0c351f38a364a6e5c3bfd1579de668d585c668f463440c6db076e0faa4697303

Analysis

max time kernel
136s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.68f360ba7d874645c414e37282b2efe0.exe
Size

208KB
MD5

68f360ba7d874645c414e37282b2efe0
SHA1

8c0ba1fb2cbb3dc7265ba29b9f3d10e5b154631a
SHA256

0c351f38a364a6e5c3bfd1579de668d585c668f463440c6db076e0faa4697303
SHA512

01a964287731b7601f028c87c03ea67ded3cecc24173f896ffb03eeca4a57bd85ac8b94d04a079a9f764df73ca42067ffbcfcd41b22cd4a27a5cdff3807a4139
SSDEEP

3072:8Q8zG+zq+7PYYj/N7Ts50IllG2TF1kA7aGHv94NLthEjQT6j:8Q8zGv+b7TSpd1QEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WYHVV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	EKVID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	RIVT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	HDMYYUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	BMK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NEAS.68f360ba7d874645c414e37282b2efe0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	UMNPZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	BDD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WTNXX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WLOZL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	QCLSEFY.exe

Executes dropped EXE 11 IoCs

pid	Process
1760	UMNPZ.exe
3892	BDD.exe
3652	WYHVV.exe
5100	EKVID.exe
3364	RIVT.exe
4564	HDMYYUE.exe
4084	WTNXX.exe
1532	WLOZL.exe
5092	BMK.exe
2184	QCLSEFY.exe
3524	MFVLLFN.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\UMNPZ.exe.bat	NEAS.68f360ba7d874645c414e37282b2efe0.exe
File opened for modification	C:\windows\SysWOW64\WYHVV.exe	BDD.exe
File opened for modification	C:\windows\SysWOW64\UMNPZ.exe	NEAS.68f360ba7d874645c414e37282b2efe0.exe
File created	C:\windows\SysWOW64\RIVT.exe	EKVID.exe
File opened for modification	C:\windows\SysWOW64\RIVT.exe	EKVID.exe
File created	C:\windows\SysWOW64\MFVLLFN.exe	QCLSEFY.exe
File created	C:\windows\SysWOW64\WYHVV.exe	BDD.exe
File created	C:\windows\SysWOW64\WYHVV.exe.bat	BDD.exe
File created	C:\windows\SysWOW64\EKVID.exe	WYHVV.exe
File created	C:\windows\SysWOW64\EKVID.exe.bat	WYHVV.exe
File opened for modification	C:\windows\SysWOW64\MFVLLFN.exe	QCLSEFY.exe
File created	C:\windows\SysWOW64\MFVLLFN.exe.bat	QCLSEFY.exe
File created	C:\windows\SysWOW64\UMNPZ.exe	NEAS.68f360ba7d874645c414e37282b2efe0.exe
File opened for modification	C:\windows\SysWOW64\EKVID.exe	WYHVV.exe
File created	C:\windows\SysWOW64\RIVT.exe.bat	EKVID.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\windows\system\WLOZL.exe	WTNXX.exe
File created	C:\windows\system\WLOZL.exe.bat	WTNXX.exe
File opened for modification	C:\windows\system\QCLSEFY.exe	BMK.exe
File created	C:\windows\system\QCLSEFY.exe.bat	BMK.exe
File created	C:\windows\BDD.exe	UMNPZ.exe
File opened for modification	C:\windows\BDD.exe	UMNPZ.exe
File created	C:\windows\HDMYYUE.exe	RIVT.exe
File created	C:\windows\WTNXX.exe	HDMYYUE.exe
File created	C:\windows\WTNXX.exe.bat	HDMYYUE.exe
File opened for modification	C:\windows\system\BMK.exe	WLOZL.exe
File created	C:\windows\system\BMK.exe.bat	WLOZL.exe
File created	C:\windows\BDD.exe.bat	UMNPZ.exe
File opened for modification	C:\windows\WTNXX.exe	HDMYYUE.exe
File created	C:\windows\system\WLOZL.exe	WTNXX.exe
File created	C:\windows\system\QCLSEFY.exe	BMK.exe
File opened for modification	C:\windows\HDMYYUE.exe	RIVT.exe
File created	C:\windows\HDMYYUE.exe.bat	RIVT.exe
File created	C:\windows\system\BMK.exe	WLOZL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4832	944	WerFault.exe	84
4304	1760	WerFault.exe	90
2880	3892	WerFault.exe	96
3660	3652	WerFault.exe	102
788	5100	WerFault.exe	107
1132	3364	WerFault.exe	114
3016	4564	WerFault.exe	120
3056	4084	WerFault.exe	126
4536	1532	WerFault.exe	131
4860	5092	WerFault.exe	136
2120	2184	WerFault.exe	142
2500	3524	WerFault.exe	147

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
944	NEAS.68f360ba7d874645c414e37282b2efe0.exe
944	NEAS.68f360ba7d874645c414e37282b2efe0.exe
1760	UMNPZ.exe
1760	UMNPZ.exe
3892	BDD.exe
3892	BDD.exe
3652	WYHVV.exe
3652	WYHVV.exe
5100	EKVID.exe
5100	EKVID.exe
3364	RIVT.exe
3364	RIVT.exe
4564	HDMYYUE.exe
4564	HDMYYUE.exe
4084	WTNXX.exe
4084	WTNXX.exe
1532	WLOZL.exe
1532	WLOZL.exe
5092	BMK.exe
5092	BMK.exe
2184	QCLSEFY.exe
2184	QCLSEFY.exe
3524	MFVLLFN.exe
3524	MFVLLFN.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
944	NEAS.68f360ba7d874645c414e37282b2efe0.exe
944	NEAS.68f360ba7d874645c414e37282b2efe0.exe
1760	UMNPZ.exe
1760	UMNPZ.exe
3892	BDD.exe
3892	BDD.exe
3652	WYHVV.exe
3652	WYHVV.exe
5100	EKVID.exe
5100	EKVID.exe
3364	RIVT.exe
3364	RIVT.exe
4564	HDMYYUE.exe
4564	HDMYYUE.exe
4084	WTNXX.exe
4084	WTNXX.exe
1532	WLOZL.exe
1532	WLOZL.exe
5092	BMK.exe
5092	BMK.exe
2184	QCLSEFY.exe
2184	QCLSEFY.exe
3524	MFVLLFN.exe
3524	MFVLLFN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1736	944	NEAS.68f360ba7d874645c414e37282b2efe0.exe	86
PID 944 wrote to memory of 1736	944	NEAS.68f360ba7d874645c414e37282b2efe0.exe	86
PID 944 wrote to memory of 1736	944	NEAS.68f360ba7d874645c414e37282b2efe0.exe	86
PID 1736 wrote to memory of 1760	1736	cmd.exe	90
PID 1736 wrote to memory of 1760	1736	cmd.exe	90
PID 1736 wrote to memory of 1760	1736	cmd.exe	90
PID 1760 wrote to memory of 4228	1760	UMNPZ.exe	92
PID 1760 wrote to memory of 4228	1760	UMNPZ.exe	92
PID 1760 wrote to memory of 4228	1760	UMNPZ.exe	92
PID 4228 wrote to memory of 3892	4228	cmd.exe	96
PID 4228 wrote to memory of 3892	4228	cmd.exe	96
PID 4228 wrote to memory of 3892	4228	cmd.exe	96
PID 3892 wrote to memory of 4348	3892	BDD.exe	98
PID 3892 wrote to memory of 4348	3892	BDD.exe	98
PID 3892 wrote to memory of 4348	3892	BDD.exe	98
PID 4348 wrote to memory of 3652	4348	cmd.exe	102
PID 4348 wrote to memory of 3652	4348	cmd.exe	102
PID 4348 wrote to memory of 3652	4348	cmd.exe	102
PID 3652 wrote to memory of 4044	3652	WYHVV.exe	103
PID 3652 wrote to memory of 4044	3652	WYHVV.exe	103
PID 3652 wrote to memory of 4044	3652	WYHVV.exe	103
PID 4044 wrote to memory of 5100	4044	cmd.exe	107
PID 4044 wrote to memory of 5100	4044	cmd.exe	107
PID 4044 wrote to memory of 5100	4044	cmd.exe	107
PID 5100 wrote to memory of 5096	5100	EKVID.exe	110
PID 5100 wrote to memory of 5096	5100	EKVID.exe	110
PID 5100 wrote to memory of 5096	5100	EKVID.exe	110
PID 5096 wrote to memory of 3364	5096	cmd.exe	114
PID 5096 wrote to memory of 3364	5096	cmd.exe	114
PID 5096 wrote to memory of 3364	5096	cmd.exe	114
PID 3364 wrote to memory of 4680	3364	RIVT.exe	115
PID 3364 wrote to memory of 4680	3364	RIVT.exe	115
PID 3364 wrote to memory of 4680	3364	RIVT.exe	115
PID 4680 wrote to memory of 4564	4680	cmd.exe	120
PID 4680 wrote to memory of 4564	4680	cmd.exe	120
PID 4680 wrote to memory of 4564	4680	cmd.exe	120
PID 4564 wrote to memory of 4308	4564	HDMYYUE.exe	122
PID 4564 wrote to memory of 4308	4564	HDMYYUE.exe	122
PID 4564 wrote to memory of 4308	4564	HDMYYUE.exe	122
PID 4308 wrote to memory of 4084	4308	cmd.exe	126
PID 4308 wrote to memory of 4084	4308	cmd.exe	126
PID 4308 wrote to memory of 4084	4308	cmd.exe	126
PID 4084 wrote to memory of 4568	4084	WTNXX.exe	127
PID 4084 wrote to memory of 4568	4084	WTNXX.exe	127
PID 4084 wrote to memory of 4568	4084	WTNXX.exe	127
PID 4568 wrote to memory of 1532	4568	cmd.exe	131
PID 4568 wrote to memory of 1532	4568	cmd.exe	131
PID 4568 wrote to memory of 1532	4568	cmd.exe	131
PID 1532 wrote to memory of 2888	1532	WLOZL.exe	132
PID 1532 wrote to memory of 2888	1532	WLOZL.exe	132
PID 1532 wrote to memory of 2888	1532	WLOZL.exe	132
PID 2888 wrote to memory of 5092	2888	cmd.exe	136
PID 2888 wrote to memory of 5092	2888	cmd.exe	136
PID 2888 wrote to memory of 5092	2888	cmd.exe	136
PID 5092 wrote to memory of 4816	5092	BMK.exe	138
PID 5092 wrote to memory of 4816	5092	BMK.exe	138
PID 5092 wrote to memory of 4816	5092	BMK.exe	138
PID 4816 wrote to memory of 2184	4816	cmd.exe	142
PID 4816 wrote to memory of 2184	4816	cmd.exe	142
PID 4816 wrote to memory of 2184	4816	cmd.exe	142
PID 2184 wrote to memory of 4876	2184	QCLSEFY.exe	143
PID 2184 wrote to memory of 4876	2184	QCLSEFY.exe	143
PID 2184 wrote to memory of 4876	2184	QCLSEFY.exe	143
PID 4876 wrote to memory of 3524	4876	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\NEAS.68f360ba7d874645c414e37282b2efe0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.68f360ba7d874645c414e37282b2efe0.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMNPZ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\windows\SysWOW64\UMNPZ.exe
    C:\windows\system32\UMNPZ.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\BDD.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\windows\BDD.exe
        
        C:\windows\BDD.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYHVV.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\windows\SysWOW64\WYHVV.exe
        
        C:\windows\system32\WYHVV.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EKVID.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\windows\SysWOW64\EKVID.exe
        
        C:\windows\system32\EKVID.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RIVT.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\windows\SysWOW64\RIVT.exe
        
        C:\windows\system32\RIVT.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HDMYYUE.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\windows\HDMYYUE.exe
        
        C:\windows\HDMYYUE.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WTNXX.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\windows\WTNXX.exe
        
        C:\windows\WTNXX.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLOZL.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\windows\system\WLOZL.exe
        
        C:\windows\system\WLOZL.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BMK.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\windows\system\BMK.exe
        
        C:\windows\system\BMK.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCLSEFY.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\windows\system\QCLSEFY.exe
        
        C:\windows\system\QCLSEFY.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MFVLLFN.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\windows\SysWOW64\MFVLLFN.exe
        
        C:\windows\system32\MFVLLFN.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 852
        24⤵
        Program crash
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1004
        22⤵
        Program crash
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 960
        20⤵
        Program crash
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1008
        18⤵
        Program crash
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 960
        16⤵
        Program crash
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 964
        14⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 988
        12⤵
        Program crash
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1328
        10⤵
        Program crash
        
        PID:788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1300
        8⤵
        Program crash
        
        PID:3660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 960
        6⤵
        Program crash
        
        PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 960
      4⤵
      Program crash
      PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1296
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 944 -ip 944
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1760 -ip 1760
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3892 -ip 3892
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3652 -ip 3652
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5100 -ip 5100
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3364 -ip 3364
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4564 -ip 4564
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4084 -ip 4084
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1532 -ip 1532
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 5092
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2184 -ip 2184
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3524 -ip 3524
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BDD.exe

Filesize
208KB

MD5
a9df934f884b7c5010b2aa58615961a0

SHA1
93214976182fa30d43b0bd4964a3ac45ebcaed03

SHA256
b80786e4346dac100b18c5c5024910fb94e8b0ef64910f08f5f77da97bdddab6

SHA512
381c7f73d56ad1a5792c2f1351a55fa176feb918d25b687ffad041318b77306a7428d367391c6bf28581443c59b927a9743d8036a16d58c730f89359d09a729b

Download Submit
C:\Windows\BDD.exe

Filesize
208KB

MD5
a9df934f884b7c5010b2aa58615961a0

SHA1
93214976182fa30d43b0bd4964a3ac45ebcaed03

SHA256
b80786e4346dac100b18c5c5024910fb94e8b0ef64910f08f5f77da97bdddab6

SHA512
381c7f73d56ad1a5792c2f1351a55fa176feb918d25b687ffad041318b77306a7428d367391c6bf28581443c59b927a9743d8036a16d58c730f89359d09a729b

Download Submit
C:\Windows\HDMYYUE.exe

Filesize
208KB

MD5
2047c8f406b45fbb4ab802f4052df07c

SHA1
5ffaf73336f927f1bb074856341b8ad4a68c6e62

SHA256
ec3f128f8fa95745f7239cd59b820abc802077b004ec215d5892f2175358d4a8

SHA512
71da5f33d4b4abe3ecb1a10cccab8ee69011f7d162a87816c4f5ee69e7f18ff01a57ff0a021412f873ff03ccc9bd6f4877a74ff7c3dadbc60edb699a6e387754

Download Submit
C:\Windows\SysWOW64\EKVID.exe

Filesize
208KB

MD5
1a08de4ca2691bd648f5a019bd5761a2

SHA1
f32f0cfd4a562514a2856cb82cc34cbff8fee8f9

SHA256
bf7fbea15256213c4802dd39e8fd72c8cb4710bd44205f502dbd54ea4d37bf68

SHA512
e4151b626a306ab9400c7d1067df99ecd83fe424217b334d977889043aadf2c4a62863b6f9e0cb0e115077129876ea69fa26e9946c6c62eba54d97973c4f8953

Download Submit
C:\Windows\SysWOW64\MFVLLFN.exe

Filesize
208KB

MD5
0d4c496291888db2ef3db61588100eda

SHA1
fe0e3f2d904efa1c86e62474289c9c03c5230c19

SHA256
6fb5b19d373e9474d9291a0ce902a11637223d06fe7c1cfad9f0a528ee567fa7

SHA512
0757fe9d314e6a4154aef7832f6a75623e800830720c1ffa964e2e77ab92923af1c304ea144fff14952a2200758a685c8c045e03baab19dc9ebbb74d0091ce81

Download Submit
C:\Windows\SysWOW64\RIVT.exe

Filesize
208KB

MD5
55af21a0c59b70f84f9d2a6827a076bf

SHA1
5923e80267d0a629f4ebde51fbe0d24053cf7886

SHA256
0b80b85c84d95c04db944721997e42c5eac496a2f6054c28a98c85612eb6d8fb

SHA512
5f18c5c812d5e8c2af9bbe2afadd8b0ebc2c89025b939e685884ceaa0e2c91318f921d52718dfeccf2d9b42f3e23330e4dbea888d5700b5395760f30fcca1cd7

Download Submit
C:\Windows\SysWOW64\UMNPZ.exe

Filesize
208KB

MD5
91110d1e2a5d29f8a57f5378e0b612e6

SHA1
d12024a094a7e2601ae475a75b33388aad395c89

SHA256
ef72babdd4007a23caa12dbffe2fc5c6565964591ce2d16448392e843ac96ca9

SHA512
56c8b67245c5d9126c39e619f9d687e364d4eeb673fce465f17f3880abc7ebb4c725fc9f0d837e8e7255958844f0236af61060c9be534129ca9876d1870ae240

Download Submit
C:\Windows\SysWOW64\WYHVV.exe

Filesize
208KB

MD5
7aa618175c48391d1e0ed46684030b79

SHA1
3dea3122ca464abe3cce0357b36aec5b872bf460

SHA256
7f30d239606a23c42f0d7043f0210f6b3242093f5dbd2af2537ee36e2faab8e1

SHA512
6202c423941b3b31bbf6e96792ea57e38f8e00787448b866fa33d05f39a2026f26fc54b706ed870f7d51c5d9d07c139430f28cba9a58537d2327bcfcc0d238dc

Download Submit
C:\Windows\System\BMK.exe

Filesize
208KB

MD5
6fec79300c11f771e026faa73997a0a7

SHA1
71ceddf292498c93876d77a0fd1198123d60da34

SHA256
344dfe07cd4611c4cf12dbc3d10812c9fdcd641a3837c2c6cbf330ca3d8e8868

SHA512
2f56643f70021aefe0c35e87cd4087a34b2ad9a9dc0ed84f473828a153a02bc12fcda4cb23e2c6cc5bab6eaf30fb79751ac2286c8270a6ae2f63d248aba0b5df

Download Submit
C:\Windows\System\QCLSEFY.exe

Filesize
208KB

MD5
388dc4b8afa63ead7f0e95b05867a355

SHA1
e449e86f5c9bb5e5642b4f730cc490e57fa34b65

SHA256
c7ef4f0fc80b240db332d033e38295f127b9734d67157e5265d46dd0ae51064d

SHA512
e3afa438de92907e048423bbb84b8b79984996afe6ebc5df9bd15c7c87c78c6c53bf5b25ce5125c23d28e1ef00a0d4a58be67a4aa94a1a26b42a1019034d6957

Download Submit
C:\Windows\System\WLOZL.exe

Filesize
208KB

MD5
623596d220212ab14f7c592796cfe0b1

SHA1
84ec95dd9b34a84ca61f7ada0875de0d2721e74b

SHA256
b7b3a7239970ea33c2625ac89548f4c31255e2e2598f085d93f3462954b97e02

SHA512
055d07e40144cb34954baf37fbb99538922af5257eb05c6637b89dc81a0e249bc063d7e91b2ca176a569b9637a4a7e04ea0cb85d739d3a7c880781891f726df6

Download Submit
C:\Windows\WTNXX.exe

Filesize
208KB

MD5
623596d220212ab14f7c592796cfe0b1

SHA1
84ec95dd9b34a84ca61f7ada0875de0d2721e74b

SHA256
b7b3a7239970ea33c2625ac89548f4c31255e2e2598f085d93f3462954b97e02

SHA512
055d07e40144cb34954baf37fbb99538922af5257eb05c6637b89dc81a0e249bc063d7e91b2ca176a569b9637a4a7e04ea0cb85d739d3a7c880781891f726df6

Download Submit
C:\windows\BDD.exe

Filesize
208KB

MD5
a9df934f884b7c5010b2aa58615961a0

SHA1
93214976182fa30d43b0bd4964a3ac45ebcaed03

SHA256
b80786e4346dac100b18c5c5024910fb94e8b0ef64910f08f5f77da97bdddab6

SHA512
381c7f73d56ad1a5792c2f1351a55fa176feb918d25b687ffad041318b77306a7428d367391c6bf28581443c59b927a9743d8036a16d58c730f89359d09a729b

Download Submit
C:\windows\BDD.exe.bat

Filesize
52B

MD5
4ddcbed997593d394b4aa2010d0f9ce1

SHA1
80877cd61b34bc6ee79f4b9ec0b0a8f687d38d06

SHA256
1ba2fed30777caae068dc85e1c98c71efaeddb4393a3d6fb792ae4051f6c3fcd

SHA512
4be403b05e1587f1c50eb70dd6944a243238085b344708d4e5e85efde902a68e93553ef7861cc15a3879bc7eaf3d4b22e4b6c1f183e7c052f3b59dfc5e3cd3b9

Download Submit
C:\windows\HDMYYUE.exe

Filesize
208KB

MD5
2047c8f406b45fbb4ab802f4052df07c

SHA1
5ffaf73336f927f1bb074856341b8ad4a68c6e62

SHA256
ec3f128f8fa95745f7239cd59b820abc802077b004ec215d5892f2175358d4a8

SHA512
71da5f33d4b4abe3ecb1a10cccab8ee69011f7d162a87816c4f5ee69e7f18ff01a57ff0a021412f873ff03ccc9bd6f4877a74ff7c3dadbc60edb699a6e387754

Download Submit
C:\windows\HDMYYUE.exe.bat

Filesize
60B

MD5
ecb849d01705302e458f759360685e05

SHA1
73c513dc9b5764fec415c2d37aec171830752e37

SHA256
98b785fc5b9c2f756aba7e69ad73ec411c31da65c28d97f5bf2a5d74cceeeee7

SHA512
33ee473d3f6ef1274681bae134d925670f18b38af11ccdbb4a212c1ed0f91388082d76baf9f8f5a65d2aa52c1208dbdfe1693d5c9893ed1ff07816dbea8bd71c

Download Submit
C:\windows\SysWOW64\EKVID.exe

Filesize
208KB

MD5
1a08de4ca2691bd648f5a019bd5761a2

SHA1
f32f0cfd4a562514a2856cb82cc34cbff8fee8f9

SHA256
bf7fbea15256213c4802dd39e8fd72c8cb4710bd44205f502dbd54ea4d37bf68

SHA512
e4151b626a306ab9400c7d1067df99ecd83fe424217b334d977889043aadf2c4a62863b6f9e0cb0e115077129876ea69fa26e9946c6c62eba54d97973c4f8953

Download Submit
C:\windows\SysWOW64\EKVID.exe.bat

Filesize
74B

MD5
a102e303aedd1f10c393806b75eef452

SHA1
7d8774d7db74c95414ac93004b81f9a916211bf0

SHA256
8ff18cc5281eb15d76377728652ee3874e6c44d19b5b09ce2a69689b4daf6d93

SHA512
000c0f52c9f8e5631c9e7401d980fdb36829a977ddb590f7894f192328d7b7e425e4226da78c6ddb03337fdc4e094ca579e9c91c23e917c6c7e58711381fb3f2

Download Submit
C:\windows\SysWOW64\MFVLLFN.exe

Filesize
208KB

MD5
0d4c496291888db2ef3db61588100eda

SHA1
fe0e3f2d904efa1c86e62474289c9c03c5230c19

SHA256
6fb5b19d373e9474d9291a0ce902a11637223d06fe7c1cfad9f0a528ee567fa7

SHA512
0757fe9d314e6a4154aef7832f6a75623e800830720c1ffa964e2e77ab92923af1c304ea144fff14952a2200758a685c8c045e03baab19dc9ebbb74d0091ce81

Download Submit
C:\windows\SysWOW64\MFVLLFN.exe.bat

Filesize
78B

MD5
8e156cb077146176b1d2b4eea4a3d6c4

SHA1
5890ce6cf96c1720a4756fb2abc2e9ec033121f4

SHA256
e4fbb4373f3408b5e978a56f553eb329b9f5c28b6b2e54838816feafdb204ab3

SHA512
f531d5bd828e851f96bb76b400ca6c860bb2430d74fff1aec604b4afaf2884a9d6f0611843da00efc8d747b5ff787fc0292d78c9d5e1441decbf1aa1aa7dab88

Download Submit
C:\windows\SysWOW64\RIVT.exe

Filesize
208KB

MD5
55af21a0c59b70f84f9d2a6827a076bf

SHA1
5923e80267d0a629f4ebde51fbe0d24053cf7886

SHA256
0b80b85c84d95c04db944721997e42c5eac496a2f6054c28a98c85612eb6d8fb

SHA512
5f18c5c812d5e8c2af9bbe2afadd8b0ebc2c89025b939e685884ceaa0e2c91318f921d52718dfeccf2d9b42f3e23330e4dbea888d5700b5395760f30fcca1cd7

Download Submit
C:\windows\SysWOW64\RIVT.exe.bat

Filesize
72B

MD5
c3eb284e80f7caf811b21ecb6c7ac1b0

SHA1
f2d59fff124c9f36c533c85aea0b5b1e7809b1b3

SHA256
33e36421f3c4599cbcc4c3fe965ca6aee0a5783a3fa8b8ae698604d6fcd7c0b4

SHA512
d67d8ba3b58cc87917cd9824f3c31447dbe958c7fd266802e75c5d7c6484bc7e49d476d9421d9268dc8d341ac70969208aa9d9ddb688ef88599ad30cf2f7f159

Download Submit
C:\windows\SysWOW64\UMNPZ.exe

Filesize
208KB

MD5
91110d1e2a5d29f8a57f5378e0b612e6

SHA1
d12024a094a7e2601ae475a75b33388aad395c89

SHA256
ef72babdd4007a23caa12dbffe2fc5c6565964591ce2d16448392e843ac96ca9

SHA512
56c8b67245c5d9126c39e619f9d687e364d4eeb673fce465f17f3880abc7ebb4c725fc9f0d837e8e7255958844f0236af61060c9be534129ca9876d1870ae240

Download Submit
C:\windows\SysWOW64\UMNPZ.exe.bat

Filesize
74B

MD5
5e8960cc5dac54cc7757c3b9f5b3c7b5

SHA1
92bad2b40421d643777265abe712e58756045395

SHA256
67ecf3e6879eeb158883d85aa7f5c7439068f2d355fb6145286ae5c66c2ac0c3

SHA512
31cf7aa56a8685f4df0284653802d39592a39db9c7ebd1110e4ff3ad46891c5452a1809ce0bbc03e4053693c31a611caa5790d2cf65ea1623ad41cab274a56d4

Download Submit
C:\windows\SysWOW64\WYHVV.exe

Filesize
208KB

MD5
7aa618175c48391d1e0ed46684030b79

SHA1
3dea3122ca464abe3cce0357b36aec5b872bf460

SHA256
7f30d239606a23c42f0d7043f0210f6b3242093f5dbd2af2537ee36e2faab8e1

SHA512
6202c423941b3b31bbf6e96792ea57e38f8e00787448b866fa33d05f39a2026f26fc54b706ed870f7d51c5d9d07c139430f28cba9a58537d2327bcfcc0d238dc

Download Submit
C:\windows\SysWOW64\WYHVV.exe.bat

Filesize
74B

MD5
60494f1345f5dd2042b8bff7ced6f1ef

SHA1
91bc09b468526a2f5896c210cf3bb95b91378481

SHA256
c6d2c00464ed7ac47b62bbb42aea7a3ef339cfdeaf07ed1467754b4f25f3d3c9

SHA512
e60ce1aa5330ccba02053e2024edc5f59a5db6376e80a8f191ac8023578b4f84346164e3635f9ff432de63ddcdc9b34bdfc6b17b1b1471339fcbaba9dfd0f091

Download Submit
C:\windows\WTNXX.exe

Filesize
208KB

MD5
623596d220212ab14f7c592796cfe0b1

SHA1
84ec95dd9b34a84ca61f7ada0875de0d2721e74b

SHA256
b7b3a7239970ea33c2625ac89548f4c31255e2e2598f085d93f3462954b97e02

SHA512
055d07e40144cb34954baf37fbb99538922af5257eb05c6637b89dc81a0e249bc063d7e91b2ca176a569b9637a4a7e04ea0cb85d739d3a7c880781891f726df6

Download Submit
C:\windows\WTNXX.exe.bat

Filesize
56B

MD5
b3e07a933dca624abf00b92c52572f7c

SHA1
7ce71fe4020478621270e79117e907a6154f942b

SHA256
dd07bb781d4df7ba2a4b7540c544dfe0a6b62a266317bc9548df65da03f57d14

SHA512
5f75a6fa7e8a66ac56853d9d03fabe106942fe9d5f0eb5f9c26e29b2c128f0895d5cf1717510297296560e7c27e158ff8c9d26445334f27f00ecb6582bc0c771

Download Submit
C:\windows\system\BMK.exe

Filesize
208KB

MD5
6fec79300c11f771e026faa73997a0a7

SHA1
71ceddf292498c93876d77a0fd1198123d60da34

SHA256
344dfe07cd4611c4cf12dbc3d10812c9fdcd641a3837c2c6cbf330ca3d8e8868

SHA512
2f56643f70021aefe0c35e87cd4087a34b2ad9a9dc0ed84f473828a153a02bc12fcda4cb23e2c6cc5bab6eaf30fb79751ac2286c8270a6ae2f63d248aba0b5df

Download Submit
C:\windows\system\BMK.exe.bat

Filesize
66B

MD5
8603e63eb96fc5fd7e77a796ea969151

SHA1
c2fa81b9bd0b3ae48a1c2d4b93a734001ebfa376

SHA256
2230fca5c75779fab7988984d07b70cdaee0c7edd87ca2a03edb3b33b27bb39b

SHA512
24e2eea6de02582f31bc2fb82da748ea34c9ec904f92494c24099454a0f9fc48202dc8ea6f33f95cb7e31bfff61d8ea01f3095ae4d25faef741d9adf7c18b509

Download Submit
C:\windows\system\QCLSEFY.exe

Filesize
208KB

MD5
388dc4b8afa63ead7f0e95b05867a355

SHA1
e449e86f5c9bb5e5642b4f730cc490e57fa34b65

SHA256
c7ef4f0fc80b240db332d033e38295f127b9734d67157e5265d46dd0ae51064d

SHA512
e3afa438de92907e048423bbb84b8b79984996afe6ebc5df9bd15c7c87c78c6c53bf5b25ce5125c23d28e1ef00a0d4a58be67a4aa94a1a26b42a1019034d6957

Download Submit
C:\windows\system\QCLSEFY.exe.bat

Filesize
74B

MD5
49a433ee6d091e20dc243621780cffeb

SHA1
3b43681f37b4b18aa0d5ab25a716294c3a6f759e

SHA256
7ac13b9d28f863c239ec6f0a1a2ad5a624f19273b517f80e0a96eb89f4984961

SHA512
c4905bed86a939eb02a4d475cd1d344f97e9416590ecb81fb5108406d36b6335a1b165983401671ba712a52a6291e5053c4dad71413cf4a5e482ddc1686f1a41

Download Submit
C:\windows\system\WLOZL.exe

Filesize
208KB

MD5
623596d220212ab14f7c592796cfe0b1

SHA1
84ec95dd9b34a84ca61f7ada0875de0d2721e74b

SHA256
b7b3a7239970ea33c2625ac89548f4c31255e2e2598f085d93f3462954b97e02

SHA512
055d07e40144cb34954baf37fbb99538922af5257eb05c6637b89dc81a0e249bc063d7e91b2ca176a569b9637a4a7e04ea0cb85d739d3a7c880781891f726df6

Download Submit
C:\windows\system\WLOZL.exe.bat

Filesize
70B

MD5
de9bd1b1f6229c108417553625b51ca1

SHA1
603086a794538e6d001fa85df741d6fa60ddb0a9

SHA256
402b894e929fb02e91fce45dda7eefd34f9eacb04b0534ff9b4ca86874545797

SHA512
517a61ee9a826ee1030c3518982fdeaf23f7f78535418668f5cd1785de94220fcc391f0dc54f006252654091b0ff71746ce08d0e4f17eca7f7e688ae78c87077

Download Submit
memory/944-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/944-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1532-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1532-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1760-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1760-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2184-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2184-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3364-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3364-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3524-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3524-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3892-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3892-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4084-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4084-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5100-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5100-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download