f8bf94a22db072f7b35db50dc58b6b00a8c76934f09f638cde1d583330b5ec92

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 05:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
Size

93KB
MD5

7cef84bc078b5eaeaff9185b9a95a1c0
SHA1

3d8d17237bf0eb0db0ef9fd107080d68f63dce69
SHA256

f8bf94a22db072f7b35db50dc58b6b00a8c76934f09f638cde1d583330b5ec92
SHA512

3f8d18ae68b6b0c1616a1a8b4ed7dfe2b3bbacbb70d0d14ddb2ecf07f38dc4ee20a7ce5d5457e39291ec3d6ca35bd9e6b41ecadaecb98c6994b7ccca17c76437
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCiv:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQCm

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	wwnv.exe
2772	wbnup.exe
1528	wyojo.exe
1372	weba.exe
2024	wpwxq.exe
1524	wdn.exe
972	wxfmf.exe
568	wlb.exe
1908	wuxe.exe
2504	wbjulf.exe
1008	welf.exe
2408	wkhhwakm.exe
2328	wljrpp.exe
1824	wbtcmex.exe
1284	wgqdhm.exe
1220	wvcl.exe
872	wjwghq.exe
2108	wxsblhp.exe
2824	wetgu.exe
108	wtpb.exe
1144	whmvctgwa.exe
1032	wkm.exe
2124	wcthvpr.exe
1420	wbjlolm.exe
2060	wplgg.exe
1676	waifsxvjn.exe
1596	wkusyw.exe
1964	wyqmdmml.exe
2996	wslcxs.exe
1504	wxwtma.exe
2016	wqskiive.exe
3012	wkdpvn.exe
1736	wxxk.exe
1244	wijw.exe
572	wbpxikyo.exe
2596	wolrla.exe
2784	wwmy.exe
908	wfjxgelxj.exe
2544	wqtkndmxd.exe
1544	wtv.exe
2476	wdcuty.exe
1884	wttqvkpj.exe
2196	wegfcirg.exe
2060	wsqny.exe
2192	wacf.exe
1596	wnjjxu.exe
2612	wuvcnc.exe
1944	womip.exe
2236	wvucbjcl.exe
1176	wdgupqyu.exe
976	wirlfvv.exe
1312	wdudmc.exe
1836	wngrty.exe
2692	wjifrw.exe
608	whnclvjq.exe
1236	wonjtb.exe
2900	whqcdh.exe
484	wlyyxspq.exe
1828	weub.exe
896	wmryydsok.exe
1240	wgtrghtpj.exe
2064	wrffnfuog.exe
1912	wgaxquk.exe
1256	wbrhs.exe

Loads dropped DLL 64 IoCs

pid	Process
1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
2924	wwnv.exe
2924	wwnv.exe
2924	wwnv.exe
2924	wwnv.exe
2924	wwnv.exe
2772	wbnup.exe
2772	wbnup.exe
2772	wbnup.exe
2772	wbnup.exe
2772	wbnup.exe
1528	wyojo.exe
1528	wyojo.exe
1528	wyojo.exe
1528	wyojo.exe
1528	wyojo.exe
1372	weba.exe
1372	weba.exe
1372	weba.exe
1372	weba.exe
1372	weba.exe
2024	wpwxq.exe
2024	wpwxq.exe
2024	wpwxq.exe
2024	wpwxq.exe
2024	wpwxq.exe
1524	wdn.exe
1524	wdn.exe
1524	wdn.exe
1524	wdn.exe
1524	wdn.exe
972	wxfmf.exe
972	wxfmf.exe
972	wxfmf.exe
972	wxfmf.exe
972	wxfmf.exe
568	wlb.exe
568	wlb.exe
568	wlb.exe
568	wlb.exe
568	wlb.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
1908	wuxe.exe
1908	wuxe.exe
1908	wuxe.exe
1908	wuxe.exe
1908	wuxe.exe
2504	wbjulf.exe
2504	wbjulf.exe
2504	wbjulf.exe
2504	wbjulf.exe
2504	wbjulf.exe
1008	welf.exe
1008	welf.exe
1008	welf.exe
1008	welf.exe
1008	welf.exe
2408	wkhhwakm.exe
2408	wkhhwakm.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbpxikyo = "\"C:\\Windows\\SysWOW64\\wbpxikyo.exe\""	wbpxikyo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjiyph = "\"C:\\Windows\\SysWOW64\\wjiyph.exe\""	wjiyph.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wegfcirg = "\"C:\\Windows\\SysWOW64\\wegfcirg.exe\""	wegfcirg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgxbojgi = "\"C:\\Windows\\SysWOW64\\wgxbojgi.exe\""	wgxbojgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\weakx = "\"C:\\Windows\\SysWOW64\\weakx.exe\""	weakx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wijw = "\"C:\\Windows\\SysWOW64\\wijw.exe\""	wijw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjifrw = "\"C:\\Windows\\SysWOW64\\wjifrw.exe\""	wjifrw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxsblhp = "\"C:\\Windows\\SysWOW64\\wxsblhp.exe\""	wxsblhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wplgg = "\"C:\\Windows\\SysWOW64\\wplgg.exe\""	wplgg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbrhs = "\"C:\\Windows\\SysWOW64\\wbrhs.exe\""	wbrhs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkafimt = "\"C:\\Windows\\SysWOW64\\wkafimt.exe\""	wkafimt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\weba = "\"C:\\Windows\\SysWOW64\\weba.exe\""	weba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxfmf = "\"C:\\Windows\\SysWOW64\\wxfmf.exe\""	wxfmf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlb = "\"C:\\Windows\\SysWOW64\\wlb.exe\""	wlb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlcydngjd = "\"C:\\Windows\\SysWOW64\\wlcydngjd.exe\""	wlcydngjd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsksue = "\"C:\\Windows\\SysWOW64\\wsksue.exe\""	wsksue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjwghq = "\"C:\\Windows\\SysWOW64\\wjwghq.exe\""	wjwghq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkdpvn = "\"C:\\Windows\\SysWOW64\\wkdpvn.exe\""	wkdpvn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wonjtb = "\"C:\\Windows\\SysWOW64\\wonjtb.exe\""	wonjtb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnqav = "\"C:\\Windows\\SysWOW64\\wnqav.exe\""	wnqav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdudmc = "\"C:\\Windows\\SysWOW64\\wdudmc.exe\""	wdudmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfvqxvyc = "\"C:\\Windows\\SysWOW64\\wfvqxvyc.exe\""	wfvqxvyc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlcjuf = "\"C:\\Windows\\SysWOW64\\wlcjuf.exe\""	wlcjuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqskiive = "\"C:\\Windows\\SysWOW64\\wqskiive.exe\""	wqskiive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnefdk = "\"C:\\Windows\\SysWOW64\\wnefdk.exe\""	wnefdk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiwupmje = "\"C:\\Windows\\SysWOW64\\wiwupmje.exe\""	wiwupmje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpwxq = "\"C:\\Windows\\SysWOW64\\wpwxq.exe\""	wpwxq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkhhwakm = "\"C:\\Windows\\SysWOW64\\wkhhwakm.exe\""	wkhhwakm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyqmdmml = "\"C:\\Windows\\SysWOW64\\wyqmdmml.exe\""	wyqmdmml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\waifsxvjn = "\"C:\\Windows\\SysWOW64\\waifsxvjn.exe\""	waifsxvjn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnjjxu = "\"C:\\Windows\\SysWOW64\\wnjjxu.exe\""	wnjjxu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsvjsvc = "\"C:\\Windows\\SysWOW64\\wsvjsvc.exe\""	wsvjsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdrqwl = "\"C:\\Windows\\SysWOW64\\wdrqwl.exe\""	wdrqwl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpeptxwo = "\"C:\\Windows\\SysWOW64\\wpeptxwo.exe\""	wpeptxwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wovham = "\"C:\\Windows\\SysWOW64\\wovham.exe\""	wovham.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtpb = "\"C:\\Windows\\SysWOW64\\wtpb.exe\""	wtpb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbjlolm = "\"C:\\Windows\\SysWOW64\\wbjlolm.exe\""	wbjlolm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdcuty = "\"C:\\Windows\\SysWOW64\\wdcuty.exe\""	wdcuty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wetgu = "\"C:\\Windows\\SysWOW64\\wetgu.exe\""	wetgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wolrla = "\"C:\\Windows\\SysWOW64\\wolrla.exe\""	wolrla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\weub = "\"C:\\Windows\\SysWOW64\\weub.exe\""	weub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wekkmxxk = "\"C:\\Windows\\SysWOW64\\wekkmxxk.exe\""	wekkmxxk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkusyw = "\"C:\\Windows\\SysWOW64\\wkusyw.exe\""	wkusyw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuvcnc = "\"C:\\Windows\\SysWOW64\\wuvcnc.exe\""	wuvcnc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\woaleqbt = "\"C:\\Windows\\SysWOW64\\woaleqbt.exe\""	woaleqbt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxwtma = "\"C:\\Windows\\SysWOW64\\wxwtma.exe\""	wxwtma.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wacf = "\"C:\\Windows\\SysWOW64\\wacf.exe\""	wacf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgaxquk = "\"C:\\Windows\\SysWOW64\\wgaxquk.exe\""	wgaxquk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvmwbb = "\"C:\\Windows\\SysWOW64\\wvmwbb.exe\""	wvmwbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxijse = "\"C:\\Windows\\SysWOW64\\wxijse.exe\""	wxijse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbjulf = "\"C:\\Windows\\SysWOW64\\wbjulf.exe\""	wbjulf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wljrpp = "\"C:\\Windows\\SysWOW64\\wljrpp.exe\""	wljrpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcthvpr = "\"C:\\Windows\\SysWOW64\\wcthvpr.exe\""	wcthvpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbtcmex = "\"C:\\Windows\\SysWOW64\\wbtcmex.exe\""	wbtcmex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsqny = "\"C:\\Windows\\SysWOW64\\wsqny.exe\""	wsqny.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlyrhpo = "\"C:\\Windows\\SysWOW64\\wlyrhpo.exe\""	wlyrhpo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkm = "\"C:\\Windows\\SysWOW64\\wkm.exe\""	wkm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wysglkuf = "\"C:\\Windows\\SysWOW64\\wysglkuf.exe\""	wysglkuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxxk = "\"C:\\Windows\\SysWOW64\\wxxk.exe\""	wxxk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe\""	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyojo = "\"C:\\Windows\\SysWOW64\\wyojo.exe\""	wyojo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wslcxs = "\"C:\\Windows\\SysWOW64\\wslcxs.exe\""	wslcxs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwmy = "\"C:\\Windows\\SysWOW64\\wwmy.exe\""	wwmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfjxgelxj = "\"C:\\Windows\\SysWOW64\\wfjxgelxj.exe\""	wfjxgelxj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wttqvkpj.exe	wdcuty.exe
File opened for modification	C:\Windows\SysWOW64\wgxbojgi.exe	wfvqxvyc.exe
File created	C:\Windows\SysWOW64\womip.exe	wuvcnc.exe
File opened for modification	C:\Windows\SysWOW64\wekkmxxk.exe	wxnhrqpl.exe
File created	C:\Windows\SysWOW64\wchphcd.exe	wsksue.exe
File opened for modification	C:\Windows\SysWOW64\wgqdhm.exe	wbtcmex.exe
File opened for modification	C:\Windows\SysWOW64\wtpb.exe	wetgu.exe
File created	C:\Windows\SysWOW64\wfjxgelxj.exe	wwmy.exe
File opened for modification	C:\Windows\SysWOW64\wchphcd.exe	wsksue.exe
File created	C:\Windows\SysWOW64\wfppspv.exe	wysnvh.exe
File opened for modification	C:\Windows\SysWOW64\wijw.exe	wxxk.exe
File opened for modification	C:\Windows\SysWOW64\wvmwbb.exe	wlcjuf.exe
File created	C:\Windows\SysWOW64\wiswxc.exe	wxijse.exe
File opened for modification	C:\Windows\SysWOW64\wetgu.exe	wxsblhp.exe
File created	C:\Windows\SysWOW64\wuvcnc.exe	wnjjxu.exe
File opened for modification	C:\Windows\SysWOW64\wjifrw.exe	wngrty.exe
File opened for modification	C:\Windows\SysWOW64\wqkrvgj.exe	wwertwf.exe
File created	C:\Windows\SysWOW64\wlicy.exe	wjetqiv.exe
File opened for modification	C:\Windows\SysWOW64\wplgg.exe	wbjlolm.exe
File opened for modification	C:\Windows\SysWOW64\wonjtb.exe	whnclvjq.exe
File created	C:\Windows\SysWOW64\wmryydsok.exe	weub.exe
File created	C:\Windows\SysWOW64\wlyrhpo.exe	wnqav.exe
File opened for modification	C:\Windows\SysWOW64\wuvcnc.exe	wnjjxu.exe
File created	C:\Windows\SysWOW64\wnqav.exe	wmpp.exe
File opened for modification	C:\Windows\SysWOW64\wtv.exe	wqtkndmxd.exe
File opened for modification	C:\Windows\SysWOW64\woaleqbt.exe	wbrhs.exe
File opened for modification	C:\Windows\SysWOW64\wkhhwakm.exe	welf.exe
File created	C:\Windows\SysWOW64\wyqmdmml.exe	wkusyw.exe
File opened for modification	C:\Windows\SysWOW64\wxwtma.exe	wslcxs.exe
File created	C:\Windows\SysWOW64\wqtkndmxd.exe	wfjxgelxj.exe
File created	C:\Windows\SysWOW64\wtv.exe	wqtkndmxd.exe
File opened for modification	C:\Windows\SysWOW64\wovham.exe	wnuxhwbln.exe
File opened for modification	C:\Windows\SysWOW64\wyojo.exe	wbnup.exe
File created	C:\Windows\SysWOW64\wvcl.exe	wgqdhm.exe
File created	C:\Windows\SysWOW64\wxsblhp.exe	wjwghq.exe
File created	C:\Windows\SysWOW64\wvmwbb.exe	wlcjuf.exe
File created	C:\Windows\SysWOW64\wnefdk.exe	wdrqwl.exe
File opened for modification	C:\Windows\SysWOW64\wpeptxwo.exe	wnefdk.exe
File created	C:\Windows\SysWOW64\wjiyph.exe	wchphcd.exe
File created	C:\Windows\SysWOW64\wbnup.exe	wwnv.exe
File created	C:\Windows\SysWOW64\wgqdhm.exe	wbtcmex.exe
File opened for modification	C:\Windows\SysWOW64\wyqmdmml.exe	wkusyw.exe
File created	C:\Windows\SysWOW64\wegfcirg.exe	wttqvkpj.exe
File created	C:\Windows\SysWOW64\wacf.exe	wsqny.exe
File created	C:\Windows\SysWOW64\wbjulf.exe	wuxe.exe
File created	C:\Windows\SysWOW64\wnuxhwbln.exe	wqkrvgj.exe
File created	C:\Windows\SysWOW64\wysnvh.exe	wlicy.exe
File created	C:\Windows\SysWOW64\wgxkojnu.exe	wiwupmje.exe
File created	C:\Windows\SysWOW64\wxfmf.exe	wdn.exe
File created	C:\Windows\SysWOW64\wuxe.exe	wlb.exe
File opened for modification	C:\Windows\SysWOW64\whmvctgwa.exe	wtpb.exe
File created	C:\Windows\SysWOW64\wkusyw.exe	waifsxvjn.exe
File opened for modification	C:\Windows\SysWOW64\wkdpvn.exe	wqskiive.exe
File opened for modification	C:\Windows\SysWOW64\wqskiive.exe	wxwtma.exe
File opened for modification	C:\Windows\SysWOW64\wwmy.exe	wolrla.exe
File created	C:\Windows\SysWOW64\wwertwf.exe	wjiyph.exe
File opened for modification	C:\Windows\SysWOW64\welf.exe	wbjulf.exe
File opened for modification	C:\Windows\SysWOW64\wxxk.exe	wkdpvn.exe
File opened for modification	C:\Windows\SysWOW64\wngrty.exe	wdudmc.exe
File created	C:\Windows\SysWOW64\wbtcmex.exe	wljrpp.exe
File created	C:\Windows\SysWOW64\wbjlolm.exe	wcthvpr.exe
File opened for modification	C:\Windows\SysWOW64\wsvjsvc.exe	wriou.exe
File opened for modification	C:\Windows\SysWOW64\wwertwf.exe	wjiyph.exe
File created	C:\Windows\SysWOW64\wplgg.exe	wbjlolm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2644	568	WerFault.exe	50
1816	1176	WerFault.exe	180
2520	2412	WerFault.exe	332
1412	980	WerFault.exe	335

