4ae22b9c1c3b7ca9fbf10b765d8970eec7434716fc67aecbfbea60233aa4d9e5

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 21:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe
Size

82KB
MD5

7fb876bf482467cf233b3e098e59fe40
SHA1

84644c7dda46cbfcb74fa80b2cbc5d7577dae66a
SHA256

4ae22b9c1c3b7ca9fbf10b765d8970eec7434716fc67aecbfbea60233aa4d9e5
SHA512

fd09d530b2b6edd4272ec432d18959633b5e0cabef95a648474da04433560cc96420f30f78a11d8728e74c410ac90b31755ccbaafc86dc28257029a95ef797d9
SSDEEP

1536:azUQz74LIvK/+Czax4IHVdmRvW1BDVwrVXwm:qUQz74TmFnmRvW1gXwm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2564	wccc.exe
2592	wgdb.exe
1368	wnwt.exe
2344	wcypms.exe
2236	wnse.exe
1744	wykuy.exe
952	wngdjwwj.exe
2856	wqn.exe
2568	wgrlew.exe
2324	wribxs.exe
472	wwfgj.exe
1336	wdxxm.exe
2508	wrpjwo.exe
2752	wny.exe
1424	wbcbjf.exe
1268	wnupcc.exe
2124	wyxocxid.exe
2100	wgfy.exe
2240	wpjxw.exe
2600	wkbg.exe
1512	wyolwqw.exe
1244	wehfyvc.exe
2096	wwhogjv.exe
2092	wlybr.exe
880	wvcbrtd.exe
2972	wdjklv.exe
1516	wblymsc.exe
2880	wpotc.exe
2564	wcikvdj.exe
1556	wqvptr.exe
2032	wfnc.exe
2076	wqqbebyev.exe
2852	worqexeum.exe
2128	wqlnplfxq.exe
2628	wcsrc.exe
2536	wlaoef.exe
2748	wdoqtlm.exe
2728	wxpjcq.exe
2516	wjwonm.exe
1412	wsano.exe
1544	wiraxv.exe
312	wlmwj.exe
2072	wfop.exe
1640	wtrkjcu.exe
1540	wiuhap.exe
2648	wumwtl.exe
2488	wjprkyxjy.exe
1680	wdrktfaly.exe
1736	wglktn.exe
692	wunglbbtb.exe
1140	wkf.exe
312	wujrulin.exe
572	woy.exe
1636	wus.exe
1540	wnu.exe
300	wvn.exe
2520	wgrejbel.exe
2336	wilatnhp.exe
544	wsb.exe
352	wmpvsm.exe
2068	wtprhor.exe
1732	wfihbjbqi.exe
3020	wulcrwx.exe
2532	wcslmb.exe

