432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
Size

93KB
MD5

0dd0a86c205fb612c3ba72e205249b86
SHA1

dfd5d8118529198384b78e7391536e8c2104f42b
SHA256

432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04
SHA512

e59fd15d18180e2134f0ffffee418cc5de316979efbb80c8417d2b5f0e23ec9a50a9b1ddc8a5403865594071ec02bfb9de413ef4ae84e926e766b1ba72b2b670
SSDEEP

1536:xch3vwSbax3rHV6+HwsWGhG5JiBzQmVDH:BHTrhWiBzQOH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2580	weuua.exe
2504	wfh.exe
1048	wsdpxh.exe
860	wrwgstg.exe
1008	wckfrv.exe
1632	wqonv.exe
1844	woce.exe
2600	wenydj.exe
2888	wkoli.exe
1608	wxqh.exe
1980	wnsuobx.exe
2420	wsx.exe
1368	wjiqxbqyi.exe
1000	wawr.exe
2548	wnegc.exe
1036	wrvsd.exe
2472	wmhkjcf.exe
2552	wyunrx.exe
2000	wphihmo.exe
2760	wfhsnaj.exe
1724	wolqa.exe
956	wamf.exe
1656	wrxae.exe
1592	whxkm.exe
2544	widooyyj.exe
2948	wdpwijxyf.exe
2940	wqpkyfpx.exe
2796	wxfsrk.exe
2536	wpussw.exe
1012	whudyl.exe
1804	wxt.exe
1604	wbk.exe
892	wfbl.exe
2644	wrmihvkw.exe
2332	wntssaq.exe
1056	wlefp.exe
2912	wxmhlva.exe
916	wgunqdtd.exe
1256	wyacjk.exe
920	wihhprl.exe
1780	wcanayb.exe
2824	wktdmgfre.exe
1584	wivpvgk.exe
2900	wxowqv.exe
2660	wsiccdk.exe
2908	wfpeybhpu.exe
1800	wqkqcapf.exe
1136	wwegn.exe
2032	wrkcs.exe
1588	widkn.exe
2736	wmhlpsk.exe
584	wfqvap.exe
2692	weakx.exe
2744	wirvxb.exe
1292	whaiu.exe
2700	wlqtvl.exe
1816	whg.exe
1368	wwqkegm.exe
2668	wcwl.exe
1852	wvcnnhoiy.exe
2448	wfrwhmr.exe
1988	wbrdfqpg.exe
1972	wmsrvnfg.exe
1268	wescdcyt.exe

Loads dropped DLL 64 IoCs

pid	Process
2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
2580	weuua.exe
2580	weuua.exe
2580	weuua.exe
2580	weuua.exe
2504	wfh.exe
2504	wfh.exe
2504	wfh.exe
2504	wfh.exe
1048	wsdpxh.exe
1048	wsdpxh.exe
1048	wsdpxh.exe
1048	wsdpxh.exe
860	wrwgstg.exe
860	wrwgstg.exe
860	wrwgstg.exe
860	wrwgstg.exe
1008	wckfrv.exe
1008	wckfrv.exe
1008	wckfrv.exe
1008	wckfrv.exe
1632	wqonv.exe
1632	wqonv.exe
1632	wqonv.exe
1632	wqonv.exe
1844	woce.exe
1844	woce.exe
1844	woce.exe
1844	woce.exe
2600	wenydj.exe
2600	wenydj.exe
2600	wenydj.exe
2600	wenydj.exe
2888	wkoli.exe
2888	wkoli.exe
2888	wkoli.exe
2888	wkoli.exe
1608	wxqh.exe
1608	wxqh.exe
1608	wxqh.exe
1608	wxqh.exe
1980	wnsuobx.exe
1980	wnsuobx.exe
1980	wnsuobx.exe
1980	wnsuobx.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
2420	wsx.exe
2420	wsx.exe
2420	wsx.exe
2420	wsx.exe
1368	wjiqxbqyi.exe
1368	wjiqxbqyi.exe
1368	wjiqxbqyi.exe
1368	wjiqxbqyi.exe
1000	wawr.exe
1000	wawr.exe
1000	wawr.exe
1000	wawr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\widooyyj.exe	whxkm.exe
File opened for modification	C:\Windows\SysWOW64\wgunqdtd.exe	wxmhlva.exe
File opened for modification	C:\Windows\SysWOW64\widkn.exe	wrkcs.exe
File created	C:\Windows\SysWOW64\whaiu.exe	wirvxb.exe
File opened for modification	C:\Windows\SysWOW64\wolqa.exe	wfhsnaj.exe
File opened for modification	C:\Windows\SysWOW64\wqpkyfpx.exe	wdpwijxyf.exe
File created	C:\Windows\SysWOW64\whg.exe	wlqtvl.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvnfg.exe	wbrdfqpg.exe
File opened for modification	C:\Windows\SysWOW64\wrwgstg.exe	wsdpxh.exe
File created	C:\Windows\SysWOW64\wbk.exe	wxt.exe
File opened for modification	C:\Windows\SysWOW64\waygmtqgg.exe	wjdkuwpw.exe
File created	C:\Windows\SysWOW64\wyunrx.exe	wmhkjcf.exe
File created	C:\Windows\SysWOW64\woce.exe	wqonv.exe
File opened for modification	C:\Windows\SysWOW64\wfhsnaj.exe	wphihmo.exe
File opened for modification	C:\Windows\SysWOW64\wfbl.exe	wbk.exe
File opened for modification	C:\Windows\SysWOW64\wlrlaao.exe	wngxccdx.exe
File opened for modification	C:\Windows\SysWOW64\wfh.exe	weuua.exe
File created	C:\Windows\SysWOW64\wlqtvl.exe	whaiu.exe
File created	C:\Windows\SysWOW64\wmsrvnfg.exe	wbrdfqpg.exe
File opened for modification	C:\Windows\SysWOW64\wtwmh.exe	wqldcwtfu.exe
File opened for modification	C:\Windows\SysWOW64\wqkqcapf.exe	wfpeybhpu.exe
File opened for modification	C:\Windows\SysWOW64\wyacjk.exe	wgunqdtd.exe
File created	C:\Windows\SysWOW64\wphhbh.exe	wmihtsd.exe
File opened for modification	C:\Windows\SysWOW64\whaqvxsga.exe	wphhbh.exe
File created	C:\Windows\SysWOW64\wphihmo.exe	wyunrx.exe
File opened for modification	C:\Windows\SysWOW64\wxfsrk.exe	wqpkyfpx.exe
File created	C:\Windows\SysWOW64\wfrwhmr.exe	wvcnnhoiy.exe
File created	C:\Windows\SysWOW64\wekbrag.exe	werttaul.exe
File opened for modification	C:\Windows\SysWOW64\wnsuobx.exe	wxqh.exe
File opened for modification	C:\Windows\SysWOW64\wxsbveu.exe	wpetdbsyx.exe
File created	C:\Windows\SysWOW64\wnlobwai.exe	wyigqged.exe
File opened for modification	C:\Windows\SysWOW64\wkoli.exe	wenydj.exe
File created	C:\Windows\SysWOW64\wsx.exe	wnsuobx.exe
File opened for modification	C:\Windows\SysWOW64\wdpwijxyf.exe	widooyyj.exe
File opened for modification	C:\Windows\SysWOW64\wpussw.exe	wxfsrk.exe
File created	C:\Windows\SysWOW64\wdrvhojt.exe	wlrlaao.exe
File created	C:\Windows\SysWOW64\wmihtsd.exe	wkmoyd.exe
File created	C:\Windows\SysWOW64\wqldcwtfu.exe	wbdfoh.exe
File opened for modification	C:\Windows\SysWOW64\weuua.exe	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
File created	C:\Windows\SysWOW64\wnsuobx.exe	wxqh.exe
File created	C:\Windows\SysWOW64\wrmihvkw.exe	wfbl.exe
File created	C:\Windows\SysWOW64\wntssaq.exe	wrmihvkw.exe
File created	C:\Windows\SysWOW64\wrkcs.exe	wwegn.exe
File created	C:\Windows\SysWOW64\wescdcyt.exe	wmsrvnfg.exe
File opened for modification	C:\Windows\SysWOW64\wjdkuwpw.exe	wtwmh.exe
File opened for modification	C:\Windows\SysWOW64\wxqh.exe	wkoli.exe
File created	C:\Windows\SysWOW64\wcanayb.exe	wihhprl.exe
File created	C:\Windows\SysWOW64\wxsbveu.exe	wpetdbsyx.exe
File created	C:\Windows\SysWOW64\wamf.exe	wolqa.exe
File opened for modification	C:\Windows\SysWOW64\wxmhlva.exe	wlefp.exe
File opened for modification	C:\Windows\SysWOW64\wivpvgk.exe	wktdmgfre.exe
File opened for modification	C:\Windows\SysWOW64\wrkcs.exe	wwegn.exe
File opened for modification	C:\Windows\SysWOW64\wirvxb.exe	weakx.exe
File created	C:\Windows\SysWOW64\wxqh.exe	wkoli.exe
File created	C:\Windows\SysWOW64\wrxae.exe	wamf.exe
File created	C:\Windows\SysWOW64\wivpvgk.exe	wktdmgfre.exe
File opened for modification	C:\Windows\SysWOW64\wxowqv.exe	wivpvgk.exe
File opened for modification	C:\Windows\SysWOW64\wwqkegm.exe	whg.exe
File opened for modification	C:\Windows\SysWOW64\wmihtsd.exe	wkmoyd.exe
File created	C:\Windows\SysWOW64\wmhkjcf.exe	wrvsd.exe
File created	C:\Windows\SysWOW64\wjiqxbqyi.exe	wsx.exe
File created	C:\Windows\SysWOW64\wxfsrk.exe	wqpkyfpx.exe
File opened for modification	C:\Windows\SysWOW64\wntssaq.exe	wrmihvkw.exe
File created	C:\Windows\SysWOW64\wmhlpsk.exe	widkn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
448	1980	WerFault.exe	64
1468	2948	WerFault.exe	111
2092	2644	WerFault.exe	136
2656	556	WerFault.exe	239
1880	1728	WerFault.exe	277

