1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3

Analysis

max time kernel
162s
max time network
184s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
Size

225KB
MD5

bbeb014ff76f456cc62ab5128e5846f4
SHA1

83d8f2424e70b3ddb034a335d23ecbd54bd733c7
SHA256

1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3
SHA512

f41937d3b22e9292da384ace6dd574132938d77c864d53dd959368eb3ccc92cf31ab1af4987eab36854623a0abcf371dec61fa7741bbd0cf553dd04adf78ea52
SSDEEP

3072:5YUb5QoJ4g+tknipuH/Zj6Iz1ZdW4SBoC2n+:5YfQ1h6SZI4q

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 33 IoCs

pid	Process
2488	wmk.exe
2772	wrosps.exe
2656	wgamf.exe
2096	wox.exe
108	wamxfdwr.exe
2320	wxugw.exe
1792	wrpl.exe
2940	wghrmcsef.exe
2452	wovuaqfq.exe
1772	witvc.exe
1912	wvgtxtw.exe
1836	wycfhp.exe
1648	wnoqlw.exe
884	wgpelnuhn.exe
2216	wadgbt.exe
2680	wjtoig.exe
1688	wfhdnbp.exe
1628	wnoyp.exe
1776	wlsmfvfy.exe
2816	wkndm.exe
2148	wdehh.exe
896	wegtf.exe
2880	wblxj.exe
3068	wlmsu.exe
1532	wbegnh.exe
924	wleckw.exe
2772	wgkptr.exe
3024	wxwxfne.exe
2868	weeetyjs.exe
2476	wptkjo.exe
2968	wcbqlc.exe
2244	wblv.exe
2572	wnrpowy.exe