Loads dropped DLL 64 IoCs

pid	Process
3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe
3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe
3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe
3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe
2564	wccc.exe
2564	wccc.exe
2564	wccc.exe
2564	wccc.exe
2564	wccc.exe
2592	wgdb.exe
2592	wgdb.exe
2592	wgdb.exe
2592	wgdb.exe
2592	wgdb.exe
1368	wnwt.exe
1368	wnwt.exe
1368	wnwt.exe
1368	wnwt.exe
1368	wnwt.exe
2344	wcypms.exe
2344	wcypms.exe
2344	wcypms.exe
2344	wcypms.exe
2344	wcypms.exe
2236	wnse.exe
2236	wnse.exe
2236	wnse.exe
2236	wnse.exe
2236	wnse.exe
1744	wykuy.exe
1744	wykuy.exe
1744	wykuy.exe
1744	wykuy.exe
1744	wykuy.exe
952	wngdjwwj.exe
952	wngdjwwj.exe
952	wngdjwwj.exe
952	wngdjwwj.exe
952	wngdjwwj.exe
2856	wqn.exe
2856	wqn.exe
2856	wqn.exe
2856	wqn.exe
2856	wqn.exe
2568	wgrlew.exe
2568	wgrlew.exe
2568	wgrlew.exe
2568	wgrlew.exe
2568	wgrlew.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2324	wribxs.exe
2324	wribxs.exe
2324	wribxs.exe
2324	wribxs.exe
2324	wribxs.exe
472	wwfgj.exe
472	wwfgj.exe
472	wwfgj.exe
472	wwfgj.exe
472	wwfgj.exe
1336	wdxxm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbcbjf.exe	wny.exe
File created	C:\Windows\SysWOW64\wlybr.exe	wwhogjv.exe
File created	C:\Windows\SysWOW64\wqvptr.exe	wcikvdj.exe
File opened for modification	C:\Windows\SysWOW64\wfjtnssar.exe	wvnhs.exe
File created	C:\Windows\SysWOW64\wfyrilhpg.exe	wpifxx.exe
File created	C:\Windows\SysWOW64\wnupcc.exe	wbcbjf.exe
File opened for modification	C:\Windows\SysWOW64\wdjklv.exe	wvcbrtd.exe
File opened for modification	C:\Windows\SysWOW64\woy.exe	wujrulin.exe
File opened for modification	C:\Windows\SysWOW64\wulcrwx.exe	wfihbjbqi.exe
File created	C:\Windows\SysWOW64\wbtbja.exe	wpam.exe
File created	C:\Windows\SysWOW64\wxewclkd.exe	wnc.exe
File created	C:\Windows\SysWOW64\wpifxx.exe	waejhkv.exe
File opened for modification	C:\Windows\SysWOW64\wvbpdrse.exe	wynrvs.exe
File opened for modification	C:\Windows\SysWOW64\wqn.exe	wngdjwwj.exe
File created	C:\Windows\SysWOW64\wfnc.exe	wqvptr.exe
File created	C:\Windows\SysWOW64\wlmwj.exe	wiraxv.exe
File opened for modification	C:\Windows\SysWOW64\wunglbbtb.exe	wglktn.exe
File created	C:\Windows\SysWOW64\wtprhor.exe	wmpvsm.exe
File opened for modification	C:\Windows\SysWOW64\wyolwqw.exe	wkbg.exe
File created	C:\Windows\SysWOW64\wblymsc.exe	wdjklv.exe
File opened for modification	C:\Windows\SysWOW64\wqvptr.exe	wcikvdj.exe
File opened for modification	C:\Windows\SysWOW64\wjwonm.exe	wxpjcq.exe
File opened for modification	C:\Windows\SysWOW64\winh.exe	wxijdtr.exe
File opened for modification	C:\Windows\SysWOW64\wfqndfud.exe	wqycsr.exe
File created	C:\Windows\SysWOW64\wtexwm.exe	winh.exe
File opened for modification	C:\Windows\SysWOW64\wpam.exe	wfwmph.exe
File opened for modification	C:\Windows\SysWOW64\wnwt.exe	wgdb.exe
File created	C:\Windows\SysWOW64\wsano.exe	wjwonm.exe
File opened for modification	C:\Windows\SysWOW64\wilatnhp.exe	wgrejbel.exe
File opened for modification	C:\Windows\SysWOW64\wcjhiuhvw.exe	wnrwxht.exe
File created	C:\Windows\SysWOW64\wqycsr.exe	wbk.exe
File created	C:\Windows\SysWOW64\wnc.exe	wcjhiuhvw.exe
File opened for modification	C:\Windows\SysWOW64\waejhkv.exe	wsmpegq.exe
File opened for modification	C:\Windows\SysWOW64\wukfp.exe	wvbpdrse.exe
File created	C:\Windows\SysWOW64\wribxs.exe	wgrlew.exe
File created	C:\Windows\SysWOW64\wwfgj.exe	wribxs.exe
File opened for modification	C:\Windows\SysWOW64\wqlnplfxq.exe	worqexeum.exe
File created	C:\Windows\SysWOW64\wfop.exe	wlmwj.exe
File created	C:\Windows\SysWOW64\wbagek.exe	wml.exe
File created	C:\Windows\SysWOW64\wurfc.exe	wcddniek.exe
File created	C:\Windows\SysWOW64\wngdjwwj.exe	wykuy.exe
File created	C:\Windows\SysWOW64\wgrlew.exe	wqn.exe
File opened for modification	C:\Windows\SysWOW64\wpotc.exe	wblymsc.exe
File created	C:\Windows\SysWOW64\wulcrwx.exe	wfihbjbqi.exe
File opened for modification	C:\Windows\SysWOW64\wpifxx.exe	waejhkv.exe
File created	C:\Windows\SysWOW64\wiiwb.exe	wxewclkd.exe
File created	C:\Windows\SysWOW64\wyolwqw.exe	wkbg.exe
File opened for modification	C:\Windows\SysWOW64\wehfyvc.exe	wyolwqw.exe
File opened for modification	C:\Windows\SysWOW64\wkf.exe	wunglbbtb.exe
File opened for modification	C:\Windows\SysWOW64\wml.exe	wcslmb.exe
File opened for modification	C:\Windows\SysWOW64\wxewclkd.exe	wnc.exe
File opened for modification	C:\Windows\SysWOW64\wqycsr.exe	wbk.exe
File created	C:\Windows\SysWOW64\wlaoef.exe	wcsrc.exe
File opened for modification	C:\Windows\SysWOW64\wumwtl.exe	wiuhap.exe
File opened for modification	C:\Windows\SysWOW64\wdrktfaly.exe	wjprkyxjy.exe
File created	C:\Windows\SysWOW64\wgrejbel.exe	wvn.exe
File created	C:\Windows\SysWOW64\wbk.exe	wprgchpwt.exe
File created	C:\Windows\SysWOW64\wilatnhp.exe	wgrejbel.exe
File opened for modification	C:\Windows\SysWOW64\wfyrilhpg.exe	wpifxx.exe
File created	C:\Windows\SysWOW64\wfqndfud.exe	wqycsr.exe
File opened for modification	C:\Windows\SysWOW64\wngdjwwj.exe	wykuy.exe
File opened for modification	C:\Windows\SysWOW64\wny.exe	wrpjwo.exe
File opened for modification	C:\Windows\SysWOW64\wyxocxid.exe	wnupcc.exe
File created	C:\Windows\SysWOW64\wxpjcq.exe	wdoqtlm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2364	2568	WerFault.exe	52
1604	1512	WerFault.exe	89
2900	3012	WerFault.exe	233