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2580	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	28
PID 2520 wrote to memory of 2580	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	28
PID 2520 wrote to memory of 2580	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	28
PID 2520 wrote to memory of 2580	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	28
PID 2520 wrote to memory of 2724	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	29
PID 2520 wrote to memory of 2724	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	29
PID 2520 wrote to memory of 2724	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	29
PID 2520 wrote to memory of 2724	2520	432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe	29
PID 2580 wrote to memory of 2504	2580	weuua.exe	32
PID 2580 wrote to memory of 2504	2580	weuua.exe	32
PID 2580 wrote to memory of 2504	2580	weuua.exe	32
PID 2580 wrote to memory of 2504	2580	weuua.exe	32
PID 2580 wrote to memory of 2764	2580	weuua.exe	33
PID 2580 wrote to memory of 2764	2580	weuua.exe	33
PID 2580 wrote to memory of 2764	2580	weuua.exe	33
PID 2580 wrote to memory of 2764	2580	weuua.exe	33
PID 2504 wrote to memory of 1048	2504	wfh.exe	35
PID 2504 wrote to memory of 1048	2504	wfh.exe	35
PID 2504 wrote to memory of 1048	2504	wfh.exe	35
PID 2504 wrote to memory of 1048	2504	wfh.exe	35
PID 2504 wrote to memory of 2276	2504	wfh.exe	36
PID 2504 wrote to memory of 2276	2504	wfh.exe	36
PID 2504 wrote to memory of 2276	2504	wfh.exe	36
PID 2504 wrote to memory of 2276	2504	wfh.exe	36
PID 1048 wrote to memory of 860	1048	wsdpxh.exe	38
PID 1048 wrote to memory of 860	1048	wsdpxh.exe	38
PID 1048 wrote to memory of 860	1048	wsdpxh.exe	38
PID 1048 wrote to memory of 860	1048	wsdpxh.exe	38
PID 1048 wrote to memory of 812	1048	wsdpxh.exe	39
PID 1048 wrote to memory of 812	1048	wsdpxh.exe	39
PID 1048 wrote to memory of 812	1048	wsdpxh.exe	39
PID 1048 wrote to memory of 812	1048	wsdpxh.exe	39
PID 860 wrote to memory of 1008	860	wrwgstg.exe	44
PID 860 wrote to memory of 1008	860	wrwgstg.exe	44
PID 860 wrote to memory of 1008	860	wrwgstg.exe	44
PID 860 wrote to memory of 1008	860	wrwgstg.exe	44
PID 860 wrote to memory of 920	860	wrwgstg.exe	45
PID 860 wrote to memory of 920	860	wrwgstg.exe	45
PID 860 wrote to memory of 920	860	wrwgstg.exe	45
PID 860 wrote to memory of 920	860	wrwgstg.exe	45
PID 1008 wrote to memory of 1632	1008	wckfrv.exe	48
PID 1008 wrote to memory of 1632	1008	wckfrv.exe	48
PID 1008 wrote to memory of 1632	1008	wckfrv.exe	48
PID 1008 wrote to memory of 1632	1008	wckfrv.exe	48
PID 1008 wrote to memory of 1872	1008	wckfrv.exe	49
PID 1008 wrote to memory of 1872	1008	wckfrv.exe	49
PID 1008 wrote to memory of 1872	1008	wckfrv.exe	49
PID 1008 wrote to memory of 1872	1008	wckfrv.exe	49
PID 1632 wrote to memory of 1844	1632	wqonv.exe	51
PID 1632 wrote to memory of 1844	1632	wqonv.exe	51
PID 1632 wrote to memory of 1844	1632	wqonv.exe	51
PID 1632 wrote to memory of 1844	1632	wqonv.exe	51
PID 1632 wrote to memory of 2644	1632	wqonv.exe	52
PID 1632 wrote to memory of 2644	1632	wqonv.exe	52
PID 1632 wrote to memory of 2644	1632	wqonv.exe	52
PID 1632 wrote to memory of 2644	1632	wqonv.exe	52
PID 1844 wrote to memory of 2600	1844	woce.exe	55
PID 1844 wrote to memory of 2600	1844	woce.exe	55
PID 1844 wrote to memory of 2600	1844	woce.exe	55
PID 1844 wrote to memory of 2600	1844	woce.exe	55
PID 1844 wrote to memory of 2900	1844	woce.exe	56
PID 1844 wrote to memory of 2900	1844	woce.exe	56
PID 1844 wrote to memory of 2900	1844	woce.exe	56
PID 1844 wrote to memory of 2900	1844	woce.exe	56