Loads dropped DLL 64 IoCs

pid	Process
2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
2488	wmk.exe
2488	wmk.exe
2488	wmk.exe
2488	wmk.exe
2772	wrosps.exe
2772	wrosps.exe
2772	wrosps.exe
2772	wrosps.exe
2656	wgamf.exe
2656	wgamf.exe
2656	wgamf.exe
2656	wgamf.exe
2096	wox.exe
2096	wox.exe
2096	wox.exe
2096	wox.exe
108	wamxfdwr.exe
108	wamxfdwr.exe
108	wamxfdwr.exe
108	wamxfdwr.exe
2320	wxugw.exe
2320	wxugw.exe
2320	wxugw.exe
2320	wxugw.exe
1792	wrpl.exe
1792	wrpl.exe
1792	wrpl.exe
1792	wrpl.exe
2940	wghrmcsef.exe
2940	wghrmcsef.exe
2940	wghrmcsef.exe
2940	wghrmcsef.exe
2452	wovuaqfq.exe
2452	wovuaqfq.exe
2452	wovuaqfq.exe
2452	wovuaqfq.exe
1772	witvc.exe
1772	witvc.exe
1772	witvc.exe
1772	witvc.exe
1912	wvgtxtw.exe
1912	wvgtxtw.exe
1912	wvgtxtw.exe
1912	wvgtxtw.exe
1836	wycfhp.exe
1836	wycfhp.exe
1836	wycfhp.exe
1836	wycfhp.exe
1648	wnoqlw.exe
1648	wnoqlw.exe
1648	wnoqlw.exe
1648	wnoqlw.exe
884	wgpelnuhn.exe
884	wgpelnuhn.exe
884	wgpelnuhn.exe
884	wgpelnuhn.exe
2216	wadgbt.exe
2216	wadgbt.exe
2216	wadgbt.exe
2216	wadgbt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wjtoig.exe	wadgbt.exe
File opened for modification	C:\Windows\SysWOW64\wnoyp.exe	wfhdnbp.exe
File created	C:\Windows\SysWOW64\wlsmfvfy.exe	wnoyp.exe
File opened for modification	C:\Windows\SysWOW64\wdehh.exe	wkndm.exe
File opened for modification	C:\Windows\SysWOW64\wbegnh.exe	wlmsu.exe
File created	C:\Windows\SysWOW64\wvgtxtw.exe	witvc.exe
File opened for modification	C:\Windows\SysWOW64\wovuaqfq.exe	wghrmcsef.exe
File created	C:\Windows\SysWOW64\wdehh.exe	wkndm.exe
File opened for modification	C:\Windows\SysWOW64\wmk.exe	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
File opened for modification	C:\Windows\SysWOW64\wblv.exe	wcbqlc.exe
File created	C:\Windows\SysWOW64\wnrpowy.exe	wblv.exe
File opened for modification	C:\Windows\SysWOW64\wvgtxtw.exe	witvc.exe
File created	C:\Windows\SysWOW64\wamxfdwr.exe	wox.exe
File created	C:\Windows\SysWOW64\witvc.exe	wovuaqfq.exe
File created	C:\Windows\SysWOW64\wgpelnuhn.exe	wnoqlw.exe
File opened for modification	C:\Windows\SysWOW64\wgpelnuhn.exe	wnoqlw.exe
File opened for modification	C:\Windows\SysWOW64\wcbqlc.exe	wptkjo.exe
File opened for modification	C:\Windows\SysWOW64\wnrpowy.exe	wblv.exe
File created	C:\Windows\SysWOW64\wrosps.exe	wmk.exe
File opened for modification	C:\Windows\SysWOW64\wlsmfvfy.exe	wnoyp.exe
File opened for modification	C:\Windows\SysWOW64\wegtf.exe	wdehh.exe
File opened for modification	C:\Windows\SysWOW64\wleckw.exe	wbegnh.exe
File opened for modification	C:\Windows\SysWOW64\wptkjo.exe	weeetyjs.exe
File opened for modification	C:\Windows\SysWOW64\wamxfdwr.exe	wox.exe
File opened for modification	C:\Windows\SysWOW64\wgkptr.exe	wleckw.exe
File created	C:\Windows\SysWOW64\wcbqlc.exe	wptkjo.exe
File opened for modification	C:\Windows\SysWOW64\wnoqlw.exe	wycfhp.exe
File created	C:\Windows\SysWOW64\wblv.exe	wcbqlc.exe
File created	C:\Windows\SysWOW64\wgdvjwn.exe	wnrpowy.exe
File created	C:\Windows\SysWOW64\wfhdnbp.exe	wjtoig.exe
File created	C:\Windows\SysWOW64\wxugw.exe	wamxfdwr.exe
File opened for modification	C:\Windows\SysWOW64\witvc.exe	wovuaqfq.exe
File opened for modification	C:\Windows\SysWOW64\wfhdnbp.exe	wjtoig.exe
File opened for modification	C:\Windows\SysWOW64\wkndm.exe	wlsmfvfy.exe
File created	C:\Windows\SysWOW64\wgkptr.exe	wleckw.exe
File created	C:\Windows\SysWOW64\wox.exe	wgamf.exe
File opened for modification	C:\Windows\SysWOW64\wghrmcsef.exe	wrpl.exe
File created	C:\Windows\SysWOW64\wycfhp.exe	wvgtxtw.exe
File created	C:\Windows\SysWOW64\wblxj.exe	wegtf.exe
File created	C:\Windows\SysWOW64\wlmsu.exe	wblxj.exe
File opened for modification	C:\Windows\SysWOW64\wxwxfne.exe	wgkptr.exe
File created	C:\Windows\SysWOW64\weeetyjs.exe	wxwxfne.exe
File created	C:\Windows\SysWOW64\wptkjo.exe	weeetyjs.exe
File created	C:\Windows\SysWOW64\wghrmcsef.exe	wrpl.exe
File created	C:\Windows\SysWOW64\wovuaqfq.exe	wghrmcsef.exe
File opened for modification	C:\Windows\SysWOW64\wadgbt.exe	wgpelnuhn.exe
File opened for modification	C:\Windows\SysWOW64\wox.exe	wgamf.exe
File opened for modification	C:\Windows\SysWOW64\wycfhp.exe	wvgtxtw.exe
File created	C:\Windows\SysWOW64\wnoqlw.exe	wycfhp.exe
File created	C:\Windows\SysWOW64\wnoyp.exe	wfhdnbp.exe
File created	C:\Windows\SysWOW64\wleckw.exe	wbegnh.exe