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2924	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 2924	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 2924	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 2924	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 2708	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	29
PID 1920 wrote to memory of 2708	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	29
PID 1920 wrote to memory of 2708	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	29
PID 1920 wrote to memory of 2708	1920	7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2772	2924	wwnv.exe	31
PID 2924 wrote to memory of 2772	2924	wwnv.exe	31
PID 2924 wrote to memory of 2772	2924	wwnv.exe	31
PID 2924 wrote to memory of 2772	2924	wwnv.exe	31
PID 2924 wrote to memory of 2484	2924	wwnv.exe	32
PID 2924 wrote to memory of 2484	2924	wwnv.exe	32
PID 2924 wrote to memory of 2484	2924	wwnv.exe	32
PID 2924 wrote to memory of 2484	2924	wwnv.exe	32
PID 2772 wrote to memory of 1528	2772	wbnup.exe	34
PID 2772 wrote to memory of 1528	2772	wbnup.exe	34
PID 2772 wrote to memory of 1528	2772	wbnup.exe	34
PID 2772 wrote to memory of 1528	2772	wbnup.exe	34
PID 2772 wrote to memory of 1532	2772	wbnup.exe	35
PID 2772 wrote to memory of 1532	2772	wbnup.exe	35
PID 2772 wrote to memory of 1532	2772	wbnup.exe	35
PID 2772 wrote to memory of 1532	2772	wbnup.exe	35
PID 1528 wrote to memory of 1372	1528	wyojo.exe	37
PID 1528 wrote to memory of 1372	1528	wyojo.exe	37
PID 1528 wrote to memory of 1372	1528	wyojo.exe	37
PID 1528 wrote to memory of 1372	1528	wyojo.exe	37
PID 1528 wrote to memory of 1356	1528	wyojo.exe	38
PID 1528 wrote to memory of 1356	1528	wyojo.exe	38
PID 1528 wrote to memory of 1356	1528	wyojo.exe	38
PID 1528 wrote to memory of 1356	1528	wyojo.exe	38
PID 1372 wrote to memory of 2024	1372	weba.exe	41
PID 1372 wrote to memory of 2024	1372	weba.exe	41
PID 1372 wrote to memory of 2024	1372	weba.exe	41
PID 1372 wrote to memory of 2024	1372	weba.exe	41
PID 1372 wrote to memory of 1668	1372	weba.exe	42
PID 1372 wrote to memory of 1668	1372	weba.exe	42
PID 1372 wrote to memory of 1668	1372	weba.exe	42
PID 1372 wrote to memory of 1668	1372	weba.exe	42
PID 2024 wrote to memory of 1524	2024	wpwxq.exe	44
PID 2024 wrote to memory of 1524	2024	wpwxq.exe	44
PID 2024 wrote to memory of 1524	2024	wpwxq.exe	44
PID 2024 wrote to memory of 1524	2024	wpwxq.exe	44
PID 2024 wrote to memory of 2472	2024	wpwxq.exe	45
PID 2024 wrote to memory of 2472	2024	wpwxq.exe	45
PID 2024 wrote to memory of 2472	2024	wpwxq.exe	45
PID 2024 wrote to memory of 2472	2024	wpwxq.exe	45
PID 1524 wrote to memory of 972	1524	wdn.exe	47
PID 1524 wrote to memory of 972	1524	wdn.exe	47
PID 1524 wrote to memory of 972	1524	wdn.exe	47
PID 1524 wrote to memory of 972	1524	wdn.exe	47
PID 1524 wrote to memory of 644	1524	wdn.exe	48
PID 1524 wrote to memory of 644	1524	wdn.exe	48
PID 1524 wrote to memory of 644	1524	wdn.exe	48
PID 1524 wrote to memory of 644	1524	wdn.exe	48
PID 972 wrote to memory of 568	972	wxfmf.exe	50
PID 972 wrote to memory of 568	972	wxfmf.exe	50
PID 972 wrote to memory of 568	972	wxfmf.exe	50
PID 972 wrote to memory of 568	972	wxfmf.exe	50
PID 972 wrote to memory of 2068	972	wxfmf.exe	51
PID 972 wrote to memory of 2068	972	wxfmf.exe	51
PID 972 wrote to memory of 2068	972	wxfmf.exe	51
PID 972 wrote to memory of 2068	972	wxfmf.exe	51

