7b6e04f42945bfcbaf030e10e7a9f1bf8d13957ac3344717ee902326ededad44

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe
Size

316KB
MD5

4d3a867c1ce25b918dc4fa45136a2b40
SHA1

d8e6aeba24399861a646f318575ea01fa11f1db8
SHA256

7b6e04f42945bfcbaf030e10e7a9f1bf8d13957ac3344717ee902326ededad44
SHA512

23e4edc3a0cbd22537d42d7704ef386dd4379508058e03e6e1cdea248159ded17abf5c171fce16f6476b3c080695e1a5acd71815dfe72f40a50373b96b2d3f3b
SSDEEP

3072:mYUb5QoJ4g+LsP9iGqT8ZjKIz1ZdW4SrOLVSVpe1GhpSBfmy:mY699qT8hKSZI4zLVSVpe1GvOff

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2504 cmd.exe

pid	process
2504	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

wtnfoisg.exewfwkrywf.exewrmrrs.exewwstq.exewoqvu.exewkhrer.exewecwgtqw.exewaih.exewxxbimt.exewvrbc.exewowesn.exewgkvru.exewsqpl.exewnhltn.exewbvqs.exewfttpn.exewuhbnc.exewkfmk.exewaikcaq.exewscqtcn.exewajape.exewkmypccn.exewcs.exewvuvql.exewdnpsq.exewvwiot.exewqabwxyt.exewoiqjs.exewjaak.exewcisg.exewrxae.exewmvjsrtn.exewsbnc.exewysfd.exewkbnxoui.exewusdrlerv.exewmysb.exewrdvjxxoi.exewykff.exewsxithfid.exewnlukh.exewdg.exewsudwi.exewudpavdpi.exewxvmmif.exewfofmml.exewqhuhittt.exewwbnhmynp.exewisechiwc.exewwvytvgi.exeweosualb.exewtxqalr.exewbhauom.exewmgqciet.exewodvgxh.exewhlsry.exewktgvkkv.exewmymnxwo.exewjbamucf.exewyyinsh.exewenxf.exewwqqn.exewtsfne.exewfvdmbhy.exe

pid	process
2936	wtnfoisg.exe
1916	wfwkrywf.exe
344	wrmrrs.exe
896	wwstq.exe
920	woqvu.exe
2300	wkhrer.exe
3020	wecwgtqw.exe
1136	waih.exe
2120	wxxbimt.exe
2944	wvrbc.exe
944	wowesn.exe
2012	wgkvru.exe
744	wsqpl.exe
2468	wnhltn.exe
2296	wbvqs.exe
2212	wfttpn.exe
876	wuhbnc.exe
1804	wkfmk.exe
1500	waikcaq.exe
1952	wscqtcn.exe
932	wajape.exe
2284	wkmypccn.exe
1812	wcs.exe
3012	wvuvql.exe
1992	wdnpsq.exe
2568	wvwiot.exe
1496	wqabwxyt.exe
1036	woiqjs.exe
1936	wjaak.exe
2104	wcisg.exe
1856	wrxae.exe
2280	wmvjsrtn.exe
1596	wsbnc.exe
2552	wysfd.exe
2736	wkbnxoui.exe
364	wusdrlerv.exe
2228	wmysb.exe
1672	wrdvjxxoi.exe
2260	wykff.exe
2272	wsxithfid.exe
1004	wnlukh.exe
1588	wdg.exe
2548	wsudwi.exe
2568	wudpavdpi.exe
480	wxvmmif.exe
1616	wfofmml.exe
920	wqhuhittt.exe
2240	wwbnhmynp.exe
1020	wisechiwc.exe
1564	wwvytvgi.exe
536	weosualb.exe
2420	wtxqalr.exe
2900	wbhauom.exe
2780	wmgqciet.exe
1644	wodvgxh.exe
1616	whlsry.exe
3048	wktgvkkv.exe
2176	wmymnxwo.exe
1596	wjbamucf.exe
2000	wyyinsh.exe
2884	wenxf.exe
2400	wwqqn.exe
1968	wtsfne.exe
1696	wfvdmbhy.exe

Loads dropped DLL 64 IoCs

Processes:

4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exewtnfoisg.exewfwkrywf.exewrmrrs.exewwstq.exewoqvu.exewkhrer.exeWerFault.exewecwgtqw.exewaih.exeWerFault.exewxxbimt.exewvrbc.exewowesn.exewgkvru.exewsqpl.exewnhltn.exe

