2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
Size

460KB
MD5

13120df0d0267bcb5ca074e10f52f32b
SHA1

2fc0d62fbf44babd188f2ab1938dc00696e4abe7
SHA256

2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa
SHA512

7ebcb95e58abc2ec839deff8a77dffe840677171b852ea724cbd95f6e1525b2b5f448d5c1eed665189a95915beb3567a39977a5e8343b7cddcd9607a3f5d1e8c
SSDEEP

12288:+LKSZhnVepwI20UldLbz5f27POyORdIKB1bybT:+LRhiwI20UldLbz5f27POyORdIKB1byn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 35 IoCs

pid	Process
2680	wabfaa.exe
2880	wrsd.exe
2028	wjfn.exe
1700	wbywlfl.exe
2080	wwn.exe
1052	wos.exe
1292	wcnmjbr.exe
2528	wjnx.exe
3052	wobauc.exe
2876	wekc.exe
2540	wfnlvveeo.exe
2292	wnsdll.exe
1380	wyyr.exe
3024	wkleuifeu.exe
1672	wgcdxjp.exe
1572	wpetvrm.exe
1984	wexrqddd.exe
1516	wunpofn.exe
1652	whsogm.exe
1180	wcuaa.exe
2828	wcqtmjpcy.exe
980	wpybehe.exe
2308	wsrbeqhg.exe
3060	wvabqyadn.exe
2800	wlnykv.exe
2976	wgofbxvf.exe
2764	warwjey.exe
1872	wgtdhfp.exe
884	wcycrc.exe
2080	wkinqjk.exe
1912	wdeemr.exe
2272	wtoxbuqwy.exe
2472	wevjj.exe
2492	wukdoqhp.exe
2268	wutbcdce.exe

Loads dropped DLL 64 IoCs

pid	Process
2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
2680	wabfaa.exe
2680	wabfaa.exe
2680	wabfaa.exe
2680	wabfaa.exe
2880	wrsd.exe
2880	wrsd.exe
2880	wrsd.exe
2880	wrsd.exe
2028	wjfn.exe
2028	wjfn.exe
2028	wjfn.exe
2028	wjfn.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1700	wbywlfl.exe
1700	wbywlfl.exe
1700	wbywlfl.exe
1700	wbywlfl.exe
2080	wwn.exe
2080	wwn.exe
2080	wwn.exe
2080	wwn.exe
1052	wos.exe
1052	wos.exe
1052	wos.exe
1052	wos.exe
1292	wcnmjbr.exe
1292	wcnmjbr.exe
1292	wcnmjbr.exe
1292	wcnmjbr.exe
2528	wjnx.exe
2528	wjnx.exe
2528	wjnx.exe
2528	wjnx.exe
3052	wobauc.exe
3052	wobauc.exe
3052	wobauc.exe
3052	wobauc.exe
2876	wekc.exe
2876	wekc.exe
2876	wekc.exe
2876	wekc.exe
2540	wfnlvveeo.exe
2540	wfnlvveeo.exe
2540	wfnlvveeo.exe
2540	wfnlvveeo.exe
2292	wnsdll.exe
2292	wnsdll.exe
2292	wnsdll.exe
2292	wnsdll.exe
1380	wyyr.exe
1380	wyyr.exe
1380	wyyr.exe
1380	wyyr.exe
3024	wkleuifeu.exe
3024	wkleuifeu.exe
3024	wkleuifeu.exe
3024	wkleuifeu.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wrsd.exe	wabfaa.exe
File opened for modification	C:\Windows\SysWOW64\wrsd.exe	wabfaa.exe
File opened for modification	C:\Windows\SysWOW64\wfnlvveeo.exe	wekc.exe
File created	C:\Windows\SysWOW64\wexrqddd.exe	wpetvrm.exe
File created	C:\Windows\SysWOW64\wwn.exe	wbywlfl.exe
File opened for modification	C:\Windows\SysWOW64\wgofbxvf.exe	wlnykv.exe
File created	C:\Windows\SysWOW64\wreie.exe	wutbcdce.exe
File created	C:\Windows\SysWOW64\wobauc.exe	wjnx.exe
File opened for modification	C:\Windows\SysWOW64\wtoxbuqwy.exe	wdeemr.exe
File created	C:\Windows\SysWOW64\wyyr.exe	wnsdll.exe
File opened for modification	C:\Windows\SysWOW64\wexrqddd.exe	wpetvrm.exe
File created	C:\Windows\SysWOW64\wukdoqhp.exe	wevjj.exe
File opened for modification	C:\Windows\SysWOW64\wekc.exe	wobauc.exe
File opened for modification	C:\Windows\SysWOW64\whsogm.exe	wunpofn.exe
File opened for modification	C:\Windows\SysWOW64\wsrbeqhg.exe	wpybehe.exe
File created	C:\Windows\SysWOW64\wfnlvveeo.exe	wekc.exe
File created	C:\Windows\SysWOW64\wnsdll.exe	wfnlvveeo.exe
File created	C:\Windows\SysWOW64\wcuaa.exe	whsogm.exe
File opened for modification	C:\Windows\SysWOW64\wpybehe.exe	wcqtmjpcy.exe
File opened for modification	C:\Windows\SysWOW64\wukdoqhp.exe	wevjj.exe
File opened for modification	C:\Windows\SysWOW64\wwn.exe	wbywlfl.exe
File created	C:\Windows\SysWOW64\wcqtmjpcy.exe	wcuaa.exe
File created	C:\Windows\SysWOW64\wpybehe.exe	wcqtmjpcy.exe
File created	C:\Windows\SysWOW64\warwjey.exe	wgofbxvf.exe
File created	C:\Windows\SysWOW64\wkinqjk.exe	wcycrc.exe
File opened for modification	C:\Windows\SysWOW64\wabfaa.exe	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
File created	C:\Windows\SysWOW64\wgcdxjp.exe	wkleuifeu.exe
File created	C:\Windows\SysWOW64\wunpofn.exe	wexrqddd.exe
File created	C:\Windows\SysWOW64\wsrbeqhg.exe	wpybehe.exe
File created	C:\Windows\SysWOW64\wgtdhfp.exe	warwjey.exe
File opened for modification	C:\Windows\SysWOW64\wgtdhfp.exe	warwjey.exe
File opened for modification	C:\Windows\SysWOW64\wdeemr.exe	wkinqjk.exe
File created	C:\Windows\SysWOW64\wevjj.exe	wtoxbuqwy.exe
File opened for modification	C:\Windows\SysWOW64\wjfn.exe	wrsd.exe
File created	C:\Windows\SysWOW64\wcnmjbr.exe	wos.exe
File opened for modification	C:\Windows\SysWOW64\wjnx.exe	wcnmjbr.exe
File created	C:\Windows\SysWOW64\wvabqyadn.exe	wsrbeqhg.exe
File opened for modification	C:\Windows\SysWOW64\wlnykv.exe	wvabqyadn.exe
File created	C:\Windows\SysWOW64\wdeemr.exe	wkinqjk.exe
File created	C:\Windows\SysWOW64\wjnx.exe	wcnmjbr.exe
File opened for modification	C:\Windows\SysWOW64\wpetvrm.exe	wgcdxjp.exe
File opened for modification	C:\Windows\SysWOW64\wcuaa.exe	whsogm.exe
File opened for modification	C:\Windows\SysWOW64\wcqtmjpcy.exe	wcuaa.exe
File opened for modification	C:\Windows\SysWOW64\wcycrc.exe	wgtdhfp.exe
File created	C:\Windows\SysWOW64\wabfaa.exe	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
File created	C:\Windows\SysWOW64\wlnykv.exe	wvabqyadn.exe
File opened for modification	C:\Windows\SysWOW64\wevjj.exe	wtoxbuqwy.exe
File opened for modification	C:\Windows\SysWOW64\wos.exe	wwn.exe
File opened for modification	C:\Windows\SysWOW64\wyyr.exe	wnsdll.exe
File opened for modification	C:\Windows\SysWOW64\wkleuifeu.exe	wyyr.exe
File created	C:\Windows\SysWOW64\whsogm.exe	wunpofn.exe
File opened for modification	C:\Windows\SysWOW64\wutbcdce.exe	wukdoqhp.exe
File created	C:\Windows\SysWOW64\wgofbxvf.exe	wlnykv.exe
File opened for modification	C:\Windows\SysWOW64\wbywlfl.exe	wjfn.exe
File created	C:\Windows\SysWOW64\wos.exe	wwn.exe
File opened for modification	C:\Windows\SysWOW64\wnsdll.exe	wfnlvveeo.exe
File created	C:\Windows\SysWOW64\wkleuifeu.exe	wyyr.exe
File created	C:\Windows\SysWOW64\wpetvrm.exe	wgcdxjp.exe
File created	C:\Windows\SysWOW64\wutbcdce.exe	wukdoqhp.exe
File created	C:\Windows\SysWOW64\wbywlfl.exe	wjfn.exe
File opened for modification	C:\Windows\SysWOW64\wobauc.exe	wjnx.exe
File created	C:\Windows\SysWOW64\wekc.exe	wobauc.exe
File opened for modification	C:\Windows\SysWOW64\wgcdxjp.exe	wkleuifeu.exe
File opened for modification	C:\Windows\SysWOW64\wunpofn.exe	wexrqddd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	2028	WerFault.exe	36

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2680	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	29
PID 2232 wrote to memory of 2680	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	29
PID 2232 wrote to memory of 2680	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	29
PID 2232 wrote to memory of 2680	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	29
PID 2232 wrote to memory of 2784	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	30
PID 2232 wrote to memory of 2784	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	30
PID 2232 wrote to memory of 2784	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	30
PID 2232 wrote to memory of 2784	2232	2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe	30
PID 2680 wrote to memory of 2880	2680	wabfaa.exe	33
PID 2680 wrote to memory of 2880	2680	wabfaa.exe	33
PID 2680 wrote to memory of 2880	2680	wabfaa.exe	33
PID 2680 wrote to memory of 2880	2680	wabfaa.exe	33
PID 2680 wrote to memory of 1668	2680	wabfaa.exe	34
PID 2680 wrote to memory of 1668	2680	wabfaa.exe	34
PID 2680 wrote to memory of 1668	2680	wabfaa.exe	34
PID 2680 wrote to memory of 1668	2680	wabfaa.exe	34
PID 2880 wrote to memory of 2028	2880	wrsd.exe	36
PID 2880 wrote to memory of 2028	2880	wrsd.exe	36
PID 2880 wrote to memory of 2028	2880	wrsd.exe	36
PID 2880 wrote to memory of 2028	2880	wrsd.exe	36
PID 2880 wrote to memory of 2340	2880	wrsd.exe	37
PID 2880 wrote to memory of 2340	2880	wrsd.exe	37
PID 2880 wrote to memory of 2340	2880	wrsd.exe	37
PID 2880 wrote to memory of 2340	2880	wrsd.exe	37
PID 2028 wrote to memory of 1700	2028	wjfn.exe	39
PID 2028 wrote to memory of 1700	2028	wjfn.exe	39
PID 2028 wrote to memory of 1700	2028	wjfn.exe	39
PID 2028 wrote to memory of 1700	2028	wjfn.exe	39
PID 2028 wrote to memory of 1696	2028	wjfn.exe	40
PID 2028 wrote to memory of 1696	2028	wjfn.exe	40
PID 2028 wrote to memory of 1696	2028	wjfn.exe	40
PID 2028 wrote to memory of 1696	2028	wjfn.exe	40
PID 2028 wrote to memory of 1828	2028	wjfn.exe	42
PID 2028 wrote to memory of 1828	2028	wjfn.exe	42
PID 2028 wrote to memory of 1828	2028	wjfn.exe	42
PID 2028 wrote to memory of 1828	2028	wjfn.exe	42
PID 1700 wrote to memory of 2080	1700	wbywlfl.exe	44
PID 1700 wrote to memory of 2080	1700	wbywlfl.exe	44
PID 1700 wrote to memory of 2080	1700	wbywlfl.exe	44
PID 1700 wrote to memory of 2080	1700	wbywlfl.exe	44
PID 1700 wrote to memory of 1568	1700	wbywlfl.exe	45
PID 1700 wrote to memory of 1568	1700	wbywlfl.exe	45
PID 1700 wrote to memory of 1568	1700	wbywlfl.exe	45
PID 1700 wrote to memory of 1568	1700	wbywlfl.exe	45
PID 2080 wrote to memory of 1052	2080	wwn.exe	47
PID 2080 wrote to memory of 1052	2080	wwn.exe	47
PID 2080 wrote to memory of 1052	2080	wwn.exe	47
PID 2080 wrote to memory of 1052	2080	wwn.exe	47
PID 2080 wrote to memory of 2896	2080	wwn.exe	48
PID 2080 wrote to memory of 2896	2080	wwn.exe	48
PID 2080 wrote to memory of 2896	2080	wwn.exe	48
PID 2080 wrote to memory of 2896	2080	wwn.exe	48
PID 1052 wrote to memory of 1292	1052	wos.exe	50
PID 1052 wrote to memory of 1292	1052	wos.exe	50
PID 1052 wrote to memory of 1292	1052	wos.exe	50
PID 1052 wrote to memory of 1292	1052	wos.exe	50
PID 1052 wrote to memory of 2008	1052	wos.exe	51
PID 1052 wrote to memory of 2008	1052	wos.exe	51
PID 1052 wrote to memory of 2008	1052	wos.exe	51
PID 1052 wrote to memory of 2008	1052	wos.exe	51
PID 1292 wrote to memory of 2528	1292	wcnmjbr.exe	53
PID 1292 wrote to memory of 2528	1292	wcnmjbr.exe	53
PID 1292 wrote to memory of 2528	1292	wcnmjbr.exe	53
PID 1292 wrote to memory of 2528	1292	wcnmjbr.exe	53

C:\Users\Admin\AppData\Local\Temp\2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe
"C:\Users\Admin\AppData\Local\Temp\2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\wabfaa.exe
  "C:\Windows\system32\wabfaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\wrsd.exe
    "C:\Windows\system32\wrsd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\wjfn.exe
      "C:\Windows\system32\wjfn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\wbywlfl.exe
        
        "C:\Windows\system32\wbywlfl.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SysWOW64\wwn.exe
        
        "C:\Windows\system32\wwn.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\wos.exe
        
        "C:\Windows\system32\wos.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\wcnmjbr.exe
        
        "C:\Windows\system32\wcnmjbr.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\wjnx.exe
        
        "C:\Windows\system32\wjnx.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wobauc.exe
        
        "C:\Windows\system32\wobauc.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\wekc.exe
        
        "C:\Windows\system32\wekc.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\wfnlvveeo.exe
        
        "C:\Windows\system32\wfnlvveeo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wnsdll.exe
        
        "C:\Windows\system32\wnsdll.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\wyyr.exe
        
        "C:\Windows\system32\wyyr.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\wkleuifeu.exe
        
        "C:\Windows\system32\wkleuifeu.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\wgcdxjp.exe
        
        "C:\Windows\system32\wgcdxjp.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\wpetvrm.exe
        
        "C:\Windows\system32\wpetvrm.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\wexrqddd.exe
        
        "C:\Windows\system32\wexrqddd.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\wunpofn.exe
        
        "C:\Windows\system32\wunpofn.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\whsogm.exe
        
        "C:\Windows\system32\whsogm.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\wcuaa.exe
        
        "C:\Windows\system32\wcuaa.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\wcqtmjpcy.exe
        
        "C:\Windows\system32\wcqtmjpcy.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\wpybehe.exe
        
        "C:\Windows\system32\wpybehe.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\wsrbeqhg.exe
        
        "C:\Windows\system32\wsrbeqhg.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\wvabqyadn.exe
        
        "C:\Windows\system32\wvabqyadn.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\wlnykv.exe
        
        "C:\Windows\system32\wlnykv.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\wgofbxvf.exe
        
        "C:\Windows\system32\wgofbxvf.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\warwjey.exe
        
        "C:\Windows\system32\warwjey.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\wgtdhfp.exe
        
        "C:\Windows\system32\wgtdhfp.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\wcycrc.exe
        
        "C:\Windows\system32\wcycrc.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\wkinqjk.exe
        
        "C:\Windows\system32\wkinqjk.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\wdeemr.exe
        
        "C:\Windows\system32\wdeemr.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\wtoxbuqwy.exe
        
        "C:\Windows\system32\wtoxbuqwy.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wevjj.exe
        
        "C:\Windows\system32\wevjj.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wukdoqhp.exe
        
        "C:\Windows\system32\wukdoqhp.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\wutbcdce.exe
        
        "C:\Windows\system32\wutbcdce.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukdoqhp.exe"
        36⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevjj.exe"
        35⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtoxbuqwy.exe"
        34⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdeemr.exe"
        33⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkinqjk.exe"
        32⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcycrc.exe"
        31⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtdhfp.exe"
        30⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\warwjey.exe"
        29⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgofbxvf.exe"
        28⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnykv.exe"
        27⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvabqyadn.exe"
        26⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsrbeqhg.exe"
        25⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpybehe.exe"
        24⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqtmjpcy.exe"
        23⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcuaa.exe"
        22⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsogm.exe"
        21⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunpofn.exe"
        20⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexrqddd.exe"
        19⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpetvrm.exe"
        18⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcdxjp.exe"
        17⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkleuifeu.exe"
        16⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyyr.exe"
        15⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsdll.exe"
        14⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfnlvveeo.exe"
        13⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekc.exe"
        12⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobauc.exe"
        11⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnx.exe"
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcnmjbr.exe"
        9⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wos.exe"
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwn.exe"
        7⤵
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbywlfl.exe"
        6⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfn.exe"
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 868
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsd.exe"
      4⤵
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabfaa.exe"
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2181cd596eaed3448d45dd9eff7ae6c7490b6cd5afadceae770ab0db403966aa.exe"
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JY2YU4WY.txt

Filesize
99B

MD5
99773e57650a9cb4a935e6d4205e1294

SHA1
007ccd3242db36b379a45142b255b73faa22a97b

SHA256
d2baec20e120a7869bf7854337f23cf2128d8e5904ccc9e20581f251678e6fd6

SHA512
ee62df7c3131252f6d4adb439eb7f4ce7fd4d65f00daa1db6784e9e3316c917fae02f97a60387464ba2904c8d00df44527bad8e8f027f4d0c19e2465845aa3d8

Download Submit
\Windows\SysWOW64\wabfaa.exe

Filesize
460KB

MD5
ca257e903b7d845770d72bb394c7e57c

SHA1
1f548c008d15130d4187b98505ba32432a071c3e

SHA256
59ecebd99af61282a3f1ffa14f080a2a3751688889d54f46caa47ff37420308f

SHA512
ddbaf3075ea38f1951397f986166249da54fcbceaf7ce55548d3c95c4addd51a86697873181862280783ae357e8def376091aefc2d32f0bb601006928c5a5990

Download Submit
\Windows\SysWOW64\wbywlfl.exe

Filesize
460KB

MD5
464450b7e9ea14025755af22db929319

SHA1
270fdbca4301758685e93ad9a019fd8b58c20aca

SHA256
db83ebad4e5748e30b1b1782ab7ab02ebc46c1b5466a35d21626877f7fe960e5

SHA512
ac8d06104dca53de39085277a5915fda58466451b5e1bebb2afe6df58ad535068ba887f0bd0198999c7c271406692622d56ccf4edb805c871e769b378eedda7b

Download Submit
\Windows\SysWOW64\wcnmjbr.exe

Filesize
461KB

MD5
9d9c129c946885f1618ca5ac57b7701c

SHA1
234039c81f225b4b7089571f59afbd68c11f874f

SHA256
a60de8443b4d800ac699c137b6fa0a8f5842d75220ce2ca6048b4da7de391420

SHA512
c6eda6f1d9de41ff778cb59956ab22da277d4d4ab7ac56501f11c0d7a45158991729ed4b3de00678aeb6347f8b674df6b72bb1b6a264756179ab0ca2e4280bc5

Download Submit
\Windows\SysWOW64\wekc.exe

Filesize
461KB

MD5
aa478b7ed39a2e857a83a8d6894c7a89

SHA1
b195768e02df34a414a6aea46a43fa631e3c0457

SHA256
dc16af63c3245298bfebfbf0f0e809ef148760843d1c2150a1b98c496b8c4930

SHA512
77c1a5d4fac79757ac32ff7d7fafdabab22ce38b021247591287617acba84b3b57b0bd86bc2b8a77037ee78b97ffc9ede69315ee7c7a628e98ea595000f698e6

Download Submit
\Windows\SysWOW64\wjfn.exe

Filesize
460KB

MD5
077a939cf5682e9127cc0003162a7675

SHA1
2e355104a12264ce3536587bfe5987b63a3e8d89

SHA256
deba284fee07c9bb282f5814667eb93ee288e0a7364ce68eb30f9672235b21cb

SHA512
eba6408aa6a740a12b8850b2c911551e4b00fdedaf61516e55b40d2c17674c75731c2863b60b532071108ac5cdb0a791640b480c14963f7cd8442037cc7e9001

Download Submit
\Windows\SysWOW64\wjnx.exe

Filesize
461KB

MD5
0be244c62285f099d0884d8c8d2fb17b

SHA1
54d5dcf6a19100a7d3841c744d70f75eb29db32a

SHA256
648c8738e076ce4e40beb1eee8503c4ee12e249612bc0cd537a8a2641e998d25

SHA512
90e03eb6fbc297fe863c82b3b26ed08da967a58e1b6c2f10bc26e2a9ae1edd8a90d89e8e33396755da3fef62b09f765858b52c8e8a56a9032e74538339e76e6f

Download Submit
\Windows\SysWOW64\wobauc.exe

Filesize
461KB

MD5
6be6f59d5590debdc32e465de909a451

SHA1
1cda90481cbaad748c88ac51e54418f4696cd3d8

SHA256
538110ffcb4fd7108acc42fb469be0bedafbbee700fd7e8e5a1a7b6de1f0155c

SHA512
401098f4e096ba5dcbfd5272d961256068e1edb611d1a49a2d9ebad83c122d6a7d7a13379192fc38fb5ba2b356241ac28f69fb60a812746993229eb166cef829

Download Submit
\Windows\SysWOW64\wos.exe

Filesize
460KB

MD5
bc1d52d6cfaea55c762f219a734325e4

SHA1
e689273db898c795d5b4658586522ce6472959d9

SHA256
34d826100c220d7bc3dfe92cb707ee3d107bd2158033bed09e903569c9f7b00a

SHA512
d4f0c96ce500a718eeabfa69f681787999fbf088c674094f9e3cf51c5f218e00707b88ef8698e17829d3e1684bab82f8ae3d8d3a2e53cf0033671161bba19421

Download Submit
\Windows\SysWOW64\wrsd.exe

Filesize
460KB

MD5
08b7295db02371b01c276df998af2bb7

SHA1
4978385950ece3431f673af36c0c2579c12822b9

SHA256
2394acca0fb8636d58438bfa861c06ccfdee2ce1de7a98c94b2bdce8e5462c05

SHA512
383a641ad0bca36dc31747f173db7155deeaedf43cedd7af407ed36a0fb5120a25176fba3ad84b0e9c4e3834247441af31c9e2c67d8824fdb3ee6959381de06f

Download Submit
\Windows\SysWOW64\wwn.exe

Filesize
460KB

MD5
904d0e416145b901212cf1d1c1291d42

SHA1
7c682561999990bf1c00050f7f7e13a86eedcab4

SHA256
a7596049d930ada69a1c92ad43ce6d544c3a1766132d2da4589497f93d08de75

SHA512
78d28ea8df914416d0861ddef46756d5cea0076f70ff059d10ea40d091601002945d1c9f9ada02d5ca7a311b6601a4aec81e98d6e69989a041ea2d4da4f9f867

Download Submit
memory/1052-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1052-149-0x0000000003C20000-0x0000000003C38000-memory.dmp

Filesize
96KB

Download
memory/1052-150-0x0000000003C30000-0x0000000003C48000-memory.dmp

Filesize
96KB

Download
memory/1052-152-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1292-172-0x0000000003C60000-0x0000000003C78000-memory.dmp

Filesize
96KB

Download
memory/1292-155-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1292-174-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1380-277-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1380-262-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1380-275-0x0000000002FB0000-0x0000000002FC8000-memory.dmp

Filesize
96KB

Download
memory/1380-270-0x0000000002FB0000-0x0000000002FC8000-memory.dmp

Filesize
96KB

Download
memory/1380-276-0x0000000002FB0000-0x0000000002FC8000-memory.dmp

Filesize
96KB

Download
memory/1672-294-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1700-106-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-76-0x0000000003220000-0x0000000003238000-memory.dmp

Filesize
96KB

Download
memory/2028-83-0x0000000003230000-0x0000000003248000-memory.dmp

Filesize
96KB

Download
memory/2028-126-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-71-0x0000000003220000-0x0000000003238000-memory.dmp

Filesize
96KB

Download
memory/2028-153-0x0000000003220000-0x0000000003238000-memory.dmp

Filesize
96KB

Download
memory/2028-137-0x0000000003220000-0x0000000003238000-memory.dmp

Filesize
96KB

Download
memory/2080-131-0x0000000002F40000-0x0000000002F58000-memory.dmp

Filesize
96KB

Download
memory/2080-109-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-128-0x0000000002F40000-0x0000000002F58000-memory.dmp

Filesize
96KB

Download
memory/2080-130-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-127-0x0000000002F40000-0x0000000002F58000-memory.dmp

Filesize
96KB

Download
memory/2232-12-0x0000000003AF0000-0x0000000003B08000-memory.dmp

Filesize
96KB

Download
memory/2232-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2232-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2292-261-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2292-279-0x0000000003C20000-0x0000000003C38000-memory.dmp

Filesize
96KB

Download
memory/2292-260-0x0000000003C20000-0x0000000003C38000-memory.dmp

Filesize
96KB

Download
memory/2292-244-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2292-259-0x0000000003C20000-0x0000000003C38000-memory.dmp

Filesize
96KB

Download
memory/2528-246-0x0000000003B40000-0x0000000003B58000-memory.dmp

Filesize
96KB

Download
memory/2528-194-0x0000000003B40000-0x0000000003B58000-memory.dmp

Filesize
96KB

Download
memory/2528-192-0x0000000003B40000-0x0000000003B58000-memory.dmp

Filesize
96KB

Download
memory/2528-195-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-175-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-191-0x0000000002FE0000-0x0000000002FF8000-memory.dmp

Filesize
96KB

Download
memory/2540-242-0x0000000003DA0000-0x0000000003DB8000-memory.dmp

Filesize
96KB

Download
memory/2540-245-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2540-243-0x0000000003EB0000-0x0000000003EC8000-memory.dmp

Filesize
96KB

Download
memory/2540-230-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2680-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2680-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2680-40-0x0000000003BB0000-0x0000000003BC8000-memory.dmp

Filesize
96KB

Download
memory/2876-229-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2876-216-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2876-228-0x0000000003820000-0x0000000003838000-memory.dmp

Filesize
96KB

Download
memory/2880-62-0x0000000003C90000-0x0000000003CA8000-memory.dmp

Filesize
96KB

Download
memory/2880-108-0x0000000003C90000-0x0000000003CA8000-memory.dmp

Filesize
96KB

Download
memory/2880-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2880-54-0x0000000003660000-0x0000000003678000-memory.dmp

Filesize
96KB

Download
memory/2880-60-0x0000000003C90000-0x0000000003CA8000-memory.dmp

Filesize
96KB

Download
memory/2880-41-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3024-278-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3024-291-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download
memory/3024-293-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3024-292-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download
memory/3052-196-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3052-214-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3052-247-0x00000000030C0000-0x00000000030D8000-memory.dmp

Filesize
96KB

Download
memory/3052-215-0x00000000030C0000-0x00000000030D8000-memory.dmp

Filesize
96KB

Download