File opened for modification	C:\Windows\SysWOW64\wxugw.exe	wamxfdwr.exe
File opened for modification	C:\Windows\SysWOW64\wrpl.exe	wxugw.exe
File created	C:\Windows\SysWOW64\wegtf.exe	wdehh.exe
File opened for modification	C:\Windows\SysWOW64\wblxj.exe	wegtf.exe
File created	C:\Windows\SysWOW64\wrpl.exe	wxugw.exe
File opened for modification	C:\Windows\SysWOW64\wjtoig.exe	wadgbt.exe
File created	C:\Windows\SysWOW64\wkndm.exe	wlsmfvfy.exe
File opened for modification	C:\Windows\SysWOW64\wrosps.exe	wmk.exe
File created	C:\Windows\SysWOW64\wxwxfne.exe	wgkptr.exe
File created	C:\Windows\SysWOW64\wgamf.exe	wrosps.exe
File created	C:\Windows\SysWOW64\wbegnh.exe	wlmsu.exe
File opened for modification	C:\Windows\SysWOW64\weeetyjs.exe	wxwxfne.exe
File created	C:\Windows\SysWOW64\wadgbt.exe	wgpelnuhn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2488	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	31
PID 2612 wrote to memory of 2488	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	31
PID 2612 wrote to memory of 2488	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	31
PID 2612 wrote to memory of 2488	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	31
PID 2612 wrote to memory of 2408	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	32
PID 2612 wrote to memory of 2408	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	32
PID 2612 wrote to memory of 2408	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	32
PID 2612 wrote to memory of 2408	2612	1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe	32
PID 2488 wrote to memory of 2772	2488	wmk.exe	35
PID 2488 wrote to memory of 2772	2488	wmk.exe	35
PID 2488 wrote to memory of 2772	2488	wmk.exe	35
PID 2488 wrote to memory of 2772	2488	wmk.exe	35
PID 2488 wrote to memory of 2792	2488	wmk.exe	36
PID 2488 wrote to memory of 2792	2488	wmk.exe	36
PID 2488 wrote to memory of 2792	2488	wmk.exe	36
PID 2488 wrote to memory of 2792	2488	wmk.exe	36
PID 2772 wrote to memory of 2656	2772	wrosps.exe	39
PID 2772 wrote to memory of 2656	2772	wrosps.exe	39
PID 2772 wrote to memory of 2656	2772	wrosps.exe	39
PID 2772 wrote to memory of 2656	2772	wrosps.exe	39
PID 2772 wrote to memory of 2304	2772	wrosps.exe	40
PID 2772 wrote to memory of 2304	2772	wrosps.exe	40
PID 2772 wrote to memory of 2304	2772	wrosps.exe	40
PID 2772 wrote to memory of 2304	2772	wrosps.exe	40
PID 2656 wrote to memory of 2096	2656	wgamf.exe	42
PID 2656 wrote to memory of 2096	2656	wgamf.exe	42
PID 2656 wrote to memory of 2096	2656	wgamf.exe	42
PID 2656 wrote to memory of 2096	2656	wgamf.exe	42
PID 2656 wrote to memory of 2980	2656	wgamf.exe	43
PID 2656 wrote to memory of 2980	2656	wgamf.exe	43
PID 2656 wrote to memory of 2980	2656	wgamf.exe	43
PID 2656 wrote to memory of 2980	2656	wgamf.exe	43
PID 2096 wrote to memory of 108	2096	wox.exe	45
PID 2096 wrote to memory of 108	2096	wox.exe	45
PID 2096 wrote to memory of 108	2096	wox.exe	45
PID 2096 wrote to memory of 108	2096	wox.exe	45
PID 2096 wrote to memory of 1480	2096	wox.exe	46
PID 2096 wrote to memory of 1480	2096	wox.exe	46
PID 2096 wrote to memory of 1480	2096	wox.exe	46
PID 2096 wrote to memory of 1480	2096	wox.exe	46
PID 108 wrote to memory of 2320	108	wamxfdwr.exe	48
PID 108 wrote to memory of 2320	108	wamxfdwr.exe	48
PID 108 wrote to memory of 2320	108	wamxfdwr.exe	48
PID 108 wrote to memory of 2320	108	wamxfdwr.exe	48
PID 108 wrote to memory of 2344	108	wamxfdwr.exe	49
PID 108 wrote to memory of 2344	108	wamxfdwr.exe	49
PID 108 wrote to memory of 2344	108	wamxfdwr.exe	49
PID 108 wrote to memory of 2344	108	wamxfdwr.exe	49
PID 2320 wrote to memory of 1792	2320	wxugw.exe	51
PID 2320 wrote to memory of 1792	2320	wxugw.exe	51
PID 2320 wrote to memory of 1792	2320	wxugw.exe	51
PID 2320 wrote to memory of 1792	2320	wxugw.exe	51
PID 2320 wrote to memory of 1732	2320	wxugw.exe	52
PID 2320 wrote to memory of 1732	2320	wxugw.exe	52
PID 2320 wrote to memory of 1732	2320	wxugw.exe	52
PID 2320 wrote to memory of 1732	2320	wxugw.exe	52
PID 1792 wrote to memory of 2940	1792	wrpl.exe	54
PID 1792 wrote to memory of 2940	1792	wrpl.exe	54
PID 1792 wrote to memory of 2940	1792	wrpl.exe	54
PID 1792 wrote to memory of 2940	1792	wrpl.exe	54
PID 1792 wrote to memory of 2576	1792	wrpl.exe	55
PID 1792 wrote to memory of 2576	1792	wrpl.exe	55
PID 1792 wrote to memory of 2576	1792	wrpl.exe	55
PID 1792 wrote to memory of 2576	1792	wrpl.exe	55