pid	process
2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe
2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe
2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe
2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe
2936	wtnfoisg.exe
2936	wtnfoisg.exe
2936	wtnfoisg.exe
2936	wtnfoisg.exe
1916	wfwkrywf.exe
1916	wfwkrywf.exe
1916	wfwkrywf.exe
1916	wfwkrywf.exe
344	wrmrrs.exe
344	wrmrrs.exe
344	wrmrrs.exe
344	wrmrrs.exe
896	wwstq.exe
896	wwstq.exe
896	wwstq.exe
896	wwstq.exe
920	woqvu.exe
920	woqvu.exe
920	woqvu.exe
920	woqvu.exe
2300	wkhrer.exe
2300	wkhrer.exe
2300	wkhrer.exe
2300	wkhrer.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
3020	wecwgtqw.exe
3020	wecwgtqw.exe
3020	wecwgtqw.exe
3020	wecwgtqw.exe
1136	waih.exe
1136	waih.exe
1136	waih.exe
1136	waih.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2120	wxxbimt.exe
2120	wxxbimt.exe
2120	wxxbimt.exe
2120	wxxbimt.exe
2944	wvrbc.exe
2944	wvrbc.exe
2944	wvrbc.exe
2944	wvrbc.exe
944	wowesn.exe
944	wowesn.exe
944	wowesn.exe
944	wowesn.exe
2012	wgkvru.exe
2012	wgkvru.exe
2012	wgkvru.exe
2012	wgkvru.exe
744	wsqpl.exe
744	wsqpl.exe
744	wsqpl.exe
744	wsqpl.exe
2468	wnhltn.exe

Drops file in System32 directory 64 IoCs

Processes:

waih.exewsqpl.exewkbnxoui.exewujlaoa.exewfuxfmc.exewqxrik.exewrmrrs.exewecwgtqw.exewoiqjs.exewykff.exewnlukh.exewcvjkj.exewkhrer.exewsbnc.exewvuvql.exewjaak.exewudpavdpi.exewmgqciet.exewhwqlhvf.exewbvqs.exewwqqn.exewipjngr.exewtnfoisg.exewoqvu.exewowesn.exewcs.exewppdxnp.exewfyfw.exewwstq.exewfttpn.exewaikcaq.exewajape.exewqabwxyt.exewusdrlerv.exewdnpsq.exewcisg.exewmysb.exeweosualb.exewwdlf.exewsxithfid.exewfofmml.exewbhauom.exewenxf.exewtsfne.exewnhltn.exewodvgxh.exewkvkvik.exewkfmk.exewfvdmbhy.exewaphcio.exewvrbc.exewdg.exewtxqalr.exewhlsry.exewfwkrywf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wxxbimt.exe	waih.exe
File opened for modification	C:\Windows\SysWOW64\wnhltn.exe	wsqpl.exe
File created	C:\Windows\SysWOW64\wusdrlerv.exe	wkbnxoui.exe
File opened for modification	C:\Windows\SysWOW64\wfuxfmc.exe	wujlaoa.exe
File opened for modification	C:\Windows\SysWOW64\wpyxf.exe	wfuxfmc.exe
File created	C:\Windows\SysWOW64\wlxmp.exe	wqxrik.exe
File created	C:\Windows\SysWOW64\wwstq.exe	wrmrrs.exe
File created	C:\Windows\SysWOW64\waih.exe	wecwgtqw.exe
File created	C:\Windows\SysWOW64\wjaak.exe	woiqjs.exe
File opened for modification	C:\Windows\SysWOW64\wsxithfid.exe	wykff.exe
File created	C:\Windows\SysWOW64\wdg.exe	wnlukh.exe
File created	C:\Windows\SysWOW64\wujlaoa.exe	wcvjkj.exe
File created	C:\Windows\SysWOW64\wecwgtqw.exe	wkhrer.exe
File opened for modification	C:\Windows\SysWOW64\wysfd.exe	wsbnc.exe
File created	C:\Windows\SysWOW64\wdnpsq.exe	wvuvql.exe
File created	C:\Windows\SysWOW64\wcisg.exe	wjaak.exe
File opened for modification	C:\Windows\SysWOW64\wusdrlerv.exe	wkbnxoui.exe
File opened for modification	C:\Windows\SysWOW64\wxvmmif.exe	wudpavdpi.exe
File created	C:\Windows\SysWOW64\wodvgxh.exe	wmgqciet.exe
