f8604f530211ed9cf11657504faaa8f4c993a7e4739bdb6ea406366e7a10ac82

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
Size

94KB
MD5

32f75d238cc3f12dbf55743b4720a1d0
SHA1

122effd5b77f8dd8a417e1ebab235de5bb9eec5a
SHA256

f8604f530211ed9cf11657504faaa8f4c993a7e4739bdb6ea406366e7a10ac82
SHA512

678def5ddabd2568a237cb628e99a9511ad706dddd7309f50f6df05a61ca8fcbaea092255a78af1069a121e192e0ab9d23c7e42c68166802f7795792600330e8
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCiYsn0v:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC11

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2576	wymayg.exe
916	woommo.exe
1160	wqahldj.exe
2420	whg.exe
1780	welunlu.exe
2816	wswdl.exe
1604	wqrq.exe
1476	wlswnc.exe
2688	wwrn.exe
2780	wox.exe
1932	wipa.exe
2752	wloxl.exe
1936	woqwjagy.exe
2424	wpf.exe
2308	wduhakj.exe
1060	wlkps.exe
1444	wjmqyirw.exe
2488	walfxs.exe
1696	wiflac.exe
1556	wqljbbs.exe
2812	wqip.exe
1116	wfsnmhc.exe
2232	wbjjvitf.exe
2280	wqthytab.exe
2284	wocwlonam.exe
2436	wrd.exe
1752	wue.exe
988	wxxdla.exe
1984	wmoddk.exe
1132	wenqburl.exe
2420	woysoou.exe
2132	wvqlpt.exe
2968	wexjssvw.exe
2028	wlgr.exe
2828	wfxnw.exe
2620	wuktumsx.exe
1444	wotoq.exe
1148	wksxfrae.exe
988	wvkcfjk.exe
1948	wmtakur.exe
1136	wwsqp.exe
2064	wwrxvj.exe
388	warvutvjm.exe
2968	wocuyfcfn.exe
2280	wfttpoqj.exe
1012	wkihhypj.exe
2360	wixahqltv.exe
2024	wcsejvh.exe
2452	wwrnxw.exe
988	wulprsce.exe
2348	wuttl.exe
828	wtckye.exe
1892	wavdbi.exe
1036	wxetndx.exe
2336	wfeoefm.exe
2500	wuhkus.exe
1656	worepvt.exe
1992	wvjxsay.exe
1620	wqpjtag.exe
1004	wtfro.exe
2100	wvwpa.exe
956	wrvyonpe.exe
2308	wpvbvfw.exe
1688	wwwvlhl.exe

