e0731489c63706fe707e1461cbdba0d066b23b307a142910204ed9c1881a045d

Analysis

max time kernel
151s
max time network
165s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e4cde11eb9037beb5fb60a7259b9f7.exe
Size

251KB
MD5

21e4cde11eb9037beb5fb60a7259b9f7
SHA1

840096d30a20e23c1b43b0cc3771de917639cf9c
SHA256

e0731489c63706fe707e1461cbdba0d066b23b307a142910204ed9c1881a045d
SHA512

ec0e50a10b54f967de6172cbc8b53f0bff0dd40a5007314f855bab005175f081caf17fbbdb5b3b9e9752a661755bbbdd5dcd766eb44603b16e13de034d18fd5d
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVp+:ZY7xh6SZI4z7FSVp+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 24 IoCs

pid	Process
2736	wob.exe
2424	wwcqy.exe
1664	wjwot.exe
1616	wqsxatuo.exe
2212	wviscb.exe
1056	wta.exe
2516	wjkcad.exe
2924	whtx.exe
2752	wnjjxu.exe
2420	wqp.exe
1112	wwxacxno.exe
2388	wowbhekdr.exe
2004	wakvntsq.exe
2956	whgsbmwa.exe
1684	wiphl.exe
2592	wbv.exe
748	wwbmub.exe
1712	wvxdbc.exe
540	werfewxjg.exe
812	wwekjblr.exe
2464	wdv.exe
2480	wgprskvp.exe
1628	wypmrm.exe
1596	wikqkg.exe

Loads dropped DLL 64 IoCs

pid	Process
1268	21e4cde11eb9037beb5fb60a7259b9f7.exe
1268	21e4cde11eb9037beb5fb60a7259b9f7.exe
1268	21e4cde11eb9037beb5fb60a7259b9f7.exe
1268	21e4cde11eb9037beb5fb60a7259b9f7.exe
2736	wob.exe
2736	wob.exe
2736	wob.exe
2736	wob.exe
2424	wwcqy.exe
2424	wwcqy.exe
2424	wwcqy.exe
2424	wwcqy.exe
1664	wjwot.exe
1664	wjwot.exe
1664	wjwot.exe
1664	wjwot.exe
1616	wqsxatuo.exe
1616	wqsxatuo.exe
1616	wqsxatuo.exe
1616	wqsxatuo.exe
2212	wviscb.exe
2212	wviscb.exe
2212	wviscb.exe
2212	wviscb.exe
1056	wta.exe
1056	wta.exe
1056	wta.exe
1056	wta.exe
2516	wjkcad.exe
2516	wjkcad.exe
2516	wjkcad.exe
2516	wjkcad.exe
2924	whtx.exe
2924	whtx.exe
2924	whtx.exe
2924	whtx.exe
2752	wnjjxu.exe
2752	wnjjxu.exe
2752	wnjjxu.exe
2752	wnjjxu.exe
2420	wqp.exe
2420	wqp.exe
2420	wqp.exe
2420	wqp.exe
1112	wwxacxno.exe
1112	wwxacxno.exe
1112	wwxacxno.exe
1112	wwxacxno.exe
2388	wowbhekdr.exe
2388	wowbhekdr.exe
2388	wowbhekdr.exe
2388	wowbhekdr.exe
2004	wakvntsq.exe
2004	wakvntsq.exe
2004	wakvntsq.exe
2004	wakvntsq.exe
2956	whgsbmwa.exe
2956	whgsbmwa.exe
2956	whgsbmwa.exe
2956	whgsbmwa.exe
1684	wiphl.exe
1684	wiphl.exe
1684	wiphl.exe
1684	wiphl.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wjkcad.exe	wta.exe
File created	C:\Windows\SysWOW64\wdv.exe	wwekjblr.exe
File opened for modification	C:\Windows\SysWOW64\wdv.exe	wwekjblr.exe
File opened for modification	C:\Windows\SysWOW64\wypmrm.exe	wgprskvp.exe
File created	C:\Windows\SysWOW64\wowbhekdr.exe	wwxacxno.exe
File created	C:\Windows\SysWOW64\wvxdbc.exe	wwbmub.exe
File opened for modification	C:\Windows\SysWOW64\wwekjblr.exe	werfewxjg.exe
File opened for modification	C:\Windows\SysWOW64\wob.exe	21e4cde11eb9037beb5fb60a7259b9f7.exe
File opened for modification	C:\Windows\SysWOW64\wta.exe	wviscb.exe
File created	C:\Windows\SysWOW64\wnjjxu.exe	whtx.exe
File created	C:\Windows\SysWOW64\wqp.exe	wnjjxu.exe
File opened for modification	C:\Windows\SysWOW64\wowbhekdr.exe	wwxacxno.exe
File opened for modification	C:\Windows\SysWOW64\wbv.exe	wiphl.exe
File created	C:\Windows\SysWOW64\wwekjblr.exe	werfewxjg.exe
File opened for modification	C:\Windows\SysWOW64\wqsxatuo.exe	wjwot.exe
File opened for modification	C:\Windows\SysWOW64\wwxacxno.exe	wqp.exe
File opened for modification	C:\Windows\SysWOW64\wqp.exe	wnjjxu.exe
File created	C:\Windows\SysWOW64\wob.exe	21e4cde11eb9037beb5fb60a7259b9f7.exe
File opened for modification	C:\Windows\SysWOW64\wjwot.exe	wwcqy.exe
File opened for modification	C:\Windows\SysWOW64\wviscb.exe	wqsxatuo.exe
File opened for modification	C:\Windows\SysWOW64\whtx.exe	wjkcad.exe
File opened for modification	C:\Windows\SysWOW64\wnjjxu.exe	whtx.exe
File created	C:\Windows\SysWOW64\whgsbmwa.exe	wakvntsq.exe
File created	C:\Windows\SysWOW64\wwcqy.exe	wob.exe
File created	C:\Windows\SysWOW64\wwxacxno.exe	wqp.exe
File opened for modification	C:\Windows\SysWOW64\whgsbmwa.exe	wakvntsq.exe
File created	C:\Windows\SysWOW64\wikqkg.exe	wypmrm.exe
File opened for modification	C:\Windows\SysWOW64\wwcqy.exe	wob.exe
File created	C:\Windows\SysWOW64\wakvntsq.exe	wowbhekdr.exe
File created	C:\Windows\SysWOW64\wwbmub.exe	wbv.exe
File opened for modification	C:\Windows\SysWOW64\wwbmub.exe	wbv.exe
File opened for modification	C:\Windows\SysWOW64\wvxdbc.exe	wwbmub.exe
File created	C:\Windows\SysWOW64\wjwot.exe	wwcqy.exe
File created	C:\Windows\SysWOW64\werfewxjg.exe	wvxdbc.exe
File created	C:\Windows\SysWOW64\wongdl.exe	wikqkg.exe
File created	C:\Windows\SysWOW64\wta.exe	wviscb.exe
File opened for modification	C:\Windows\SysWOW64\wiphl.exe	whgsbmwa.exe
File created	C:\Windows\SysWOW64\wypmrm.exe	wgprskvp.exe
File created	C:\Windows\SysWOW64\wviscb.exe	wqsxatuo.exe
File opened for modification	C:\Windows\SysWOW64\wjkcad.exe	wta.exe
File created	C:\Windows\SysWOW64\whtx.exe	wjkcad.exe
File created	C:\Windows\SysWOW64\wiphl.exe	whgsbmwa.exe
File opened for modification	C:\Windows\SysWOW64\werfewxjg.exe	wvxdbc.exe
File created	C:\Windows\SysWOW64\wgprskvp.exe	wdv.exe
File created	C:\Windows\SysWOW64\wqsxatuo.exe	wjwot.exe
File opened for modification	C:\Windows\SysWOW64\wakvntsq.exe	wowbhekdr.exe
File opened for modification	C:\Windows\SysWOW64\wgprskvp.exe	wdv.exe
File created	C:\Windows\SysWOW64\wbv.exe	wiphl.exe
File opened for modification	C:\Windows\SysWOW64\wikqkg.exe	wypmrm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2736	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	29
PID 1268 wrote to memory of 2736	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	29
PID 1268 wrote to memory of 2736	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	29
PID 1268 wrote to memory of 2736	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	29
PID 1268 wrote to memory of 2608	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	31
PID 1268 wrote to memory of 2608	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	31
PID 1268 wrote to memory of 2608	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	31
PID 1268 wrote to memory of 2608	1268	21e4cde11eb9037beb5fb60a7259b9f7.exe	31
PID 2736 wrote to memory of 2424	2736	wob.exe	32
PID 2736 wrote to memory of 2424	2736	wob.exe	32
PID 2736 wrote to memory of 2424	2736	wob.exe	32
PID 2736 wrote to memory of 2424	2736	wob.exe	32
PID 2736 wrote to memory of 2920	2736	wob.exe	33
PID 2736 wrote to memory of 2920	2736	wob.exe	33
PID 2736 wrote to memory of 2920	2736	wob.exe	33
PID 2736 wrote to memory of 2920	2736	wob.exe	33
PID 2424 wrote to memory of 1664	2424	wwcqy.exe	36
PID 2424 wrote to memory of 1664	2424	wwcqy.exe	36
PID 2424 wrote to memory of 1664	2424	wwcqy.exe	36
PID 2424 wrote to memory of 1664	2424	wwcqy.exe	36
PID 2424 wrote to memory of 1576	2424	wwcqy.exe	37
PID 2424 wrote to memory of 1576	2424	wwcqy.exe	37
PID 2424 wrote to memory of 1576	2424	wwcqy.exe	37
PID 2424 wrote to memory of 1576	2424	wwcqy.exe	37
PID 1664 wrote to memory of 1616	1664	wjwot.exe	40
PID 1664 wrote to memory of 1616	1664	wjwot.exe	40
PID 1664 wrote to memory of 1616	1664	wjwot.exe	40
PID 1664 wrote to memory of 1616	1664	wjwot.exe	40
PID 1664 wrote to memory of 2360	1664	wjwot.exe	41
PID 1664 wrote to memory of 2360	1664	wjwot.exe	41
PID 1664 wrote to memory of 2360	1664	wjwot.exe	41
PID 1664 wrote to memory of 2360	1664	wjwot.exe	41
PID 1616 wrote to memory of 2212	1616	wqsxatuo.exe	43
PID 1616 wrote to memory of 2212	1616	wqsxatuo.exe	43
PID 1616 wrote to memory of 2212	1616	wqsxatuo.exe	43
PID 1616 wrote to memory of 2212	1616	wqsxatuo.exe	43
PID 1616 wrote to memory of 2484	1616	wqsxatuo.exe	44
PID 1616 wrote to memory of 2484	1616	wqsxatuo.exe	44
PID 1616 wrote to memory of 2484	1616	wqsxatuo.exe	44
PID 1616 wrote to memory of 2484	1616	wqsxatuo.exe	44
PID 2212 wrote to memory of 1056	2212	wviscb.exe	49
PID 2212 wrote to memory of 1056	2212	wviscb.exe	49
PID 2212 wrote to memory of 1056	2212	wviscb.exe	49
PID 2212 wrote to memory of 1056	2212	wviscb.exe	49
PID 2212 wrote to memory of 2936	2212	wviscb.exe	51
PID 2212 wrote to memory of 2936	2212	wviscb.exe	51
PID 2212 wrote to memory of 2936	2212	wviscb.exe	51
PID 2212 wrote to memory of 2936	2212	wviscb.exe	51
PID 1056 wrote to memory of 2516	1056	wta.exe	53
PID 1056 wrote to memory of 2516	1056	wta.exe	53
PID 1056 wrote to memory of 2516	1056	wta.exe	53
PID 1056 wrote to memory of 2516	1056	wta.exe	53
PID 1056 wrote to memory of 2884	1056	wta.exe	55
PID 1056 wrote to memory of 2884	1056	wta.exe	55
PID 1056 wrote to memory of 2884	1056	wta.exe	55
PID 1056 wrote to memory of 2884	1056	wta.exe	55
PID 2516 wrote to memory of 2924	2516	wjkcad.exe	56
PID 2516 wrote to memory of 2924	2516	wjkcad.exe	56
PID 2516 wrote to memory of 2924	2516	wjkcad.exe	56
PID 2516 wrote to memory of 2924	2516	wjkcad.exe	56
PID 2516 wrote to memory of 2812	2516	wjkcad.exe	57
PID 2516 wrote to memory of 2812	2516	wjkcad.exe	57
PID 2516 wrote to memory of 2812	2516	wjkcad.exe	57
PID 2516 wrote to memory of 2812	2516	wjkcad.exe	57

C:\Users\Admin\AppData\Local\Temp\21e4cde11eb9037beb5fb60a7259b9f7.exe
"C:\Users\Admin\AppData\Local\Temp\21e4cde11eb9037beb5fb60a7259b9f7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\wob.exe
  "C:\Windows\system32\wob.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\wwcqy.exe
    "C:\Windows\system32\wwcqy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\wjwot.exe
      "C:\Windows\system32\wjwot.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\wqsxatuo.exe
        
        "C:\Windows\system32\wqsxatuo.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\wviscb.exe
        
        "C:\Windows\system32\wviscb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\wta.exe
        
        "C:\Windows\system32\wta.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\wjkcad.exe
        
        "C:\Windows\system32\wjkcad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\whtx.exe
        
        "C:\Windows\system32\whtx.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\wnjjxu.exe
        
        "C:\Windows\system32\wnjjxu.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\wqp.exe
        
        "C:\Windows\system32\wqp.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wwxacxno.exe
        
        "C:\Windows\system32\wwxacxno.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\wowbhekdr.exe
        
        "C:\Windows\system32\wowbhekdr.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\wakvntsq.exe
        
        "C:\Windows\system32\wakvntsq.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\whgsbmwa.exe
        
        "C:\Windows\system32\whgsbmwa.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\wiphl.exe
        
        "C:\Windows\system32\wiphl.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\wbv.exe
        
        "C:\Windows\system32\wbv.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\wwbmub.exe
        
        "C:\Windows\system32\wwbmub.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\wvxdbc.exe
        
        "C:\Windows\system32\wvxdbc.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\werfewxjg.exe
        
        "C:\Windows\system32\werfewxjg.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\wwekjblr.exe
        
        "C:\Windows\system32\wwekjblr.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\wdv.exe
        
        "C:\Windows\system32\wdv.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\wgprskvp.exe
        
        "C:\Windows\system32\wgprskvp.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\wypmrm.exe
        
        "C:\Windows\system32\wypmrm.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wikqkg.exe
        
        "C:\Windows\system32\wikqkg.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypmrm.exe"
        25⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgprskvp.exe"
        24⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdv.exe"
        23⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwekjblr.exe"
        22⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werfewxjg.exe"
        21⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxdbc.exe"
        20⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbmub.exe"
        19⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbv.exe"
        18⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiphl.exe"
        17⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgsbmwa.exe"
        16⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakvntsq.exe"
        15⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowbhekdr.exe"
        14⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxacxno.exe"
        13⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqp.exe"
        12⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjjxu.exe"
        11⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whtx.exe"
        10⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjkcad.exe"
        9⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wta.exe"
        8⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wviscb.exe"
        7⤵
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqsxatuo.exe"
        6⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwot.exe"
        5⤵
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwcqy.exe"
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wob.exe"
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\21e4cde11eb9037beb5fb60a7259b9f7.exe"
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0713YGQV.txt

Filesize
99B

MD5
35e36a607e45b969bd37e5073cd438fa

SHA1
99e17be1e71b6b273244034343d6c003cf8458c2

SHA256
d1219eb37c41592f4465121afbc2bd90377cb65ee0aa80cde405a1862950df00

SHA512
2080a1469322e5da3556aa602b945538d2dad5868ec72d7188c5e02fefde10904123ec296ed21d835854f86e3cebb62a7f173553a417b71eed7975032fdd07ac

Download Submit
C:\Windows\SysWOW64\wob.exe

Filesize
11KB

MD5
fba8b631163a407ad50657e56f428c40

SHA1
b50ff7bed09e5b5495b930d93b4933d1e7c4dd21

SHA256
1fdbc7ebca113e588564e5f7299f58234aee01bff3c6042ad653efe480c64d4f

SHA512
9ee54660da42711d36adaadcbcceec67b7cc7fa06d1120ceae85e8078dfcc77c781e898e57c626157db2d512545ea5cb3675b68304a49738577fd4e1f07d5901

Download Submit
C:\Windows\SysWOW64\wob.exe

Filesize
54KB

MD5
4a54afebb74399d4680a4bb80a7b4a26

SHA1
034f58e47108186340d269b23806934bb2801c17

SHA256
32e99d88a74dfd576106a273eb33b3d7d3f70e90dc0e121080d73ad6c26bf399

SHA512
41bec3332f61e4434a33fbf0d5b6bc627083eb5910b1ad6cd9888e0ff044a45ffad882aab803969fe197daf0609fbdc2af4a0d3d8b5fd139077420f2437ceac6

Download Submit
C:\Windows\SysWOW64\wwcqy.exe

Filesize
157KB

MD5
3a502c969dcf8ba51ec9d666176218b0

SHA1
632e97d7039b0ba4e391b22dad335f80e9b4580d

SHA256
d4d70e07798e92e19e860439f95d0650431f305b67521c3439c03dcaf3dabb8f

SHA512
5b0181bf7f10ec309aaf036ee4ae3c7f8efe24ce67e172331c93f814a26464325c226464183348c4d8a9ed0a26274f52ba8a93738c4bf8a02ea282fed599d90c

Download Submit
C:\Windows\SysWOW64\wwcqy.exe

Filesize
44KB

MD5
8419fa6da22f046aa2f1755c24a0072e

SHA1
8b1c1f2c8d5333a85aa75a19f1ab5ca818e62946

SHA256
5b4926520329c749f57eaa0ec93e8374bf2eed9d8b5bd2758453bd0f909e6449

SHA512
c8a97d5b7145cf419eb3e3521724e5bf9661538912aae341957b29aceb41f131e782e7bdb355a5898d37f80dc5bb43897d92f9ea458d2fd57dc463cb90f0f383

Download Submit
\Windows\SysWOW64\whtx.exe

Filesize
251KB

MD5
8e30346052488c1132bb6a3ee74ff5c3

SHA1
5b281d521e7b131c669e9d5070f8872dfa40985e

SHA256
1fd75ab8fde37a62bbb0fc3f2ae424a6a7a6232d789fe67a94a670d16eaed0bd

SHA512
c354805cbc52bfbc9865359f900ddfc6483391ec0fa8a2fff93b3b84c241bc56a42044cd99d7f92c30a0c558c8d8dd2f29cfe26024a0d79e8209ad7ff16c8b14

Download Submit
\Windows\SysWOW64\wjkcad.exe

Filesize
251KB

MD5
c9d1dae1b777e1b7199e822146545957

SHA1
ad67f3091919b4d9448d4b777da5805496ecdd77

SHA256
0aa2a6522c59efa40544d9862d5e9ad1de06bd1ad94e3e532fabd370bef498f8

SHA512
c1ce840de4e970eeb7a21000ab99b4ebe1ad7e72bd93f87a5eb0a758147e1f59447e15d37dbbebe618b4cb275c50ceadf9eced02e2946a8bbc9dab58d257238d

Download Submit
\Windows\SysWOW64\wjwot.exe

Filesize
251KB

MD5
0ae3d568076b67ed4940419703fdd6c0

SHA1
66a6ed73add954b7f61ff0b934a4e9bc49496730

SHA256
c0fd678598ec2d2dff83810c97db42a456f12be69764c89e568a3f1aeec0352e

SHA512
0affb6160e39b05470e4d0b6b2ce372e72da70bd6080dd78473402322e91eae88c69d846f9821093dfcceef88004df51cdd40cb6bbdfd8a9d9eb8348d587889f

Download Submit
\Windows\SysWOW64\wnjjxu.exe

Filesize
251KB

MD5
6f1843cc6029cfad55087b494cef377c

SHA1
2f27815d483f8fb3ebe680774be4e4556753bb20

SHA256
df90fc14cdda1a31478a18de6b3ff982571be3a86416c9c9d6abfaac247bb996

SHA512
47c6342d8cc74e9d63c8676aba14abe0a2147400182dbe3654fb7267c1c9b8686da9329a280178de567a041c928859142eae7208c6e572552c340c8133723811

Download Submit
\Windows\SysWOW64\wob.exe

Filesize
60KB

MD5
1d772eb7e60fcd47df09aa68c7acc29c

SHA1
6eb78caad92e486260b716e616195ef40401395a

SHA256
ceee726db356e52673d59a285a347758cc6b10e07d8fb0d686e4ed79a595ca25

SHA512
5414f55d852177a34d4433b896eb925b285cb9a34f7ab3059f12c4f9c995b7c95f6d3e9f25210d4db81757f6ec9f742e088d940faa05c5afe1bc2528bc897e04

Download Submit
\Windows\SysWOW64\wob.exe

Filesize
27KB

MD5
4651c48e295c87333c32d11a1198eed0

SHA1
2d0d69ed2f965bc57c1838b2c8b5bf984a33aef0

SHA256
879de956f78658f18b5ea99ccb3b310e5e6fb1ffed3e93941e94038f907b991f

SHA512
7a547ca8d2ed77078b19e78439999330b831befb22e5375a6ee1189cee81f1217e4f12352b08446c4eed9e686d78bf173e478e2d26a8ff9249f5ba6f8f755384

Download Submit
\Windows\SysWOW64\wob.exe

Filesize
251KB

MD5
4e0afed841ac605fe96969d4d2eb5ce5

SHA1
37a9d0a6e1864b5a92e58961760ffc5950147301

SHA256
7ec68dbebe1693275c1205e54a805834312c551579e6035b767346122ea39489

SHA512
a1165aeda5506dbb6ec2ba78bec21379aa1790c20ad7fcaf0ccd42096409a543f7f72aaefe5c3932e33956724c505663b734ef43c9708321a39cdaa9d1d4716f

Download Submit
\Windows\SysWOW64\wqp.exe

Filesize
251KB

MD5
3d3f7d7d71401425dc94086b9b92d456

SHA1
154e64af269d630664b78881255c1c34bbc90283

SHA256
4623ff8485dd55ce4f616520884097ccd2528ded76c293f124e9ce3f29abc432

SHA512
2001aad07bc044ac5bb17d6633904e26cb102b10a46320452fe128be56c385ffce0db83ceb9684dcb8f4d2128d47326162e71a81418f33ab50478c3187331e8d

Download Submit
\Windows\SysWOW64\wqsxatuo.exe

Filesize
251KB

MD5
c94c62d4a993eebabb4b5713c6b14801

SHA1
376940b542a8d12933ca85201304b635f9b39f1a

SHA256
5c27a43163724e17e6cf2d5bb962fec5cc3ac85566d99d0296c9eec3e3f67b18

SHA512
65a2357106e9d52ffab9578057cf661c6df9c10a1953eaa7732f0319604e835272152746cc80034c56784478f933fee24215ef6ad961e9694642593db00c9cd9

Download Submit
\Windows\SysWOW64\wta.exe

Filesize
251KB

MD5
05727e2eded39af4c7377054e83d8096

SHA1
94f0b3ad1f510387bfe854593a266d80ca58b533

SHA256
b58018dbb163ef95ad2a16d84ecebd3684b26c891d099b9c910f854c0bafbf9a

SHA512
fd42991b3e74a26d78f89cb8ee84087177772b5bf8309ce5e69009ece23f65ce0f8769b61f3cebba325f592e7b5b5ea0104bdd30dff3e93bddec0afe3cfbb239

Download Submit
\Windows\SysWOW64\wviscb.exe

Filesize
251KB

MD5
23514ab8e4eb72dc4c95fd8dc1e22fc2

SHA1
b814ccc5bd88d19266e097249f748cdec2235f70

SHA256
1061679727d83dccdc2f670da5a1fee9ab6fdf60d543c60290d2211820b05d27

SHA512
c6a45b344f8772e32eff15c2c14f21b339a217ccd75e273446a56da9943b7a59769903a737fa4f247daf5c6013c3bd0d67d38f146d522befcecc9117d4ae0211

Download Submit
\Windows\SysWOW64\wwcqy.exe

Filesize
251KB

MD5
82f903274267ee3edef26569e62c2e95

SHA1
2257258aea2cd7a33b84853c71decaa7a7911e06

SHA256
ca19c96a100fe0f64c6ccc056974a2b87b6f3c3136c34db3b46012100d0d11c2

SHA512
2e90de3acb52d04ffc58981f5e0cb10e322babddcca96eab9bb326074f09ac8760334f4c6cc4ddaa3f9f249c097bbbafff627c4c0910700d5c78e8e8a735a82e

Download Submit
\Windows\SysWOW64\wwcqy.exe

Filesize
122KB

MD5
48fcc7387fe43ebcfc87292c2bddbb99

SHA1
aad0ce716af7a317ff8da6d04f469f62108fc242

SHA256
8316745de23b04216482537adc014ca85b5f45299cbf1baa1f204ce392588f69

SHA512
684af3fb252284ceeb5fcbe5a278e5fa8ba45e8b10f5966cc2b8a74f90af10520ef8250fe6b42f553393d548f6b8f9b720f71b8cd22ebc45913473b80733e48c

Download Submit
\Windows\SysWOW64\wwcqy.exe

Filesize
68KB

MD5
2de51ca7ac23c244a1064b1482fef924

SHA1
c5e7d0e390a40ce32a02359a8c9526160abc7450

SHA256
516072a44534c7583d4010c7c1a2a3932851608e35c3d261bcf4ec7dfe997e6c

SHA512
e17b431a19cdc164a23ed49f1d0b8e15261de7a3b7d459c1e56b0f145d1efe70182232e4fc0b2ab09ba829425e0ecd33bd7545c8de01ee85d3afaa0337ad592a

Download Submit
\Windows\SysWOW64\wwxacxno.exe

Filesize
251KB

MD5
367705c45bb8e3a9af9cbad212f8b135

SHA1
c293fe59f072cb54c1c479c76cddd6d4f3813ddc

SHA256
d7e9988045d4cb8e3176372e33c13b7062e397c0dd649c44383db4769bc1e10a

SHA512
1c0e9dce7eb4174c64397e769357ed90cf304ccfdf57477af84be3136c039c25f3cd912071ca0a893d0839aa3337e1c9ec0a0131e4a2228638d57aae2e608f8e

Download Submit
memory/1056-134-0x0000000003D60000-0x0000000003D77000-memory.dmp

Filesize
92KB

Download
memory/1056-142-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/1056-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1056-141-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/1112-239-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/1112-240-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/1112-260-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/1112-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1112-241-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/1112-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-15-0x0000000003AC0000-0x0000000003AD7000-memory.dmp

Filesize
92KB

Download
memory/1268-18-0x0000000003AC0000-0x0000000003AD7000-memory.dmp

Filesize
92KB

Download
memory/1268-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-102-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/1616-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-80-0x0000000003B40000-0x0000000003B57000-memory.dmp

Filesize
92KB

Download
memory/1664-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1664-82-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/1664-83-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/1664-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1684-305-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/1684-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1684-299-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/1684-304-0x0000000003B30000-0x0000000003B47000-memory.dmp

Filesize
92KB

Download
memory/2004-259-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2004-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2004-269-0x0000000003820000-0x0000000003837000-memory.dmp

Filesize
92KB

Download
memory/2212-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-122-0x00000000031C0000-0x00000000031D7000-memory.dmp

Filesize
92KB

Download
memory/2388-257-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2388-256-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/2388-243-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2388-255-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/2388-258-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/2388-295-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/2420-227-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-221-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/2420-219-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/2424-60-0x0000000003AC0000-0x0000000003AD7000-memory.dmp

Filesize
92KB

Download
memory/2424-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2424-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2424-59-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/2516-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2516-163-0x0000000003CE0000-0x0000000003CF7000-memory.dmp

Filesize
92KB

Download
memory/2516-162-0x0000000003CE0000-0x0000000003CF7000-memory.dmp

Filesize
92KB

Download
memory/2736-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2736-32-0x0000000003C80000-0x0000000003C97000-memory.dmp

Filesize
92KB

Download
memory/2736-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2752-198-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2752-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2752-206-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2752-205-0x0000000003C70000-0x0000000003C87000-memory.dmp

Filesize
92KB

Download
memory/2752-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2924-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2924-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2924-183-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/2924-184-0x0000000003C20000-0x0000000003C37000-memory.dmp

Filesize
92KB

Download
memory/2956-288-0x0000000003A00000-0x0000000003A17000-memory.dmp

Filesize
92KB

Download
memory/2956-287-0x00000000037D0000-0x00000000037E7000-memory.dmp

Filesize
92KB

Download
memory/2956-286-0x00000000037D0000-0x00000000037E7000-memory.dmp

Filesize
92KB

Download
memory/2956-290-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2956-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download