C:\Users\Admin\AppData\Local\Temp\1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
"C:\Users\Admin\AppData\Local\Temp\1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\wmk.exe
  "C:\Windows\system32\wmk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\wrosps.exe
    "C:\Windows\system32\wrosps.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\wgamf.exe
      "C:\Windows\system32\wgamf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\wox.exe
        
        "C:\Windows\system32\wox.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\wamxfdwr.exe
        
        "C:\Windows\system32\wamxfdwr.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\SysWOW64\wxugw.exe
        
        "C:\Windows\system32\wxugw.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\wrpl.exe
        
        "C:\Windows\system32\wrpl.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\wghrmcsef.exe
        
        "C:\Windows\system32\wghrmcsef.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wovuaqfq.exe
        
        "C:\Windows\system32\wovuaqfq.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\witvc.exe
        
        "C:\Windows\system32\witvc.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\wvgtxtw.exe
        
        "C:\Windows\system32\wvgtxtw.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\wycfhp.exe
        
        "C:\Windows\system32\wycfhp.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wnoqlw.exe
        
        "C:\Windows\system32\wnoqlw.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\wgpelnuhn.exe
        
        "C:\Windows\system32\wgpelnuhn.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\wadgbt.exe
        
        "C:\Windows\system32\wadgbt.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\wjtoig.exe
        
        "C:\Windows\system32\wjtoig.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\wfhdnbp.exe
        
        "C:\Windows\system32\wfhdnbp.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wnoyp.exe
        
        "C:\Windows\system32\wnoyp.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wlsmfvfy.exe
        
        "C:\Windows\system32\wlsmfvfy.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\wkndm.exe
        
        "C:\Windows\system32\wkndm.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wdehh.exe
        
        "C:\Windows\system32\wdehh.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\wegtf.exe
        
        "C:\Windows\system32\wegtf.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\wblxj.exe
        
        "C:\Windows\system32\wblxj.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wlmsu.exe
        
        "C:\Windows\system32\wlmsu.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wbegnh.exe
        
        "C:\Windows\system32\wbegnh.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\wleckw.exe
        
        "C:\Windows\system32\wleckw.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\wgkptr.exe
        
        "C:\Windows\system32\wgkptr.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\wxwxfne.exe
        
        "C:\Windows\system32\wxwxfne.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\weeetyjs.exe
        
        "C:\Windows\system32\weeetyjs.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\wptkjo.exe
        
        "C:\Windows\system32\wptkjo.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wcbqlc.exe
        
        "C:\Windows\system32\wcbqlc.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\wblv.exe
        
        "C:\Windows\system32\wblv.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\wnrpowy.exe
        
        "C:\Windows\system32\wnrpowy.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblv.exe"
        34⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbqlc.exe"
        33⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptkjo.exe"
        32⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weeetyjs.exe"
        31⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwxfne.exe"
        30⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkptr.exe"
        29⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wleckw.exe"
        28⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbegnh.exe"
        27⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmsu.exe"
        26⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblxj.exe"
        25⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegtf.exe"
        24⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdehh.exe"
        23⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkndm.exe"
        22⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsmfvfy.exe"
        21⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoyp.exe"
        20⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhdnbp.exe"
        19⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtoig.exe"
        18⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wadgbt.exe"
        17⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpelnuhn.exe"
        16⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoqlw.exe"
        15⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycfhp.exe"
        14⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgtxtw.exe"
        13⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\witvc.exe"
        12⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovuaqfq.exe"
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghrmcsef.exe"
        10⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpl.exe"
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxugw.exe"
        8⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamxfdwr.exe"
        7⤵
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wox.exe"
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgamf.exe"
        5⤵
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrosps.exe"
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmk.exe"
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe"
  2⤵
  - Deletes itself
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9VIG9OF1.txt

Filesize
99B

MD5
21a426afc1049d070717b11554b54432

SHA1
77fea8073929a9e31ebd437369db94873f2ac57a

SHA256
5e54ed8b969ff6552fe84687973c3e92af7196d8be913951e55a716c0fff1ef2

SHA512
e057a5699f419d7e1ea248116d41945128e9f9e4be4e67d863615b31f3463781529d017563bd1a829f29ec02856c53bd59d5dad1aa3fb6f990d607a44702a3d3

Download Submit
\Windows\SysWOW64\wamxfdwr.exe

Filesize
225KB

MD5
359ab6c6ef07fb5395fe42d7dbc03ee5

SHA1
6cc5dcd86153471d7a1ab7d5f0dbcee49df9d956

SHA256
ce5a0c657e0a749128c362aba54dd7435039ee427e22b0a3e22cb4e39e5cf510

SHA512
8779109d103aa0bcf57c260354d58fe7de14ff6aa9791b20418b498c494e26041e0ede5cb555d4339064f7aa684a02b911da30e52e6478cfab58e7bc1ca06e0e

Download Submit
\Windows\SysWOW64\wgamf.exe

Filesize
225KB

MD5
dcb9deecaffda3c9bd11fd0610cf6fd0

SHA1
ff4bcaa33c598225d7bab8e9dc92aba183d84e34

SHA256
65a8bf8d9729452a3d7f29753c994715a93c915649da988487c89ae49f8f2d28

SHA512
1bb8423409bf50bffe3594c2826fb653ff184117ba8ce6baf137cd0a2c6026907fb8ac60305a7b96266f3bb6dc4bd1670ec3996b3af43b2a24591a2e32a4f714

Download Submit
\Windows\SysWOW64\wghrmcsef.exe

Filesize
225KB

MD5
ad9e4d6b896ae62930ba7f041df19923

SHA1
4812fb1198865e5fb3814ab84b19cd000a49618c

SHA256
3f7c68c802e732c5b845927bb46057582f7d2a4b89b6424f43fe021ec7623d7d

SHA512
51467e4ee62a6c2659708890cfce09b2b163d8dbc23836011cbed7b9f929ef155f0f07cedecfa617711a3dc005968ae94295f00847ecf3a11f4e23797aad2626

Download Submit
\Windows\SysWOW64\witvc.exe

Filesize
225KB

MD5
8b9fa45d71ff6d0d0430f808f91d5b41

SHA1
c3e1dc594c305056af14e89627d2a125b52b757f

SHA256
92ae794d72ab8be49e735e1574f5a644fc6729147ff01409cc3876306be168bc

SHA512
8415d25d9bf814475993b74ddbadf172c916768c159038c8b00a8f1ea70ff6a1802efb618e996ee8aa0a607ea99ba64400c04c8c6a0445134f7d0aae4c9b9956

Download Submit
\Windows\SysWOW64\wmk.exe

Filesize
225KB

MD5
f0537249b006cda11d3232e5333cb047

SHA1
89b68b4648aab97dc72e0035a1d565bf220bbeda

SHA256
01eee4b8438d562d2c04ef368287c8161936a2a6bcdbcd2ed8fccb63f25dd523

SHA512
95880cca224697c54b210ab0af4452d711894ffe7d7e49b54290245b687950c8ed8cbfc8f5122e3d042d7515d7a57277d7738928db64bd7ed6b3de2b1f0b1725

Download Submit
\Windows\SysWOW64\wovuaqfq.exe

Filesize
225KB

MD5
6ff3617bede4825f50f7a07e8d2ed6f9

SHA1
9c41845d34d81f295408f66a2e0663140b0a5c0c

SHA256
f38c22d26785303e5d29796962520305f878d62199c9044ed90e96d15edb761d

SHA512
be87db0b4a09d9489283f65dcaac78d02ff13966553a4563b67e6bb726ff82e3d22de0999b57597bd88ce11f46900b81d97114d7f963bfb17862c0f66a08a5bd

Download Submit
\Windows\SysWOW64\wox.exe

Filesize
225KB

MD5
023e8995807c0fa7a19fc1e02ced6631

SHA1
2d5e1d475d5255510b141fb8cc142f4d831c54e6

SHA256
05d1cdc82fc95dcc51b53ef68661d42b6b5354537b81fb9f1132f86e835fee6b

SHA512
b32609c6a0f25c40029e121fee2c9f8161728faffee194b5ce1427c4223ed9220ea959a45d9e7f54b428f4f0f6afa8b474b78867a0ce6cd19f0f097fb127f789

Download Submit
\Windows\SysWOW64\wrosps.exe

Filesize
225KB

MD5
af5fc9c3a7554dd7ac3156f034c4410e

SHA1
52ef9742019faccc713895d9836b9ab05b25cf1f

SHA256
6890208ebc5bcc410fca61be48d835910b135761cf401a903e44ffe12527e62e

SHA512
152fa8abe799b5edea40bc5131bbdcbd7cf890ac167a01b0145d7eeca82364a8b30c8c418cee34d46f5429ffdf570e6a8f9c2aa66c096a7656c205224263ca8b

Download Submit
\Windows\SysWOW64\wrpl.exe

Filesize
225KB

MD5
d31e26635b15736b2a4e02912af58c45

SHA1
111e075c76e88cd8c8da27af1ee3341003405e94

SHA256
83d3d4f9b2af14d27608ef496e7150a0c50b2b71b32c920c5f7706190590e7f9

SHA512
12774117561eb9376541209ae9eed20f637eb06219c7c6af524f8538c66d043b486f0cce83e8f0bb949272d24cc1d35a47fc8c433d5ecc1a0f0787d066f9cb51

Download Submit
\Windows\SysWOW64\wvgtxtw.exe

Filesize
225KB

MD5
6085049e9f93bf34ef0483fe5676b52f

SHA1
0e58ec98e3d5e69ca9479825c6844f5cbf1a9e14

SHA256
a5e0d09d5f894d0c10dcc57af2332dc5df44483d995484b4842912de6a931c0f

SHA512
adba7bc9828866d09bd5844ab9c6610e29ccb7c98af5df85aedaa9e240f0616e61ac24f9671b85404cb8f3d5ffcd7743c9dcb9fa15a0220a9769b1d6f2f4cdb8

Download Submit
\Windows\SysWOW64\wxugw.exe

Filesize
225KB

MD5
2cf3058bcc553cb642ab729aca961cf3

SHA1
5072db77bb9362daa9c6675463f69774160a1560

SHA256
18225add540cc14a24124f83af3e833e8eff1c241c670a1423aded69d706e629

SHA512
9767fcc3ba464fd2eae1905401f5cc8260992e06c4520176c6fd2bf124413fe9149687adf925c4cccfcdfc14ac32b8308a5dd22bd2c387cffd44b81f2dda22aa

Download Submit
memory/108-130-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/108-126-0x0000000003C30000-0x0000000003C4E000-memory.dmp

Filesize
120KB

Download
memory/108-127-0x0000000003C30000-0x0000000003C4E000-memory.dmp

Filesize
120KB

Download
memory/108-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/884-293-0x0000000003BB0000-0x0000000003BCE000-memory.dmp

Filesize
120KB

Download
memory/884-294-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/884-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1648-279-0x0000000003C90000-0x0000000003CAE000-memory.dmp

Filesize
120KB

Download
memory/1648-281-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1648-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-234-0x0000000003EB0000-0x0000000003ECE000-memory.dmp

Filesize
120KB

Download
memory/1772-227-0x0000000003DA0000-0x0000000003DBE000-memory.dmp

Filesize
120KB

Download
memory/1772-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-233-0x0000000003DA0000-0x0000000003DBE000-memory.dmp

Filesize
120KB

Download
memory/1792-171-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/1792-168-0x0000000002E20000-0x0000000002E3E000-memory.dmp

Filesize
120KB

Download
memory/1792-172-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1792-169-0x0000000002E20000-0x0000000002E3E000-memory.dmp

Filesize
120KB

Download
memory/1792-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1836-263-0x0000000003670000-0x000000000368E000-memory.dmp

Filesize
120KB

Download
memory/1836-265-0x0000000003670000-0x000000000368E000-memory.dmp

Filesize
120KB

Download
memory/1836-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1836-251-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1912-249-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/1912-248-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/1912-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1912-235-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2096-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2096-108-0x0000000002EF0000-0x0000000002F0E000-memory.dmp

Filesize
120KB

Download
memory/2096-106-0x0000000002EF0000-0x0000000002F0E000-memory.dmp

Filesize
120KB

Download
memory/2096-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2096-105-0x0000000002EF0000-0x0000000002F0E000-memory.dmp

Filesize
120KB

Download
memory/2320-149-0x0000000003C90000-0x0000000003CAE000-memory.dmp

Filesize
120KB

Download
memory/2320-129-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2320-147-0x0000000003330000-0x000000000334E000-memory.dmp

Filesize
120KB

Download
memory/2320-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2452-212-0x0000000003C40000-0x0000000003C5E000-memory.dmp

Filesize
120KB

Download
memory/2452-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2452-213-0x0000000003C40000-0x0000000003C5E000-memory.dmp

Filesize
120KB

Download
memory/2452-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2488-42-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2488-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2488-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2488-38-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/2488-40-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/2488-41-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2612-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2612-11-0x0000000003140000-0x000000000315E000-memory.dmp

Filesize
120KB

Download
memory/2612-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-84-0x0000000003AB0000-0x0000000003ACE000-memory.dmp

Filesize
120KB

Download
memory/2656-83-0x0000000003AB0000-0x0000000003ACE000-memory.dmp

Filesize
120KB

Download
memory/2772-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-61-0x0000000003C60000-0x0000000003C7E000-memory.dmp

Filesize
120KB

Download
memory/2772-64-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2772-63-0x0000000003C70000-0x0000000003C8E000-memory.dmp

Filesize
120KB

Download
memory/2940-173-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2940-193-0x0000000003C00000-0x0000000003C1E000-memory.dmp

Filesize
120KB

Download
memory/2940-190-0x0000000003BF0000-0x0000000003C0E000-memory.dmp

Filesize
120KB

Download
memory/2940-191-0x0000000003C00000-0x0000000003C1E000-memory.dmp

Filesize
120KB

Download
memory/2940-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download