File created	C:\Windows\SysWOW64\wkvkvik.exe	whwqlhvf.exe
File created	C:\Windows\SysWOW64\wfttpn.exe	wbvqs.exe
File created	C:\Windows\SysWOW64\wtsfne.exe	wwqqn.exe
File opened for modification	C:\Windows\SysWOW64\wqxrik.exe	wipjngr.exe
File created	C:\Windows\SysWOW64\wfwkrywf.exe	wtnfoisg.exe
File opened for modification	C:\Windows\SysWOW64\wkhrer.exe	woqvu.exe
File created	C:\Windows\SysWOW64\wgkvru.exe	wowesn.exe
File opened for modification	C:\Windows\SysWOW64\wvuvql.exe	wcs.exe
File created	C:\Windows\SysWOW64\wcvjkj.exe	wppdxnp.exe
File created	C:\Windows\SysWOW64\wdbsw.exe	wfyfw.exe
File created	C:\Windows\SysWOW64\woqvu.exe	wwstq.exe
File created	C:\Windows\SysWOW64\wuhbnc.exe	wfttpn.exe
File created	C:\Windows\SysWOW64\wscqtcn.exe	waikcaq.exe
File opened for modification	C:\Windows\SysWOW64\wkmypccn.exe	wajape.exe
File opened for modification	C:\Windows\SysWOW64\woiqjs.exe	wqabwxyt.exe
File created	C:\Windows\SysWOW64\wmysb.exe	wusdrlerv.exe
File opened for modification	C:\Windows\SysWOW64\wvwiot.exe	wdnpsq.exe
File opened for modification	C:\Windows\SysWOW64\wrxae.exe	wcisg.exe
File opened for modification	C:\Windows\SysWOW64\wrdvjxxoi.exe	wmysb.exe
File opened for modification	C:\Windows\SysWOW64\wtxqalr.exe	weosualb.exe
File opened for modification	C:\Windows\SysWOW64\wkvkvik.exe	whwqlhvf.exe
File created	C:\Windows\SysWOW64\waphcio.exe	wwdlf.exe
File opened for modification	C:\Windows\SysWOW64\wjaak.exe	woiqjs.exe
File created	C:\Windows\SysWOW64\wnlukh.exe	wsxithfid.exe
File created	C:\Windows\SysWOW64\wqhuhittt.exe	wfofmml.exe
File opened for modification	C:\Windows\SysWOW64\wmgqciet.exe	wbhauom.exe
File created	C:\Windows\SysWOW64\wwqqn.exe	wenxf.exe
File opened for modification	C:\Windows\SysWOW64\wfvdmbhy.exe	wtsfne.exe
File created	C:\Windows\SysWOW64\wbvqs.exe	wnhltn.exe
File opened for modification	C:\Windows\SysWOW64\wcisg.exe	wjaak.exe
File opened for modification	C:\Windows\SysWOW64\whlsry.exe	wodvgxh.exe
File created	C:\Windows\SysWOW64\wppdxnp.exe	wkvkvik.exe
File opened for modification	C:\Windows\SysWOW64\wcvjkj.exe	wppdxnp.exe
File opened for modification	C:\Windows\SysWOW64\woqvu.exe	wwstq.exe
File created	C:\Windows\SysWOW64\wvuvql.exe	wcs.exe
File opened for modification	C:\Windows\SysWOW64\waikcaq.exe	wkfmk.exe
File opened for modification	C:\Windows\SysWOW64\wscqtcn.exe	waikcaq.exe
File created	C:\Windows\SysWOW64\wqntgvph.exe	wfvdmbhy.exe
File created	C:\Windows\SysWOW64\wvrudfs.exe	waphcio.exe
File created	C:\Windows\SysWOW64\wowesn.exe	wvrbc.exe
File opened for modification	C:\Windows\SysWOW64\wsudwi.exe	wdg.exe
File opened for modification	C:\Windows\SysWOW64\wqhuhittt.exe	wfofmml.exe
File opened for modification	C:\Windows\SysWOW64\wbhauom.exe	wtxqalr.exe
File created	C:\Windows\SysWOW64\wktgvkkv.exe	whlsry.exe
File opened for modification	C:\Windows\SysWOW64\wrmrrs.exe	wfwkrywf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

864 2300 WerFault.exe wkhrer.exe
2408 1136 WerFault.exe waih.exe
3028 3044 WerFault.exe wujlaoa.exe

pid	pid_target	process	target process
864	2300	WerFault.exe	wkhrer.exe
2408	1136	WerFault.exe	waih.exe
3028	3044	WerFault.exe	wujlaoa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exewtnfoisg.exewfwkrywf.exewrmrrs.exewwstq.exewoqvu.exewkhrer.exewecwgtqw.exe

description	pid	process	target process
PID 2208 wrote to memory of 2936	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	wtnfoisg.exe
PID 2208 wrote to memory of 2936	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	wtnfoisg.exe
PID 2208 wrote to memory of 2936	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	wtnfoisg.exe
PID 2208 wrote to memory of 2936	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	wtnfoisg.exe
PID 2208 wrote to memory of 2504	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2504	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2504	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2504	2208	4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe	cmd.exe
PID 2936 wrote to memory of 1916	2936	wtnfoisg.exe	wfwkrywf.exe
PID 2936 wrote to memory of 1916	2936	wtnfoisg.exe	wfwkrywf.exe
PID 2936 wrote to memory of 1916	2936	wtnfoisg.exe	wfwkrywf.exe
PID 2936 wrote to memory of 1916	2936	wtnfoisg.exe	wfwkrywf.exe
PID 2936 wrote to memory of 2472	2936	wtnfoisg.exe	cmd.exe
PID 2936 wrote to memory of 2472	2936	wtnfoisg.exe	cmd.exe
PID 2936 wrote to memory of 2472	2936	wtnfoisg.exe	cmd.exe
PID 2936 wrote to memory of 2472	2936	wtnfoisg.exe	cmd.exe
PID 1916 wrote to memory of 344	1916	wfwkrywf.exe	wrmrrs.exe
PID 1916 wrote to memory of 344	1916	wfwkrywf.exe	wrmrrs.exe
PID 1916 wrote to memory of 344	1916	wfwkrywf.exe	wrmrrs.exe
PID 1916 wrote to memory of 344	1916	wfwkrywf.exe	wrmrrs.exe
PID 1916 wrote to memory of 2756	1916	wfwkrywf.exe	cmd.exe
PID 1916 wrote to memory of 2756	1916	wfwkrywf.exe	cmd.exe
PID 1916 wrote to memory of 2756	1916	wfwkrywf.exe	cmd.exe
PID 1916 wrote to memory of 2756	1916	wfwkrywf.exe	cmd.exe
PID 344 wrote to memory of 896	344	wrmrrs.exe	wwstq.exe
PID 344 wrote to memory of 896	344	wrmrrs.exe	wwstq.exe
PID 344 wrote to memory of 896	344	wrmrrs.exe	wwstq.exe
PID 344 wrote to memory of 896	344	wrmrrs.exe	wwstq.exe
PID 344 wrote to memory of 796	344	wrmrrs.exe	cmd.exe
PID 344 wrote to memory of 796	344	wrmrrs.exe	cmd.exe
PID 344 wrote to memory of 796	344	wrmrrs.exe	cmd.exe
PID 344 wrote to memory of 796	344	wrmrrs.exe	cmd.exe
PID 896 wrote to memory of 920	896	wwstq.exe	woqvu.exe
PID 896 wrote to memory of 920	896	wwstq.exe	woqvu.exe
PID 896 wrote to memory of 920	896	wwstq.exe	woqvu.exe
PID 896 wrote to memory of 920	896	wwstq.exe	woqvu.exe
PID 896 wrote to memory of 1996	896	wwstq.exe	cmd.exe
PID 896 wrote to memory of 1996	896	wwstq.exe	cmd.exe
PID 896 wrote to memory of 1996	896	wwstq.exe	cmd.exe
PID 896 wrote to memory of 1996	896	wwstq.exe	cmd.exe
PID 920 wrote to memory of 2300	920	woqvu.exe	wkhrer.exe
PID 920 wrote to memory of 2300	920	woqvu.exe	wkhrer.exe
PID 920 wrote to memory of 2300	920	woqvu.exe	wkhrer.exe
PID 920 wrote to memory of 2300	920	woqvu.exe	wkhrer.exe
PID 920 wrote to memory of 2948	920	woqvu.exe	cmd.exe
PID 920 wrote to memory of 2948	920	woqvu.exe	cmd.exe
PID 920 wrote to memory of 2948	920	woqvu.exe	cmd.exe
PID 920 wrote to memory of 2948	920	woqvu.exe	cmd.exe
PID 2300 wrote to memory of 3020	2300	wkhrer.exe	wecwgtqw.exe
PID 2300 wrote to memory of 3020	2300	wkhrer.exe	wecwgtqw.exe
PID 2300 wrote to memory of 3020	2300	wkhrer.exe	wecwgtqw.exe
PID 2300 wrote to memory of 3020	2300	wkhrer.exe	wecwgtqw.exe
PID 2300 wrote to memory of 1800	2300	wkhrer.exe	cmd.exe
PID 2300 wrote to memory of 1800	2300	wkhrer.exe	cmd.exe
PID 2300 wrote to memory of 1800	2300	wkhrer.exe	cmd.exe
PID 2300 wrote to memory of 1800	2300	wkhrer.exe	cmd.exe
PID 2300 wrote to memory of 864	2300	wkhrer.exe	WerFault.exe
PID 2300 wrote to memory of 864	2300	wkhrer.exe	WerFault.exe
PID 2300 wrote to memory of 864	2300	wkhrer.exe	WerFault.exe
PID 2300 wrote to memory of 864	2300	wkhrer.exe	WerFault.exe
PID 3020 wrote to memory of 1136	3020	wecwgtqw.exe	waih.exe
PID 3020 wrote to memory of 1136	3020	wecwgtqw.exe	waih.exe
PID 3020 wrote to memory of 1136	3020	wecwgtqw.exe	waih.exe
PID 3020 wrote to memory of 1136	3020	wecwgtqw.exe	waih.exe

C:\Users\Admin\AppData\Local\Temp\4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\wtnfoisg.exe
  "C:\Windows\system32\wtnfoisg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\wfwkrywf.exe
    "C:\Windows\system32\wfwkrywf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\wrmrrs.exe
      "C:\Windows\system32\wrmrrs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Windows\SysWOW64\wwstq.exe
        
        "C:\Windows\system32\wwstq.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\SysWOW64\woqvu.exe
        
        "C:\Windows\system32\woqvu.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\wkhrer.exe
        
        "C:\Windows\system32\wkhrer.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\wecwgtqw.exe
        
        "C:\Windows\system32\wecwgtqw.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\waih.exe
        
        "C:\Windows\system32\waih.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\wxxbimt.exe
        
        "C:\Windows\system32\wxxbimt.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2120
        
        C:\Windows\SysWOW64\wvrbc.exe
        
        "C:\Windows\system32\wvrbc.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\wowesn.exe
        
        "C:\Windows\system32\wowesn.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\wgkvru.exe
        
        "C:\Windows\system32\wgkvru.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2012
        
        C:\Windows\SysWOW64\wsqpl.exe
        
        "C:\Windows\system32\wsqpl.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\wnhltn.exe
        
        "C:\Windows\system32\wnhltn.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\wbvqs.exe
        
        "C:\Windows\system32\wbvqs.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\wfttpn.exe
        
        "C:\Windows\system32\wfttpn.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\wuhbnc.exe
        
        "C:\Windows\system32\wuhbnc.exe"
        18⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\wkfmk.exe
        
        "C:\Windows\system32\wkfmk.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\waikcaq.exe
        
        "C:\Windows\system32\waikcaq.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\wscqtcn.exe
        
        "C:\Windows\system32\wscqtcn.exe"
        21⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\wajape.exe
        
        "C:\Windows\system32\wajape.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\wkmypccn.exe
        
        "C:\Windows\system32\wkmypccn.exe"
        23⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\wcs.exe
        
        "C:\Windows\system32\wcs.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\wvuvql.exe
        
        "C:\Windows\system32\wvuvql.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\wdnpsq.exe
        
        "C:\Windows\system32\wdnpsq.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\wvwiot.exe
        
        "C:\Windows\system32\wvwiot.exe"
        27⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\wqabwxyt.exe
        
        "C:\Windows\system32\wqabwxyt.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\woiqjs.exe
        
        "C:\Windows\system32\woiqjs.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\wjaak.exe
        
        "C:\Windows\system32\wjaak.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wcisg.exe
        
        "C:\Windows\system32\wcisg.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\wrxae.exe
        
        "C:\Windows\system32\wrxae.exe"
        32⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\wmvjsrtn.exe
        
        "C:\Windows\system32\wmvjsrtn.exe"
        33⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\wsbnc.exe
        
        "C:\Windows\system32\wsbnc.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\wysfd.exe
        
        "C:\Windows\system32\wysfd.exe"
        35⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\wkbnxoui.exe
        
        "C:\Windows\system32\wkbnxoui.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\wusdrlerv.exe
        
        "C:\Windows\system32\wusdrlerv.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\wmysb.exe
        
        "C:\Windows\system32\wmysb.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\wrdvjxxoi.exe
        
        "C:\Windows\system32\wrdvjxxoi.exe"
        39⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\wykff.exe
        
        "C:\Windows\system32\wykff.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\wsxithfid.exe
        
        "C:\Windows\system32\wsxithfid.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wnlukh.exe
        
        "C:\Windows\system32\wnlukh.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\wdg.exe
        
        "C:\Windows\system32\wdg.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\wsudwi.exe
        
        "C:\Windows\system32\wsudwi.exe"
        44⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\wudpavdpi.exe
        
        "C:\Windows\system32\wudpavdpi.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\wxvmmif.exe
        
        "C:\Windows\system32\wxvmmif.exe"
        46⤵
        Executes dropped EXE
        
        PID:480
        
        C:\Windows\SysWOW64\wfofmml.exe
        
        "C:\Windows\system32\wfofmml.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\wqhuhittt.exe
        
        "C:\Windows\system32\wqhuhittt.exe"
        48⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\wwbnhmynp.exe
        
        "C:\Windows\system32\wwbnhmynp.exe"
        49⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\wisechiwc.exe
        
        "C:\Windows\system32\wisechiwc.exe"
        50⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\wwvytvgi.exe
        
        "C:\Windows\system32\wwvytvgi.exe"
        51⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\weosualb.exe
        
        "C:\Windows\system32\weosualb.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\wtxqalr.exe
        
        "C:\Windows\system32\wtxqalr.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wbhauom.exe
        
        "C:\Windows\system32\wbhauom.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\wmgqciet.exe
        
        "C:\Windows\system32\wmgqciet.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wodvgxh.exe
        
        "C:\Windows\system32\wodvgxh.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\whlsry.exe
        
        "C:\Windows\system32\whlsry.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\wktgvkkv.exe
        
        "C:\Windows\system32\wktgvkkv.exe"
        58⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\wmymnxwo.exe
        
        "C:\Windows\system32\wmymnxwo.exe"
        59⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\wjbamucf.exe
        
        "C:\Windows\system32\wjbamucf.exe"
        60⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\wyyinsh.exe
        
        "C:\Windows\system32\wyyinsh.exe"
        61⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\wenxf.exe
        
        "C:\Windows\system32\wenxf.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\wwqqn.exe
        
        "C:\Windows\system32\wwqqn.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\wtsfne.exe
        
        "C:\Windows\system32\wtsfne.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\wfvdmbhy.exe
        
        "C:\Windows\system32\wfvdmbhy.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\wqntgvph.exe
        
        "C:\Windows\system32\wqntgvph.exe"
        66⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\whwqlhvf.exe
        
        "C:\Windows\system32\whwqlhvf.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\wkvkvik.exe
        
        "C:\Windows\system32\wkvkvik.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wppdxnp.exe
        
        "C:\Windows\system32\wppdxnp.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\wcvjkj.exe
        
        "C:\Windows\system32\wcvjkj.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\wujlaoa.exe
        
        "C:\Windows\system32\wujlaoa.exe"
        71⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wfuxfmc.exe
        
        "C:\Windows\system32\wfuxfmc.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\wpyxf.exe
        
        "C:\Windows\system32\wpyxf.exe"
        73⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\wsgljul.exe
        
        "C:\Windows\system32\wsgljul.exe"
        74⤵
        
        PID:936
        
        C:\Windows\SysWOW64\wipjngr.exe
        
        "C:\Windows\system32\wipjngr.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\wqxrik.exe
        
        "C:\Windows\system32\wqxrik.exe"
        76⤵
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\wlxmp.exe
        
        "C:\Windows\system32\wlxmp.exe"
        77⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\wfyfw.exe
        
        "C:\Windows\system32\wfyfw.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\wdbsw.exe
        
        "C:\Windows\system32\wdbsw.exe"
        79⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\wwdlf.exe
        
        "C:\Windows\system32\wwdlf.exe"
        80⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\waphcio.exe
        
        "C:\Windows\system32\waphcio.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\wvrudfs.exe
        
        "C:\Windows\system32\wvrudfs.exe"
        82⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\wutjccwge.exe
        
        "C:\Windows\system32\wutjccwge.exe"
        83⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\wjvftp.exe
        
        "C:\Windows\system32\wjvftp.exe"
        84⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutjccwge.exe"
        84⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrudfs.exe"
        83⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waphcio.exe"
        82⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdlf.exe"
        81⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdbsw.exe"
        80⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyfw.exe"
        79⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxmp.exe"
        78⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxrik.exe"
        77⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipjngr.exe"
        76⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgljul.exe"
        75⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyxf.exe"
        74⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuxfmc.exe"
        73⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujlaoa.exe"
        72⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 836
        72⤵
        Program crash
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvjkj.exe"
        71⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppdxnp.exe"
        70⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvkvik.exe"
        69⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwqlhvf.exe"
        68⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqntgvph.exe"
        67⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvdmbhy.exe"
        66⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsfne.exe"
        65⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqqn.exe"
        64⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenxf.exe"
        63⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyyinsh.exe"
        62⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjbamucf.exe"
        61⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmymnxwo.exe"
        60⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktgvkkv.exe"
        59⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whlsry.exe"
        58⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wodvgxh.exe"
        57⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgqciet.exe"
        56⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhauom.exe"
        55⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxqalr.exe"
        54⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weosualb.exe"
        53⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvytvgi.exe"
        52⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisechiwc.exe"
        51⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbnhmynp.exe"
        50⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqhuhittt.exe"
        49⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfofmml.exe"
        48⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxvmmif.exe"
        47⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudpavdpi.exe"
        46⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsudwi.exe"
        45⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdg.exe"
        44⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlukh.exe"
        43⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxithfid.exe"
        42⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykff.exe"
        41⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrdvjxxoi.exe"
        40⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmysb.exe"
        39⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusdrlerv.exe"
        38⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbnxoui.exe"
        37⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysfd.exe"
        36⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbnc.exe"
        35⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvjsrtn.exe"
        34⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxae.exe"
        33⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcisg.exe"
        32⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjaak.exe"
        31⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woiqjs.exe"
        30⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqabwxyt.exe"
        29⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwiot.exe"
        28⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnpsq.exe"
        27⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvuvql.exe"
        26⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcs.exe"
        25⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmypccn.exe"
        24⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajape.exe"
        23⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscqtcn.exe"
        22⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waikcaq.exe"
        21⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfmk.exe"
        20⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhbnc.exe"
        19⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfttpn.exe"
        18⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvqs.exe"
        17⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhltn.exe"
        16⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqpl.exe"
        15⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkvru.exe"
        14⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowesn.exe"
        13⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrbc.exe"
        12⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxbimt.exe"
        11⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waih.exe"
        10⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 804
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wecwgtqw.exe"
        9⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhrer.exe"
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 808
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqvu.exe"
        7⤵
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwstq.exe"
        6⤵
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmrrs.exe"
        5⤵
        
        PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwkrywf.exe"
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnfoisg.exe"
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\4d3a867c1ce25b918dc4fa45136a2b40_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KQGGP3A6.txt

Filesize
98B

MD5
6534e8270a1762d47b9f5423b15ab626

SHA1
08b354f3ba2b70f6b28f5fa9b3e4e5284938b615

SHA256
c6612589e7b562c116b5ebbee887e96979d94afd582b92f415b3d5b68735afc0

SHA512
5d3511a5d35a0f6835fc8a7dc59afb9ad7c9b4bac61907d64ec571f9c646c8eb3886fe5c68fd906d6ea2e762b5e7c23067c5afd236baad6ef4634c16fb49fc19

Download Submit
\Windows\SysWOW64\waih.exe

Filesize
316KB

MD5
b4c2760bc129dd75ba240ae125f18a68

SHA1
88637a8539cd8d25235d24f4a877ade5a3529aee

SHA256
764c340f5de18a3a35f988cd20e6466b40ee00f0521183374bedbd94fbbad291

SHA512
52f0aa560198b33f21a771f33c8816c8bb5c0b5fc95e877418f8aaded058d810bb87216c745db6893217b614afc92a7c7a3670971bcc6b26f579ff5fc28451cb

Download Submit
\Windows\SysWOW64\wecwgtqw.exe

Filesize
316KB

MD5
d8fb06b1650785b5149c51e3bbd678f0

SHA1
f58c05f459d76d1dd493f0ebe16403aac4e8cff8

SHA256
ab032e3352beb48263c313ce7b32b14dd2d2d266c3cafe28dd4409faf283c7e1

SHA512
98b489dffcf5b0211049a3b32669d16a6c77f3277b707decd023c130d5f5b92cab9cccf85cdd45919c8caebca42eb621db490327fe772ed856a4a34acfc8ed19

Download Submit
\Windows\SysWOW64\wfwkrywf.exe

Filesize
316KB

MD5
468e61e2e1e1cbba4bc7a3f53549f956

SHA1
967582b46f1ef17de19687c267bbbd4cb2da2401

SHA256
4e24d8289a843156bdb3c54e04a0d4dec01d5097d30582d721e7033b68859771

SHA512
e220bc8ae1d384483a5f6caa3556255aa087ae6d953d547653c044c5aefd2f0d2595388b29ede8e8c77fcd5b7f828e696a85fd3a037314836d489de2c63995c8

Download Submit
\Windows\SysWOW64\wkhrer.exe

Filesize
316KB

MD5
2aba0a0e128101ff13149d0de902d851

SHA1
9740073b30432faecc885fca0e53de0c1d6d632c

SHA256
834e62a864835c854c958e6f61085595e8742cb553666637843849d4f55e8742

SHA512
3e15a0cafa5fe218a6e62f8e980ee38957a45909c9f1eab18b64231a9dcc664348a2045691fd1f58e4a29f72c7087b906661f00d83d8b25e3252e44138387715

Download Submit
\Windows\SysWOW64\woqvu.exe

Filesize
316KB

MD5
6f861cdf20860f8f5a4d0e3cfc336663

SHA1
8cab19a7243385bb5cd0795724b1715266834d79

SHA256
02426e878936ead5039cceee784d1947f6d06262fcee5d7348aab88ea9a04987

SHA512
5398d8e6f38104225e2f6aade8d399494908fcd464cfe4452ed7d6a6336f78c86ec595ffc76f8bfad0a9532cb9267771af653e63303c2a08e9caa40ec0f5c614

Download Submit
\Windows\SysWOW64\wrmrrs.exe

Filesize
316KB

MD5
2746a6cfb4625ddcf58a1b0fd9f3eee8

SHA1
4b48fc3660836c5e42f6933a7a0862e123b65a60

SHA256
89b8f21cecc557e3d072dbdd574b4958ab414d4ecdfbbc57723bd714f580d2bb

SHA512
95ed46425445aba52a6ff6d13a45cbe3c206c1f2570dbfc5e2e48ee69a33db2ecac27e5f36d8a21e14d168342c0479346cf951ed86cce46ef0597e46e7754fef

Download Submit
\Windows\SysWOW64\wtnfoisg.exe

Filesize
316KB

MD5
9a6fc1059994a29d778e41f495500062

SHA1
42369d7782c21be2e34e364e2933e582dc231577

SHA256
1b5bcfa80f3ea07a2721961b3a2f6cbade5c33c32d60ed59ffc8d9743febdb13

SHA512
c35f29f5a9b4c10c49b241609c2042b3f756cd7d30052ff2fcc9f7449b6db6536a8ab2172409b012fddc286830b18fd6858b27cb0392d4e0090d076ace77748c

Download Submit
\Windows\SysWOW64\wvrbc.exe

Filesize
316KB

MD5
b13f7f566303754de5d2d4be08c8ad4a

SHA1
293c0ad775e52cc0d4a3223160154e28e6278d87

SHA256
ab07ea55060ca0f3fda3d1f6e2698c6b77fa010f46bbe253bd773e979c09ee92

SHA512
7d35a8a6ba93975cff0a880c6d2d43a96c77f9300ec2fb6dd9993243f9cb9e508c33144843e9bb6f080b7d13bae6eb134bbf2c339fa56e85d0fbe34dcfafbd73

Download Submit
\Windows\SysWOW64\wwstq.exe

Filesize
316KB

MD5
b7b080e273fa55e70f303c48fc955777

SHA1
1cbcbae4f42564fa23b29be71422b827f73c5f49

SHA256
002881c3d81c145f4013d2e73aa31e3ed3f32e1b2ff2b567df2f8aeb0b4080fe

SHA512
8cd87f811fa8ff96e9e54fe8df57a592220421f170c2502e04e7ce52b3354b83ae80a8528f92120bb11e35296e1201552a4485809184b8445f74496efce7906b

Download Submit
\Windows\SysWOW64\wxxbimt.exe

Filesize
316KB

MD5
bd801ca573eeb25ccdec6af308e5d3b2

SHA1
3512354a549a44ecfd179fea9bb15a09f6aed818

SHA256
92b3e8030ab2dbf743688ecd61c3327736805d4b4c77f3c7568cb782082c62c2

SHA512
b5a8100433ff5f33ce61b2f918ff62b37eefb622cd67a9ae4a6d32174c5af87cf1a14604c12e90809c6bf26729e78ea93c2ae254f74b6bc97208eda78fd1933c

Download Submit
memory/344-80-0x00000000036C0000-0x00000000036DE000-memory.dmp

Filesize
120KB

Download
memory/344-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/344-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/744-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/744-252-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/744-265-0x0000000003C80000-0x0000000003C9E000-memory.dmp