Loads dropped DLL 64 IoCs

pid	Process
1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
2576	wymayg.exe
2576	wymayg.exe
2576	wymayg.exe
2576	wymayg.exe
2576	wymayg.exe
916	woommo.exe
916	woommo.exe
916	woommo.exe
916	woommo.exe
916	woommo.exe
1160	wqahldj.exe
1160	wqahldj.exe
1160	wqahldj.exe
1160	wqahldj.exe
1160	wqahldj.exe
2420	whg.exe
2420	whg.exe
2420	whg.exe
2420	whg.exe
2420	whg.exe
1780	welunlu.exe
1780	welunlu.exe
1780	welunlu.exe
1780	welunlu.exe
1780	welunlu.exe
2816	wswdl.exe
2816	wswdl.exe
2816	wswdl.exe
2816	wswdl.exe
2816	wswdl.exe
1604	wqrq.exe
1604	wqrq.exe
1604	wqrq.exe
1604	wqrq.exe
1604	wqrq.exe
1476	wlswnc.exe
1476	wlswnc.exe
1476	wlswnc.exe
1476	wlswnc.exe
1476	wlswnc.exe
2688	wwrn.exe
2688	wwrn.exe
2688	wwrn.exe
2688	wwrn.exe
2688	wwrn.exe
2780	wox.exe
2780	wox.exe
2780	wox.exe
2780	wox.exe
2780	wox.exe
1932	wipa.exe
1932	wipa.exe
1932	wipa.exe
1932	wipa.exe
1932	wipa.exe
2752	wloxl.exe
2752	wloxl.exe
2752	wloxl.exe
2752	wloxl.exe
2752	wloxl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwrn = "\"C:\\Windows\\SysWOW64\\wwrn.exe\""	wwrn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmtakur = "\"C:\\Windows\\SysWOW64\\wmtakur.exe\""	wmtakur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfeoefm = "\"C:\\Windows\\SysWOW64\\wfeoefm.exe\""	wfeoefm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wswdl = "\"C:\\Windows\\SysWOW64\\wswdl.exe\""	wswdl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiflac = "\"C:\\Windows\\SysWOW64\\wiflac.exe\""	wiflac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wulprsce = "\"C:\\Windows\\SysWOW64\\wulprsce.exe\""	wulprsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuhkus = "\"C:\\Windows\\SysWOW64\\wuhkus.exe\""	wuhkus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqljbbs = "\"C:\\Windows\\SysWOW64\\wqljbbs.exe\""	wqljbbs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wenqburl = "\"C:\\Windows\\SysWOW64\\wenqburl.exe\""	wenqburl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wksxfrae = "\"C:\\Windows\\SysWOW64\\wksxfrae.exe\""	wksxfrae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\whxcqx = "\"C:\\Windows\\SysWOW64\\whxcqx.exe\""	whxcqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqpjtag = "\"C:\\Windows\\SysWOW64\\wqpjtag.exe\""	wqpjtag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wipa = "\"C:\\Windows\\SysWOW64\\wipa.exe\""	wipa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjmqyirw = "\"C:\\Windows\\SysWOW64\\wjmqyirw.exe\""	wjmqyirw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqthytab = "\"C:\\Windows\\SysWOW64\\wqthytab.exe\""	wqthytab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwrnxw = "\"C:\\Windows\\SysWOW64\\wwrnxw.exe\""	wwrnxw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wue = "\"C:\\Windows\\SysWOW64\\wue.exe\""	wue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\woysoou = "\"C:\\Windows\\SysWOW64\\woysoou.exe\""	woysoou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvqlpt = "\"C:\\Windows\\SysWOW64\\wvqlpt.exe\""	wvqlpt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\whg = "\"C:\\Windows\\SysWOW64\\whg.exe\""	whg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wox = "\"C:\\Windows\\SysWOW64\\wox.exe\""	wox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wedgt = "\"C:\\Windows\\SysWOW64\\wedgt.exe\""	wedgt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcsejvh = "\"C:\\Windows\\SysWOW64\\wcsejvh.exe\""	wcsejvh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlswnc = "\"C:\\Windows\\SysWOW64\\wlswnc.exe\""	wlswnc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlgr = "\"C:\\Windows\\SysWOW64\\wlgr.exe\""	wlgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuktumsx = "\"C:\\Windows\\SysWOW64\\wuktumsx.exe\""	wuktumsx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wocuyfcfn = "\"C:\\Windows\\SysWOW64\\wocuyfcfn.exe\""	wocuyfcfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxetndx = "\"C:\\Windows\\SysWOW64\\wxetndx.exe\""	wxetndx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\woommo = "\"C:\\Windows\\SysWOW64\\woommo.exe\""	woommo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxxdla = "\"C:\\Windows\\SysWOW64\\wxxdla.exe\""	wxxdla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfttpoqj = "\"C:\\Windows\\SysWOW64\\wfttpoqj.exe\""	wfttpoqj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wavdbi = "\"C:\\Windows\\SysWOW64\\wavdbi.exe\""	wavdbi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\walfxs = "\"C:\\Windows\\SysWOW64\\walfxs.exe\""	walfxs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfsnmhc = "\"C:\\Windows\\SysWOW64\\wfsnmhc.exe\""	wfsnmhc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\worepvt = "\"C:\\Windows\\SysWOW64\\worepvt.exe\""	worepvt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\whavl = "\"C:\\Windows\\SysWOW64\\whavl.exe\""	whavl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wixahqltv = "\"C:\\Windows\\SysWOW64\\wixahqltv.exe\""	wixahqltv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuttl = "\"C:\\Windows\\SysWOW64\\wuttl.exe\""	wuttl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtckye = "\"C:\\Windows\\SysWOW64\\wtckye.exe\""	wtckye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvwpa = "\"C:\\Windows\\SysWOW64\\wvwpa.exe\""	wvwpa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wduhakj = "\"C:\\Windows\\SysWOW64\\wduhakj.exe\""	wduhakj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlkps = "\"C:\\Windows\\SysWOW64\\wlkps.exe\""	wlkps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvkcfjk = "\"C:\\Windows\\SysWOW64\\wvkcfjk.exe\""	wvkcfjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwrxvj = "\"C:\\Windows\\SysWOW64\\wwrxvj.exe\""	wwrxvj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwvlhl = "\"C:\\Windows\\SysWOW64\\wwwvlhl.exe\""	wwwvlhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjybo = "\"C:\\Windows\\SysWOW64\\wjybo.exe\""	wjybo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wccv = "\"C:\\Windows\\SysWOW64\\wccv.exe\""	wccv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfxnw = "\"C:\\Windows\\SysWOW64\\wfxnw.exe\""	wfxnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wotoq = "\"C:\\Windows\\SysWOW64\\wotoq.exe\""	wotoq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrvyonpe = "\"C:\\Windows\\SysWOW64\\wrvyonpe.exe\""	wrvyonpe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdxinph = "\"C:\\Windows\\SysWOW64\\wdxinph.exe\""	wdxinph.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\welunlu = "\"C:\\Windows\\SysWOW64\\welunlu.exe\""	welunlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\woqwjagy = "\"C:\\Windows\\SysWOW64\\woqwjagy.exe\""	woqwjagy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpf = "\"C:\\Windows\\SysWOW64\\wpf.exe\""	wpf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbjjvitf = "\"C:\\Windows\\SysWOW64\\wbjjvitf.exe\""	wbjjvitf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe\""	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wocwlonam = "\"C:\\Windows\\SysWOW64\\wocwlonam.exe\""	wocwlonam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmoddk = "\"C:\\Windows\\SysWOW64\\wmoddk.exe\""	wmoddk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wymayg = "\"C:\\Windows\\SysWOW64\\wymayg.exe\""	wymayg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wrd = "\"C:\\Windows\\SysWOW64\\wrd.exe\""	wrd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwsqp = "\"C:\\Windows\\SysWOW64\\wwsqp.exe\""	wwsqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\warvutvjm = "\"C:\\Windows\\SysWOW64\\warvutvjm.exe\""	warvutvjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtfro = "\"C:\\Windows\\SysWOW64\\wtfro.exe\""	wtfro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqahldj = "\"C:\\Windows\\SysWOW64\\wqahldj.exe\""	wqahldj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmtakur.exe	wvkcfjk.exe
File created	C:\Windows\SysWOW64\wixahqltv.exe	wkihhypj.exe
File created	C:\Windows\SysWOW64\wrvyonpe.exe	wvwpa.exe
File created	C:\Windows\SysWOW64\whavl.exe	wwwvlhl.exe
File opened for modification	C:\Windows\SysWOW64\walfxs.exe	wjmqyirw.exe
File created	C:\Windows\SysWOW64\wbjjvitf.exe	wfsnmhc.exe
File created	C:\Windows\SysWOW64\wlgr.exe	wexjssvw.exe
File created	C:\Windows\SysWOW64\wwsqp.exe	wmtakur.exe
File opened for modification	C:\Windows\SysWOW64\wtckye.exe	wuttl.exe
File created	C:\Windows\SysWOW64\wxxdla.exe	wue.exe
File created	C:\Windows\SysWOW64\wfxnw.exe	wlgr.exe
File opened for modification	C:\Windows\SysWOW64\wksxfrae.exe	wotoq.exe
File created	C:\Windows\SysWOW64\wedgt.exe	wccv.exe
File created	C:\Windows\SysWOW64\wqthytab.exe	wbjjvitf.exe
File opened for modification	C:\Windows\SysWOW64\wpvbvfw.exe	wrvyonpe.exe
File opened for modification	C:\Windows\SysWOW64\whxcqx.exe	whavl.exe
File opened for modification	C:\Windows\SysWOW64\wulprsce.exe	wwrnxw.exe
File opened for modification	C:\Windows\SysWOW64\wuttl.exe	wulprsce.exe
File opened for modification	C:\Windows\SysWOW64\wlkps.exe	wduhakj.exe
File opened for modification	C:\Windows\SysWOW64\wqthytab.exe	wbjjvitf.exe
File created	C:\Windows\SysWOW64\wfttpoqj.exe	wocuyfcfn.exe
File created	C:\Windows\SysWOW64\whxcqx.exe	whavl.exe
File created	C:\Windows\SysWOW64\welunlu.exe	whg.exe
File created	C:\Windows\SysWOW64\wloxl.exe	wipa.exe
File opened for modification	C:\Windows\SysWOW64\wrd.exe	wocwlonam.exe
File created	C:\Windows\SysWOW64\wjybo.exe	whxcqx.exe
File opened for modification	C:\Windows\SysWOW64\wox.exe	wwrn.exe
File created	C:\Windows\SysWOW64\wipa.exe	wox.exe
File opened for modification	C:\Windows\SysWOW64\wuhkus.exe	wfeoefm.exe
File created	C:\Windows\SysWOW64\wfeoefm.exe	wxetndx.exe
File opened for modification	C:\Windows\SysWOW64\wqpjtag.exe	wvjxsay.exe
File created	C:\Windows\SysWOW64\wpvbvfw.exe	wrvyonpe.exe
File opened for modification	C:\Windows\SysWOW64\wdxinph.exe	wedgt.exe
File opened for modification	C:\Windows\SysWOW64\woqwjagy.exe	wloxl.exe
File created	C:\Windows\SysWOW64\wmoddk.exe	wxxdla.exe
File created	C:\Windows\SysWOW64\wxetndx.exe	wavdbi.exe
File opened for modification	C:\Windows\SysWOW64\wwrxvj.exe	wwsqp.exe
File created	C:\Windows\SysWOW64\wccv.exe	wmsxy.exe
File created	C:\Windows\SysWOW64\wvqlpt.exe	woysoou.exe
File created	C:\Windows\SysWOW64\wuktumsx.exe	wfxnw.exe
File created	C:\Windows\SysWOW64\wvkcfjk.exe	wksxfrae.exe
File opened for modification	C:\Windows\SysWOW64\wue.exe	wrd.exe
File created	C:\Windows\SysWOW64\warvutvjm.exe	wwrxvj.exe
File opened for modification	C:\Windows\SysWOW64\wfsnmhc.exe	wqip.exe
File created	C:\Windows\SysWOW64\wuttl.exe	wulprsce.exe
File created	C:\Windows\SysWOW64\whg.exe	wqahldj.exe
File created	C:\Windows\SysWOW64\wpf.exe	woqwjagy.exe
File created	C:\Windows\SysWOW64\wduhakj.exe	wpf.exe
File created	C:\Windows\SysWOW64\wenqburl.exe	wmoddk.exe
File opened for modification	C:\Windows\SysWOW64\wotoq.exe	wuktumsx.exe
File created	C:\Windows\SysWOW64\wqpjtag.exe	wvjxsay.exe
File created	C:\Windows\SysWOW64\whmvgaf.exe	wdxinph.exe
File opened for modification	C:\Windows\SysWOW64\wpf.exe	woqwjagy.exe
File created	C:\Windows\SysWOW64\wiflac.exe	walfxs.exe
File opened for modification	C:\Windows\SysWOW64\wbjjvitf.exe	wfsnmhc.exe
File opened for modification	C:\Windows\SysWOW64\wipa.exe	wox.exe
File opened for modification	C:\Windows\SysWOW64\worepvt.exe	wuhkus.exe
File opened for modification	C:\Windows\SysWOW64\wmsxy.exe	wjybo.exe
File opened for modification	C:\Windows\SysWOW64\wqahldj.exe	woommo.exe
File opened for modification	C:\Windows\SysWOW64\wduhakj.exe	wpf.exe
File opened for modification	C:\Windows\SysWOW64\wwrnxw.exe	wcsejvh.exe
File created	C:\Windows\SysWOW64\wtfro.exe	wqpjtag.exe
File created	C:\Windows\SysWOW64\wwwvlhl.exe	wpvbvfw.exe
File opened for modification	C:\Windows\SysWOW64\wqrq.exe	wswdl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	956	WerFault.exe	215

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2576	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 2576	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 2576	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 2576	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 2592	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	29
PID 1704 wrote to memory of 2592	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	29
PID 1704 wrote to memory of 2592	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	29
PID 1704 wrote to memory of 2592	1704	32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe	29
PID 2576 wrote to memory of 916	2576	wymayg.exe	31
PID 2576 wrote to memory of 916	2576	wymayg.exe	31
PID 2576 wrote to memory of 916	2576	wymayg.exe	31
PID 2576 wrote to memory of 916	2576	wymayg.exe	31
PID 2576 wrote to memory of 2916	2576	wymayg.exe	32
PID 2576 wrote to memory of 2916	2576	wymayg.exe	32
PID 2576 wrote to memory of 2916	2576	wymayg.exe	32
PID 2576 wrote to memory of 2916	2576	wymayg.exe	32
PID 916 wrote to memory of 1160	916	woommo.exe	34
PID 916 wrote to memory of 1160	916	woommo.exe	34
PID 916 wrote to memory of 1160	916	woommo.exe	34
PID 916 wrote to memory of 1160	916	woommo.exe	34
PID 916 wrote to memory of 1204	916	woommo.exe	35
PID 916 wrote to memory of 1204	916	woommo.exe	35
PID 916 wrote to memory of 1204	916	woommo.exe	35
PID 916 wrote to memory of 1204	916	woommo.exe	35
PID 1160 wrote to memory of 2420	1160	wqahldj.exe	37
PID 1160 wrote to memory of 2420	1160	wqahldj.exe	37
PID 1160 wrote to memory of 2420	1160	wqahldj.exe	37
PID 1160 wrote to memory of 2420	1160	wqahldj.exe	37
PID 1160 wrote to memory of 1532	1160	wqahldj.exe	38
PID 1160 wrote to memory of 1532	1160	wqahldj.exe	38
PID 1160 wrote to memory of 1532	1160	wqahldj.exe	38
PID 1160 wrote to memory of 1532	1160	wqahldj.exe	38
PID 2420 wrote to memory of 1780	2420	whg.exe	40
PID 2420 wrote to memory of 1780	2420	whg.exe	40
PID 2420 wrote to memory of 1780	2420	whg.exe	40
PID 2420 wrote to memory of 1780	2420	whg.exe	40
PID 2420 wrote to memory of 2860	2420	whg.exe	41
PID 2420 wrote to memory of 2860	2420	whg.exe	41
PID 2420 wrote to memory of 2860	2420	whg.exe	41
PID 2420 wrote to memory of 2860	2420	whg.exe	41
PID 1780 wrote to memory of 2816	1780	welunlu.exe	43
PID 1780 wrote to memory of 2816	1780	welunlu.exe	43
PID 1780 wrote to memory of 2816	1780	welunlu.exe	43
PID 1780 wrote to memory of 2816	1780	welunlu.exe	43
PID 1780 wrote to memory of 2004	1780	welunlu.exe	44
PID 1780 wrote to memory of 2004	1780	welunlu.exe	44
PID 1780 wrote to memory of 2004	1780	welunlu.exe	44
PID 1780 wrote to memory of 2004	1780	welunlu.exe	44
PID 2816 wrote to memory of 1604	2816	wswdl.exe	46
PID 2816 wrote to memory of 1604	2816	wswdl.exe	46
PID 2816 wrote to memory of 1604	2816	wswdl.exe	46
PID 2816 wrote to memory of 1604	2816	wswdl.exe	46
PID 2816 wrote to memory of 2316	2816	wswdl.exe	47
PID 2816 wrote to memory of 2316	2816	wswdl.exe	47
PID 2816 wrote to memory of 2316	2816	wswdl.exe	47
PID 2816 wrote to memory of 2316	2816	wswdl.exe	47
PID 1604 wrote to memory of 1476	1604	wqrq.exe	49
PID 1604 wrote to memory of 1476	1604	wqrq.exe	49
PID 1604 wrote to memory of 1476	1604	wqrq.exe	49
PID 1604 wrote to memory of 1476	1604	wqrq.exe	49
PID 1604 wrote to memory of 2436	1604	wqrq.exe	50
PID 1604 wrote to memory of 2436	1604	wqrq.exe	50
PID 1604 wrote to memory of 2436	1604	wqrq.exe	50
PID 1604 wrote to memory of 2436	1604	wqrq.exe	50

C:\Users\Admin\AppData\Local\Temp\32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\wymayg.exe
  "C:\Windows\system32\wymayg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\woommo.exe
    "C:\Windows\system32\woommo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\wqahldj.exe
      "C:\Windows\system32\wqahldj.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\whg.exe
        
        "C:\Windows\system32\whg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\SysWOW64\welunlu.exe
        
        "C:\Windows\system32\welunlu.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\wswdl.exe
        
        "C:\Windows\system32\wswdl.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\wqrq.exe
        
        "C:\Windows\system32\wqrq.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\wlswnc.exe
        
        "C:\Windows\system32\wlswnc.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1476
        
        C:\Windows\SysWOW64\wwrn.exe
        
        "C:\Windows\system32\wwrn.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\wox.exe
        
        "C:\Windows\system32\wox.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wipa.exe
        
        "C:\Windows\system32\wipa.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\wloxl.exe
        
        "C:\Windows\system32\wloxl.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\woqwjagy.exe
        
        "C:\Windows\system32\woqwjagy.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wpf.exe
        
        "C:\Windows\system32\wpf.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\wduhakj.exe
        
        "C:\Windows\system32\wduhakj.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\wlkps.exe
        
        "C:\Windows\system32\wlkps.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1060
        
        C:\Windows\SysWOW64\wjmqyirw.exe
        
        "C:\Windows\system32\wjmqyirw.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\walfxs.exe
        
        "C:\Windows\system32\walfxs.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\wiflac.exe
        
        "C:\Windows\system32\wiflac.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1696
        
        C:\Windows\SysWOW64\wqljbbs.exe
        
        "C:\Windows\system32\wqljbbs.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1556
        
        C:\Windows\SysWOW64\wqip.exe
        
        "C:\Windows\system32\wqip.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\wfsnmhc.exe
        
        "C:\Windows\system32\wfsnmhc.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\wbjjvitf.exe
        
        "C:\Windows\system32\wbjjvitf.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\wqthytab.exe
        
        "C:\Windows\system32\wqthytab.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2280
        
        C:\Windows\SysWOW64\wocwlonam.exe
        
        "C:\Windows\system32\wocwlonam.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\wrd.exe
        
        "C:\Windows\system32\wrd.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\wue.exe
        
        "C:\Windows\system32\wue.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\wxxdla.exe
        
        "C:\Windows\system32\wxxdla.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\wmoddk.exe
        
        "C:\Windows\system32\wmoddk.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\wenqburl.exe
        
        "C:\Windows\system32\wenqburl.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1132
        
        C:\Windows\SysWOW64\woysoou.exe
        
        "C:\Windows\system32\woysoou.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wvqlpt.exe
        
        "C:\Windows\system32\wvqlpt.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2132
        
        C:\Windows\SysWOW64\wexjssvw.exe
        
        "C:\Windows\system32\wexjssvw.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wlgr.exe
        
        "C:\Windows\system32\wlgr.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\wfxnw.exe
        
        "C:\Windows\system32\wfxnw.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\wuktumsx.exe
        
        "C:\Windows\system32\wuktumsx.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\wotoq.exe
        
        "C:\Windows\system32\wotoq.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\wksxfrae.exe
        
        "C:\Windows\system32\wksxfrae.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\wvkcfjk.exe
        
        "C:\Windows\system32\wvkcfjk.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\wmtakur.exe
        
        "C:\Windows\system32\wmtakur.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\wwsqp.exe
        
        "C:\Windows\system32\wwsqp.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\wwrxvj.exe
        
        "C:\Windows\system32\wwrxvj.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\warvutvjm.exe
        
        "C:\Windows\system32\warvutvjm.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:388
        
        C:\Windows\SysWOW64\wocuyfcfn.exe
        
        "C:\Windows\system32\wocuyfcfn.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wfttpoqj.exe
        
        "C:\Windows\system32\wfttpoqj.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2280
        
        C:\Windows\SysWOW64\wkihhypj.exe
        
        "C:\Windows\system32\wkihhypj.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\wixahqltv.exe
        
        "C:\Windows\system32\wixahqltv.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2360
        
        C:\Windows\SysWOW64\wcsejvh.exe
        
        "C:\Windows\system32\wcsejvh.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\wwrnxw.exe
        
        "C:\Windows\system32\wwrnxw.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\wulprsce.exe
        
        "C:\Windows\system32\wulprsce.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\wuttl.exe
        
        "C:\Windows\system32\wuttl.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\wtckye.exe
        
        "C:\Windows\system32\wtckye.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:828
        
        C:\Windows\SysWOW64\wavdbi.exe
        
        "C:\Windows\system32\wavdbi.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\wxetndx.exe
        
        "C:\Windows\system32\wxetndx.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\wfeoefm.exe
        
        "C:\Windows\system32\wfeoefm.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\wuhkus.exe
        
        "C:\Windows\system32\wuhkus.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\worepvt.exe
        
        "C:\Windows\system32\worepvt.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1656
        
        C:\Windows\SysWOW64\wvjxsay.exe
        
        "C:\Windows\system32\wvjxsay.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\wqpjtag.exe
        
        "C:\Windows\system32\wqpjtag.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\wtfro.exe
        
        "C:\Windows\system32\wtfro.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1004
        
        C:\Windows\SysWOW64\wvwpa.exe
        
        "C:\Windows\system32\wvwpa.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\wrvyonpe.exe
        
        "C:\Windows\system32\wrvyonpe.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\wpvbvfw.exe
        
        "C:\Windows\system32\wpvbvfw.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\wwwvlhl.exe
        
        "C:\Windows\system32\wwwvlhl.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\whavl.exe
        
        "C:\Windows\system32\whavl.exe"
        66⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\whxcqx.exe
        
        "C:\Windows\system32\whxcqx.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\wjybo.exe
        
        "C:\Windows\system32\wjybo.exe"
        68⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\wmsxy.exe
        
        "C:\Windows\system32\wmsxy.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\wccv.exe
        
        "C:\Windows\system32\wccv.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\wedgt.exe
        
        "C:\Windows\system32\wedgt.exe"
        71⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:576
        
        C:\Windows\SysWOW64\wdxinph.exe
        
        "C:\Windows\system32\wdxinph.exe"
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedgt.exe"
        72⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccv.exe"
        71⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsxy.exe"
        70⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjybo.exe"
        69⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxcqx.exe"
        68⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whavl.exe"
        67⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwvlhl.exe"
        66⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvbvfw.exe"
        65⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvyonpe.exe"
        64⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 908
        64⤵
        Program crash
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwpa.exe"
        63⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfro.exe"
        62⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpjtag.exe"
        61⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjxsay.exe"
        60⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worepvt.exe"
        59⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhkus.exe"
        58⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfeoefm.exe"
        57⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxetndx.exe"
        56⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavdbi.exe"
        55⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtckye.exe"
        54⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuttl.exe"
        53⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulprsce.exe"
        52⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrnxw.exe"
        51⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsejvh.exe"
        50⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wixahqltv.exe"
        49⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkihhypj.exe"
        48⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfttpoqj.exe"
        47⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocuyfcfn.exe"
        46⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warvutvjm.exe"
        45⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrxvj.exe"
        44⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwsqp.exe"
        43⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtakur.exe"
        42⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkcfjk.exe"
        41⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wksxfrae.exe"
        40⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotoq.exe"
        39⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuktumsx.exe"
        38⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxnw.exe"
        37⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgr.exe"
        36⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexjssvw.exe"
        35⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvqlpt.exe"
        34⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woysoou.exe"
        33⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenqburl.exe"
        32⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoddk.exe"
        31⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxdla.exe"
        30⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wue.exe"
        29⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrd.exe"
        28⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocwlonam.exe"
        27⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqthytab.exe"
        26⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbjjvitf.exe"
        25⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfsnmhc.exe"
        24⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqip.exe"
        23⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqljbbs.exe"
        22⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiflac.exe"
        21⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\walfxs.exe"
        20⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmqyirw.exe"
        19⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkps.exe"
        18⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wduhakj.exe"
        17⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpf.exe"
        16⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woqwjagy.exe"
        15⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloxl.exe"
        14⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipa.exe"
        13⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wox.exe"
        12⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrn.exe"
        11⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlswnc.exe"
        10⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrq.exe"
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswdl.exe"
        8⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welunlu.exe"
        7⤵
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whg.exe"
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqahldj.exe"
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woommo.exe"
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymayg.exe"
    3⤵
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\32f75d238cc3f12dbf55743b4720a1d0_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ECCPSJ82.txt

Filesize
99B

MD5
6b3c04438012b59cff5cf2a081bf889c

SHA1
d57487edb87633e97a754a9f7206763688a0a494

SHA256
735a998df424a265256000abc2a8b49311c2e2e27c7c2b7b9affae08f591b06b

SHA512
3d3b95ada8f9b4d18179e076a2b3b2056b3435b6b2d53c85d3abb3980224f6eb1c1c0bea578282233cf0ef1f0610c119ccccdd21aecf70aaba255e0458d2f812

Download Submit
\Windows\SysWOW64\welunlu.exe

Filesize
94KB

MD5
0eb39d34a9a29a49924a607e721edf45

SHA1
e592707b25e373f17b1a08708564601608aea225

SHA256
92a739533ddeeb619902fbe09190c41fae0d344e77d1053161931e6943d7caed

SHA512
41191341276aaf440b722491cf01bcbc3f3900d48af1e67df7f3cc0ce4dab69d3859555cf6ab54956e48a50c1f57a45cedbc1086cd2d678331b30b9364bfabc8

Download Submit
\Windows\SysWOW64\whg.exe

Filesize
94KB

MD5
663b6e2136ed776d1c2cdaf216f283e6

SHA1
59c34aad4ab607af8bad7beefc6ea02098575d08

SHA256
1290e1e5015b9b35ffbac17c11dddd392d9084a914d35974692b4a803a8e5322

SHA512
c03929aed0f3c94d371bbdc9c3e0e605a202867b5f7286b9535254b96e24e33e90dbbb5d34626f3ebfdec589714bd693328dd7c57ddc4aed4d157d7c1e69a13a

Download Submit
\Windows\SysWOW64\wlswnc.exe

Filesize
94KB

MD5
a4f8696302d08d70172d475d15106b29

SHA1
70db18380c58d84a027f3214457da38ea5a473cc

SHA256
c2a2508cd19c8e98bdfe775df4858ba89c8d01301ea0e6f2f3a58d17ddeb615e

SHA512
dd77e5de856862449c3879b7a80c729bc3fa093900a6dcdca4dac008e3d1f80de188933693e20f28e1a39ab94146442d036ff12ca6f12fee359bba052efa8d52

Download Submit
\Windows\SysWOW64\woommo.exe

Filesize
94KB

MD5
20bed07fd2d814c8a8796a0571b620a9

SHA1
f6d02f7cfccf6f639915f9e86265324be970c01f

SHA256
7f351ce83d8c19d1a5fcbd74a66dfdc778b28ba75ea4b4da337b4dbb2423c95b

SHA512
ad12af4d7b4da102a4b4601fb86002d11d3c2c24d764fb2b23e51419f5d25efe7bf160cf22a4b37786e439b339815ee1dc35be8909567ebade4c5bc306d81673

Download Submit
\Windows\SysWOW64\wox.exe

Filesize
94KB

MD5
e9828f6b726f4107aead053318a5885c

SHA1
9b58fe539228c6ad70990423f3f0b07c106fca46

SHA256
dbe6cfede0c16dd01f978673cd704e27bae0f0008e4b5720889b83d9473392e8

SHA512
3c0a5c0c74ce57e97e43840a04de14874c53418df7ac4d137f0f972194d10842f1285aa7b4307bd50cd0b2de4e67cc0be3274c92b6a4b4e7da370b94490b4fc0

Download Submit
\Windows\SysWOW64\wqahldj.exe

Filesize
94KB

MD5
9e5317d8d15c70fa481559f51189eaf4

SHA1
f50ed37d719fbaf87966dcbfe03c125c65c0b85e

SHA256
ae00b5c414d63acbf8422f67af046e1f60a44d22ec69b50cfbe0e0c4a0109d02

SHA512
fb805fafc3a756a204246ff180d5939249ecf10bf4a245f3001e9016a77328fa37c0ba74655111f48c6ec5d23fb73f8a66a34ce1a1460eb0d4885b756a03324a

Download Submit
\Windows\SysWOW64\wqrq.exe

Filesize
94KB

MD5
dd9d3d8429f2924114843d5abb4341a3

SHA1
cf6ef30a0f6a54deed090be19ffb141535576437

SHA256
757908cc1e74553f18870af6332aee83ddb23408fa71f64ff170b07a5d72d5c5

SHA512
9e009f85355953dcd257ef3128053055e1165719e5fb23787b144e0a3d005a559b87992d45ac3ee52205c70a46a3cbc91a48bb20ed0bc73fa365cb31dbe1e900

Download Submit
\Windows\SysWOW64\wswdl.exe

Filesize
94KB

MD5
c9229b711b09fd327fd96478c561e876

SHA1
40b359f429d5e1af4fbd16a83937ae8c44233fd2

SHA256
a1e636a038f712a0bf66a89ff910808fcf2a4dce34fa28d8bb8439435abcc006

SHA512
504cca010cab85faead696748dbf75eee96f453907415d636909a83fd51ff8f7f5593a77b3ccb1f09a7830c853de774e2b709f0c1f46b588505d08a9e41464b9

Download Submit
\Windows\SysWOW64\wwrn.exe

Filesize
94KB

MD5
0bb6742c4077e5b1c6c16d46523c67a6

SHA1
5fe6aade1b0ed8c279ba64c7678a955af4ef3a13

SHA256
0c844cf94d3d1fc4e03ecfa6cc97c3964880d171188f60e412359ca7f2fd82d7

SHA512
8aa87a399e75c9d5ab568aaef1ec35b939f837826011a06cb7b18a081efe1993b054c3f0e005a6b5cad945058ac44f768a33188c3a00fdf04d5d4d70069d8ee9

Download Submit
\Windows\SysWOW64\wymayg.exe

Filesize
94KB

MD5
9f7921d7f7b7546aff9b0a58af8d24a8

SHA1
7c2112769c28ec23bf2845b168620fa8acb37e1f

SHA256
4872613a2cd60fb184ae7160976bbf9956d9fba139a8bdbd75f152674e0c6b84

SHA512
bb4fd28e9dd8d6de718b88550add6affb42bac78e5de80305b91483e7337407e5a007a6c47918f36916ece571d24145ecadb16e847feaed6e8801aa25a309f15

Download Submit
memory/916-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/916-60-0x0000000002DB0000-0x0000000002DC8000-memory.dmp

Filesize
96KB

Download
memory/916-66-0x0000000003DA0000-0x0000000003DB8000-memory.dmp

Filesize
96KB

Download
memory/916-70-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/916-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1060-329-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1060-326-0x0000000003AC0000-0x0000000003AD8000-memory.dmp

Filesize
96KB

Download
memory/1060-328-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

Filesize
64KB

Download
memory/1060-325-0x0000000003AC0000-0x0000000003AD8000-memory.dmp

Filesize
96KB

Download
memory/1116-407-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1160-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1160-84-0x0000000003C80000-0x0000000003C98000-memory.dmp

Filesize
96KB

Download
memory/1160-94-0x00000000037F0000-0x0000000003800000-memory.dmp

Filesize
64KB

Download
memory/1160-90-0x0000000003C80000-0x0000000003C98000-memory.dmp

Filesize
96KB

Download
memory/1160-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1444-330-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1444-345-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1444-342-0x0000000003AE0000-0x0000000003AF8000-memory.dmp

Filesize
96KB

Download
memory/1444-343-0x0000000003AE0000-0x0000000003AF8000-memory.dmp

Filesize
96KB

Download
memory/1444-344-0x0000000003AF0000-0x0000000003B08000-memory.dmp

Filesize
96KB

Download
memory/1444-327-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1476-207-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/1476-206-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/1476-213-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1476-187-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1476-211-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/1556-391-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1556-389-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1556-390-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1604-190-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1604-164-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1604-184-0x0000000003920000-0x0000000003938000-memory.dmp

Filesize
96KB

Download
memory/1604-188-0x0000000003920000-0x0000000003930000-memory.dmp

Filesize
64KB

Download
memory/1696-361-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1696-373-0x0000000003B20000-0x0000000003B38000-memory.dmp

Filesize
96KB

Download
memory/1696-372-0x0000000003B20000-0x0000000003B38000-memory.dmp

Filesize
96KB

Download
memory/1696-375-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/1696-376-0x0000000003B30000-0x0000000003B40000-memory.dmp

Filesize
64KB

Download
memory/1696-377-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1704-12-0x0000000003D70000-0x0000000003D88000-memory.dmp

Filesize
96KB

Download
memory/1704-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1704-19-0x0000000003D70000-0x0000000003D88000-memory.dmp

Filesize
96KB

Download
memory/1704-6-0x0000000003D70000-0x0000000003D88000-memory.dmp

Filesize
96KB

Download
memory/1704-23-0x0000000003D70000-0x0000000003D80000-memory.dmp

Filesize
64KB

Download
memory/1704-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1780-137-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/1780-138-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/1780-126-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/1780-142-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1932-255-0x0000000002D80000-0x0000000002D98000-memory.dmp

Filesize
96KB

Download
memory/1932-241-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1932-256-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1936-283-0x0000000003BB0000-0x0000000003BC8000-memory.dmp

Filesize
96KB

Download
memory/1936-284-0x0000000003BC0000-0x0000000003BD8000-memory.dmp

Filesize
96KB

Download
memory/1936-286-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2308-313-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2308-312-0x0000000003C20000-0x0000000003C38000-memory.dmp

Filesize
96KB

Download
memory/2420-113-0x0000000003730000-0x0000000003748000-memory.dmp

Filesize
96KB

Download
memory/2420-115-0x0000000003730000-0x0000000003748000-memory.dmp

Filesize
96KB

Download
memory/2420-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2420-118-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2420-114-0x0000000003730000-0x0000000003748000-memory.dmp

Filesize
96KB

Download
memory/2424-285-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2424-298-0x0000000003DA0000-0x0000000003DB8000-memory.dmp

Filesize
96KB

Download
memory/2424-299-0x0000000003DB0000-0x0000000003DC0000-memory.dmp

Filesize
64KB

Download
memory/2424-300-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2488-360-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2488-405-0x0000000003380000-0x0000000003398000-memory.dmp

Filesize
96KB

Download
memory/2488-359-0x0000000003380000-0x0000000003398000-memory.dmp

Filesize
96KB

Download
memory/2488-357-0x00000000031A0000-0x00000000031B8000-memory.dmp

Filesize
96KB

Download
memory/2488-358-0x0000000003380000-0x0000000003398000-memory.dmp

Filesize
96KB

Download
memory/2576-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-47-0x0000000003B30000-0x0000000003B40000-memory.dmp

Filesize
64KB

Download
memory/2576-49-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-43-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/2576-42-0x0000000003B20000-0x0000000003B38000-memory.dmp

Filesize
96KB

Download
memory/2688-210-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2688-229-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2688-227-0x0000000003BE0000-0x0000000003BF8000-memory.dmp

Filesize
96KB

Download
memory/2688-228-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/2688-226-0x0000000003260000-0x0000000003278000-memory.dmp

Filesize
96KB

Download
memory/2752-257-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2752-270-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2752-269-0x0000000003C30000-0x0000000003C40000-memory.dmp

Filesize
64KB

Download
memory/2780-243-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2780-242-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/2812-392-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2812-406-0x0000000003180000-0x0000000003198000-memory.dmp

Filesize
96KB

Download
memory/2812-401-0x0000000003120000-0x0000000003138000-memory.dmp

Filesize
96KB

Download
memory/2816-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2816-168-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2816-162-0x00000000032B0000-0x00000000032C8000-memory.dmp

Filesize
96KB

Download
memory/2816-166-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/2816-153-0x00000000032A0000-0x00000000032B8000-memory.dmp

Filesize
96KB

Download
memory/2816-154-0x00000000032A0000-0x00000000032B8000-memory.dmp

Filesize
96KB

Download
memory/2816-161-0x00000000032B0000-0x00000000032C8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads