9e89ecd28be4d6a18d526770d2e14048760678b2fb0fe6883e6335090140f28a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7df70632ef1710871eaeeb9fb98e0c28.exe
Size

251KB
MD5

7df70632ef1710871eaeeb9fb98e0c28
SHA1

3a2390b2495ac6f0eb3336af04cba49ad1134a77
SHA256

9e89ecd28be4d6a18d526770d2e14048760678b2fb0fe6883e6335090140f28a
SHA512

2f70600a5200f95f31488dd12d06dd31e3dd67d70501732514e5908eebc5edfd4cc1a6a90a26099186816b8ebf16eebb7b932442f2a1eba1d7bb45f1f50af99e
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVp6:ZY7xh6SZI4z7FSVp6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2868	wfshb.exe
2616	woh.exe
1768	wmtt.exe
2200	wjv.exe
2068	wfrui.exe
1800	wlx.exe
1884	woej.exe
2996	wrmkgekf.exe
2540	wet.exe
2544	wnabc.exe
1748	wfnsb.exe
860	wcyu.exe
1616	wbv.exe
1728	wsn.exe
1460	wetgu.exe
776	wyvnjoeb.exe
2356	wqrq.exe
2240	waoyebf.exe
2932	wdoxcl.exe
2472	whw.exe
3068	wbelgrun.exe
2180	wfmlpaold.exe
1968	wnsitak.exe
1020	wwo.exe
1936	wawu.exe
2980	wet.exe
2208	wmltnp.exe
2564	wusqqpy.exe
2436	wpgef.exe
1632	wlc.exe
1204	wulvoo.exe
1236	wdnl.exe
2120	wivl.exe
1552	wtcfbm.exe
1636	wdhsb.exe
2384	wxjaqhy.exe
2668	wjprkyxjy.exe
2324	wgbgaw.exe
2456	wvfdq.exe
2108	wdflnjbv.exe
2808	wcbfayg.exe
2260	whxwfhn.exe
936	wtpafax.exe
3060	wbfknb.exe
1588	wfspcf.exe
2112	wfhvjs.exe
2804	wajprx.exe
2008	wpaoki.exe
2504	wtxenpyky.exe
2780	wxxdla.exe
2172	wjlysorkj.exe
2964	wrsuuo.exe
1104	wsppif.exe
1924	wbykuimku.exe
2356	wyynbbsi.exe
700	wmtunr.exe
2564	wlvxulnuw.exe
808	wlcdxfx.exe
1668	wryetmg.exe
1712	wynpcni.exe
1908	wmmuqecj.exe
1296	wyypvsl.exe
2808	wqn.exe
1592	wpnjbt.exe

Loads dropped DLL 64 IoCs

pid	Process
1364	7df70632ef1710871eaeeb9fb98e0c28.exe
1364	7df70632ef1710871eaeeb9fb98e0c28.exe
1364	7df70632ef1710871eaeeb9fb98e0c28.exe
1364	7df70632ef1710871eaeeb9fb98e0c28.exe
2868	wfshb.exe
2868	wfshb.exe
2868	wfshb.exe
2868	wfshb.exe
2616	woh.exe
2616	woh.exe
2616	woh.exe
2616	woh.exe
1768	wmtt.exe
1768	wmtt.exe
1768	wmtt.exe
1768	wmtt.exe
2200	wjv.exe
2200	wjv.exe
2200	wjv.exe
2200	wjv.exe
2068	wfrui.exe
2068	wfrui.exe
2068	wfrui.exe
2068	wfrui.exe
1800	wlx.exe
1800	wlx.exe
1800	wlx.exe
1800	wlx.exe
1884	woej.exe
1884	woej.exe
1884	woej.exe
1884	woej.exe
2996	wrmkgekf.exe
2996	wrmkgekf.exe
2996	wrmkgekf.exe
2996	wrmkgekf.exe
2540	wet.exe
2540	wet.exe
2540	wet.exe
2540	wet.exe
2544	wnabc.exe
2544	wnabc.exe
2544	wnabc.exe
2544	wnabc.exe
1748	wfnsb.exe
1748	wfnsb.exe
1748	wfnsb.exe
1748	wfnsb.exe
860	wcyu.exe
860	wcyu.exe
860	wcyu.exe
860	wcyu.exe
1616	wbv.exe
1616	wbv.exe
1616	wbv.exe
1616	wbv.exe
1728	wsn.exe
1728	wsn.exe
1728	wsn.exe
1728	wsn.exe
1460	wetgu.exe
1460	wetgu.exe
1460	wetgu.exe
1460	wetgu.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wfshb.exe	7df70632ef1710871eaeeb9fb98e0c28.exe
File opened for modification	C:\Windows\SysWOW64\woej.exe	wlx.exe
File created	C:\Windows\SysWOW64\wcyu.exe	wfnsb.exe
File opened for modification	C:\Windows\SysWOW64\wyvnjoeb.exe	wetgu.exe
File created	C:\Windows\SysWOW64\wajprx.exe	wfhvjs.exe
File opened for modification	C:\Windows\SysWOW64\wxxdla.exe	wtxenpyky.exe
File created	C:\Windows\SysWOW64\wmtunr.exe	wyynbbsi.exe
File created	C:\Windows\SysWOW64\wlcdxfx.exe	wlvxulnuw.exe
File opened for modification	C:\Windows\SysWOW64\wqn.exe	wyypvsl.exe
File created	C:\Windows\SysWOW64\woyasjg.exe	wkckpcye.exe
File created	C:\Windows\SysWOW64\wfrui.exe	wjv.exe
File opened for modification	C:\Windows\SysWOW64\wdoxcl.exe	waoyebf.exe
File opened for modification	C:\Windows\SysWOW64\wet.exe	wawu.exe
File opened for modification	C:\Windows\SysWOW64\wnsitak.exe	wfmlpaold.exe
File created	C:\Windows\SysWOW64\wgbgaw.exe	wjprkyxjy.exe
File created	C:\Windows\SysWOW64\wtpafax.exe	whxwfhn.exe
File created	C:\Windows\SysWOW64\wtxenpyky.exe	wpaoki.exe
File created	C:\Windows\SysWOW64\wsppif.exe	wrsuuo.exe
File opened for modification	C:\Windows\SysWOW64\wanjyivt.exe	wyqol.exe
File created	C:\Windows\SysWOW64\wsn.exe	wbv.exe
File opened for modification	C:\Windows\SysWOW64\wsn.exe	wbv.exe
File opened for modification	C:\Windows\SysWOW64\wetgu.exe	wsn.exe
File opened for modification	C:\Windows\SysWOW64\wvfdq.exe	wgbgaw.exe
File opened for modification	C:\Windows\SysWOW64\whxwfhn.exe	wcbfayg.exe
File created	C:\Windows\SysWOW64\wfwcxqedn.exe	woyasjg.exe
File created	C:\Windows\SysWOW64\woej.exe	wlx.exe
File created	C:\Windows\SysWOW64\wfnsb.exe	wnabc.exe
File opened for modification	C:\Windows\SysWOW64\wwo.exe	wnsitak.exe
File opened for modification	C:\Windows\SysWOW64\wtpafax.exe	whxwfhn.exe
File created	C:\Windows\SysWOW64\wbfknb.exe	wtpafax.exe
File opened for modification	C:\Windows\SysWOW64\wbykuimku.exe	wsppif.exe
File created	C:\Windows\SysWOW64\wynpcni.exe	wryetmg.exe
File created	C:\Windows\SysWOW64\wyypvsl.exe	wmmuqecj.exe
File opened for modification	C:\Windows\SysWOW64\wrusyp.exe	wnxdvh.exe
File created	C:\Windows\SysWOW64\weafkfbt.exe	wiciog.exe
File created	C:\Windows\SysWOW64\wmumk.exe	wyospyv.exe
File created	C:\Windows\SysWOW64\wmtt.exe	woh.exe
File opened for modification	C:\Windows\SysWOW64\wivl.exe	wdnl.exe
File opened for modification	C:\Windows\SysWOW64\wcbfayg.exe	wdflnjbv.exe
File opened for modification	C:\Windows\SysWOW64\wdhsb.exe	wtcfbm.exe
File opened for modification	C:\Windows\SysWOW64\wrwlgxoo.exe	weafkfbt.exe
File created	C:\Windows\SysWOW64\wpaoki.exe	wajprx.exe
File opened for modification	C:\Windows\SysWOW64\wsppif.exe	wrsuuo.exe
File created	C:\Windows\SysWOW64\wmmuqecj.exe	wynpcni.exe
File opened for modification	C:\Windows\SysWOW64\wpcxt.exe	wrusyp.exe
File created	C:\Windows\SysWOW64\wysmxlh.exe	wtjllc.exe
File opened for modification	C:\Windows\SysWOW64\wfrui.exe	wjv.exe
File created	C:\Windows\SysWOW64\wusqqpy.exe	wmltnp.exe
File created	C:\Windows\SysWOW64\wivl.exe	wdnl.exe
File created	C:\Windows\SysWOW64\wdoxcl.exe	waoyebf.exe
File opened for modification	C:\Windows\SysWOW64\wjlysorkj.exe	wxxdla.exe
File created	C:\Windows\SysWOW64\wyynbbsi.exe	wbykuimku.exe
File opened for modification	C:\Windows\SysWOW64\wlvxulnuw.exe	wmtunr.exe
File opened for modification	C:\Windows\SysWOW64\wmtt.exe	woh.exe
File created	C:\Windows\SysWOW64\wqn.exe	wyypvsl.exe
File created	C:\Windows\SysWOW64\wrusyp.exe	wnxdvh.exe
File opened for modification	C:\Windows\SysWOW64\wmplid.exe	wpcxt.exe
File created	C:\Windows\SysWOW64\wyqol.exe	wysmxlh.exe
File opened for modification	C:\Windows\SysWOW64\wrmkgekf.exe	woej.exe
File opened for modification	C:\Windows\SysWOW64\wbv.exe	wcyu.exe
File created	C:\Windows\SysWOW64\wetgu.exe	wsn.exe
File created	C:\Windows\SysWOW64\wvfdq.exe	wgbgaw.exe
File opened for modification	C:\Windows\SysWOW64\wfspcf.exe	wbfknb.exe
File opened for modification	C:\Windows\SysWOW64\wtxenpyky.exe	wpaoki.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	1908	WerFault.exe	213

