
memory/1564-164-0x0000000003AC0000-0x0000000003ADA000-memory.dmp

Filesize
104KB

Download
memory/1564-165-0x0000000003AC0000-0x0000000003ADA000-memory.dmp

Filesize
104KB

Download
memory/1564-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1564-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1564-156-0x0000000003AB0000-0x0000000003ACA000-memory.dmp

Filesize
104KB

Download
memory/1676-185-0x0000000003810000-0x000000000382A000-memory.dmp

Filesize
104KB

Download
memory/1676-188-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1676-187-0x0000000003820000-0x000000000383A000-memory.dmp

Filesize
104KB

Download
memory/1676-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1676-186-0x0000000003820000-0x000000000383A000-memory.dmp

Filesize
104KB

Download
memory/1976-330-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1976-345-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1976-344-0x0000000003C80000-0x0000000003C9A000-memory.dmp

Filesize
104KB

Download
memory/1976-343-0x0000000003270000-0x000000000328A000-memory.dmp

Filesize
104KB

Download
memory/2004-408-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2004-420-0x0000000003260000-0x000000000327A000-memory.dmp

Filesize
104KB

Download
memory/2172-98-0x0000000003860000-0x000000000387A000-memory.dmp

Filesize
104KB

Download
memory/2172-96-0x0000000003850000-0x000000000386A000-memory.dmp

Filesize
104KB

Download
memory/2172-80-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2172-100-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2172-97-0x0000000003850000-0x000000000386A000-memory.dmp

Filesize
104KB

Download
memory/2220-218-0x0000000003C60000-0x0000000003C7A000-memory.dmp

Filesize
104KB

Download
memory/2220-217-0x0000000003C60000-0x0000000003C7A000-memory.dmp

Filesize
104KB

Download
memory/2220-220-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2220-222-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-219-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2220-194-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2236-197-0x00000000748C0000-0x0000000074918000-memory.dmp

Filesize
352KB

Download
memory/2236-193-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2236-191-0x0000000003B30000-0x0000000003B4A000-memory.dmp

Filesize
104KB

Download
memory/2236-190-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2236-192-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2236-200-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2236-199-0x0000000003800000-0x00000000039C4000-memory.dmp

Filesize
1.8MB

Download
memory/2236-198-0x0000000074870000-0x00000000748BF000-memory.dmp

Filesize
316KB

Download
memory/2284-121-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2284-101-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2284-119-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2284-122-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2284-124-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2284-120-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2456-240-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2456-223-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2456-239-0x0000000003C80000-0x0000000003C9A000-memory.dmp

Filesize
104KB

Download
memory/2548-390-0x0000000003D70000-0x0000000003D8A000-memory.dmp

Filesize
104KB

Download
memory/2548-392-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2548-376-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2548-391-0x0000000003D70000-0x0000000003D8A000-memory.dmp

Filesize
104KB

Download
memory/2548-389-0x0000000003C70000-0x0000000003C8A000-memory.dmp

Filesize
104KB

Download
memory/2660-374-0x0000000003760000-0x000000000377A000-memory.dmp

Filesize
104KB

Download
memory/2660-375-0x0000000003A40000-0x0000000003A5A000-memory.dmp

Filesize
104KB

Download
memory/2660-377-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2660-373-0x0000000003760000-0x000000000377A000-memory.dmp

Filesize
104KB

Download
memory/2692-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2692-40-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2712-143-0x0000000003AE0000-0x0000000003AFA000-memory.dmp

Filesize
104KB

Download
memory/2712-142-0x0000000003AE0000-0x0000000003AFA000-memory.dmp

Filesize
104KB

Download
memory/2712-141-0x0000000003AE0000-0x0000000003AFA000-memory.dmp

Filesize
104KB

Download
memory/2712-145-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2776-255-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2776-249-0x0000000003B20000-0x0000000003B3A000-memory.dmp

Filesize
104KB

Download
memory/2776-253-0x0000000003B30000-0x0000000003B4A000-memory.dmp

Filesize
104KB

Download
memory/2844-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2848-300-0x00000000030C0000-0x00000000030DA000-memory.dmp

Filesize
104KB

Download
memory/2848-301-0x00000000030C0000-0x00000000030DA000-memory.dmp

Filesize
104KB

Download
memory/2848-286-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2848-299-0x00000000030C0000-0x00000000030DA000-memory.dmp

Filesize
104KB

Download
memory/2848-302-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2940-360-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2940-359-0x0000000003A80000-0x0000000003A9A000-memory.dmp

Filesize
104KB

Download
memory/2940-354-0x0000000003A70000-0x0000000003A8A000-memory.dmp

Filesize
104KB

Download
memory/2940-346-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download