C:\Users\Admin\AppData\Local\Temp\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\wwnv.exe
  "C:\Windows\system32\wwnv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\wbnup.exe
    "C:\Windows\system32\wbnup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\wyojo.exe
      "C:\Windows\system32\wyojo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\weba.exe
        
        "C:\Windows\system32\weba.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\SysWOW64\wpwxq.exe
        
        "C:\Windows\system32\wpwxq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\wdn.exe
        
        "C:\Windows\system32\wdn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\wxfmf.exe
        
        "C:\Windows\system32\wxfmf.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\wlb.exe
        
        "C:\Windows\system32\wlb.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\wuxe.exe
        
        "C:\Windows\system32\wuxe.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\wbjulf.exe
        
        "C:\Windows\system32\wbjulf.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\welf.exe
        
        "C:\Windows\system32\welf.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\wkhhwakm.exe
        
        "C:\Windows\system32\wkhhwakm.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2408
        
        C:\Windows\SysWOW64\wljrpp.exe
        
        "C:\Windows\system32\wljrpp.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\wbtcmex.exe
        
        "C:\Windows\system32\wbtcmex.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\wgqdhm.exe
        
        "C:\Windows\system32\wgqdhm.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\wvcl.exe
        
        "C:\Windows\system32\wvcl.exe"
        17⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\wjwghq.exe
        
        "C:\Windows\system32\wjwghq.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\wxsblhp.exe
        
        "C:\Windows\system32\wxsblhp.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wetgu.exe
        
        "C:\Windows\system32\wetgu.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\wtpb.exe
        
        "C:\Windows\system32\wtpb.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\whmvctgwa.exe
        
        "C:\Windows\system32\whmvctgwa.exe"
        22⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\wkm.exe
        
        "C:\Windows\system32\wkm.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1032
        
        C:\Windows\SysWOW64\wcthvpr.exe
        
        "C:\Windows\system32\wcthvpr.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\wbjlolm.exe
        
        "C:\Windows\system32\wbjlolm.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wplgg.exe
        