Filesize
120KB

Download
memory/876-327-0x0000000003BB0000-0x0000000003BCE000-memory.dmp

Filesize
120KB

Download
memory/876-315-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/876-329-0x0000000003BC0000-0x0000000003BDE000-memory.dmp

Filesize
120KB

Download
memory/876-328-0x0000000003BC0000-0x0000000003BDE000-memory.dmp

Filesize
120KB

Download
memory/876-330-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/896-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/896-94-0x0000000003AB0000-0x0000000003ACE000-memory.dmp

Filesize
120KB

Download
memory/896-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/920-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/920-120-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/920-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/932-396-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/932-380-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/932-393-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/932-395-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/932-394-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/944-237-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/944-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/944-236-0x0000000003C80000-0x0000000003C9E000-memory.dmp

Filesize
120KB

Download
memory/944-231-0x0000000003C80000-0x0000000003C9E000-memory.dmp

Filesize
120KB

Download
memory/1136-182-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/1136-181-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/1500-360-0x0000000003260000-0x000000000327E000-memory.dmp

Filesize
120KB

Download
memory/1500-348-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-362-0x0000000003270000-0x000000000328E000-memory.dmp

Filesize
120KB

Download
memory/1500-361-0x0000000003260000-0x000000000327E000-memory.dmp

Filesize
120KB

Download
memory/1500-364-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-363-0x0000000003270000-0x000000000328E000-memory.dmp

Filesize
120KB

Download
memory/1804-340-0x0000000003170000-0x000000000318E000-memory.dmp

Filesize
120KB

Download
memory/1804-347-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1804-331-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1804-346-0x0000000003180000-0x000000000319E000-memory.dmp

Filesize
120KB

Download
memory/1804-344-0x0000000003170000-0x000000000318E000-memory.dmp

Filesize
120KB

Download
memory/1804-345-0x0000000003180000-0x000000000319E000-memory.dmp

Filesize
120KB

Download
memory/1812-412-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1812-424-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/1916-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1952-379-0x00000000031E0000-0x00000000031FE000-memory.dmp

Filesize
120KB

Download
memory/1952-376-0x00000000031E0000-0x00000000031FE000-memory.dmp

Filesize
120KB

Download
memory/1952-377-0x00000000031E0000-0x00000000031FE000-memory.dmp

Filesize
120KB

Download
memory/1952-378-0x00000000031E0000-0x00000000031FE000-memory.dmp

Filesize
120KB

Download
memory/1952-381-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-251-0x0000000003870000-0x000000000388E000-memory.dmp

Filesize
120KB

Download
memory/2012-253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-238-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-250-0x0000000003860000-0x000000000387E000-memory.dmp

Filesize
120KB

Download
memory/2120-204-0x0000000003B30000-0x0000000003B4E000-memory.dmp

Filesize
120KB

Download
memory/2120-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2120-200-0x0000000003B20000-0x0000000003B3E000-memory.dmp

Filesize
120KB

Download
memory/2120-184-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-11-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2208-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-18-0x0000000003D70000-0x0000000003D8E000-memory.dmp

Filesize
120KB

Download
memory/2208-19-0x0000000003D70000-0x0000000003D8E000-memory.dmp

Filesize
120KB

Download
memory/2212-298-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-310-0x0000000003AB0000-0x0000000003ACE000-memory.dmp

Filesize
120KB

Download
memory/2212-311-0x0000000003AB0000-0x0000000003ACE000-memory.dmp

Filesize
120KB

Download
memory/2212-312-0x0000000003AC0000-0x0000000003ADE000-memory.dmp

Filesize
120KB

Download
memory/2212-314-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-313-0x0000000003AC0000-0x0000000003ADE000-memory.dmp

Filesize
120KB

Download
memory/2284-397-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2284-410-0x0000000003870000-0x000000000388E000-memory.dmp

Filesize
120KB

Download
memory/2284-409-0x0000000003260000-0x000000000327E000-memory.dmp

Filesize
120KB

Download
memory/2284-411-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2296-296-0x00000000039F0000-0x0000000003A0E000-memory.dmp

Filesize
120KB

Download
memory/2296-295-0x00000000039E0000-0x00000000039FE000-memory.dmp

Filesize
120KB

Download
memory/2296-297-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2296-282-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2300-141-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2300-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2300-133-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2468-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2468-278-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2468-279-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2468-280-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2468-281-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2936-45-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2936-42-0x00000000032A0000-0x00000000032BE000-memory.dmp

Filesize
120KB

Download
memory/2936-40-0x0000000003290000-0x00000000032AE000-memory.dmp

Filesize
120KB

Download
memory/2936-39-0x0000000003290000-0x00000000032AE000-memory.dmp

Filesize
120KB

Download
memory/2944-220-0x0000000003D70000-0x0000000003D8E000-memory.dmp

Filesize
120KB

Download
memory/2944-221-0x0000000003D70000-0x0000000003D8E000-memory.dmp

Filesize
120KB

Download
memory/2944-215-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/2944-216-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/2944-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2944-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-164-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download