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2868	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	28
PID 1364 wrote to memory of 2868	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	28
PID 1364 wrote to memory of 2868	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	28
PID 1364 wrote to memory of 2868	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	28
PID 1364 wrote to memory of 2632	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	29
PID 1364 wrote to memory of 2632	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	29
PID 1364 wrote to memory of 2632	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	29
PID 1364 wrote to memory of 2632	1364	7df70632ef1710871eaeeb9fb98e0c28.exe	29
PID 2868 wrote to memory of 2616	2868	wfshb.exe	31
PID 2868 wrote to memory of 2616	2868	wfshb.exe	31
PID 2868 wrote to memory of 2616	2868	wfshb.exe	31
PID 2868 wrote to memory of 2616	2868	wfshb.exe	31
PID 2868 wrote to memory of 2428	2868	wfshb.exe	33
PID 2868 wrote to memory of 2428	2868	wfshb.exe	33
PID 2868 wrote to memory of 2428	2868	wfshb.exe	33
PID 2868 wrote to memory of 2428	2868	wfshb.exe	33
PID 2616 wrote to memory of 1768	2616	woh.exe	34
PID 2616 wrote to memory of 1768	2616	woh.exe	34
PID 2616 wrote to memory of 1768	2616	woh.exe	34
PID 2616 wrote to memory of 1768	2616	woh.exe	34
PID 2616 wrote to memory of 1920	2616	woh.exe	35
PID 2616 wrote to memory of 1920	2616	woh.exe	35
PID 2616 wrote to memory of 1920	2616	woh.exe	35
PID 2616 wrote to memory of 1920	2616	woh.exe	35
PID 1768 wrote to memory of 2200	1768	wmtt.exe	37
PID 1768 wrote to memory of 2200	1768	wmtt.exe	37
PID 1768 wrote to memory of 2200	1768	wmtt.exe	37
PID 1768 wrote to memory of 2200	1768	wmtt.exe	37
PID 1768 wrote to memory of 2724	1768	wmtt.exe	39
PID 1768 wrote to memory of 2724	1768	wmtt.exe	39
PID 1768 wrote to memory of 2724	1768	wmtt.exe	39
PID 1768 wrote to memory of 2724	1768	wmtt.exe	39
PID 2200 wrote to memory of 2068	2200	wjv.exe	40
PID 2200 wrote to memory of 2068	2200	wjv.exe	40
PID 2200 wrote to memory of 2068	2200	wjv.exe	40
PID 2200 wrote to memory of 2068	2200	wjv.exe	40
PID 2200 wrote to memory of 600	2200	wjv.exe	42
PID 2200 wrote to memory of 600	2200	wjv.exe	42
PID 2200 wrote to memory of 600	2200	wjv.exe	42
PID 2200 wrote to memory of 600	2200	wjv.exe	42
PID 2068 wrote to memory of 1800	2068	wfrui.exe	43
PID 2068 wrote to memory of 1800	2068	wfrui.exe	43
PID 2068 wrote to memory of 1800	2068	wfrui.exe	43
PID 2068 wrote to memory of 1800	2068	wfrui.exe	43
PID 2068 wrote to memory of 3032	2068	wfrui.exe	45
PID 2068 wrote to memory of 3032	2068	wfrui.exe	45
PID 2068 wrote to memory of 3032	2068	wfrui.exe	45
PID 2068 wrote to memory of 3032	2068	wfrui.exe	45
PID 1800 wrote to memory of 1884	1800	wlx.exe	46
PID 1800 wrote to memory of 1884	1800	wlx.exe	46
PID 1800 wrote to memory of 1884	1800	wlx.exe	46
PID 1800 wrote to memory of 1884	1800	wlx.exe	46
PID 1800 wrote to memory of 2416	1800	wlx.exe	47
PID 1800 wrote to memory of 2416	1800	wlx.exe	47
PID 1800 wrote to memory of 2416	1800	wlx.exe	47
PID 1800 wrote to memory of 2416	1800	wlx.exe	47
PID 1884 wrote to memory of 2996	1884	woej.exe	49
PID 1884 wrote to memory of 2996	1884	woej.exe	49
PID 1884 wrote to memory of 2996	1884	woej.exe	49
PID 1884 wrote to memory of 2996	1884	woej.exe	49
PID 1884 wrote to memory of 1740	1884	woej.exe	50
PID 1884 wrote to memory of 1740	1884	woej.exe	50
PID 1884 wrote to memory of 1740	1884	woej.exe	50
PID 1884 wrote to memory of 1740	1884	woej.exe	50

C:\Users\Admin\AppData\Local\Temp\7df70632ef1710871eaeeb9fb98e0c28.exe
"C:\Users\Admin\AppData\Local\Temp\7df70632ef1710871eaeeb9fb98e0c28.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\wfshb.exe
  "C:\Windows\system32\wfshb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\woh.exe
    "C:\Windows\system32\woh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\wmtt.exe
      "C:\Windows\system32\wmtt.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\SysWOW64\wjv.exe
        
        "C:\Windows\system32\wjv.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\SysWOW64\wfrui.exe
        
        "C:\Windows\system32\wfrui.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\wlx.exe
        
        "C:\Windows\system32\wlx.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\woej.exe
        
        "C:\Windows\system32\woej.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\wrmkgekf.exe
        
        "C:\Windows\system32\wrmkgekf.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2996
        
        C:\Windows\SysWOW64\wet.exe
        
        "C:\Windows\system32\wet.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2540
        
        C:\Windows\SysWOW64\wnabc.exe
        
        "C:\Windows\system32\wnabc.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wfnsb.exe
        
        "C:\Windows\system32\wfnsb.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\wcyu.exe
        
        "C:\Windows\system32\wcyu.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\wbv.exe
        
        "C:\Windows\system32\wbv.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\wsn.exe
        
        "C:\Windows\system32\wsn.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\wetgu.exe
        
        "C:\Windows\system32\wetgu.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\wyvnjoeb.exe
        
        "C:\Windows\system32\wyvnjoeb.exe"
        17⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\wqrq.exe
        
        "C:\Windows\system32\wqrq.exe"
        18⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\waoyebf.exe
        
        "C:\Windows\system32\waoyebf.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\wdoxcl.exe
        
        "C:\Windows\system32\wdoxcl.exe"
        20⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\whw.exe
        
        "C:\Windows\system32\whw.exe"
        21⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\wbelgrun.exe
        
        "C:\Windows\system32\wbelgrun.exe"
        22⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\wfmlpaold.exe
        
        "C:\Windows\system32\wfmlpaold.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmlpaold.exe"
        24⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\wnsitak.exe
        
        "C:\Windows\system32\wnsitak.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\wwo.exe
        
        "C:\Windows\system32\wwo.exe"
        25⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\wawu.exe
        
        "C:\Windows\system32\wawu.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wet.exe
        
        "C:\Windows\system32\wet.exe"
        27⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\wmltnp.exe
        
        "C:\Windows\system32\wmltnp.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\wusqqpy.exe
        
        "C:\Windows\system32\wusqqpy.exe"
        29⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\wpgef.exe
        
        "C:\Windows\system32\wpgef.exe"
        30⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\wlc.exe
        
        "C:\Windows\system32\wlc.exe"
        31⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\wulvoo.exe
        
        "C:\Windows\system32\wulvoo.exe"
        32⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\wdnl.exe
        
        "C:\Windows\system32\wdnl.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\wivl.exe
        
        "C:\Windows\system32\wivl.exe"
        34⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\wtcfbm.exe
        
        "C:\Windows\system32\wtcfbm.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\wdhsb.exe
        
        "C:\Windows\system32\wdhsb.exe"
        36⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\wxjaqhy.exe
        
        "C:\Windows\system32\wxjaqhy.exe"
        37⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\wjprkyxjy.exe
        
        "C:\Windows\system32\wjprkyxjy.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\wgbgaw.exe
        
        "C:\Windows\system32\wgbgaw.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\wvfdq.exe
        
        "C:\Windows\system32\wvfdq.exe"
        40⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\wdflnjbv.exe
        
        "C:\Windows\system32\wdflnjbv.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wcbfayg.exe
        
        "C:\Windows\system32\wcbfayg.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\whxwfhn.exe
        
        "C:\Windows\system32\whxwfhn.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\wtpafax.exe
        
        "C:\Windows\system32\wtpafax.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\wbfknb.exe
        
        "C:\Windows\system32\wbfknb.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\wfspcf.exe
        
        "C:\Windows\system32\wfspcf.exe"
        46⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\wfhvjs.exe
        
        "C:\Windows\system32\wfhvjs.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\wajprx.exe
        
        "C:\Windows\system32\wajprx.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\wpaoki.exe
        
        "C:\Windows\system32\wpaoki.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\wtxenpyky.exe
        
        "C:\Windows\system32\wtxenpyky.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\wxxdla.exe
        
        "C:\Windows\system32\wxxdla.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\wjlysorkj.exe
        
        "C:\Windows\system32\wjlysorkj.exe"
        52⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\wrsuuo.exe
        
        "C:\Windows\system32\wrsuuo.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\wsppif.exe
        
        "C:\Windows\system32\wsppif.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\wbykuimku.exe
        
        "C:\Windows\system32\wbykuimku.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wyynbbsi.exe
        
        "C:\Windows\system32\wyynbbsi.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\wmtunr.exe
        
        "C:\Windows\system32\wmtunr.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\wlvxulnuw.exe
        
        "C:\Windows\system32\wlvxulnuw.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\wlcdxfx.exe
        
        "C:\Windows\system32\wlcdxfx.exe"
        59⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\wryetmg.exe
        
        "C:\Windows\system32\wryetmg.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\wynpcni.exe
        
        "C:\Windows\system32\wynpcni.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\wmmuqecj.exe
        
        "C:\Windows\system32\wmmuqecj.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\wyypvsl.exe
        
        "C:\Windows\system32\wyypvsl.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\wqn.exe
        
        "C:\Windows\system32\wqn.exe"
        64⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\wpnjbt.exe
        
        "C:\Windows\system32\wpnjbt.exe"
        65⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\wiqckxeuj.exe
        
        "C:\Windows\system32\wiqckxeuj.exe"
        66⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\wnxdvh.exe
        
        "C:\Windows\system32\wnxdvh.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\wrusyp.exe
        
        "C:\Windows\system32\wrusyp.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\wpcxt.exe
        
        "C:\Windows\system32\wpcxt.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\wmplid.exe
        
        "C:\Windows\system32\wmplid.exe"
        70⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\wkckpcye.exe
        
        "C:\Windows\system32\wkckpcye.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\woyasjg.exe
        
        "C:\Windows\system32\woyasjg.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\wfwcxqedn.exe
        
        "C:\Windows\system32\wfwcxqedn.exe"
        73⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\wtjllc.exe
        
        "C:\Windows\system32\wtjllc.exe"
        74⤵
        Drops file in System32 directory
        
        PID:280
        
        C:\Windows\SysWOW64\wysmxlh.exe
        
        "C:\Windows\system32\wysmxlh.exe"
        75⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\wyqol.exe
        
        "C:\Windows\system32\wyqol.exe"
        76⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\wanjyivt.exe
        
        "C:\Windows\system32\wanjyivt.exe"
        77⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\wiciog.exe
        
        "C:\Windows\system32\wiciog.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\weafkfbt.exe
        
        "C:\Windows\system32\weafkfbt.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\wrwlgxoo.exe
        
        "C:\Windows\system32\wrwlgxoo.exe"
        80⤵
        
        PID:536
        
        C:\Windows\SysWOW64\wyospyv.exe
        
        "C:\Windows\system32\wyospyv.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wmumk.exe
        
        "C:\Windows\system32\wmumk.exe"
        82⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyospyv.exe"
        82⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwlgxoo.exe"
        81⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weafkfbt.exe"
        80⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiciog.exe"
        79⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wanjyivt.exe"
        78⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyqol.exe"
        77⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysmxlh.exe"
        76⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjllc.exe"
        75⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfwcxqedn.exe"
        74⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyasjg.exe"
        73⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkckpcye.exe"
        72⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmplid.exe"
        71⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcxt.exe"
        70⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrusyp.exe"
        69⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxdvh.exe"
        68⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqckxeuj.exe"
        67⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnjbt.exe"
        66⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqn.exe"
        65⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyypvsl.exe"
        64⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmuqecj.exe"
        63⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 892
        63⤵
        Program crash
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wynpcni.exe"
        62⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryetmg.exe"
        61⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcdxfx.exe"
        60⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvxulnuw.exe"
        59⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtunr.exe"
        58⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyynbbsi.exe"
        57⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbykuimku.exe"
        56⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsppif.exe"
        55⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsuuo.exe"
        54⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlysorkj.exe"
        53⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxdla.exe"
        52⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxenpyky.exe"
        51⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpaoki.exe"
        50⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajprx.exe"
        49⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhvjs.exe"
        48⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfspcf.exe"
        47⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfknb.exe"
        46⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpafax.exe"
        45⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxwfhn.exe"
        44⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbfayg.exe"
        43⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdflnjbv.exe"
        42⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvfdq.exe"
        41⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgbgaw.exe"
        40⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjprkyxjy.exe"
        39⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjaqhy.exe"
        38⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdhsb.exe"
        37⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcfbm.exe"
        36⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivl.exe"
        35⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdnl.exe"
        34⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wulvoo.exe"
        33⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlc.exe"
        32⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgef.exe"
        31⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusqqpy.exe"
        30⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmltnp.exe"
        29⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wet.exe"
        28⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wawu.exe"
        27⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwo.exe"
        26⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsitak.exe"
        25⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbelgrun.exe"
        23⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whw.exe"
        22⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoxcl.exe"
        21⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waoyebf.exe"
        20⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrq.exe"
        19⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvnjoeb.exe"
        18⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetgu.exe"
        17⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsn.exe"
        16⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbv.exe"
        15⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcyu.exe"
        14⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnsb.exe"
        13⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnabc.exe"
        12⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wet.exe"
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmkgekf.exe"
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woej.exe"
        9⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlx.exe"
        8⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrui.exe"
        7⤵
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjv.exe"
        6⤵
        
        PID:600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtt.exe"
        5⤵
        
        PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woh.exe"
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfshb.exe"
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\7df70632ef1710871eaeeb9fb98e0c28.exe"
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H94VXNR4.txt

Filesize
99B

MD5
625d22c4bcda6f8a5c413cffba77927e

SHA1
0c8c5daf366e01f656d491d7354492b4c682824a

SHA256
1df20c6ec52d1894ada6e2d5e7b03204e7e94e5ce9af8e21d767c616ada910e5

SHA512
49688dd85213bf30c2570a253212519aad04b01f7b32683f031dee13c557befac69dfee22a2785e2b8c0e88a5f28666d64c0c16536f74c482658a80926c4d3f9

Download Submit
\Windows\SysWOW64\wet.exe

Filesize
251KB

MD5
c5a1e90cf4faa3672b5bf6a8ed5baa0c

SHA1
859ae6a72b2b320c69888240626a0290f693475f

SHA256
716e6cce573ce26954d7fe400f5d377348ab9c042ac3e7307b3613f2d4a5a74b

SHA512
0292acbcd60a69005386bfaf5ae39b099ecf9bdc7bb25baf43466feb9e5d31891511381e47e411764a5d0e529e88a312f68e885557eb3d24e224b35fc9762e5f

Download Submit
\Windows\SysWOW64\wfnsb.exe

Filesize
252KB

MD5
b71fcbf82c3173f1678bd412eaa3b095

SHA1
646d6e72cd8729feaa52c67435b79641c0a3e0ea

SHA256
aeae3fbd54368e6f2f3fc8876dddf210b993a3200472928bfb8197e0bb8a29e6

SHA512
3594f6e70ab0b46af1616a00bf62aa265ececef2473dccf229f3b39b39ec5eeb8e191bd6886a6cec39f7def94c6973e327415c8892aaff2ba314061a32b07238

Download Submit
\Windows\SysWOW64\wfrui.exe

Filesize
251KB

MD5
fd5883a84eb87d7a197a4c4e0c854987

SHA1
b4780dfb72e237647c4e24d44bef9e660150d16f

SHA256
2628de4b305c0221c39988fcb134f09aba686febcbf11f4c5139eb4774a432d0

SHA512
b16120a6dcd2433a0bd2249ee25f512700f7d9fab113fb0b4887b4bef5ebfeed249807ce616eac24536935e4dfe5dfef5680f585d2da4b727d30a54623e66f81

Download Submit
\Windows\SysWOW64\wfshb.exe

Filesize
251KB

MD5
941d0e0ab4b0cfe28c1fecbcc629309e

SHA1
d828f436089b9286cfb72bf7bdc200ee0db32d97

SHA256
f68e69f105dfa92c568c7957eaa85929fdda2fa5116d5419f094d8529b79e95c

SHA512
ec1c76d8164e3afe11efc1b9ddb74f53cf148d9dd076a09a843c0b31f5d9dd67a7de62869cff2dc7c3ed84a0ac191e0f9d090a143f712ad3148e0a169b97fb3c

Download Submit
\Windows\SysWOW64\wjv.exe

Filesize
251KB

MD5
38ff641610ba76e115b8171d3b88da33

SHA1
8fee2c3f376549c07c1da57bd57265501da2a360

SHA256
789154e877b9ce5f1c0034280f0208546de2641c2b5d32d72dd6544d298ca11e

SHA512
58674f169c95f824357d01e5458a228cf328190b8371270ac9eb9c2ea0ee588303bf81f29f1ed87f81bb87868b9e721000c0535220c05291494151e1634f586b

Download Submit
\Windows\SysWOW64\wlx.exe

Filesize
251KB

MD5
c045ea0f351068f370413a066a9be78d

SHA1
7bfce7d6851cf9e3f3d5c3b298641d26b4f01c43

SHA256
9bab2af9b82028930d5124dd3fe53ae8f5f355bafb0d817200f0a4f102bb076f

SHA512
83ed209ff2c8523c61e58a7263bb66bd0f8886368b27a3b972b6dbe67a928d6121da361b0e895c4d19ad183f935df23ad2cc87f34b96740306cc6245503fe5f4

Download Submit
\Windows\SysWOW64\wmtt.exe

Filesize
251KB

MD5
9e4d8aa7f406655224c5f2349fcedd6b

SHA1
23846775cd5f978135836910b47fa933c487992e

SHA256
fab1a5cbb9f400c94429af5d0d95f68bd575a74f323889802c63a480a1d86b8c

SHA512
f91cd9d9e8bc655321ab5692401276e042f8a59190574ac614d903492803ee1ac484f659f5126c0ea196129e14e3ac72ad33e85d0c20f63f3d44cead96366fcc

Download Submit
\Windows\SysWOW64\wnabc.exe

Filesize
252KB

MD5
6141bafa9a2c2a72de86996ff42e6f1d

SHA1
89faff5f13bf8142d17d81f2659cb9874c93aa7e

SHA256
8f06389af3ff303ce0b33f4d7ee030845f50d6072c6b13fc675b741bfe1c7637

SHA512
ba7c4975c5242ec03dbc3e3860de6e6395eb4b126f0b58687c43807ee53c7d874ca50f9019b97286305ccf11621c8fc0400416efaac839ff2df9b1ec0538b324

Download Submit
\Windows\SysWOW64\woej.exe

Filesize
251KB

MD5
661c7f3167e2c8d870415b762ba360f7

SHA1
212fdf1050ca04d7ba9e5b041f8f1ee4382b9ac9

SHA256
d5ce8ffb577d3398322178e2f2cc78bd1e352ec7e012f544d93a86a546bacde9

SHA512
bbcd73223b66f952cec7d4a7c7ac9f8f75f96275a92edee4c52930e8c08235a3ce7e1da09de4649a0b6d59f4ec0a2a7d22f22aa379c659e7fce785215edfedfe

Download Submit
\Windows\SysWOW64\woh.exe

Filesize
251KB

MD5
ccb6d72c796ae5f0ca8b8baf117bc94b

SHA1
af8b6a1e23dc387f6cdef0bbd8d4d1b2e27c3916

SHA256
61ac4f6e1d545f388010f32c6ba2e2029b9f9f794333da58545803a37e4cedf7

SHA512
f6fa7b0077c526de52d67c64ede18ebfa9c75be89b0a06ac7f7b17476660849ab9b88a8685d8e9cbf5429f2df1059b10b93df5e76a66150405f86ab82ad1d495

Download Submit
\Windows\SysWOW64\wrmkgekf.exe

Filesize
251KB

MD5
50449234dcf71893c5e02b1f7e2bb1cf

SHA1
333d0ed6b385c68234f10d2234edefbf8d3557d6

SHA256
153f9a22c8685f2c193a0574d4109180229974638f4682ca2dba65ce2539515c

SHA512
fb4fb276202c26bd29fd33cf4107c73869783abe5391afe6de9c5a10c953b0f5ce3a06fe416faf8f07896f0234df547a1917e56d288e83ab5c09bcccecd8e4e9

Download Submit
memory/860-268-0x00000000030B0000-0x00000000030C7000-memory.dmp

Filesize
92KB

Download
memory/860-267-0x00000000030B0000-0x00000000030C7000-memory.dmp

Filesize
92KB

Download
memory/860-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/860-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1364-11-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1364-20-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1364-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1364-19-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1364-12-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/1364-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-283-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-269-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-282-0x0000000003DA0000-0x0000000003DB7000-memory.dmp

Filesize
92KB

Download
memory/1748-241-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-253-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/1768-87-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1768-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1768-88-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1768-86-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1768-80-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1768-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-143-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/1800-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-154-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/1800-155-0x00000000032B0000-0x00000000032C7000-memory.dmp

Filesize
92KB

Download
memory/1884-177-0x00000000034B0000-0x00000000034C7000-memory.dmp

Filesize
92KB

Download
memory/1884-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1884-175-0x0000000003250000-0x0000000003267000-memory.dmp

Filesize
92KB

Download
memory/1884-176-0x0000000003250000-0x0000000003267000-memory.dmp

Filesize
92KB

Download
memory/1884-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2068-131-0x0000000002470000-0x0000000002487000-memory.dmp

Filesize
92KB

Download
memory/2068-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2068-132-0x0000000003530000-0x0000000003547000-memory.dmp

Filesize
92KB

Download
memory/2068-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-103-0x0000000004000000-0x0000000004017000-memory.dmp

Filesize
92KB

Download
memory/2200-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-111-0x0000000004000000-0x0000000004017000-memory.dmp

Filesize
92KB

Download
memory/2200-110-0x0000000004000000-0x0000000004017000-memory.dmp

Filesize
92KB

Download
memory/2200-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-202-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-219-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2540-222-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2544-239-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/2544-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2544-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2544-238-0x0000000003F00000-0x0000000003F17000-memory.dmp

Filesize
92KB

Download
memory/2616-62-0x0000000003480000-0x0000000003497000-memory.dmp

Filesize
92KB

Download
memory/2616-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-134-0x0000000003480000-0x0000000003497000-memory.dmp

Filesize
92KB

Download
memory/2616-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-67-0x0000000003480000-0x0000000003497000-memory.dmp

Filesize
92KB

Download
memory/2616-65-0x0000000003480000-0x0000000003497000-memory.dmp

Filesize
92KB

Download
memory/2616-63-0x0000000003480000-0x0000000003497000-memory.dmp

Filesize
92KB

Download
memory/2868-41-0x0000000002170000-0x0000000002187000-memory.dmp

Filesize
92KB

Download
memory/2868-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-43-0x0000000002170000-0x0000000002187000-memory.dmp

Filesize
92KB

Download
memory/2868-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2996-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2996-201-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2996-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2996-198-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2996-197-0x0000000003260000-0x0000000003277000-memory.dmp

Filesize
92KB

Download