        "C:\Windows\system32\wplgg.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2060
        
        C:\Windows\SysWOW64\waifsxvjn.exe
        
        "C:\Windows\system32\waifsxvjn.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\wkusyw.exe
        
        "C:\Windows\system32\wkusyw.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\wyqmdmml.exe
        
        "C:\Windows\system32\wyqmdmml.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1964
        
        C:\Windows\SysWOW64\wslcxs.exe
        
        "C:\Windows\system32\wslcxs.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\wxwtma.exe
        
        "C:\Windows\system32\wxwtma.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\wqskiive.exe
        
        "C:\Windows\system32\wqskiive.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\wkdpvn.exe
        
        "C:\Windows\system32\wkdpvn.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\wxxk.exe
        
        "C:\Windows\system32\wxxk.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wijw.exe
        
        "C:\Windows\system32\wijw.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1244
        
        C:\Windows\SysWOW64\wbpxikyo.exe
        
        "C:\Windows\system32\wbpxikyo.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:572
        
        C:\Windows\SysWOW64\wolrla.exe
        
        "C:\Windows\system32\wolrla.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\wwmy.exe
        
        "C:\Windows\system32\wwmy.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\wfjxgelxj.exe
        
        "C:\Windows\system32\wfjxgelxj.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\wqtkndmxd.exe
        
        "C:\Windows\system32\wqtkndmxd.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wtv.exe
        
        "C:\Windows\system32\wtv.exe"
        41⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\wdcuty.exe
        
        "C:\Windows\system32\wdcuty.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wttqvkpj.exe
        
        "C:\Windows\system32\wttqvkpj.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\wegfcirg.exe
        
        "C:\Windows\system32\wegfcirg.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\SysWOW64\wsqny.exe
        
        "C:\Windows\system32\wsqny.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\wacf.exe
        
        "C:\Windows\system32\wacf.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2192
        
        C:\Windows\SysWOW64\wnjjxu.exe
        
        "C:\Windows\system32\wnjjxu.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\wuvcnc.exe
        
        "C:\Windows\system32\wuvcnc.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\womip.exe
        
        "C:\Windows\system32\womip.exe"
        49⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\wvucbjcl.exe
        
        "C:\Windows\system32\wvucbjcl.exe"
        50⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\wdgupqyu.exe
        
        "C:\Windows\system32\wdgupqyu.exe"
        51⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\wirlfvv.exe
        
        "C:\Windows\system32\wirlfvv.exe"
        52⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\wdudmc.exe
        
        "C:\Windows\system32\wdudmc.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\wngrty.exe
        
        "C:\Windows\system32\wngrty.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wjifrw.exe
        
        "C:\Windows\system32\wjifrw.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2692
        
        C:\Windows\SysWOW64\whnclvjq.exe
        
        "C:\Windows\system32\whnclvjq.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\wonjtb.exe
        
        "C:\Windows\system32\wonjtb.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1236
        
        C:\Windows\SysWOW64\whqcdh.exe
        
        "C:\Windows\system32\whqcdh.exe"
        58⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\wlyyxspq.exe
        
        "C:\Windows\system32\wlyyxspq.exe"
        59⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Windows\SysWOW64\weub.exe
        
        "C:\Windows\system32\weub.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\wmryydsok.exe
        
        "C:\Windows\system32\wmryydsok.exe"
        61⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\wgtrghtpj.exe
        
        "C:\Windows\system32\wgtrghtpj.exe"
        62⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\wrffnfuog.exe
        
        "C:\Windows\system32\wrffnfuog.exe"
        63⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\wgaxquk.exe
        
        "C:\Windows\system32\wgaxquk.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1912
        
        C:\Windows\SysWOW64\wbrhs.exe
        
        "C:\Windows\system32\wbrhs.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\woaleqbt.exe
        
        "C:\Windows\system32\woaleqbt.exe"
        66⤵
        Adds Run key to start application
        
        PID:1484
        
        C:\Windows\SysWOW64\wlcydngjd.exe
        
        "C:\Windows\system32\wlcydngjd.exe"
        67⤵
        Adds Run key to start application
        
        PID:328
        
        C:\Windows\SysWOW64\wfvqxvyc.exe
        
        "C:\Windows\system32\wfvqxvyc.exe"
        68⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wgxbojgi.exe
        
        "C:\Windows\system32\wgxbojgi.exe"
        69⤵
        Adds Run key to start application
        
        PID:904
        
        C:\Windows\SysWOW64\wriou.exe
        
        "C:\Windows\system32\wriou.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wsvjsvc.exe
        
        "C:\Windows\system32\wsvjsvc.exe"
        71⤵
        Adds Run key to start application
        
        PID:1768
        
        C:\Windows\SysWOW64\wlcjuf.exe
        
        "C:\Windows\system32\wlcjuf.exe"
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\wvmwbb.exe
        
        "C:\Windows\system32\wvmwbb.exe"
        73⤵
        Adds Run key to start application
        
        PID:1780
        
        C:\Windows\SysWOW64\wxnhrqpl.exe
        
        "C:\Windows\system32\wxnhrqpl.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\wekkmxxk.exe
        
        "C:\Windows\system32\wekkmxxk.exe"
        75⤵
        Adds Run key to start application
        
        PID:2516
        
        C:\Windows\SysWOW64\wkwaceu.exe
        
        "C:\Windows\system32\wkwaceu.exe"
        76⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\wdrqwl.exe
        
        "C:\Windows\system32\wdrqwl.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\wnefdk.exe
        
        "C:\Windows\system32\wnefdk.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\wpeptxwo.exe
        
        "C:\Windows\system32\wpeptxwo.exe"
        79⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Windows\SysWOW64\weakx.exe
        
        "C:\Windows\system32\weakx.exe"
        80⤵
        Adds Run key to start application
        
        PID:1564
        
        C:\Windows\SysWOW64\wsksue.exe
        
        "C:\Windows\system32\wsksue.exe"
        81⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\wchphcd.exe
        
        "C:\Windows\system32\wchphcd.exe"
        82⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wjiyph.exe
        
        "C:\Windows\system32\wjiyph.exe"
        83⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\wwertwf.exe
        
        "C:\Windows\system32\wwertwf.exe"
        84⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wqkrvgj.exe
        
        "C:\Windows\system32\wqkrvgj.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\wnuxhwbln.exe
        
        "C:\Windows\system32\wnuxhwbln.exe"
        86⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\wovham.exe
        
        "C:\Windows\system32\wovham.exe"
        87⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\SysWOW64\wysglkuf.exe
        
        "C:\Windows\system32\wysglkuf.exe"
        88⤵
        Adds Run key to start application
        
        PID:2236
        
        C:\Windows\SysWOW64\wjetqiv.exe
        
        "C:\Windows\system32\wjetqiv.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\wlicy.exe
        
        "C:\Windows\system32\wlicy.exe"
        90⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\wysnvh.exe
        
        "C:\Windows\system32\wysnvh.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wfppspv.exe
        
        "C:\Windows\system32\wfppspv.exe"
        92⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\wuaxpdc.exe
        
        "C:\Windows\system32\wuaxpdc.exe"
        93⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\wscnoahg.exe
        
        "C:\Windows\system32\wscnoahg.exe"
        94⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\wmpp.exe
        
        "C:\Windows\system32\wmpp.exe"
        95⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\wnqav.exe
        
        "C:\Windows\system32\wnqav.exe"
        96⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\wlyrhpo.exe
        
        "C:\Windows\system32\wlyrhpo.exe"
        97⤵
        Adds Run key to start application
        
        PID:1508
        
        C:\Windows\SysWOW64\wkafimt.exe
        
        "C:\Windows\system32\wkafimt.exe"
        98⤵
        Adds Run key to start application
        
        PID:2852
        
        C:\Windows\SysWOW64\wxijse.exe
        
        "C:\Windows\system32\wxijse.exe"
        99⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\wiswxc.exe
        
        "C:\Windows\system32\wiswxc.exe"
        100⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\wckfagluh.exe
        
        "C:\Windows\system32\wckfagluh.exe"
        101⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\wiwupmje.exe
        
        "C:\Windows\system32\wiwupmje.exe"
        102⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\wgxkojnu.exe
        
        "C:\Windows\system32\wgxkojnu.exe"
        103⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiwupmje.exe"
        103⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 728
        103⤵
        Program crash
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckfagluh.exe"
        102⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 712
        102⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiswxc.exe"
        101⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxijse.exe"
        100⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkafimt.exe"
        99⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyrhpo.exe"
        98⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqav.exe"
        97⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpp.exe"
        96⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscnoahg.exe"
        95⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuaxpdc.exe"
        94⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfppspv.exe"
        93⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysnvh.exe"
        92⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlicy.exe"
        91⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjetqiv.exe"
        90⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysglkuf.exe"
        89⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovham.exe"
        88⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuxhwbln.exe"
        87⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkrvgj.exe"
        86⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwertwf.exe"
        85⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjiyph.exe"
        84⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchphcd.exe"
        83⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsksue.exe"
        82⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weakx.exe"
        81⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpeptxwo.exe"
        80⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnefdk.exe"
        79⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrqwl.exe"
        78⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkwaceu.exe"
        77⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekkmxxk.exe"
        76⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnhrqpl.exe"
        75⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvmwbb.exe"
        74⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcjuf.exe"
        73⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvjsvc.exe"
        72⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriou.exe"
        71⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxbojgi.exe"
        70⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvqxvyc.exe"
        69⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcydngjd.exe"
        68⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woaleqbt.exe"
        67⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrhs.exe"
        66⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgaxquk.exe"
        65⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrffnfuog.exe"
        64⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtrghtpj.exe"
        63⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmryydsok.exe"
        62⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weub.exe"
        61⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyyxspq.exe"
        60⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqcdh.exe"
        59⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonjtb.exe"
        58⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnclvjq.exe"
        57⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjifrw.exe"
        56⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngrty.exe"
        55⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdudmc.exe"
        54⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirlfvv.exe"
        53⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdgupqyu.exe"
        52⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 724
        52⤵
        Program crash
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvucbjcl.exe"
        51⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womip.exe"
        50⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvcnc.exe"
        49⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjjxu.exe"
        48⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wacf.exe"
        47⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqny.exe"
        46⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegfcirg.exe"
        45⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wttqvkpj.exe"
        44⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcuty.exe"
        43⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtv.exe"
        42⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtkndmxd.exe"
        41⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjxgelxj.exe"
        40⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwmy.exe"
        39⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolrla.exe"
        38⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpxikyo.exe"
        37⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijw.exe"
        36⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxk.exe"
        35⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkdpvn.exe"
        34⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqskiive.exe"
        33⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwtma.exe"
        32⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslcxs.exe"
        31⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqmdmml.exe"
        30⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkusyw.exe"
        29⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waifsxvjn.exe"
        28⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplgg.exe"
        27⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjlolm.exe"
        26⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcthvpr.exe"
        25⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkm.exe"
        24⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmvctgwa.exe"
        23⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpb.exe"
        22⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetgu.exe"
        21⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsblhp.exe"
        20⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwghq.exe"
        19⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcl.exe"
        18⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqdhm.exe"
        17⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtcmex.exe"
        16⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljrpp.exe"
        15⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkhhwakm.exe"
        14⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welf.exe"
        13⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjulf.exe"
        12⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuxe.exe"
        11⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlb.exe"
        10⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 804
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfmf.exe"
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdn.exe"
        8⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwxq.exe"
        7⤵
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weba.exe"
        6⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyojo.exe"
        5⤵
        
        PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbnup.exe"
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnv.exe"
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\7cef84bc078b5eaeaff9185b9a95a1c0_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9OML234L.txt

Filesize
99B

MD5
c09d4a8cb0e94089e05639a125308f86

SHA1
199fb1f5fabb7f4265b11915c55910e84c07ba78

SHA256
a5d7e7d372966b23e31bc7402a78dc2cf4e91094c7116ccdbefa63842d0421e5

SHA512
48fd5a4b9b5f1eb2223582ad04e0174fd8a6a028741c2ddba5f9af7bcb89a3e2804a241440a86249fbc0ed25626fd7de03e12b56ceac5d9c504cf83a89427ad7

Download Submit
\Windows\SysWOW64\wbnup.exe

Filesize
93KB

MD5
c7c402ad7da2b56a046994608e13eac0

SHA1
af2732f1921acf10a5dad1c36ce95ae8abcf79eb

SHA256
ea94568c0f4636c894bad78c17bcd416491acea49a216e72b019bebb2c9cc801

SHA512
7ee3dc82a83e852f35838f251cd76dd5928f827d3c5c3ac6d0ed54d00d9b0f16476555affeb8f92b2a2bb86e623869428a1c4254465f9b58e288f67888b52cca

Download Submit
\Windows\SysWOW64\wdn.exe

Filesize
94KB

MD5
e9a587e41056036f6ed08ce49f2a6c74

SHA1
1eb39e5ede6f4fd31284b66b671d31104b754a17

SHA256
8fe349070bc993bc21f0b5d611b9672e2e7290bc9df37ee441859c5cf35624a4

SHA512
c129a5116dd5f53e10e0bbe3cb74fd1a72daa77880195317ab9b2d62503a03deb399ac5d8f898e43b01fb99e57d4ad881f96e235a160dd916197a993e20aa237

Download Submit
\Windows\SysWOW64\weba.exe

Filesize
94KB

MD5
ea5b45c15355ca63c70e9b4cab0174d2

SHA1
71704463055ac98c6e5112799f0cd9baedb6b6b6

SHA256
9b98cf7fc140345782d8e06823cc5b09b790aa1500bb582e9960dbdbfedaa5f8

SHA512
63ad1b997a675c4c6a173a6c12c4923185abcf3033e292771f0cc077010d2c700c15b67eedbe12edfe341c85b660b2a6afdb82212104d60d0f3c44ae3313e4c7

Download Submit
\Windows\SysWOW64\wlb.exe

Filesize
94KB

MD5
386b6e630514a3fac2bb98ed6069ee6f

SHA1
a3f158aeaefdd5c78a1004ee0c30ed3e8ff32e57

SHA256
9800df020084181b7a617a2879e176338b3491cbc87b16f52302e011f1beb909

SHA512
a7854259f24b36f82eb35c75e30d63062fb951c7a5b01356d0350f63e3509ece50f9b3cc385ae3dcfc912654751a506777d1dad29fdbcfe7d006bce746d73c4e

Download Submit
\Windows\SysWOW64\wpwxq.exe

Filesize
94KB

MD5
cb146ea3a7d018522dba7f3b776ce68e

SHA1
0b23b2a5547a6756e5b2098fa6431c4866a60e64

SHA256
e249d4190e25b26e133c8cb7ef66f76554e93c8080fe56d569aa913c67cd5a82

SHA512
28d240b2a205de730c26edf3272e5ae0996cb1855100013bf30e203b11a7f2055cf402f742980e0008a6822c64d98a7bf7f61225abb2cb316eaa9da741c80403

Download Submit
\Windows\SysWOW64\wuxe.exe

Filesize
94KB

MD5
e5cd6d81f7a7a69ed30ec9daf5a1a955

SHA1
48bbfb2629f395bda8a7961d1d4f5d30162ad630

SHA256
8f84d88fd59a1edfaae7e1e71727aa4f303319c9b248e64a78e78c0cc51f700e

SHA512
652b9a65e6b349b3b38fc431c01b8bf186bbce765e2c877db529049e2a714d7a23605157788efeaa8d3b75c07da599b90dd33255fdd2dea2acd11a1b5eef9306

Download Submit
\Windows\SysWOW64\wwnv.exe

Filesize
93KB

MD5
d8e9465c318d6400f247321f735fb579

SHA1
e5a8511de93a418b9e5a543deaddc8d5f2042f26

SHA256
ce7cf076c5abfe68217b61469c3879c9e773edb986ddb49a905ab0d8c2949556

SHA512
6368391595cea4a27a205ae315232343c9b79aa38007e42ad560408d5129217cc8d367237c72af95a5cc7556bf747279382e1d40cfc52de4c3f6a1ff9f670610

Download Submit
\Windows\SysWOW64\wxfmf.exe

Filesize
94KB

MD5
7892b2f0626ca4da2cbc4ea385096e99

SHA1
92cb649ff2a535b6747129fdb5b71c2f00008e58

SHA256
ca3039649c9a2e4e0020aa84496b74616b17a4721bc4bcb47ffd6f209cc829f7

SHA512
ba1d95c2966a64f4126f68678999e16b3263b61f9fd707e0c9ed2b9cbbf08a5fee335a0347a554510bbf59ecc1a4714ff8c35e2327b4861d539018f753a2b1b5

Download Submit
\Windows\SysWOW64\wyojo.exe

Filesize
94KB

MD5
56795d64ee3dbef1574b65b3898a0388

SHA1
99e583fd75296e57621c47d6f288957f78dacec1

SHA256
8a89df2b6d5ddcba01ff101f829a4499f0d2da4f30c77e6e74592474fad0cfb8

SHA512
eefd3651829802b0d931c62835ff0746e79b5903491cdf50e47585f91f72e8aa5b9e365df353d19fb8a0f3c362e8ad13cf097eb98e47ede3eb5d1ad63ef1afa9