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2564	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2564	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2564	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2564	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2632	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	29
PID 3068 wrote to memory of 2632	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	29
PID 3068 wrote to memory of 2632	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	29
PID 3068 wrote to memory of 2632	3068	7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe	29
PID 2564 wrote to memory of 2592	2564	wccc.exe	31
PID 2564 wrote to memory of 2592	2564	wccc.exe	31
PID 2564 wrote to memory of 2592	2564	wccc.exe	31
PID 2564 wrote to memory of 2592	2564	wccc.exe	31
PID 2564 wrote to memory of 2472	2564	wccc.exe	32
PID 2564 wrote to memory of 2472	2564	wccc.exe	32
PID 2564 wrote to memory of 2472	2564	wccc.exe	32
PID 2564 wrote to memory of 2472	2564	wccc.exe	32
PID 2592 wrote to memory of 1368	2592	wgdb.exe	34
PID 2592 wrote to memory of 1368	2592	wgdb.exe	34
PID 2592 wrote to memory of 1368	2592	wgdb.exe	34
PID 2592 wrote to memory of 1368	2592	wgdb.exe	34
PID 2592 wrote to memory of 1336	2592	wgdb.exe	35
PID 2592 wrote to memory of 1336	2592	wgdb.exe	35
PID 2592 wrote to memory of 1336	2592	wgdb.exe	35
PID 2592 wrote to memory of 1336	2592	wgdb.exe	35
PID 1368 wrote to memory of 2344	1368	wnwt.exe	37
PID 1368 wrote to memory of 2344	1368	wnwt.exe	37
PID 1368 wrote to memory of 2344	1368	wnwt.exe	37
PID 1368 wrote to memory of 2344	1368	wnwt.exe	37
PID 1368 wrote to memory of 1236	1368	wnwt.exe	38
PID 1368 wrote to memory of 1236	1368	wnwt.exe	38
PID 1368 wrote to memory of 1236	1368	wnwt.exe	38
PID 1368 wrote to memory of 1236	1368	wnwt.exe	38
PID 2344 wrote to memory of 2236	2344	wcypms.exe	40
PID 2344 wrote to memory of 2236	2344	wcypms.exe	40
PID 2344 wrote to memory of 2236	2344	wcypms.exe	40
PID 2344 wrote to memory of 2236	2344	wcypms.exe	40
PID 2344 wrote to memory of 668	2344	wcypms.exe	41
PID 2344 wrote to memory of 668	2344	wcypms.exe	41
PID 2344 wrote to memory of 668	2344	wcypms.exe	41
PID 2344 wrote to memory of 668	2344	wcypms.exe	41
PID 2236 wrote to memory of 1744	2236	wnse.exe	43
PID 2236 wrote to memory of 1744	2236	wnse.exe	43
PID 2236 wrote to memory of 1744	2236	wnse.exe	43
PID 2236 wrote to memory of 1744	2236	wnse.exe	43
PID 2236 wrote to memory of 1108	2236	wnse.exe	44
PID 2236 wrote to memory of 1108	2236	wnse.exe	44
PID 2236 wrote to memory of 1108	2236	wnse.exe	44
PID 2236 wrote to memory of 1108	2236	wnse.exe	44
PID 1744 wrote to memory of 952	1744	wykuy.exe	46
PID 1744 wrote to memory of 952	1744	wykuy.exe	46
PID 1744 wrote to memory of 952	1744	wykuy.exe	46
PID 1744 wrote to memory of 952	1744	wykuy.exe	46
PID 1744 wrote to memory of 2820	1744	wykuy.exe	47
PID 1744 wrote to memory of 2820	1744	wykuy.exe	47
PID 1744 wrote to memory of 2820	1744	wykuy.exe	47
PID 1744 wrote to memory of 2820	1744	wykuy.exe	47
PID 952 wrote to memory of 2856	952	wngdjwwj.exe	49
PID 952 wrote to memory of 2856	952	wngdjwwj.exe	49
PID 952 wrote to memory of 2856	952	wngdjwwj.exe	49
PID 952 wrote to memory of 2856	952	wngdjwwj.exe	49
PID 952 wrote to memory of 1432	952	wngdjwwj.exe	50
PID 952 wrote to memory of 1432	952	wngdjwwj.exe	50
PID 952 wrote to memory of 1432	952	wngdjwwj.exe	50
PID 952 wrote to memory of 1432	952	wngdjwwj.exe	50

C:\Users\Admin\AppData\Local\Temp\7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\wccc.exe
  "C:\Windows\system32\wccc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\wgdb.exe
    "C:\Windows\system32\wgdb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\wnwt.exe
      "C:\Windows\system32\wnwt.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\wcypms.exe
        
        "C:\Windows\system32\wcypms.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\wnse.exe
        
        "C:\Windows\system32\wnse.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\wykuy.exe
        
        "C:\Windows\system32\wykuy.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\wngdjwwj.exe
        
        "C:\Windows\system32\wngdjwwj.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\wqn.exe
        
        "C:\Windows\system32\wqn.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\wgrlew.exe
        
        "C:\Windows\system32\wgrlew.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\wribxs.exe
        
        "C:\Windows\system32\wribxs.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\wwfgj.exe
        
        "C:\Windows\system32\wwfgj.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:472
        
        C:\Windows\SysWOW64\wdxxm.exe
        
        "C:\Windows\system32\wdxxm.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1336
        
        C:\Windows\SysWOW64\wrpjwo.exe
        
        "C:\Windows\system32\wrpjwo.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\wny.exe
        
        "C:\Windows\system32\wny.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\wbcbjf.exe
        
        "C:\Windows\system32\wbcbjf.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\wnupcc.exe
        
        "C:\Windows\system32\wnupcc.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\wyxocxid.exe
        
        "C:\Windows\system32\wyxocxid.exe"
        18⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\wgfy.exe
        
        "C:\Windows\system32\wgfy.exe"
        19⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\wpjxw.exe
        
        "C:\Windows\system32\wpjxw.exe"
        20⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\wkbg.exe
        
        "C:\Windows\system32\wkbg.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\wyolwqw.exe
        
        "C:\Windows\system32\wyolwqw.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\wehfyvc.exe
        
        "C:\Windows\system32\wehfyvc.exe"
        23⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\wwhogjv.exe
        
        "C:\Windows\system32\wwhogjv.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\wlybr.exe
        
        "C:\Windows\system32\wlybr.exe"
        25⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\wvcbrtd.exe
        
        "C:\Windows\system32\wvcbrtd.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\wdjklv.exe
        
        "C:\Windows\system32\wdjklv.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\wblymsc.exe
        
        "C:\Windows\system32\wblymsc.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\wpotc.exe
        
        "C:\Windows\system32\wpotc.exe"
        29⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\wcikvdj.exe
        
        "C:\Windows\system32\wcikvdj.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\wqvptr.exe
        
        "C:\Windows\system32\wqvptr.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wfnc.exe
        
        "C:\Windows\system32\wfnc.exe"
        32⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\wqqbebyev.exe
        
        "C:\Windows\system32\wqqbebyev.exe"
        33⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\worqexeum.exe
        
        "C:\Windows\system32\worqexeum.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\wqlnplfxq.exe
        
        "C:\Windows\system32\wqlnplfxq.exe"
        35⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\wcsrc.exe
        
        "C:\Windows\system32\wcsrc.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\wlaoef.exe
        
        "C:\Windows\system32\wlaoef.exe"
        37⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\wdoqtlm.exe
        
        "C:\Windows\system32\wdoqtlm.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\wxpjcq.exe
        
        "C:\Windows\system32\wxpjcq.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\wjwonm.exe
        
        "C:\Windows\system32\wjwonm.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wsano.exe
        
        "C:\Windows\system32\wsano.exe"
        41⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\wiraxv.exe
        
        "C:\Windows\system32\wiraxv.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\wlmwj.exe
        
        "C:\Windows\system32\wlmwj.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\wfop.exe
        
        "C:\Windows\system32\wfop.exe"
        44⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\wtrkjcu.exe
        
        "C:\Windows\system32\wtrkjcu.exe"
        45⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\wiuhap.exe
        
        "C:\Windows\system32\wiuhap.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\wumwtl.exe
        
        "C:\Windows\system32\wumwtl.exe"
        47⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\wjprkyxjy.exe
        
        "C:\Windows\system32\wjprkyxjy.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\wdrktfaly.exe
        
        "C:\Windows\system32\wdrktfaly.exe"
        49⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\wglktn.exe
        
        "C:\Windows\system32\wglktn.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wunglbbtb.exe
        
        "C:\Windows\system32\wunglbbtb.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\wkf.exe
        
        "C:\Windows\system32\wkf.exe"
        52⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\wujrulin.exe
        
        "C:\Windows\system32\wujrulin.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\woy.exe
        
        "C:\Windows\system32\woy.exe"
        54⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\wus.exe
        
        "C:\Windows\system32\wus.exe"
        55⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\wnu.exe
        
        "C:\Windows\system32\wnu.exe"
        56⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\wvn.exe
        
        "C:\Windows\system32\wvn.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:300
        
        C:\Windows\SysWOW64\wgrejbel.exe
        
        "C:\Windows\system32\wgrejbel.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\wilatnhp.exe
        
        "C:\Windows\system32\wilatnhp.exe"
        59⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\wsb.exe
        
        "C:\Windows\system32\wsb.exe"
        60⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\wmpvsm.exe
        
        "C:\Windows\system32\wmpvsm.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:352
        
        C:\Windows\SysWOW64\wtprhor.exe
        
        "C:\Windows\system32\wtprhor.exe"
        62⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\wfihbjbqi.exe
        
        "C:\Windows\system32\wfihbjbqi.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\wulcrwx.exe
        
        "C:\Windows\system32\wulcrwx.exe"
        64⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\wcslmb.exe
        
        "C:\Windows\system32\wcslmb.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\wml.exe
        
        "C:\Windows\system32\wml.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\wbagek.exe
        
        "C:\Windows\system32\wbagek.exe"
        67⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\wnrwxht.exe
        
        "C:\Windows\system32\wnrwxht.exe"
        68⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\wcjhiuhvw.exe
        
        "C:\Windows\system32\wcjhiuhvw.exe"
        69⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\wnc.exe
        
        "C:\Windows\system32\wnc.exe"
        70⤵
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\wxewclkd.exe
        
        "C:\Windows\system32\wxewclkd.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\wiiwb.exe
        
        "C:\Windows\system32\wiiwb.exe"
        72⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\wdafdmun.exe
        
        "C:\Windows\system32\wdafdmun.exe"
        73⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\wvnhs.exe
        
        "C:\Windows\system32\wvnhs.exe"
        74⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\wfjtnssar.exe
        
        "C:\Windows\system32\wfjtnssar.exe"
        75⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\wsmpegq.exe
        
        "C:\Windows\system32\wsmpegq.exe"
        76⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\waejhkv.exe
        
        "C:\Windows\system32\waejhkv.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\wpifxx.exe
        
        "C:\Windows\system32\wpifxx.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\wfyrilhpg.exe
        
        "C:\Windows\system32\wfyrilhpg.exe"
        79⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\wprgchpwt.exe
        
        "C:\Windows\system32\wprgchpwt.exe"
        80⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\wbk.exe
        
        "C:\Windows\system32\wbk.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\wqycsr.exe
        
        "C:\Windows\system32\wqycsr.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wfqndfud.exe
        
        "C:\Windows\system32\wfqndfud.exe"
        83⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\wqtne.exe
        
        "C:\Windows\system32\wqtne.exe"
        84⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\wkvfl.exe
        
        "C:\Windows\system32\wkvfl.exe"
        85⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\wynrvs.exe
        
        "C:\Windows\system32\wynrvs.exe"
        86⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\wvbpdrse.exe
        
        "C:\Windows\system32\wvbpdrse.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\wukfp.exe
        
        "C:\Windows\system32\wukfp.exe"
        88⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\wxijdtr.exe
        
        "C:\Windows\system32\wxijdtr.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\winh.exe
        
        "C:\Windows\system32\winh.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\wtexwm.exe
        
        "C:\Windows\system32\wtexwm.exe"
        91⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\wfwmph.exe
        
        "C:\Windows\system32\wfwmph.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\wpam.exe
        
        "C:\Windows\system32\wpam.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\wbtbja.exe
        
        "C:\Windows\system32\wbtbja.exe"
        94⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\wllrdu.exe
        
        "C:\Windows\system32\wllrdu.exe"
        95⤵
        
        PID:588
        
        C:\Windows\SysWOW64\wcddniek.exe
        
        "C:\Windows\system32\wcddniek.exe"
        96⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllrdu.exe"
        96⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbtbja.exe"
        95⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpam.exe"
        94⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwmph.exe"
        93⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtexwm.exe"
        92⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winh.exe"
        91⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxijdtr.exe"
        90⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukfp.exe"
        89⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvbpdrse.exe"
        88⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynrvs.exe"
        87⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfl.exe"
        86⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtne.exe"
        85⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqndfud.exe"
        84⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqycsr.exe"
        83⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbk.exe"
        82⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprgchpwt.exe"
        81⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyrilhpg.exe"
        80⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpifxx.exe"
        79⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waejhkv.exe"
        78⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmpegq.exe"
        77⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjtnssar.exe"
        76⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnhs.exe"
        75⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdafdmun.exe"
        74⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiwb.exe"
        73⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxewclkd.exe"
        72⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnc.exe"
        71⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjhiuhvw.exe"
        70⤵
        
        PID:272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 180
        70⤵
        Program crash
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnrwxht.exe"
        69⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbagek.exe"
        68⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wml.exe"
        67⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcslmb.exe"
        66⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulcrwx.exe"
        65⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfihbjbqi.exe"
        64⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtprhor.exe"
        63⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpvsm.exe"
        62⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsb.exe"
        61⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wilatnhp.exe"
        60⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrejbel.exe"
        59⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvn.exe"
        58⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnu.exe"
        57⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wus.exe"
        56⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woy.exe"
        55⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujrulin.exe"
        54⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkf.exe"
        53⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunglbbtb.exe"
        52⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglktn.exe"
        51⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrktfaly.exe"
        50⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjprkyxjy.exe"
        49⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumwtl.exe"
        48⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuhap.exe"
        47⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtrkjcu.exe"
        46⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfop.exe"
        45⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmwj.exe"
        44⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiraxv.exe"
        43⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsano.exe"
        42⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwonm.exe"
        41⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpjcq.exe"
        40⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoqtlm.exe"
        39⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlaoef.exe"
        38⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsrc.exe"
        37⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlnplfxq.exe"
        36⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worqexeum.exe"
        35⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqbebyev.exe"
        34⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnc.exe"
        33⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvptr.exe"
        32⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcikvdj.exe"
        31⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpotc.exe"
        30⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblymsc.exe"
        29⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjklv.exe"
        28⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcbrtd.exe"
        27⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlybr.exe"
        26⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhogjv.exe"
        25⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehfyvc.exe"
        24⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyolwqw.exe"
        23⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 204
        23⤵
        Program crash
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbg.exe"
        22⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjxw.exe"
        21⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgfy.exe"
        20⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxocxid.exe"
        19⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnupcc.exe"
        18⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcbjf.exe"
        17⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wny.exe"
        16⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpjwo.exe"
        15⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxxm.exe"
        14⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfgj.exe"
        13⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wribxs.exe"
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrlew.exe"
        11⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 796
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqn.exe"
        10⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngdjwwj.exe"
        9⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykuy.exe"
        8⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnse.exe"
        7⤵
        
        PID:1108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcypms.exe"
        6⤵
        
        PID:668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwt.exe"
        5⤵
        
        PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgdb.exe"
      4⤵
      PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccc.exe"
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\7fb876bf482467cf233b3e098e59fe40_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S0GC3KGC.txt

Filesize
98B

MD5
f1ada86d8657e3b1fcc85b2f28cc1268

SHA1
939fe1cf371f71184a73e4442e32c9c4fdec724b

SHA256
f9c4cf1c1762fb921b1efb4ad4cdf8e7df0970e381d5107cedcb4e68dfebcdc3

SHA512
be154552af00002b68dbefbda041f84cb4ca2a470f60845cf9cc6a3792113f5c1f585f68fdaf4bdd845de3badcef1edf6255d3eb9c7ad11afe45c0fa4a7c6a7a

Download Submit
\Windows\SysWOW64\wccc.exe

Filesize
82KB

MD5
bcc9c9b38da53dff9212bcc36a438e07

SHA1
135103dadd0f1fdb1df8a970195ef217d4c2ab86

SHA256
888567fa0a1ec608fb3d6a6a0f10c2c16fe2dc487f0cf61885a5736f70c2e573

SHA512
5fc5f13a5a60da99705ee29199d26b5ba54870ec4cf18d7314908ab55c003b890ba370b0aec944ac17006a54ada87e539c16265b1e3ec29a6829a429ca430f64

Download Submit
\Windows\SysWOW64\wcypms.exe

Filesize
82KB

MD5
937b7e1f23dc1a9eed1a863359be0549

SHA1
dd3c26dc214263682558b01faaa639454d8fc621

SHA256
39c56d8d1ec033d31bb9e514e90e2960e3631e2638fc59e917019bfb6f5de5e8

SHA512
bc88bd697a244f180e2618e4507e8333eef22fc8ff33d71518b51cb28bee26825c026de4dcb6e3ba17abca7c096d1c580b68da0787972d9c351a9aac31431630

Download Submit
\Windows\SysWOW64\wgdb.exe

Filesize
82KB

MD5
7279d661e72a3cc71ff2632a63656a04

SHA1
db9fb1098cb8f33fc4e8be8e3a7d625cb52682f7

SHA256
c065c43c19acc9827fa60f143a5ab71592258df5ec29d3c804137bc014f94f43

SHA512
bd18bcb8482dc288d0c381aafd2adac7ad06b666d40ba4e74111cb3fb115bad1b007b8e65f55168da76879b34a836f192fbb7859f2f66cf98cad4d464f577e1e

Download Submit
\Windows\SysWOW64\wgrlew.exe

Filesize
82KB

MD5
c66bc4bb6c1e0bc4ab88dbe5e751b483

SHA1
4249bf422fc3a847645a1d344b5e45b88da0762a

SHA256
6686d1c8b467a815245f172288f4813e4058b40ffcaa053de1fadce2337a7741

SHA512
3ead636f56e965fb8d0a74c0434523277250832cda84d8232f3edd3c0de656cf3b37cfe20eb9461c132db982057e4ec215c95c7eb49eb96ab13a070184182a98

Download Submit
\Windows\SysWOW64\wngdjwwj.exe

Filesize
82KB

MD5
6a46e29735ebb3711f406e8f4af18f24

SHA1
81da49a2c7f14b77360044965139c7897ee0aa62

SHA256
d2cde7b6333c6b80e818a4f8016c0462abc7972942ddea2dcf0b8dd4ecc5773f

SHA512
cba8a1d83c3ed60e0f6a53ea2fcd58f86c4e5d6467ca2c3d224f56cddc3957a1917a30f094bc876cff86e07f61cdb1e13a620f8a5fe21ef70016044b147ad5bc

Download Submit
\Windows\SysWOW64\wnse.exe

Filesize
82KB

MD5
73bd031ad41f63ef04de455daa40805f

SHA1
63cdbc476e78be29165e2d7089fcf023fd5d978b

SHA256
fd0363b78aab3eb6f8a21b1bb77f4df186488a566d120cc51d6283b0b815aea9

SHA512
6bbd800305094ec106b6f3ccf92425befb154f2cfd2bed751d1df38f07f3a468a55479f867684de651c528e4730e46196d04c8497d9c49a6ede8b3c9ec9e15f7

Download Submit
\Windows\SysWOW64\wnwt.exe

Filesize
82KB

MD5
8f690cfff94e33c8ac478806f3997293

SHA1
4d25749319d8fd8a48bd374a98c179898167db18

SHA256
98a4f34714e78d982b90646eb2ced5477e268b4affcc83c6f3331b684cb70738

SHA512
a15d119248e7fb6320d3a22f9f4dda2f0fe876df810fdc90dca98c2e3737045dc696bcafb3eba890a500c03c400a1e9329075d7a0cf06b7c553ddf1200699fdf

Download Submit
\Windows\SysWOW64\wqn.exe

Filesize
82KB

MD5
6cd7a20f782ad0099f1ff215af68d713

SHA1
d00b1217c69cc4f55e2c08150cb10f26185ab45c

SHA256
89de6f3d398d1a9886cb312022096baf241558df709059ee9958c2ccaa099d24

SHA512
5ea36f6312d3e9b5c50e1bea0edd7de61987803f4ed4de9c2b56e1acb79e9c802e1c1c9ff79a909572751094e8cfd8251884245e1d9ffde67a13c91c57bb78d1

Download Submit
\Windows\SysWOW64\wribxs.exe

Filesize
82KB

MD5
d450ecc3aacc9837a4855bee10a49ac4

SHA1
d11c699a2c63634d5231cde9d822cd0d74a9eb7b

SHA256
2d927296cab0768fe2ee63997598248eb5357d7a5c70f04b8bd8428445c2c323

SHA512
f534aa9867d96d579b8033a65564f37f6c94a78c43a9a4c852a2f8b37034051daccd926f8bf2d5e6736b841381da28f295ceee7ba54b8d8c9232342483de7209

Download Submit
\Windows\SysWOW64\wykuy.exe

Filesize
82KB

MD5
bb5a6a5f52cf94eeaef421995eaddd32

SHA1
9e5409dcce4e4a4ce39a54b496ee7e167231d316

SHA256
0e892f874a9fecf49dd3fcf91e2f1df4538172b91ffa3bcd37f608a30366654f

SHA512
a8d3e4e1b2cc13c9804c2cc88d2a1fe841fafaf539be2b757fb46cb0e9597a455be7ec1ae65478727e2f1b12c864401afd7ea2c4bf3a0eb7e38cc7f97fb5570e

Download Submit
memory/472-254-0x0000000000B40000-0x0000000000B57000-memory.dmp

Filesize
92KB

Download
memory/472-255-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/472-257-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/472-258-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/952-182-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/952-184-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/952-183-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/952-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/952-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-335-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/1268-334-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/1268-336-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-333-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/1268-319-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1336-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1336-270-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1336-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1368-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1368-89-0x0000000002400000-0x0000000002417000-memory.dmp

Filesize
92KB

Download
memory/1368-90-0x0000000002400000-0x0000000002417000-memory.dmp

Filesize
92KB

Download
memory/1368-93-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1368-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1368-91-0x0000000002400000-0x0000000002417000-memory.dmp

Filesize
92KB

Download
memory/1424-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1424-318-0x0000000003500000-0x0000000003517000-memory.dmp

Filesize
92KB

Download
memory/1424-321-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1424-320-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/1424-317-0x0000000003500000-0x0000000003517000-memory.dmp

Filesize
92KB

Download
memory/1424-316-0x0000000002120000-0x0000000002137000-memory.dmp

Filesize
92KB

Download
memory/1744-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-162-0x0000000003B50000-0x0000000003B67000-memory.dmp

Filesize
92KB

Download
memory/1744-164-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/2100-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-367-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/2100-366-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/2100-369-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/2100-365-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/2124-352-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/2124-346-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/2124-353-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2124-350-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/2124-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2236-138-0x00000000036D0000-0x00000000036E7000-memory.dmp

Filesize
92KB

Download
memory/2236-137-0x00000000036D0000-0x00000000036E7000-memory.dmp

Filesize
92KB

Download
memory/2236-118-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2236-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2236-139-0x0000000003BE0000-0x0000000003BF7000-memory.dmp

Filesize
92KB

Download
memory/2240-368-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2324-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2324-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2324-241-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2324-240-0x00000000022A0000-0x00000000022B7000-memory.dmp

Filesize
92KB

Download
memory/2324-239-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/2344-119-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/2344-121-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-115-0x0000000003A00000-0x0000000003A17000-memory.dmp

Filesize
92KB

Download
memory/2344-114-0x0000000003A00000-0x0000000003A17000-memory.dmp

Filesize
92KB

Download
memory/2344-113-0x0000000003A00000-0x0000000003A17000-memory.dmp

Filesize
92KB

Download
memory/2344-112-0x0000000003A00000-0x0000000003A17000-memory.dmp

Filesize
92KB

Download
memory/2508-288-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2508-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-42-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2564-47-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/2564-36-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2564-43-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2564-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2568-287-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2568-285-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/2568-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2568-218-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/2568-227-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2568-284-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2568-286-0x00000000035E0000-0x00000000035F7000-memory.dmp

Filesize
92KB

Download
memory/2592-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2592-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2592-60-0x0000000003230000-0x0000000003247000-memory.dmp

Filesize
92KB

Download
memory/2592-67-0x0000000003610000-0x0000000003627000-memory.dmp

Filesize
92KB

Download
memory/2592-59-0x0000000003230000-0x0000000003247000-memory.dmp

Filesize
92KB

Download
memory/2592-72-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/2752-303-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2752-301-0x0000000002400000-0x0000000002417000-memory.dmp

Filesize
92KB

Download
memory/2752-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2752-302-0x0000000003580000-0x0000000003597000-memory.dmp

Filesize
92KB

Download
memory/2856-210-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/2856-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2856-206-0x00000000035C0000-0x00000000035D7000-memory.dmp

Filesize
92KB

Download
memory/2856-200-0x00000000021C0000-0x00000000021D7000-memory.dmp

Filesize
92KB

Download
memory/2856-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2912-1174-0x0000000077280000-0x000000007739F000-memory.dmp

Filesize
1.1MB

Download
memory/2912-1175-0x0000000077180000-0x000000007727A000-memory.dmp

Filesize
1000KB

Download
memory/2912-1176-0x0000000003CB0000-0x0000000003E74000-memory.dmp

Filesize
1.8MB

Download
memory/3068-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-11-0x0000000003250000-0x0000000003267000-memory.dmp

Filesize
92KB

Download
memory/3068-12-0x0000000003250000-0x0000000003267000-memory.dmp

Filesize
92KB

Download
memory/3068-19-0x0000000003370000-0x0000000003387000-memory.dmp

Filesize
92KB

Download
memory/3068-22-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/3068-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download