C:\Users\Admin\AppData\Local\Temp\432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe
"C:\Users\Admin\AppData\Local\Temp\432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\weuua.exe
  "C:\Windows\system32\weuua.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\wfh.exe
    "C:\Windows\system32\wfh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\wsdpxh.exe
      "C:\Windows\system32\wsdpxh.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\SysWOW64\wrwgstg.exe
        
        "C:\Windows\system32\wrwgstg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\SysWOW64\wckfrv.exe
        
        "C:\Windows\system32\wckfrv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\wqonv.exe
        
        "C:\Windows\system32\wqonv.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\woce.exe
        
        "C:\Windows\system32\woce.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\wenydj.exe
        
        "C:\Windows\system32\wenydj.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\wkoli.exe
        
        "C:\Windows\system32\wkoli.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\wxqh.exe
        
        "C:\Windows\system32\wxqh.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\wnsuobx.exe
        
        "C:\Windows\system32\wnsuobx.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\wsx.exe
        
        "C:\Windows\system32\wsx.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\wjiqxbqyi.exe
        
        "C:\Windows\system32\wjiqxbqyi.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1368
        
        C:\Windows\SysWOW64\wawr.exe
        
        "C:\Windows\system32\wawr.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1000
        
        C:\Windows\SysWOW64\wnegc.exe
        
        "C:\Windows\system32\wnegc.exe"
        16⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\wrvsd.exe
        
        "C:\Windows\system32\wrvsd.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\wmhkjcf.exe
        
        "C:\Windows\system32\wmhkjcf.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wyunrx.exe
        
        "C:\Windows\system32\wyunrx.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\wphihmo.exe
        
        "C:\Windows\system32\wphihmo.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\wfhsnaj.exe
        
        "C:\Windows\system32\wfhsnaj.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\wolqa.exe
        
        "C:\Windows\system32\wolqa.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\wamf.exe
        
        "C:\Windows\system32\wamf.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\wrxae.exe
        
        "C:\Windows\system32\wrxae.exe"
        24⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\whxkm.exe
        
        "C:\Windows\system32\whxkm.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\widooyyj.exe
        
        "C:\Windows\system32\widooyyj.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\wdpwijxyf.exe
        
        "C:\Windows\system32\wdpwijxyf.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\wqpkyfpx.exe
        
        "C:\Windows\system32\wqpkyfpx.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wxfsrk.exe
        
        "C:\Windows\system32\wxfsrk.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\wpussw.exe
        
        "C:\Windows\system32\wpussw.exe"
        30⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\whudyl.exe
        
        "C:\Windows\system32\whudyl.exe"
        31⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\wxt.exe
        
        "C:\Windows\system32\wxt.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\wbk.exe
        
        "C:\Windows\system32\wbk.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\wfbl.exe
        
        "C:\Windows\system32\wfbl.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\wrmihvkw.exe
        
        "C:\Windows\system32\wrmihvkw.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\wntssaq.exe
        
        "C:\Windows\system32\wntssaq.exe"
        36⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\wlefp.exe
        
        "C:\Windows\system32\wlefp.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\wxmhlva.exe
        
        "C:\Windows\system32\wxmhlva.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\wgunqdtd.exe
        
        "C:\Windows\system32\wgunqdtd.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\wyacjk.exe
        
        "C:\Windows\system32\wyacjk.exe"
        40⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\wihhprl.exe
        
        "C:\Windows\system32\wihhprl.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\wcanayb.exe
        
        "C:\Windows\system32\wcanayb.exe"
        42⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\wktdmgfre.exe
        
        "C:\Windows\system32\wktdmgfre.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\wivpvgk.exe
        
        "C:\Windows\system32\wivpvgk.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\wxowqv.exe
        
        "C:\Windows\system32\wxowqv.exe"
        45⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\wsiccdk.exe
        
        "C:\Windows\system32\wsiccdk.exe"
        46⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\wfpeybhpu.exe
        
        "C:\Windows\system32\wfpeybhpu.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\wqkqcapf.exe
        
        "C:\Windows\system32\wqkqcapf.exe"
        48⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\wwegn.exe
        
        "C:\Windows\system32\wwegn.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\wrkcs.exe
        
        "C:\Windows\system32\wrkcs.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\widkn.exe
        
        "C:\Windows\system32\widkn.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\wmhlpsk.exe
        
        "C:\Windows\system32\wmhlpsk.exe"
        52⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\wfqvap.exe
        
        "C:\Windows\system32\wfqvap.exe"
        53⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\weakx.exe
        
        "C:\Windows\system32\weakx.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\wirvxb.exe
        
        "C:\Windows\system32\wirvxb.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\whaiu.exe
        
        "C:\Windows\system32\whaiu.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\wlqtvl.exe
        
        "C:\Windows\system32\wlqtvl.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\whg.exe
        
        "C:\Windows\system32\whg.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\wwqkegm.exe
        
        "C:\Windows\system32\wwqkegm.exe"
        59⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\wcwl.exe
        
        "C:\Windows\system32\wcwl.exe"
        60⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\wvcnnhoiy.exe
        
        "C:\Windows\system32\wvcnnhoiy.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\wfrwhmr.exe
        
        "C:\Windows\system32\wfrwhmr.exe"
        62⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\wbrdfqpg.exe
        
        "C:\Windows\system32\wbrdfqpg.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\wmsrvnfg.exe
        
        "C:\Windows\system32\wmsrvnfg.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\wescdcyt.exe
        
        "C:\Windows\system32\wescdcyt.exe"
        65⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\wngxccdx.exe
        
        "C:\Windows\system32\wngxccdx.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\wlrlaao.exe
        
        "C:\Windows\system32\wlrlaao.exe"
        67⤵
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\wdrvhojt.exe
        
        "C:\Windows\system32\wdrvhojt.exe"
        68⤵
        
        PID:556
        
        C:\Windows\SysWOW64\wcqyxk.exe
        
        "C:\Windows\system32\wcqyxk.exe"
        69⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\wfyhk.exe
        
        "C:\Windows\system32\wfyhk.exe"
        70⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\wpetdbsyx.exe
        
        "C:\Windows\system32\wpetdbsyx.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\wxsbveu.exe
        
        "C:\Windows\system32\wxsbveu.exe"
        72⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\wkmoyd.exe
        
        "C:\Windows\system32\wkmoyd.exe"
        73⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\wmihtsd.exe
        
        "C:\Windows\system32\wmihtsd.exe"
        74⤵
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\wphhbh.exe
        
        "C:\Windows\system32\wphhbh.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\whaqvxsga.exe
        
        "C:\Windows\system32\whaqvxsga.exe"
        76⤵
        
        PID:776
        
        C:\Windows\SysWOW64\wbdfoh.exe
        
        "C:\Windows\system32\wbdfoh.exe"
        77⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\wqldcwtfu.exe
        
        "C:\Windows\system32\wqldcwtfu.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\wtwmh.exe
        
        "C:\Windows\system32\wtwmh.exe"
        79⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wjdkuwpw.exe
        
        "C:\Windows\system32\wjdkuwpw.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\waygmtqgg.exe
        
        "C:\Windows\system32\waygmtqgg.exe"
        81⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\wibylye.exe
        
        "C:\Windows\system32\wibylye.exe"
        82⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\wogbglr.exe
        
        "C:\Windows\system32\wogbglr.exe"
        83⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\werttaul.exe
        
        "C:\Windows\system32\werttaul.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\wekbrag.exe
        
        "C:\Windows\system32\wekbrag.exe"
        85⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\wyigqged.exe
        
        "C:\Windows\system32\wyigqged.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekbrag.exe"
        86⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\werttaul.exe"
        85⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wogbglr.exe"
        84⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibylye.exe"
        83⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waygmtqgg.exe"
        82⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdkuwpw.exe"
        81⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 48
        81⤵
        Program crash
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwmh.exe"
        80⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqldcwtfu.exe"
        79⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbdfoh.exe"
        78⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whaqvxsga.exe"
        77⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphhbh.exe"
        76⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmihtsd.exe"
        75⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmoyd.exe"
        74⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsbveu.exe"
        73⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpetdbsyx.exe"
        72⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyhk.exe"
        71⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqyxk.exe"
        70⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrvhojt.exe"
        69⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 180
        69⤵
        Program crash
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrlaao.exe"
        68⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngxccdx.exe"
        67⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wescdcyt.exe"
        66⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsrvnfg.exe"
        65⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrdfqpg.exe"
        64⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrwhmr.exe"
        63⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcnnhoiy.exe"
        62⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwl.exe"
        61⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqkegm.exe"
        60⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whg.exe"
        59⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqtvl.exe"
        58⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whaiu.exe"
        57⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirvxb.exe"
        56⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weakx.exe"
        55⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqvap.exe"
        54⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhlpsk.exe"
        53⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widkn.exe"
        52⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkcs.exe"
        51⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwegn.exe"
        50⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkqcapf.exe"
        49⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpeybhpu.exe"
        48⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsiccdk.exe"
        47⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxowqv.exe"
        46⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wivpvgk.exe"
        45⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktdmgfre.exe"
        44⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcanayb.exe"
        43⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihhprl.exe"
        42⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyacjk.exe"
        41⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgunqdtd.exe"
        40⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmhlva.exe"
        39⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlefp.exe"
        38⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntssaq.exe"
        37⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmihvkw.exe"
        36⤵
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 48
        36⤵
        Program crash
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfbl.exe"
        35⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbk.exe"
        34⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxt.exe"
        33⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whudyl.exe"
        32⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpussw.exe"
        31⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxfsrk.exe"
        30⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqpkyfpx.exe"
        29⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpwijxyf.exe"
        28⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 48
        28⤵
        Program crash
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widooyyj.exe"
        27⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxkm.exe"
        26⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrxae.exe"
        25⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamf.exe"
        24⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolqa.exe"
        23⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhsnaj.exe"
        22⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphihmo.exe"
        21⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyunrx.exe"
        20⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmhkjcf.exe"
        19⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvsd.exe"
        18⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnegc.exe"
        17⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wawr.exe"
        16⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjiqxbqyi.exe"
        15⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsx.exe"
        14⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsuobx.exe"
        13⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 832
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqh.exe"
        12⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkoli.exe"
        11⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wenydj.exe"
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woce.exe"
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqonv.exe"
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckfrv.exe"
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwgstg.exe"
        6⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdpxh.exe"
        5⤵
        
        PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfh.exe"
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuua.exe"
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\432818abe625103938e8bf5bece137ea3a1f45d5750fa3c8215b07c234d0ac04.exe"
  2⤵
  - Deletes itself
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\28JEK0B1.txt

Filesize
99B

MD5
87563945c82e6b0c4863e3022ef73ccf

SHA1
15af004cd164f6db3bcf84d456e679b488ea2c61

SHA256
26e96ada2cb57c5893d8cee766c0553aa43cf8b1832f8713839bfad5385c8d9b

SHA512
4cd737be2db53e8d45b96a3a6dedc1a180447a031906be669af52d38188909a1e5817f3208293feb9e13261c88bd4788b4aee76c610fe1e0fcbcfac2166c406d

Download Submit
\Windows\SysWOW64\wckfrv.exe

Filesize
93KB

MD5
183a79086a159e0443e9e6dd90b71e5d

SHA1
ff0a793b036fe0afb566f6e2b807c678fef8c538

SHA256
aa62fae3236543bfaeff5a599781bab63e2805d950e3c2d45b1143509caf58f6

SHA512
d73b07c000c664447614d2e748d67428d8532278b2b6164f43e12afb569ec205f2e326f5453f37d87f130f77f1503e779ac82dabc612f143522829a018676ade

Download Submit
\Windows\SysWOW64\wenydj.exe

Filesize
93KB

MD5
0d0bf28dcecf8a29269bad60cca266b5

SHA1
816c3109f1d4421c7b7cd3334ca3e2f9914cefbe

SHA256
bf097f8d80b56ff21457b8375e6ebeda1c1b4e18a1dd2952d6c829ea5eb548ee

SHA512
1c40b16d29c4ac01bb7f641c83a3be0ee6e42e31ae662a605b2c5dd98f9ca65b6eefe2849eebefb9fe1926ae405244d4e199a78b6aac63b3eaca2deb043d8c0c

Download Submit
\Windows\SysWOW64\weuua.exe

Filesize
93KB

MD5
d2e8e05e4e168e42715622caa9233607

SHA1
b900e52cfaaa8899da3378c68f35a660e552a4f9

SHA256
7e485966f11aaf8f9f9fb6e46bffaf3ce5adef607a715f697e7b3076325ffc2c

SHA512
d497b4f704421249d2dadc4e9274a6de26387cd83c18d9cd6223512376178af2056008ffc78f6a0efe26607b781b798e875e713beb28ef5758687cfe7094f1c0

Download Submit
\Windows\SysWOW64\wfh.exe

Filesize
93KB

MD5
8e2ac495cb444795b75f9c08453fc11d

SHA1
a096b31f2c1c5635e37eac2deb6c46aef3f11352

SHA256
47e679aac3676ee1d4a79671a098abe8a1d4f71b10344e45035ece01ed28d9a7

SHA512
74f6a48987f46d531a2f653a2bd9fe753a8d8ef01cb464945e9c4670bbf5ad19b2cf7afe1e195c1905d25e5df7791ee0657deaa2f2b6b9624c7ed6c25e4f5866

Download Submit
\Windows\SysWOW64\wkoli.exe

Filesize
93KB

MD5
4831715bb19ef7d6b20c49723eb836af

SHA1
906a0394e78675766989c2ff17283a0c8ec06969

SHA256
47ff9493720dd754c40fdfc8f48b0f5b67080c1ee04b01f5d635f1166aacdc5b

SHA512
50f35ce193b09816500d5a491f429da54e0cf16f8ee37af37ccf657f6f9c4a99724b0d1aa6bc7a4bdb8f2b6aa1fc74f95c996b774896490aa6dfffe40e8d9fa5

Download Submit
\Windows\SysWOW64\wnsuobx.exe

Filesize
93KB

MD5
becd6a0ab6e5998b2e7d4fa76a3e7643

SHA1
dd6c6b0dcc3e4843b925b0b30e74df64cbe1a039

SHA256
ed820d1f6e092434ac9df47cd501624510b53468a94b571ec5c9669878e1cabd

SHA512
c5a5028d11f4bf8b3af3cab86ff4132239ae66810d45267f83f0e01730f8e03df4c221ef17edd04edfc03aca7f0b7611c446328dfdd19ffea10420676bcc32f6

Download Submit
\Windows\SysWOW64\woce.exe

Filesize
93KB

MD5
5ef87054fe588513674da67ccdb934a6

SHA1
ce9cb12d1497a51dd3d04e460262d8f9fdc401e0

SHA256
97d99a2969042ecbb51673ca6b134add058fbfd4abfb0f3b985f7850ce1d49d5

SHA512
effbb99f996bf5c9c8fa3744fb1c3ac226036d4de43f1d207158af9f9a9db7efb578cda6b5cc8dd86694ed1097f5871defd35f53e24a1417affecf2bc1d31910

Download Submit
\Windows\SysWOW64\wqonv.exe

Filesize
93KB

MD5
79a7e607b32be40322d9712c3753b8f8

SHA1
1f3e67ec7ed2d8e3c6015a1dab8e0eab2931acd9

SHA256
75f0dc251dd1e8f03bcb7b19d1511277a603fd70965ebc10ac2d4353b54e7e61

SHA512
bd3512c5acfaf7f5ab42faf3ea0c153d3ab90338ce6f53ebffa333c53115be77ca2da72a2dcd3302ecd9525fdad5960642a3568d56894dc07f3da14d7a93402b

Download Submit
\Windows\SysWOW64\wrwgstg.exe

Filesize
93KB

MD5
2d835fcb893b678f6b078638231ef54f

SHA1
199756e903b1dfb6be923fe566c0f2d6d660f9f4

SHA256
722bda77e731d1d04fc3eb5a0653445efb3c167bfe59af630d92e04b19055359

SHA512
9464f64c0bb7dbdc4aed014a494a43e0d2d057111266c67f3ed214279a0e59124f38328ac571c2f48f8f17391b5651858fbcd8c5de1fb992390becb46f0f7a43

Download Submit
\Windows\SysWOW64\wsdpxh.exe

Filesize
93KB

MD5
0cd3bb09fb47228230ae493df54b9dd2

SHA1
636caf0fdcc119c5afc727c26123e155028f145c

SHA256
0f0bff94e911fe1a10bc86d19c55268cda558ee6344e8d4f0ac054cc2df02a4d

SHA512
83591954ecf4315aabeffe426c48813183c5fb09a022fe134cd8b0db2012a7c0e59f29a1a20f48986856c36d9184f80fcb151650b4b9622c2c00ea2f1db69102

Download Submit
\Windows\SysWOW64\wxqh.exe

Filesize
93KB

MD5
1421e634977c6a63dd13865e5f06ddb5

SHA1
29738c198782e91f345b7932b5fc2fffb0513b89

SHA256
da6d62100c66e5344ecf26f6a55fc2850315ba59960cec3cccf47fde2051c2a3

SHA512
b148d1b2d4147c6e4d1d49363b2ec937cd44ab1b653b31c1ffd3140c2ff195b322add9bc1069e171cb9c03463b38e695060363331d6ebd7ee3d70da381475740

Download Submit
memory/860-106-0x0000000003D60000-0x0000000003D77000-memory.dmp

Filesize
92KB

Download
memory/860-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/860-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/860-105-0x0000000003D60000-0x0000000003D77000-memory.dmp

Filesize
92KB

Download
memory/860-87-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1000-298-0x0000000002390000-0x00000000023A7000-memory.dmp

Filesize
92KB

Download
memory/1000-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1000-302-0x0000000002390000-0x00000000023A7000-memory.dmp

Filesize
92KB

Download
memory/1000-303-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1008-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1008-122-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/1008-121-0x0000000003ED0000-0x0000000003EE7000-memory.dmp

Filesize
92KB

Download
memory/1008-109-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1036-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1036-339-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1036-335-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/1036-336-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/1036-337-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/1036-338-0x0000000003A70000-0x0000000003A87000-memory.dmp

Filesize
92KB

Download
memory/1048-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1048-86-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1048-84-0x0000000002550000-0x0000000002567000-memory.dmp

Filesize
92KB

Download
memory/1048-78-0x0000000002550000-0x0000000002567000-memory.dmp

Filesize
92KB

Download
memory/1368-284-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1368-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1368-285-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1368-288-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1368-286-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1368-287-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1608-231-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1608-236-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1608-237-0x0000000003750000-0x0000000003767000-memory.dmp

Filesize
92KB

Download
memory/1608-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1608-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-147-0x0000000003F60000-0x0000000003F77000-memory.dmp

Filesize
92KB

Download
memory/1632-148-0x0000000004130000-0x0000000004147000-memory.dmp

Filesize
92KB

Download
memory/1632-146-0x0000000003F60000-0x0000000003F77000-memory.dmp

Filesize
92KB

Download
memory/1844-169-0x0000000002560000-0x0000000002577000-memory.dmp

Filesize
92KB

Download
memory/1844-168-0x0000000002560000-0x0000000002577000-memory.dmp

Filesize
92KB

Download
memory/1844-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1844-171-0x0000000002570000-0x0000000002587000-memory.dmp

Filesize
92KB

Download
memory/1844-170-0x0000000002570000-0x0000000002587000-memory.dmp

Filesize
92KB

Download
memory/1844-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-253-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/1980-315-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-254-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/1980-251-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/1980-252-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/1980-321-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/1980-320-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/1980-319-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/1980-238-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-267-0x0000000003650000-0x0000000003667000-memory.dmp

Filesize
92KB

Download
memory/2420-268-0x0000000003650000-0x0000000003667000-memory.dmp

Filesize
92KB

Download
memory/2420-269-0x0000000003650000-0x0000000003667000-memory.dmp

Filesize
92KB

Download
memory/2420-270-0x0000000003650000-0x0000000003667000-memory.dmp

Filesize
92KB

Download
memory/2420-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-352-0x00000000022E0000-0x00000000022F7000-memory.dmp

Filesize
92KB

Download
memory/2472-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-353-0x0000000002310000-0x0000000002327000-memory.dmp

Filesize
92KB

Download
memory/2472-354-0x0000000002310000-0x0000000002327000-memory.dmp

Filesize
92KB

Download
memory/2472-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2504-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2504-62-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2504-63-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2504-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2504-61-0x0000000003D50000-0x0000000003D67000-memory.dmp

Filesize
92KB

Download
memory/2504-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-11-0x0000000003AF0000-0x0000000003B07000-memory.dmp

Filesize
92KB

Download
memory/2520-18-0x0000000003AF0000-0x0000000003B07000-memory.dmp

Filesize
92KB

Download
memory/2548-317-0x0000000003500000-0x0000000003517000-memory.dmp

Filesize
92KB

Download
memory/2548-316-0x0000000003500000-0x0000000003517000-memory.dmp

Filesize
92KB

Download
memory/2548-318-0x0000000003500000-0x0000000003517000-memory.dmp

Filesize
92KB

Download
memory/2548-323-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-368-0x00000000025C0000-0x00000000025D7000-memory.dmp

Filesize
92KB

Download
memory/2552-355-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2580-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2580-42-0x0000000003590000-0x00000000035A7000-memory.dmp

Filesize
92KB

Download
memory/2580-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2580-41-0x0000000003590000-0x00000000035A7000-memory.dmp

Filesize
92KB

Download
memory/2600-193-0x0000000003830000-0x0000000003847000-memory.dmp

Filesize
92KB

Download
memory/2600-195-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-191-0x0000000003820000-0x0000000003837000-memory.dmp

Filesize
92KB

Download
memory/2600-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-192-0x0000000003830000-0x0000000003847000-memory.dmp

Filesize
92KB

Download
memory/2888-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-215-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download
memory/2888-216-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download
memory/2888-218-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-207-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download
memory/2888-208-0x0000000003570000-0x0000000003587000-memory.dmp

Filesize
92KB

Download