Download Submit
memory/568-202-0x0000000003B80000-0x0000000003B98000-memory.dmp

Filesize
96KB

Download
memory/568-204-0x0000000003B90000-0x0000000003BA8000-memory.dmp

Filesize
96KB

Download
memory/568-183-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/568-203-0x0000000003B90000-0x0000000003BA8000-memory.dmp

Filesize
96KB

Download
memory/568-207-0x0000000003B90000-0x0000000003BA0000-memory.dmp

Filesize
64KB

Download
memory/568-267-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/568-286-0x0000000003B80000-0x0000000003B98000-memory.dmp

Filesize
96KB

Download
memory/568-288-0x0000000003B90000-0x0000000003BA8000-memory.dmp

Filesize
96KB

Download
memory/568-291-0x0000000003B90000-0x0000000003BA0000-memory.dmp

Filesize
64KB

Download
memory/568-287-0x0000000003B90000-0x0000000003BA8000-memory.dmp

Filesize
96KB

Download
memory/872-348-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/872-355-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/872-347-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/872-353-0x0000000003330000-0x0000000003348000-memory.dmp

Filesize
96KB

Download
memory/872-354-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/872-337-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-180-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/972-179-0x0000000003D20000-0x0000000003D38000-memory.dmp

Filesize
96KB

Download
memory/972-186-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-184-0x0000000003D30000-0x0000000003D40000-memory.dmp

Filesize
64KB

Download
memory/972-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1008-256-0x0000000003670000-0x0000000003688000-memory.dmp

Filesize
96KB

Download
memory/1008-240-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1008-254-0x0000000003670000-0x0000000003688000-memory.dmp

Filesize
96KB

Download
memory/1008-255-0x0000000003670000-0x0000000003688000-memory.dmp

Filesize
96KB

Download
memory/1008-257-0x0000000003670000-0x0000000003688000-memory.dmp

Filesize
96KB

Download
memory/1008-258-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1220-339-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1220-338-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/1220-323-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1220-336-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/1284-322-0x00000000032E0000-0x00000000032F8000-memory.dmp

Filesize
96KB

Download
memory/1284-324-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1284-317-0x00000000032E0000-0x00000000032F8000-memory.dmp

Filesize
96KB

Download
memory/1372-102-0x0000000003490000-0x00000000034A8000-memory.dmp

Filesize
96KB

Download
memory/1372-113-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/1372-99-0x0000000003490000-0x00000000034A8000-memory.dmp

Filesize
96KB

Download
memory/1372-109-0x0000000003F90000-0x0000000003FA8000-memory.dmp

Filesize
96KB

Download
memory/1372-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1372-91-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1524-161-0x0000000003EE0000-0x0000000003EF0000-memory.dmp

Filesize
64KB

Download
memory/1524-155-0x0000000003ED0000-0x0000000003EE8000-memory.dmp

Filesize
96KB

Download
memory/1524-156-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/1524-157-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/1524-162-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1524-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1528-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1528-80-0x0000000003D20000-0x0000000003D38000-memory.dmp

Filesize
96KB

Download
memory/1528-79-0x0000000003D20000-0x0000000003D38000-memory.dmp

Filesize
96KB

Download
memory/1528-86-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/1528-89-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1824-292-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1824-307-0x00000000034A0000-0x00000000034B8000-memory.dmp

Filesize
96KB

Download
memory/1824-308-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/1824-306-0x00000000034A0000-0x00000000034B8000-memory.dmp

Filesize
96KB

Download
memory/1824-305-0x00000000034A0000-0x00000000034B8000-memory.dmp

Filesize
96KB

Download
memory/1824-309-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1908-221-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/1908-224-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/1908-225-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1908-223-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/1908-222-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/1920-6-0x0000000004020000-0x0000000004038000-memory.dmp

Filesize
96KB

Download
memory/1920-23-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/1920-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1920-18-0x0000000004120000-0x0000000004138000-memory.dmp

Filesize
96KB

Download
memory/1920-19-0x0000000004120000-0x0000000004138000-memory.dmp

Filesize
96KB

Download
memory/1920-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2024-133-0x0000000002230000-0x0000000002248000-memory.dmp

Filesize
96KB

Download
memory/2024-132-0x0000000002230000-0x0000000002248000-memory.dmp

Filesize
96KB

Download
memory/2024-112-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2024-137-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/2024-139-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2024-131-0x0000000002230000-0x0000000002248000-memory.dmp

Filesize
96KB

Download
memory/2108-364-0x0000000000B40000-0x0000000000B58000-memory.dmp

Filesize
96KB

Download
memory/2108-367-0x0000000000B40000-0x0000000000B58000-memory.dmp

Filesize
96KB

Download
memory/2272-633-0x0000000076BE0000-0x0000000076CDA000-memory.dmp

Filesize
1000KB

Download
memory/2328-293-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-274-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-289-0x0000000004010000-0x0000000004028000-memory.dmp

Filesize
96KB

Download
memory/2328-290-0x0000000004010000-0x0000000004028000-memory.dmp

Filesize
96KB

Download
memory/2408-273-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2408-259-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2408-269-0x00000000023F0000-0x0000000002408000-memory.dmp

Filesize
96KB

Download
memory/2504-238-0x0000000003410000-0x0000000003428000-memory.dmp

Filesize
96KB

Download
memory/2504-239-0x0000000003420000-0x0000000003438000-memory.dmp

Filesize
96KB

Download
memory/2504-237-0x0000000003410000-0x0000000003428000-memory.dmp

Filesize
96KB

Download
memory/2504-242-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2504-241-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/2772-66-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/2772-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2824-369-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2924-35-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/2924-36-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/2924-44-0x0000000003530000-0x0000000003548000-memory.dmp

Filesize
96KB

Download
memory/2924-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2924-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads